Situational awareness. Military strategists live and die by it. Their soldiers do too. So do pilots. Even good stock brokers and traders depend on it for their very financial lives.
For these occupations, situational awareness is a very real thing. It’s something you practice just as cyber professionals do boundary protection, root cause analysis or defense in depth.
Yet across the business world today, few organizations or their cybersecurity teams practice simple, diligent cyber situational awareness from top to bottom, despite dynamic and continuous cyber crime that threatens the livelihood of their enterprises.
And despite the fact that cyber is quickly becoming enemy #1.
The phenomenon is even more puzzling when you consider that effective situational awareness is one of the easier to set up and more cost-effective parts of a cyber defense or cyber risk management program. The data to support its practice is usually “lying around” most enterprises, easily collected and put to use.
Situational awareness is knowing what’s going on all around you at all times so you can figure out how best to react when conditions change. It can be a process used by individual team members and employees or a full-blown program for a whole organization built around tested methodologies that are taught everywhere from the military to flight schools. For me, it was one of the first in-depth training programs I went through in the Army. What’s more, when situational awareness is paired with its “brother in arms,” Operational Security (or OPSEC), the combination gets really – dare I say it – actionable.
It sounds simple enough, but it’s almost always disregarded in favor of more sophisticated, less effective solutions. It’s very rarely a distinct program committed to at the highest levels and pushed down through the business.
It’s as if this time-tested concept just isn’t sexy enough, trendy enough or perhaps even costly enough to be considered worthwhile.
So what keeps companies from devoting time, energy and money to situational awareness?
Analyzing the data from my own efforts implementing these kinds of approaches over just the last two years, here are 4 observations:
1. “Somebody Else’s Problem Field”, or SEP
In his The Hitchhiker’s Guide to the Galaxy series of books, famous author Douglas Adams humorously described a simple tool that runs on a flashlight battery and creates a field that, when used against something, renders it invisible to those around it. Well, not so much invisible as completely unnoticed. Disregarded into invisibility, if you will.
The fictional, satirical SEP field worked by utilizing a human’s natural tendency to ignore concepts they can’t or won’t easily accept as “someone else’s problem”.
When it comes to situational awareness, it’s an SEP for most management and cyber operations teams. Something this simple, this relatively easy to implement and capable of making a real difference in cyber defense across the whole enterprise is just not easily accepted.
Sadly, the litmus test for acceptance these days as a part of any corporate cybersecurity strategy holds that a solution must be flashy, new and improved, hard to implement, expensive as hell, require multiple highly-skilled technical personnel to work the levers, be the same as what everyone else is doing and get talked about at dozens of seminars and conferences. Otherwise, it’s someone else’s problem.
2. Tunnel-Vision, Stove-Pipe, Navel-Gazing, Horse-Blinders Addiction Syndrome
From having family and friends in the medical field, I’ve learned that a medical professional who spends all their time looking down the barrel of a microscope at a problem develops “Microdeckia,” or comes to “play with a small deck of cards.” In more ways than one.
Inside most corporate cyber operations, the intelligence focus is usually on a SIEM or a TIP or feed usage that:
• Focuses on internal, low-level data sources (e.g. logs)
• Aggregates lots of flat data of the same type from myriad sources (e.g. workstation logs)
• Depends on indicators and alerts (e.g. Snort or patch management)
• Trends almost solely toward “alert and search” or ephemeral real-time usage
• Ignores historical data collection and mining
• Disregards high-level, comprehensive threat indicators
• Fails to capture specific, contextually relevant business characteristics, or risk profiles
The effect of all this?
• Traps data at just the security operations level
• Fails to link company risk areas to possible threats for mitigation and response
• Impedes information sharing and accurate reporting
• Makes a dynamic, long-term strategy almost impossible
• Inhibits shared alertness and agility throughout the org and its units
• Dramatically reduces awareness of “over the horizon” problems
• Leads to complete reliance on reactive postures as opposed to anticipatory
• Makes you blind to the “Big Picture”
• Promotes “Ostrich Security”
Worst of all, a lack of situational awareness due to this disease may lead to a false sense of safety and security.
3. A Case of Mistaken Identity
In most of my engagements implementing cyber risk intelligence solutions to support situational awareness, the dialog usually starts in one of two ways:
• We already do situational awareness. We have lots of tools that alert us and let us know when we need to pay attention. It’s automated situational awareness.
• If we can’t use it to defend our networks, it’s worthless to us. We only invest in things that protect our networks.
In both instances, there’s a mistake in identity going on.
First, that’s not actually situational awareness at all. In fact, it’s something I call “operational awareness,” or being really efficient at doing the same things you do every day in the same ways. It’s kinda like saying your house is safe because you put a motion-sensitive camera on the front door.
Second, situational awareness can’t directly defend your network. It’s not supposed to.
But, without data from different levels and different perspectives inside and outside your network plus an informed methodology continuously evaluating threats and risks, neither can you or your tools.
Without situational awareness, triage, prioritization and action suffer. All those tools that directly protect the network are less and less effective.
4. Situational awareness is not a “need to have,” it’s a “nice to have”
This is my personal favorite of all the challenges to adding a situational awareness focus to cyber intelligence tactics and strategy.
Situational awareness techniques are actually quite foundational but surprisingly, most see them as optional.
For me, combining techniques that teach you to constantly analyze the problem as a whole (what’s normal, what’s not, and what’s changing) with threat and risk data from both inside your company’s walls and outside in the larger environment, to help you know better what to do as things change or go wrong, would seem to most to be a ground-floor assumption. But it’s not.
Most often, businesses rush to acquire lots of expensive tools in every shape and size. These are viewed as “need to haves.”
It’s like buying a really nice, expensive private jet and then grabbing someone halfway through their flight training to fly it and telling them “we took out most of the ‘optional’ gauges except speed and altitude, so here’s the manual and if something goes wrong, pull up.”
Without a solid base in knowing who you are as a target and what’s going on around you at all times, everything else you do is essentially a half-measure. As with the military, where life, limb and victory are always on the line, situational awareness isn’t a “need to have,” it’s an “absolute must have.”