Situational awareness is the perception of your environment and comprehending the elements within that environment with particular focus on those critical to decision making.
Cyber defenders, operators, and analysts must maintain “situational awareness.” This is more than sitting in a room with several large televisions streaming Twitter and [insert management’s favorite cable news channel here].
Maintaining situational awareness is the act of continuously defining your environment and identifying (and comprehending) the elements critical to decision-making. The purpose of this act is to let one continuously orient towards the best decision.
Those familiar with the OODA Loop will recognize this as the observe phase in the loop.
It is important to know and comprehend your environment, which means both your internal situation AND the external situation.
Knowing your internal situation usually comes from dashboards, alerts, network activity graphs, parsed log files, vulnerability scanners, updates from vendors, etc. From this view an analyst finds particularly interesting events or anomalies and understands their organization’s exposure surface.
Most importantly, the situational awareness from these data points should provide a decision-making construct to identify necessary actions (e.g. “should we patch for that?”, “should we close that firewall hole?”, “should I explore that spike in traffic?”).
However, maintaining knowledge of the internal situation is not enough. Just as a pilot must keep their eyes on their instruments AND the horizon, an analyst must keep their eyes on their internal sensors AND the external threat environment.
Keeping track of just ONE of these environments is hard enough; how can an analyst hope to track both environments effectively, make effective decisions on that information, and act on those decisions in time?
Both management and analysts dream of some tool that will quickly and easily integrate these disparate and complicated environments so that the best decisions can be made quickly. However, until that dream tool is created:
1. Know your organization’s mission statement, business strategy, and business rules
You’ll never know what elements or events are important if you don’t know what is important to your organization. Be able to articulate your organization’s mission statement. How is your organization attempting to meet its goals, and how do you support that? How do the various business units work together to create a cohesive whole? With this information you can make an informed decision as to the criticality of an event based on the assets being affected.
2. Be cognizant of external events affecting your organization’s mission
What is happening in your market space or the global sociopolitical space that is changing your security profile? Will that new acquisition by a foreign competitor cause you to become a target of corporate espionage? Will hackers target your organization in retaliation for country X expelling ambassadors from country Y?
3. Be aware of internal events
What is happening inside the organization? Is there a new desktop load being deployed? Who is being fired today? What are the upcoming mergers/acquisitions? All of these affect the exposure surface of an organization and its target profile to attackers.
4. Find and follow the best
The internet is the greatest collection of human knowledge ever assembled. Use it. There are great security researchers and analysts constantly updating information sources with critical knowledge. Find these sources and follow them. Use Twitter, Google Reader, Listorious, and other services to help aggregate this information. Who and what are the critical sources themselves following?
5. Be aware and able to communicate what is missing
Know what is missing from your viewpoint. Are there any data feeds which would add to the picture? What are the biases and limitations of your data sets? How do these affect your decision-making? Knowing this in advance and taking it into account will help reduce poor decision-making and unexpected consequences.
6. Know the rule sets, analytics, and data sources
The better an analyst knows their own rule-sets, analytics, and data sources, the more efficiently and accurately they can distinguish critical from non-critical events.
7. Eliminate Useless Information
One must carefully balance the need for information against the danger of information overload, which causes poor or delayed decision-making. Therefore, eliminate any useless information sources. This includes signatures with high false-positive rates and network activity graphs that nobody pays any attention to. It is better to have less information of higher quality than a high quantity that muddles decision-making. Replace bad data feeds with something useful, or better yet, don’t replace them at all.
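The point above (retire signatures that mostly produce false positives) is easier to act on when it is measured rather than felt. The script below is an added example, not code from the original post: it takes a constructed sample of triaged alerts (signature name plus the analyst's disposition), computes each signature's observed precision, and recommends whether to keep, tune, retire, or review it. The signature names, dispositions, and thresholds are all made up for illustration; in practice the alerts would come from a SIEM or case-tracking export.

```python
"""Rank detection signatures by observed precision so that noisy,
low-value ones can be tuned or retired (added example; not the post's code)."""
from collections import defaultdict

# Constructed sample of triaged alerts (not real data): (signature, disposition).
#   "tp"  = confirmed true positive
#   "fp"  = confirmed false positive
#   "unk" = not yet triaged
SAMPLE_ALERTS = [
    ("SIG-001 suspected beacon to known bad host", "tp"),
    ("SIG-001 suspected beacon to known bad host", "tp"),
    ("SIG-001 suspected beacon to known bad host", "fp"),
    *[("SIG-002 oversized ICMP packet", "fp")] * 6,
    ("SIG-003 outbound DNS to non-corporate resolver", "tp"),
    *[("SIG-003 outbound DNS to non-corporate resolver", "fp")] * 4,
    ("SIG-004 new admin account created", "unk"),
    ("SIG-004 new admin account created", "unk"),
]


def signature_stats(alerts):
    """Per-signature volume, tp/fp counts and precision (tp / triaged).
    Untriaged alerts count toward volume but not toward precision."""
    counts = defaultdict(lambda: {"total": 0, "tp": 0, "fp": 0})
    for sig, disposition in alerts:
        counts[sig]["total"] += 1
        if disposition in ("tp", "fp"):
            counts[sig][disposition] += 1
    stats = {}
    for sig, c in counts.items():
        triaged = c["tp"] + c["fp"]
        # None means "no evidence either way", which is different from 0.0
        precision = c["tp"] / triaged if triaged else None
        stats[sig] = {**c, "precision": precision}
    return stats


def classify_signature(s, min_precision=0.25, min_volume=5):
    """Recommendation for one signature's stats. Thresholds are illustrative;
    pick them from your own alert budget and triage capacity."""
    if s["precision"] is None:
        return "review"  # never triaged; cannot judge its value yet
    if s["total"] < min_volume:
        return "keep"    # too little volume to be a noise problem
    if s["tp"] == 0:
        return "retire"  # meaningful volume, zero confirmed hits: pure noise
    if s["precision"] < min_precision:
        return "tune"    # finds real things, but buried in false positives
    return "keep"


def recommendations(alerts, **thresholds):
    """Map every signature seen in the alerts to keep/tune/retire/review."""
    return {sig: classify_signature(s, **thresholds)
            for sig, s in signature_stats(alerts).items()}


def alert_volume_saved(alerts, recs):
    """Number of alerts that would disappear if 'retire' recommendations were applied."""
    retired = {sig for sig, rec in recs.items() if rec == "retire"}
    return sum(1 for sig, _ in alerts if sig in retired)


if __name__ == "__main__":
    recs = recommendations(SAMPLE_ALERTS)
    stats = signature_stats(SAMPLE_ALERTS)
    for sig in sorted(recs, key=lambda k: stats[k]["total"], reverse=True):
        s = stats[sig]
        prec = "n/a" if s["precision"] is None else f"{s['precision']:.2f}"
        print(f"{recs[sig]:<7} vol={s['total']:<3} precision={prec:<5} {sig}")
    print(f"alerts removed by retiring noise: {alert_volume_saved(SAMPLE_ALERTS, recs)}")
```

The "review" bucket is deliberate: a signature with no triaged alerts has unknown value, and silently treating it as zero precision would retire detections nobody has looked at yet. The "tune" bucket is where most effort pays off, since those signatures do catch real activity and usually need a narrower condition or an exclusion rather than removal.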
8. Not Everyone Requires the Same Information
It is important for organizations to understand that not everyone needs the same information to maintain situational awareness. People think differently. Use that to your advantage. Don’t try to make robots. People perceive their environment differently from one another. Allow each to develop their own information feeds and visualizations to maximize effectiveness.