Imagine you traveled to a new town—a town that you’ve never visited before. Where do you go? What should you do? How alert will you need to be?

All of these questions are probably linked to your comfort level in that town. If it’s similar to other places you know well, you might already know how to act, how to respond to the setting and have a good idea of how alert you need to be to ensure you and whoever you are with enjoy their experience and feel safe in the setting.

Cybersecurity is no different. Today more than ever, your organization and its team members should be thinking about their situational awareness. They probably have varying comfort levels simply because some on your team have seen and experienced more in certain areas of your network than others.

Visibility is key to understanding your situation. When thinking about situational awareness in the context of alerting on points of concern, having the appropriate vision to spot risks and shore up holes is critical in today’s environment.

That means you need to be looking at the right view of your collected data and have proper protocols in place for analyzing and interpreting that data to inform sound decisions. Today I want to discuss these components as they relate to cybersecurity, particularly focusing on monitoring that will help you see incidents before they become problems.

Using the proper tools.

Some of you already have the tools in place for observing and detecting anomalies in your environment.

SIEM—many of you have a security information and event management tool already in place. These tools receive events from a variety of sensors, allowing your users to understand and detect chains of events that indicate attacks on the network. You will want to understand your SIEM configuration, as you probably want automated actions to run when a rule triggers on your network.

Firewalls—if you are using smart firewalls that contain intrusion-detection and intrusion-prevention systems (IDS and IPS, respectively), you have visibility into, and the ability to react to, what is moving across your network. This is extremely important today, since most attackers are moving sensitive information off the network to further exploit your organization or that of your clients.

SOAR—security orchestration, automation and response (SOAR) tools will offer you more capabilities than the SIEM alone. The SOAR should integrate reports from your security tools (event loggers, IDS/IPS, and firewalls) and automate production of metrics related to your security alerting. SOARs also allow for automated incident response and can in some instances help ensure that your technical policies are being met.

UEBA—user and entity behavioral analytics (UEBA) uses machine learning methods to interpret aggregated user-related behaviors on your network, focusing on anomalies. These tools typically rely on large training sets to help characterize what those anomalies are.
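The chain-of-events detection described under SIEM, and the alert metrics a SOAR produces from it, can be illustrated with a small correlation rule. The code below is an added example, not from any SIEM product or from the original post; the event format, the rule name and the sample events are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events: (timestamp, source IP, user, outcome).
# These are not real logs; they model a burst of failures followed by a success.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", "10.0.0.5", "alice", "failure"),
    ("2024-05-01T09:00:04", "10.0.0.5", "alice", "failure"),
    ("2024-05-01T09:00:07", "10.0.0.5", "alice", "failure"),
    ("2024-05-01T09:00:09", "10.0.0.5", "alice", "success"),
    ("2024-05-01T09:05:00", "10.0.0.9", "bob", "failure"),
    ("2024-05-01T09:30:00", "10.0.0.9", "bob", "success"),  # too late to correlate
]

def parse_event(raw):
    """Turn a raw tuple into a dict with a real datetime, as a SIEM normalizer would."""
    ts, src, user, outcome = raw
    return {"ts": datetime.fromisoformat(ts), "src": src, "user": user, "outcome": outcome}

def correlate_logins(events, threshold=3, window=timedelta(minutes=2)):
    """Chain rule: >= threshold failures for one (source, user) pair, then a success
    for that pair while those failures are still inside the sliding window."""
    recent_failures = defaultdict(deque)  # (src, user) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        q = recent_failures[key]
        while q and ev["ts"] - q[0] > window:  # expire failures outside the window
            q.popleft()
        if ev["outcome"] == "failure":
            q.append(ev["ts"])
        elif ev["outcome"] == "success" and len(q) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "src": ev["src"],
                           "user": ev["user"], "failures": len(q), "at": ev["ts"]})
            q.clear()  # one alert per chain, not one per later success
    return alerts

def alert_metrics(alerts):
    """Count alerts per rule, the kind of summary a SOAR reports to the team."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert["rule"]] += 1
    return dict(counts)

if __name__ == "__main__":
    found = correlate_logins([parse_event(e) for e in SAMPLE_EVENTS])
    print(found)
    print(alert_metrics(found))
```

Bob's single failure falls out of the window before his success, so only alice's chain produces an alert; tuning `threshold` and `window` is exactly the SIEM configuration work the text refers to.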

When you are thinking about cybersecurity situational awareness beyond simply tools, it’s a good idea to think about approaching the subject a bit more holistically. Most security experts advise to have some understanding of your network environment from a variety of perspectives:

Road-mapping your development—understand the architectural roadmap of where your technology and support are going. Assess where emerging technologies will help you and how to eliminate risks within your system.

Understand your policies and their effectiveness—leverage the policies and protocols that your team is (or should be) following to understand what your organization is doing well and pinpoint areas that need improvement. Realize that policies and procedures may not be the root of the problem. Discuss with your team(s) why specific policies are hard to follow and figure out ways to work together to make measures that are better and easier to comply with, keeping your data and network secure.

Understand the architectural design of your network—by understanding how something is built, you’ll have a better idea of how to fix or mitigate a risk when something comes up. This doesn’t necessarily mean relearning every technical component within your infrastructure; rather, understand why things are there, what they do and how they can be improved.

Understand your metrics—understand what you are analyzing. Metrics are useless if they aren’t actionable to the people in your company. Define clear security metrics that everyone can understand.

Train your team to understand the ‘why’—tell stories about how security goes off track and show the consequences in those stories to illustrate why security policies or procedures are a certain way. Make sure people on your team understand why they need to keep thinking about security on an ongoing basis.

One last note—effective situational awareness requires a wide scope of visibility into your organization’s activities and assets. This requires a variety of perspectives, ranging from policies and governance to documentation, workflows, and even business objectives. Giving yourself and your team a broad perspective on security will help establish a good balance for achieving business objectives within a security-centric environment.