Cyber Security Situational Awareness

6 11 2011

by Sam Merrell

Ensuring that you are maintaining a secure operating environment requires not only that you develop effective strategies to protect and sustain your assets and services, but also that you actively monitor your environment for threats and vulnerabilities that may affect your infrastructure. After studying fighter pilot behavior, military strategist and renowned combat pilot instructor Col. John R. Boyd worked to understand the analysis and decision-making that occurred within a pilot’s mind during combat operations. He named this process the “OODA Loop”[1], which describes the continuous cycle of observation, orientation, decision, and action that must occur in order to keep abreast of dynamic conditions. This process occurs outside of the cockpit as well; in fact, it exists wherever information must be rapidly absorbed, evaluated, and acted on. People employ OODA Loops on a daily basis while driving, speaking, and engaging in many other activities. Strategic Forecasting, Inc. (STRATFOR), a global intelligence company, describes the “process of recognizing a threat at an early stage and taking measures to avoid it”[2] as situational awareness. The U.S. Coast Guard defines situational awareness as “the ability to identify, process, and comprehend the critical elements of information about what is happening to the team with regards to the mission. More simply, it’s knowing what is going on around you.”[3]

Situational awareness is an essential skill for the cyber security manager. To establish and maintain situational awareness, the manager must perform key activities that follow the OODA Loop:

Observe – Observing means that the cyber security manager deploys monitors that filter information. Technologically, these monitors might be tools such as intrusion detection systems, log event monitors, and other notification systems. Administratively, managers might seek cyber security information from outside the organization, from well-known resources such as the SANS® Internet Storm Center[4], US-CERT[5], InfraGard[6], software vendors, or numerous other resources.

Orient – In cyber security management, orientation is what happens when the enterprise analyzes the information once it has been received. This requires efficient and effective communication about what is learned, ensuring that all relevant stakeholders have the same information, which is known as maintaining a common operating picture[7].

Decide – The decision of what (if any) action to take based on the information analyzed must meet enterprise objectives and be accompanied by a risk analysis[8] that incorporates a number of key considerations, including:

  • How might this information be used against my organization?
  • What is the worst possible outcome if it were to be used against my organization?
  • What are the available options that I have to respond to this information?  What are the costs and benefits of these options?

Act – Acting on information means implementing the decision that was reached through analysis. It may be a good idea for organizations to have pre-defined actions that align with particular scenarios. For example, when notified of a new piece of malware that threatens the infrastructure, an organization may identify actions that will reduce its attack surface[9]. These actions might include making changes to firewall rules, patching software, or temporarily stopping planned changes to the infrastructure pending additional analysis. The range of potential actions is vast and is likely unique to the individual organization.
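The four steps above can be read as a single pipeline. The following Python program is an added example, not code from the original post or from any of the organizations it cites. It runs the loop once over constructed intrusion-detection alert lines: Observe parses the monitor output, Orient enriches it with a constructed external threat feed and aggregates it into a per-host common operating picture, Decide applies a simple risk score against enterprise-chosen thresholds, and Act looks up a pre-defined playbook entry. The alert format, indicator values, thresholds and playbook text are all hypothetical.

```python
"""Added example (not part of the original post): one pass of an OODA loop
for a security operations team, run over constructed IDS alert lines.

Observe  - parse alert lines from a monitor (constructed IDS text below)
Orient   - enrich with an external threat feed; aggregate per host into a
           common operating picture shared by all stakeholders
Decide   - score risk against thresholds the enterprise agreed on
Act      - map the decision to a pre-defined playbook action

The log layout, indicators, thresholds and playbook are hypothetical and
constructed for illustration; they are not any vendor's format.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed alert lines: "<time> <sensor> host=<h> sig=<rule> src=<ip> sev=<n>"
IDS_ALERTS = """\
2011-11-06T09:01:12Z ids01 host=web-1 sig=ET_MALWARE_Beacon src=198.51.100.7 sev=3
2011-11-06T09:02:40Z ids01 host=web-1 sig=ET_SCAN_PortSweep src=198.51.100.7 sev=1
2011-11-06T09:03:05Z ids02 host=db-1 sig=ET_POLICY_SSH_Login src=203.0.113.9 sev=1
2011-11-06T09:05:51Z ids01 host=web-1 sig=ET_MALWARE_Beacon src=198.51.100.7 sev=3
"""

# Constructed external feed, standing in for an ISC / US-CERT style bulletin:
# indicator -> short description.
THREAT_FEED = {"198.51.100.7": "reported command-and-control address (constructed)"}

# Pre-defined playbook: scenario -> the action the organization agreed on in advance.
PLAYBOOK = {
    "active_malware": "block source at perimeter firewall; isolate host; open incident",
    "suspicious": "raise monitoring on host; notify owner; review within 24h",
    "baseline": "log only",
}

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sensor>\S+) host=(?P<host>\S+) sig=(?P<sig>\S+) "
    r"src=(?P<src>\S+) sev=(?P<sev>\d)$"
)


def observe(raw: str) -> list[dict]:
    """Observe: turn monitor output into structured events; unparseable lines are dropped."""
    events = []
    for line in raw.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["sev"] = int(ev["sev"])
            events.append(ev)
    return events


def orient(events: list[dict], feed: dict[str, str]) -> dict[str, dict]:
    """Orient: enrich with the external feed and build the per-host common operating picture."""
    picture: dict[str, dict] = defaultdict(
        lambda: {"alerts": 0, "max_sev": 0, "known_bad_src": set(), "sigs": set()}
    )
    for ev in events:
        host = picture[ev["host"]]
        host["alerts"] += 1
        host["max_sev"] = max(host["max_sev"], ev["sev"])
        host["sigs"].add(ev["sig"])
        if ev["src"] in feed:  # corroborated by outside intelligence
            host["known_bad_src"].add(ev["src"])
    return dict(picture)


def decide(host_view: dict) -> str:
    """Decide: a deliberately simple risk score; the thresholds are the enterprise's policy."""
    score = host_view["max_sev"] * host_view["alerts"]
    if host_view["known_bad_src"]:
        score *= 2  # internal observation confirmed by an external source weighs more
    if score >= 12:
        return "active_malware"
    if score >= 3:
        return "suspicious"
    return "baseline"


def act(scenario: str) -> str:
    """Act: look up the pre-agreed action; an unknown scenario goes to a human."""
    return PLAYBOOK.get(scenario, "escalate to security manager for manual decision")


def run_ooda_loop(raw: str, feed: dict[str, str]) -> dict[str, tuple[str, str]]:
    """One pass of the loop: host -> (decision, action)."""
    picture = orient(observe(raw), feed)
    result = {}
    for host, view in picture.items():
        scenario = decide(view)
        result[host] = (scenario, act(scenario))
    return result


if __name__ == "__main__":
    for host, (scenario, action) in run_ooda_loop(IDS_ALERTS, THREAT_FEED).items():
        print(f"{host}: {scenario} -> {action}")
```

With the constructed input, web-1 is scored as active malware because repeated high-severity alerts are corroborated by the external feed, while db-1 stays at baseline. The point of the structure is that each step has a separate, reviewable output: the parsed events, the shared picture, the decision and the action can each be inspected, and a decision the playbook does not cover falls back to manual review rather than to silence.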

Cyber security situational awareness is an organizational capability that needs to be cultivated and maintained.  It is useful for an organization to develop strategies for how it learns about cyber security information and effectively communicates it across the enterprise to ensure that decision-makers keep a common operating picture.  By planning for adverse operating conditions, an organization will be prepared to rapidly and effectively reduce its attack surface and promote operational continuity.
