Are You Aware of Your Cyber Situation?
The original article can be found at https://www.csoonline.com/article/3201972/security/are-you-aware-of-your-cyber-situation.html
As human beings, we are constantly looking for information to help improve situations. If we live or work in a crowded city, for example, we want to know which routes are best to avoid getting stuck in traffic. When we enter a restaurant or movie theater we look for the exits. This behavior is known as situational awareness, and it’s second nature to most of us.
But while such behavior often occurs in our everyday lives, it does not seem to carry over into digital environments. We often click on things we shouldn’t, open files we don’t recognize, and connect devices to networks we are unfamiliar with. Many IT teams can’t even tell you what devices or applications are on your network or outline the current topology of the network, let alone identify external threat actors. They lack cyber situational awareness.
What is Situational Awareness?
The US Army defines situational awareness as, “Knowledge and understanding of the current situation which promotes timely, relevant, and accurate assessment of friendly, enemy, and other operations within the battle space in order to facilitate decision making.”
Basically, it’s about getting the right information in enough time to allow you to make good, educated decisions. Now, if we apply that same idea to cybersecurity, it can be very simply stated as:
“At any point in time, I understand my Priorities, Risks, and Threats”
This means having the right information at your fingertips, pulled from the volumes of information your networks generate, to help you make better decisions about your current set of risks and threats.
Situational Awareness starts at the top
Your CISO and team of security professionals are constantly dealing with a variety of challenges, such as meeting compliance regulations, tracking increases in threat volume and sophistication, understanding the growing market of vendor solutions, and managing limited budgets.
But they must also be more than technologists and risk managers. Security has business ramifications, so your team must be able to frame the issues they are dealing with within short and long-term business objectives, have clear line-of-sight across the organization and technologies, and be able to establish policy and governance for everyone who touches your data.
Cybersecurity and situational awareness also need to cross all levels of the organization, from the CEO and CFO on down. Each business or functional leader must be mandated to embed security into the core processes, business strategies, and initiatives that they own. Every leader must also have a role in understanding and assigning risk and assuming the weight of consequences.
To address these challenges, everyone needs to have a focus on organizational priorities, risks, and threats. Establishing cyber situational awareness as a core business value helps provide that focus.
How do you achieve cyber situational awareness?
To achieve cyber situational awareness, business leaders need to understand four key things:
Business Mission & Goals – What’s most important, now and into the future, for organizational success?
Cyber Assets – What are our most critical assets and resources, and which of them are within my scope to protect?
Network Infrastructure – What does my network look like? Where is my data? What applications are running? And who has access to critical resources?
Cyber Threats – What external cyber threat actors are motivated to steal the data within my network? What are the most likely vectors they will use to achieve their objectives?
Let’s walk through each of these in a bit more detail.
1. Business Mission and Goals
The primary objective is to understand your business mission, and then tie it to the processes and resources required to enable that mission. As you learn about and document these processes, you will begin to understand the type of data your company uses and generates, and how much the processes that use this data overlap with those of other teams. You will then need to prioritize data and systems, determine which have regulations tied to them, and compare your priorities with those teams that share these resources.
2. Cyber Assets
I used to do internal penetration testing, and the way we typically broke into an organization was by exploiting an asset the company didn’t even know existed and that had not been patched in ages. We would usually exploit a publicly known vulnerability that would allow us to obtain the admin password to the device, and then we would own the network. This wasn’t an anomaly.
Which is why it’s very important to understand and catalog all the assets on your network, along with any vulnerabilities they may have. You will also need to know their profiles, such as: What OS and which version is installed? What applications reside on those devices, and what data do they hold?
Once you have a good idea of the devices you own, you need to ensure they are securely configured and patched. Remember, the vast majority of exploits target publicly known vulnerabilities that are five or more years old. Next, you need to prioritize all your critical vulnerabilities, which is why knowing your network infrastructure, including your topology and where and how your data flows, is critically important.
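One way to act on this section's point (catalog every asset, flag the ones you did not know about or have not patched, and rank them by the data they hold), as an added Python example that is not from the article: it reconciles a constructed asset register against constructed scan results. INVENTORY, SCAN, the placeholder vulnerability ids and the scoring weights are all assumptions made for the example.

```python
"""Reconcile discovered hosts against the asset register and rank the gaps."""
from datetime import date

AS_OF = date(2017, 6, 1)  # constructed assessment date

# Constructed asset register: what the organization believes it owns.
# data_criticality: 3 = regulated or critical data, 1 = low value.
INVENTORY = {
    "10.0.1.10": {"owner": "finance", "data_criticality": 3},
    "10.0.1.11": {"owner": "marketing", "data_criticality": 1},
}

# Constructed scan results: what is actually answering on the network.
# Vulnerability ids are placeholders, not real CVE numbers.
SCAN = [
    {"ip": "10.0.1.10", "os": "Linux 4.x", "last_patched": date(2017, 3, 1),
     "vulns": [{"id": "PLACEHOLDER-1", "disclosed": 2016, "severity": 9.8}]},
    {"ip": "10.0.1.11", "os": "Windows 10", "last_patched": date(2017, 5, 15),
     "vulns": []},
    {"ip": "10.0.1.50", "os": "embedded", "last_patched": None,
     "vulns": [{"id": "PLACEHOLDER-2", "disclosed": 2011, "severity": 10.0}]},
]

def assess(inventory, scan, today, stale_days=180, old_years=5):
    """Return one finding per scanned host, highest risk score first.

    The score is a constructed heuristic: worst severity weighted by the data
    criticality of the host, plus penalties for hosts missing from the register,
    hosts not patched within stale_days, and vulnerabilities public for years.
    """
    findings = []
    for host in scan:
        record = inventory.get(host["ip"])
        unknown = record is None
        # Nobody registered this host, so nobody can vouch for its data: assume medium.
        crit = record["data_criticality"] if record else 2
        patched = host["last_patched"]
        stale = patched is None or (today - patched).days > stale_days
        old = [v["id"] for v in host["vulns"] if today.year - v["disclosed"] >= old_years]
        worst = max((v["severity"] for v in host["vulns"]), default=0.0)
        score = worst * crit + (10 if unknown else 0) + (5 if stale else 0) + 3 * len(old)
        findings.append({"ip": host["ip"], "unknown": unknown, "stale": stale,
                         "old_vulns": old, "score": round(score, 1)})
    return sorted(findings, key=lambda f: f["score"], reverse=True)

def run_sample():
    """Assess the constructed sample data as of AS_OF."""
    return assess(INVENTORY, SCAN, AS_OF)
```

The unregistered, never-patched host with a years-old vulnerability ranks first, ahead of the registered finance server with a newer high-severity issue.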
3. Network Infrastructure
All devices are connected, which means we need to understand how they are connected, and to what. The biggest reason you need to know your topology is that cybercriminals are already spending time and resources mapping it so they can exploit the vulnerabilities in your systems. Understanding how and where devices are connected, and what data flows through them and by which paths, will determine where your risks are, what policies need to be created, and what countermeasures you need to have in place.
You also need to document the various attack paths and threat vectors to your data. Do you have the proper security sensors placed in the right locations of your network to identify possible attack attempts against critical data? Ask, if you wanted to get in, how would you do it? Vulnerable devices? Email? Web servers? Make sure you address this question as you build out and segment your network.
4. Cyber Threats
Finally, you need to understand the threat actors that are targeting your organization. What are their capabilities? What are their tactics? What resources are most valuable to them? Threat actors can include:
- Government Sponsored Cyberespionage
- Organized Crime
- Insider Threats
- Opportunistic Hackers
- Internal User Error
Knowing is half the battle. It will help you engineer as much risk and vulnerability out of your network as possible. It will also help you select those solutions that are most appropriate to protecting your unique environment. Just remember, to be the most effective, the security technologies you choose ought to be able to interact with your other enforcement points. This means developing holistic architectures and selecting open solutions that allow devices to interact, share intelligence, and respond to threats in a coordinated fashion anywhere across your extended network.