Incomplete information is an obstacle to effective cybersecurity. For example, a security operations (SecOps) team gets an alert from a firewall but cannot easily tell whether it is harmless background noise or the first sign of a major incident. That is hard to know, especially early on, and missteps in either direction are costly: dismissing a real intrusion lets it spread, while chasing false positives drains analyst time.
Situational awareness offers a solution to this dilemma. Being situationally aware means having timely and accurate knowledge of multiple information streams related to a potential incident. It may involve coordination between security systems. Strong situational awareness helps the team avoid getting bogged down in false positives while remaining keenly aware of serious, but masked, threats. It enables the organization to be resilient in the face of cybersecurity threats.
Cybersecurity experts agree that cyber resilience is a top priority
A recent panel discussion of government security officials revealed how today’s leading cybersecurity professionals are responding to the cyber threat environment. The event brought together representatives from the Office of the Director of National Intelligence, the Transportation Security Administration and others.
Cyber resilience is perhaps their most important objective. In day-to-day life, resilience means being able to recover quickly from a setback like an injury. Panelists described cyber resilience as “using situational awareness to thwart an attack early or to quickly get back to normal following a breach.” The goal, according to the panel, is to “meet occurrences all along the cyber kill chain from detection of a threat to the eventuality of some sort of damage or loss of data.”
Resilience is holistic. It goes beyond the recovery time objective (RTO) defined in a service level agreement. RTOs are necessary and important, but each one is a narrow metric: it states how quickly a particular system must be restored after an outage, not whether the organization can detect, contain and withstand an attack.
Resilience reflects an entire organization's security posture: its ability to withstand an attack and recover from it or, better, to avoid it altogether. Being resilient means being aware of the big picture, which is to say situationally aware.
In this sense, situational awareness is both local and global. Cybersecurity managers need to be aware of their particular situation but also of the totality of the cyber threat landscape. This may require communicating with other organizations and sharing security information in a structured way.
SecOps teams need to have both local and global cybersecurity situational awareness.
How top federal government cybersecurity pros build situational awareness
Situational awareness has to be fast, as close to real time as possible. The panelists described how they achieve rapid response.
Wally Coggins, director of the Intelligence Community Security Coordination Center at the Office of the Director of National Intelligence, is tackling rapid response through situational awareness in three ways:
- He’s automating data flows between his security coordination center and those of other agencies. The goal is to provide information as quickly as possible to everyone regarding vulnerability management, endpoint security and security incidents.
- He’s bringing people together from different backgrounds and intelligence functions to focus on cybersecurity. For example, connecting counterintelligence and cybersecurity professionals in an analytical “cell” that collaborates to identify insider threats.
- He’s conducting cybersecurity exercises, including cyber “war games,” to improve security staff response times and capabilities.
The goal of these steps is to build a cyber defense capability that delivers resilience through cybersecurity situational awareness.
Security automation and orchestration (SAO) and cybersecurity situational awareness
Rapid response is an essential requirement for cyber resilience through situational awareness, and it depends on how security processes are orchestrated and automated. Incident response that relies too heavily on manual tasks impairs situational awareness: every hand-off adds delay, and context is lost between tools and people. That is the case for a solution like Security Automation and Orchestration (SAO).
Automation
All of the government officials on the panel use some sort of SAO tool. These solutions automate the traditionally slow, manual analyst tasks and incident response plans. The solutions can orchestrate security case management tasks across multiple systems, people and entities. They replace manual processes with machine-speed decision making.
Detection and analysis
An SAO solution streamlines threat detection and analysis. For example, it can be configured to react automatically to an alert from an intrusion detection system (IDS). On receiving the alert, the SAO solution can submit the alert details to a threat intelligence system for enrichment, open a ticket in a case management system such as Jira, and email the relevant stakeholders, all without waiting for an analyst to pick the alert up.
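As an added example (not code from this page or from Swimlane), the following Python playbook shows the workflow just described end to end: it normalizes a constructed IDS alert into a common schema, enriches the source address against a constructed threat-intelligence table, scores the result, and then either auto-closes the case, opens a ticket, or opens a ticket and notifies the on-call team. The ticket and notification back-ends are in-memory stand-ins passed in as functions; the scoring weights, the severity thresholds, the indicator data and the "crown jewel" host list are all assumptions. Every action is recorded on the case object, so the team can see what the automation did on its behalf.

```python
"""Added example: an SAO-style playbook for an IDS alert (constructed data).

The alert, the threat-intel table and the ticket/e-mail "systems" below are
stand-ins so the playbook runs offline; they are not Swimlane APIs.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed threat-intel table: indicator -> (verdict, confidence 0-100)
THREAT_INTEL = {
    "198.51.100.23": ("malicious", 90),   # assumed known C2 node
    "203.0.113.7": ("suspicious", 40),    # assumed recurring scanner
}
# Assumed high-value internal hosts (e.g. a domain controller)
CROWN_JEWELS = {"10.0.5.10"}
# RFC 1918 space, checked explicitly because ipaddress.is_private also
# treats documentation ranges such as 198.51.100.0/24 as private.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


@dataclass
class Case:
    alert_id: str
    severity: str
    score: int
    actions: list = field(default_factory=list)  # audit trail of playbook steps


def normalize(raw: dict) -> dict:
    """Map a vendor-style IDS alert (sid/msg/src/dst) onto a common schema."""
    return {
        "id": raw["sid"],
        "signature": raw["msg"],
        "src": raw["src"],
        "dst": raw["dst"],
        "src_external": not is_internal(raw["src"]),
        "dst_internal": is_internal(raw["dst"]),
    }


def enrich(alert: dict, intel: dict) -> dict:
    """Attach the threat-intel verdict and asset criticality to the alert."""
    verdict, confidence = intel.get(alert["src"], ("unknown", 0))
    return {**alert, "intel_verdict": verdict, "intel_confidence": confidence,
            "dst_critical": alert["dst"] in CROWN_JEWELS}


def triage_score(alert: dict) -> int:
    """Additive triage score; the weights are assumptions, not a standard."""
    s = alert["intel_confidence"]
    if alert["dst_critical"]:
        s += 30
    if alert["src_external"] and alert["dst_internal"]:
        s += 10
    return s


def severity_for(score: int) -> str:
    return "high" if score >= 80 else "medium" if score >= 40 else "low"


def run_playbook(raw_alert: dict, open_ticket, notify, intel: dict = THREAT_INTEL) -> Case:
    """Normalize -> enrich -> score -> act, recording each action on the case."""
    alert = enrich(normalize(raw_alert), intel)
    score = triage_score(alert)
    case = Case(alert["id"], severity_for(score), score)
    case.actions.append(("enriched", f"{alert['intel_verdict']}/{alert['intel_confidence']}"))
    if case.severity == "low":
        # A documented auto-close keeps analysts off the noise floor.
        case.actions.append(("auto_closed", "below triage threshold"))
        return case
    ticket = open_ticket(alert, case.severity)
    case.actions.append(("ticket_opened", ticket))
    if case.severity == "high":
        case.actions.append(("notified", notify(alert, ticket)))
    return case


# In-memory stand-ins for the case-management and e-mail integrations.
def fake_open_ticket(alert: dict, severity: str) -> str:
    return f"SEC-{alert['id']}"


def fake_notify(alert: dict, ticket: str) -> str:
    return f"soc-oncall notified about {ticket} ({alert['signature']})"


if __name__ == "__main__":
    sample = {"sid": "1001", "msg": "ET MALWARE CnC Beacon",
              "src": "198.51.100.23", "dst": "10.0.5.10"}  # constructed alert
    print(run_playbook(sample, fake_open_ticket, fake_notify))
```

Passing the ticket and notification functions in, rather than calling real integrations from inside the playbook, is what makes the logic testable: the same code runs against Jira and SMTP in production and against stand-ins in a test, and the `actions` list is the record the team reviews afterwards.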
Threat intelligence
Having greater threat intelligence improves cybersecurity situational awareness and resiliency against threats. As it automatically responds to alerts, the SAO solution keeps the security team informed about what it’s doing. In this way, it enables the team to be situationally aware and respond rapidly to threats. The solution can also execute broader tasks needed for situational awareness. These include comprehensive data gathering, standardization and workflow analysis. Some SAO solutions can “learn” to emulate security team practices for different threat responses. The tool captures the knowledge and best practices demonstrated by the security team. This capability leverages the team’s skillset and gives them more time to focus on complex issues rather than repetitive administrative work.
Logs and reports
SAO solutions generate logs of their activities. These logs can be subsequently analyzed and shared amongst teams and entities. With interpretations of logs and past case management histories, it is possible to improve aspects of security management that advance situational awareness, rapid response and resiliency.
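To show what "interpreting logs and past case histories" can mean in practice, here is an added Python example (not code from this page or from Swimlane) that mines a constructed case log. It computes, per detection signature, how many cases were closed as false positives and the mean time to resolve, then surfaces two lists: signatures that fire often and almost always turn out benign (candidates for tuning or suppression), and signatures whose real incidents take a long time to work (candidates for further automation). The log format, the signature names and the thresholds are assumptions.

```python
"""Added example: mine SAO case histories for tuning and automation targets.

CASE_LOG is a constructed audit log in the shape an SAO tool might export
(one record per closed case); it is not Swimlane output.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _mk(cid: str, sig: str, start_hour: int, minutes: int, disposition: str) -> dict:
    """Build one constructed case record opened on 2024-03-01 at start_hour."""
    opened = datetime(2024, 3, 1, start_hour, 0)
    return {"case": cid, "signature": sig, "opened": opened.isoformat(),
            "closed": (opened + timedelta(minutes=minutes)).isoformat(),
            "disposition": disposition}


CASE_LOG = [  # constructed sample, not real SOC data
    _mk("SEC-1", "ET SCAN Nmap", 8, 5, "false_positive"),
    _mk("SEC-2", "ET SCAN Nmap", 9, 4, "false_positive"),
    _mk("SEC-3", "ET SCAN Nmap", 10, 6, "false_positive"),
    _mk("SEC-4", "ET SCAN Nmap", 11, 5, "false_positive"),
    _mk("SEC-5", "ET MALWARE CnC Beacon", 8, 120, "true_positive"),
    _mk("SEC-6", "ET MALWARE CnC Beacon", 12, 150, "true_positive"),
    _mk("SEC-7", "ET MALWARE CnC Beacon", 15, 90, "true_positive"),
    _mk("SEC-8", "ET POLICY SSH Login", 9, 20, "false_positive"),
    _mk("SEC-9", "ET POLICY SSH Login", 14, 30, "true_positive"),
]


def signature_stats(cases):
    """Per-signature case count, false-positive closures and mean minutes to resolve."""
    acc = defaultdict(lambda: {"total": 0, "fp": 0, "minutes": []})
    for c in cases:
        s = acc[c["signature"]]
        s["total"] += 1
        if c["disposition"] == "false_positive":
            s["fp"] += 1
        ttr = datetime.fromisoformat(c["closed"]) - datetime.fromisoformat(c["opened"])
        s["minutes"].append(ttr.total_seconds() / 60)
    return {sig: {"total": s["total"], "fp": s["fp"],
                  "mean_ttr": sum(s["minutes"]) / len(s["minutes"])}
            for sig, s in acc.items()}


def tuning_candidates(cases, min_cases=3, fp_ratio=0.8):
    """Signatures that fire often and almost always close as false positives."""
    return sorted((sig, s["fp"] / s["total"])
                  for sig, s in signature_stats(cases).items()
                  if s["total"] >= min_cases and s["fp"] / s["total"] >= fp_ratio)


def slow_true_positives(cases, max_minutes=60):
    """Signatures with real incidents whose mean handling time (over all the
    signature's cases) exceeds max_minutes: where more automation pays off."""
    return sorted((sig, s["mean_ttr"])
                  for sig, s in signature_stats(cases).items()
                  if s["fp"] < s["total"] and s["mean_ttr"] > max_minutes)


if __name__ == "__main__":
    print("tune:", tuning_candidates(CASE_LOG))
    print("automate:", slow_true_positives(CASE_LOG))
```

The thresholds (`min_cases`, `fp_ratio`, `max_minutes`) are deliberately parameters: a signature with four false positives out of four is an obvious tuning target, but the same test with a looser ratio will also flag signatures that are merely noisy, so the team should review the output rather than suppress rules automatically.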
Improve cybersecurity situational awareness with Swimlane
Swimlane delivers security automation and orchestration to drive situational awareness and enrich the situational information presented to analysts. Easy to implement, use, manage and scale, it uses object-oriented methods that enable a security operations team to leverage the capabilities of their existing security solutions.
Are you interested in learning more about how security automation and orchestration can help your organization? Download our e-book – 8 Real-World Use Cases for Security Orchestration, Automation and Response.