Tech Insight: Getting The Big Picture On Your Security Situation

'Situational awareness' can make a dramatic difference in the efficiency of your incident response effort

January 16, 2009

A Special Analysis for Dark Reading

Bad economic times and budget cuts can lead good employees down the wrong path in trying to make ends meet. Combine this simple truth with a few targeted malware attacks and some smart, financially motivated attackers, and the critical need for enterprises to achieve true "situational awareness" for security becomes clear.

Situational awareness -- a term borrowed from the military -- means that security professionals, both managers and techies, have a keen understanding of their environments and the dependencies on them so they can fully assess the impact of a change or event. This includes human and technical resources, how they interact, the importance of each IT resource, the nature and value of the data that resides on each resource, and what threats they face.

Today's ever-changing technology creates new hurdles for security professionals in gaining this valuable awareness. For example, the nature of the environment is constantly altered by an increasingly mobile workforce bearing smartphones and laptops. Virtualization is an additional challenge because what was once one machine providing one or two services is now many virtual machines providing many more services. This makes the separation of logical and physical security domains cumbersome, if not downright impossible.

Obtaining full situational awareness is not an easy task, especially for large, geographically diverse organizations. But there are three steps, or processes, that can help security teams gain a better understanding of the environment they're protecting and prioritize the analysis of attacks and potential breaches:

The first step is having a thorough asset management system that can track all current versions of software, hardware, and other resources. While not glamorous, knowing where every IT resource is and what it's running can be critical during incident response. This is where a solution that includes a configuration management database (CMDB) and integrates into the software and inventory management life cycle can ease the pain of identifying which hosts are affected by an attack. Similar to having all packet data when analyzing IDS alerts, knowing what's running provides context to an attack and whether the system could have been exploited.

The second step is more obvious than the first: conducting a comprehensive risk assessment. Taking data from the first step, a thorough risk assessment of all assets needs to be conducted to understand what risks threaten the confidentiality, integrity, and availability of IT resources. Many times, an organization that performs a risk assessment will end up having to go back to Step 1 to figure out its assets and value before proceeding.

The final and most critical step is achieving full visibility throughout the enterprise network. It sounds easy -- until you consider such issues as remote sites on WAN links, mobile workers on VPNs, and virtual server farms. But visibility is even more important in complex environments, especially in virtualized environments where traffic regularly passes directly from virtual host to virtual host without ever traversing a physical network device. And once visibility is achieved, it needs to be leveraged to understand how hosts interact on the network with internal and external systems.

Providing visibility into networks is an area where network behavior analysis products, such as those from Lancope and Mazu Networks, can help. They collect network flow data exported directly from the switches and routers, providing analysis through direct packet capture. A large part of their value is the ability to create baselines for hosts within your network so that you can detect anomalous behaviors, such as abnormal bandwidth usage, new hosts on the network, and new services offered from hosts that aren't normally servers.

Even after the three steps are completed, situational awareness nirvana isn't necessarily guaranteed. Remember, each step is a process that must be continually refreshed as new hardware and software is purchased and upgraded. But the value gained from implementing each step will go directly toward helping security teams prioritize attack alerts and hone in on hosts that were running a certain software package, exposed to a particular threat, or affected by a correlated IDS event.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message