Situational Awareness: A Must
A successful security program doesn't always require large financial and staff resources; rather, it needs individuals to have situational awareness. That statement refers to the capability to maintain a constant vigil over important information (web proxy logs, database access logs, fraud detection tools) to understand the relationships among the various pieces of information monitored, and then to project this understanding into the near future to make critical decisions.
The role of the IT security professional today is expanding from mere analysis of firewall and anti-virus output to analysis of custom and packaged mission-critical applications, advanced logs and real-time data streams, and to investigation of security events such as fraud or data loss that significantly impact the business. Therefore, professionals today are required to quickly detect and understand relationships and patterns within information and data so that decision-makers receive accurate, timely and reliable information for an effective response.
They need to understand the dynamics of their environment, gather metrics to know whether their controls are working, and then have the time to perform tool gap analysis to determine if a new technology or tool suite would fit better in their environment.
This calls for complete situational awareness across technology silos, enabling the detection of complex information and data patterns to shorten response times within organizations.
For instance, in my prior role as a CISO for one of the top 10 busiest airports in the nation, I encountered an incident when the facility's wireless and internet connections went down, causing flight delays and loss of flight information to passengers via flight monitors. This issue became critical, as monitors were not updating the changed flight information and status, keeping the passengers totally oblivious to the whole situation.
The security team, notified by proactive monitoring, had an immediate understanding of the situation and its cause and effects. Without wasting time, we immediately had all logs correlated, traffic patterns and flows analyzed, customers notified and updated, and worked with all other affected parties in a team atmosphere to resolve the problem, including sending paper flight information out to locations to update passengers every 10 minutes.
Without that situational awareness of the cause and effects of such an incident, flight schedules would have been affected so much more, passengers would have been frustrated by delays, misinformation and missed connections -- the entire national flight pattern would have been thrown off.
A leader, therefore, must cultivate a strong security program built on situational awareness that includes:
- Being aware of effective vendor products -- like FireEye, Netwitness, Q1 Labs and Nagios -- that can help with data analysis, fraud detection and incident response capabilities, interfacing with a central management system.
- Enabling the leader and his team to act proactively and integrate real-time information from security systems, databases and applications, to quickly detect and understand relationships and patterns within the data to help enforce critical decisions such as: Is this a security incident? How many resources or what resources should be involved? And are there other parties that should be concerned such as public relations or legal?
- Understanding the meaning that security professionals assign to situations and how they deal with information to support critical thinking and decision making within organizations. For example, as information security professionals, a lot of what we do revolves around the concept of an incident. Most of my time as a leader is spent dealing with staffers who are trying to prevent an incident or analyze an unusual occurrence, like a suspicious traffic pattern, that may cause harm. Without being aware of what is going on in the environment, it is hard for us to respond to an event or occurrence. We need to know: What is the root cause of the issue? Why is it happening? How did it take place? How can we prevent it from recurring? What controls are not working? What next steps should we follow? As professionals we need to start looking for patterns and system behaviors, and acquire the necessary tools to know how best to respond to a situation with all our coordinated efforts.
Whether we realize it or not, the best information security professionals are situationally aware and attuned to what is happening to them and their environment. All we need is the mindset to do what it takes to work effectively in our roles and to actively pursue situational knowledge to advance our careers.
Share with me your thoughts. How do you stay alert for change within your environment?
Seth Kulakow is the former State of Colorado Chief Information Security Officer for the Governor's Office of Information Technology. He was responsible for enterprise-wide cyber security governance and management for the State. Prior to joining the Governor's Office of Information Technology, he was the Information Security Officer for Denver International Airport (DIA), ranked the 4th busiest airport in the nation and the 10th busiest in the world.