In cyber security, there's a lot going on at any given time: changing cyber threats, new vulnerabilities, more technology, additional detection algorithms, and even competing ideas about how to protect a network.
The good news is that there are some tried and true approaches to cyber security that are not only easy to understand, but proven to work. One of these approaches is cyber situational awareness.
What is cyber situational awareness?
The term situational awareness has its roots in the military, aviation, medical, and other fields. It describes and improves processes in environments where decisions and actions must be timely, accurate, and useful. Cyber situational awareness can be defined in a few ways; however, we prefer the simple definition:
- Know your systems
- Know the threats to your systems
- Know what to do in response to those threats
Why does cyber situational awareness matter?
Consider that you're asked to protect a very important "thing". You agree to it, but without any more information it is an impossible task. Are you protecting information? Bars of gold? A priceless painting? A house? Each item requires a different type of protection because the threat itself is different.
For example, protecting gold would probably mean stopping the average criminal from taking it. Protecting a priceless painting, however, might involve defences to thwart a far more sophisticated, organized and capable burglar. In contrast, protecting a house might mean designing it to avoid regional floods or seasonal high and low temperatures.
To protect something well, you need to understand what it is and what the most likely threats are. Otherwise, any protections you build must counter all threats and will, therefore, be too expensive, ineffective, or both.
Knowing your network is one of the most challenging aspects of cyber security. Naturally, most of a network is invisible and intangible. For example, you can't really "see" which vulnerable version of a network protocol the IoT device in the storage closet is running unless you have the right tools.
Protecting the network is the opposite of protecting a priceless piece of art in a museum. Unlike the physical world, you cannot easily spot all the entryways to your network’s information. This presents a challenge since, without insight into your network, you must defend against all types of threats, all the time, with equal priority. This is a costly, if not impossible, task.
How cyber situational awareness works
Knowing your network means knowing various elements, including:
- The number of systems you have
- The operating systems you use
- What other network-enabled devices you run
With this information, you can begin to categorize your most vital assets. For some companies, this is your customer database. For others, it's your employees' ability to operate. You can use this intel to determine the types of cyber attackers you need to care about most and how best to defend against these attacks.
Instead of worrying about all types of threats, all the time, against all possible types of technology, you can focus on the threats most likely to affect you and your environment specifically. This is not only more effective but cost-efficient too.
Example: Cyber situational awareness in action
It was reported that managed service providers (MSPs) running certain configurations of the Kaseya remote management software integrated with ConnectWise were being targeted.
The vulnerability allowed the attackers to leverage MSPs to install ransomware on the computers of the MSPs' customers. Without cyber situational awareness, most organizations would be aware that a problem exists but wouldn't have the tools or knowledge to respond.
Field Effect Covalence provides network and endpoint monitoring solutions to help develop the network knowledge and insight required to respond to these kinds of situations.
For our Covalence clients, we were able to quickly query deployed sensors to identify whether a client was using or might be using that vulnerable software. We informed those that were and provided specific steps to take in response:
- Know your systems: Is the network running Kaseya and/or managed by a third-party (MSP)?
- Know the threat to your systems: If yes, ransomware attackers are known to be leveraging vulnerabilities in Kaseya/ConnectWise to install malware.
- Know what to do in response to those threats: Confirm with administrators and/or your MSP if Kaseya and ConnectWise are being used on your network.
Instead of ignoring the threat completely or worrying about a threat that didn't affect them, our Covalence customers could focus on their business and not another cyber security concern.
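The three-step triage above, as an added example of how an asset inventory can be queried for the products a reported threat abuses (this is illustrative code, not Field Effect's Covalence tooling; the host inventory, the product-name substrings matched, and the response wording are constructed assumptions):

```python
# Added example: a minimal "know your systems / know the threat / know the response"
# check over a constructed asset inventory. Not Field Effect's Covalence code; the
# inventory, the product names matched, and the advisory text are assumptions.
from dataclasses import dataclass

@dataclass
class Host:
    name: str
    os: str
    software: list  # installed products, as an inventory tool would report them
    managed_by_msp: bool = False

# Constructed inventory standing in for what deployed sensors would report.
INVENTORY = [
    Host("fileserver-01", "Windows Server 2016", ["Kaseya VSA Agent", "SQL Server"], managed_by_msp=True),
    Host("workstation-07", "Windows 10", ["ConnectWise Control", "Office"], managed_by_msp=True),
    Host("build-02", "Ubuntu 20.04", ["docker", "jenkins"]),
]

# Know the threat: the products the reported campaign abused, keyed by a label.
# A threat record maps product-name substrings to the response step to take.
THREATS = {
    "msp-ransomware-via-kaseya-connectwise": {
        "products": ("kaseya", "connectwise"),
        "response": "Confirm with administrators and/or your MSP whether Kaseya and "
                    "ConnectWise are in use; if so, follow vendor guidance and monitor those hosts.",
    },
}

def exposed_hosts(inventory, products):
    """Return hosts running any product whose name contains one of `products` (case-insensitive)."""
    wanted = tuple(p.lower() for p in products)
    return [h for h in inventory if any(w in s.lower() for s in h.software for w in wanted)]

def triage(inventory, threats):
    """Know what to do: map each threat to the hosts it affects and the response step."""
    report = {}
    for label, threat in threats.items():
        hits = exposed_hosts(inventory, threat["products"])
        report[label] = {
            "affected": [h.name for h in hits],
            "msp_managed": [h.name for h in hits if h.managed_by_msp],
            "response": threat["response"] if hits else "Not applicable: no affected hosts in inventory.",
        }
    return report

if __name__ == "__main__":
    for label, result in triage(INVENTORY, THREATS).items():
        print(label, result)
```

A threat with no matching hosts is reported as not applicable, which is the case that lets an organization stop worrying about a threat that does not affect it.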