18.02.2019 What is Cyber Situational Awareness?

by Andrew Loschmann

What is it and why does it matter to you?

In cyber security there is a lot going on these days: changing threats, new vulnerabilities, more technology, additional detection algorithms, and even competing ideas about how to protect a network. The good news is that sound and consistent approaches to implementing cyber security have emerged that are easy to understand, and they work. One of these is “Cyber Situational Awareness”. The term “Situational Awareness” has its roots in the military, aviation, medical and other fields, where it is used to describe and improve processes in environments where decisions and actions must be timely, accurate and useful. Cyber Situational Awareness can be defined in a few ways; Field Effect uses a simple definition:

  • Know your systems
  • Know the threats to your systems
  • Know what to do in response to those threats

Why do we care about these things when it comes to defending your network?

Consider for a moment that you are asked to protect a very important “thing”. You might agree to do it, but without any more information it is an impossible task. Are you protecting information? Bars of gold? A priceless painting? A house? Each item requires a different type of protection because the threat is different. For example, protecting gold would probably mean stopping the average criminal from taking it; protecting a priceless painting might involve defenses to thwart a far more sophisticated, organized and capable burglar. In contrast, protecting a house might mean designing it to withstand regional floods or seasonal high and low temperatures. In brief, to protect something you need to understand what it is and what the most likely threats are. Otherwise, any protections you build must counter all threats and will, therefore, be too expensive, ineffective, or both.

“Knowing your network” is one of the most challenging aspects of cyber security: by virtue of its technological nature, most of a network is invisible and intangible. For example, without additional tools you can’t “see” which vulnerable version of a network protocol the IoT device in the storage closet is running. It is the opposite of protecting a priceless piece of art in a museum: unlike the physical world, you cannot easily spot all the entryways to your network’s information. This presents a challenge since, without insight into your network, you are forced to defend against all types of threat, all the time, with equal priority. A costly, if not impossible, task.

How Cyber Situational Awareness works for you

Given enough knowledge of your network, which includes information like the number of systems you have, the operating systems they are running, and what other network-enabled devices you might have, you can begin to categorize your most important assets (like your customer database, or simply your employees’ ability to operate). Armed with this information, you can develop an understanding of the types of attackers you might face (ransomware attackers, for example) and how best to defend against them (ransomware attackers often use distinct and identifiable ways of infecting their victims).

What this all means is that instead of worrying about all types of threats, all the time, against all possible types of technology, you can focus on the threats most likely to affect you and your environment. This is not only more effective, it is also more cost efficient.

An example of Cyber Situational Awareness in action

In mid-February 2019, it was reported that managed service providers (MSPs) using certain configurations of the remote management software “Kaseya”, integrated with “ConnectWise”, were being targeted. The vulnerability allowed the attackers to leverage MSPs to install ransomware on the computers of the MSPs’ customers.

Without the capacity to develop cyber situational awareness, most organizations are forced to treat these kinds of news stories as “elevated fear”: an awareness that a problem exists, but without the tools or knowledge to respond.

Field Effect’s Covalence provides network and endpoint monitoring solutions to help develop the network knowledge and insight required to respond to these kinds of stories. For our clients using the Covalence service, we were able to quickly query deployed sensors to identify whether a given network (client) was using, or might be using, some of the vulnerable software. For those customers that were (and only those customers), we issued a notice about the vulnerability and specific steps to take in response:

Know your systems: Is the network running Kaseya and/or potentially managed by a third party (MSP)?

Know the threat to your systems: If so, ransomware attackers are known to be currently leveraging vulnerabilities in Kaseya/ConnectWise to install malware.

Know what to do in response to those threats: Validate with administrators and/or your MSP to confirm whether Kaseya and ConnectWise are being used on your network. Additional information to determine if you are vulnerable is available in this article.
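The three-step loop above, written out as a small triage routine: it joins a sensor-derived asset inventory against an advisory and produces a notice only for the clients that are, or might be, exposed. This is an added illustration, not Field Effect’s Covalence code; the client names, observed software and advisory fields are constructed sample data, and the "possible" status covers the case the post mentions, where an MSP administers the network and its tooling is not visible to the client's own sensors.

```python
from dataclasses import dataclass

@dataclass
class Client:
    name: str
    software: set[str]    # products observed by sensors on the client network
    msp_managed: bool     # a third party (MSP) administers the network

# Constructed advisory built from the products named in the February 2019 reports.
ADVISORY = {
    "id": "CVE-2017-18362",
    "products": {"kaseya vsa", "connectwise manageditsync"},
    "threat": "ransomware actors are leveraging the Kaseya/ConnectWise integration",
}

def exposure(client: Client, advisory: dict) -> str:
    """'exposed' if an affected product is observed, 'possible' if an MSP manages
    the network (its tooling may be invisible to local sensors), else 'not_exposed'."""
    observed = {s.lower() for s in client.software}
    if observed & advisory["products"]:
        return "exposed"
    return "possible" if client.msp_managed else "not_exposed"

def triage(clients: list[Client], advisory: dict) -> dict[str, str]:
    """Return a know/know/do notice per client that needs one; the rest hear nothing,
    so the advisory does not turn into 'elevated fear' for unaffected networks."""
    notices = {}
    for c in clients:
        status = exposure(c, advisory)
        if status == "not_exposed":
            continue
        seen = sorted(s for s in c.software if s.lower() in advisory["products"])
        systems = ("running " + ", ".join(seen)) if seen else \
            "managed by an MSP; affected software not observed locally"
        notices[c.name] = (
            f"Know your systems: {systems}\n"
            f"Know the threat: {advisory['id']}: {advisory['threat']}\n"
            "Know what to do: confirm with administrators/your MSP whether "
            "Kaseya and ConnectWise are in use"
        )
    return notices

if __name__ == "__main__":
    sample = [  # constructed inventory
        Client("alpha-law", {"Kaseya VSA", "Office 365"}, msp_managed=True),
        Client("beta-dental", {"Windows 10"}, msp_managed=True),
        Client("gamma-shop", {"Windows 10", "QuickBooks"}, msp_managed=False),
    ]
    for name, text in triage(sample, ADVISORY).items():
        print(name, text, sep="\n", end="\n\n")
```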

So instead of ignoring the threat altogether, or spending time worrying about a threat that only affected certain networks, our Covalence customers are able to focus on the important part of their day: their business, rather than another concerning cyber security story.

Related Articles:

  • Ransomware Attacks Target MSPs to Mass-Infect Customers
  • CVE-2017-18362: Arbitrary SQL Execution in ManagedITSync Integration
