Skip to content

Situational Awareness, Inside-the-Beltway Style

February 24, 2011

On Tuesday and Wednesday of this week, eIQ took some time to attend the AFCEA DHS conference in D.C. at the Ronald Reagan International Trade Center in Washington D.C.  AFCEA, for those who don’t know, is a professional association catering to the federal space (including the DoD, civilian, and Intel communities).  This particular event featured (among several speakers) Gen. Keith Alexander, head of U.S. Cybercommand.  General Alexander is no stranger to the concept of situational awareness as it applies to information security; indeed, his succinct definition of situational awareness perfectly aligns with SecureVue’s design philosophy on the subject.  During the event, Gen. Alexander again reiterated the value and importance of three key properties of situational awareness:

1. Having access to all the data, in real time (or darn close to it);

2. Knowing how it all relates to each other, and;

3. Visualizing these relationships in a way that allows people to make the right decisions.

The AFCEA show was rife with all kinds of vendors wrapping two taglines around their products: “Wikileaks”, and “situational awareness”.  Of course, we at eIQ chuckled a bit at seeing vendors’ marketing machines in action: every vendor selling point products — from encryption tools, to e-mail non-repudiation tools, to SIEMs – was trying to convince federal technologists that their individual point products somehow qualified them as “situational awareness” platforms.  The good news (for us; bad news, of course, for point product vendors) is that very few people were buying it.  All of this made me realize a few key things:

– Buyers are smart, and they’re getting smarter. Information security is now well past the “drop an appliance on the network, and we’re safe” phase, just as security compliance reporting via a “check-box” mentality is also a thing of the past.  Information security and compliance professionals know that they need individual point products, but they also know that these products are only part of a larger puzzle — and that puzzle can only be pieced together by taking the data from these individual tools and bringing it together into a single, cohesive, database of normalized and categorized data elements.

– The days of signature-based detection are over. While that’s not to say that you don’t still need an IDS/IPS, or anti-virus software, the fact is that advanced persistent threats (APTs), insider threats, and other complex threats are increasing in frequency.  These threats utilize multiple attack vectors that cannot be encapsulated in a single signature or definition file.  Detecting them requires visibility and correlation across many different types of security data: events, network traffic (NetFlow, SPI and/or DPI), known vulnerabilities, asset and configuration changes, file integrity, and even performance metrics.

– The definition of “situational awareness” is in flux. Although I poke gentle fun at vendors who attempt to repurpose their point products as real situational awareness solutions, the fact is, there is more than one way to skin the proverbial cat.  The very definition of situational awareness will change over time, based on multiple factors: the types of data required to solve problems; advances in technology that allow more real-time analysis; the changing regulatory landscape (such as NIST 800-137); and other factors.  For that reason, situational awareness needs to be delivered as a flexible platform, rather than a fixed-purpose product — and this is why vendors who are trying to fit their square product into the round hole of situational awareness are going to encounter EPIC FAIL.

Credit: ImageShack


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: