
SIEM or Situational Awareness: crash avoidance or crash investigation!

October 6, 2011

You’re piloting a 747 cruising at 35,000ft and travelling at 555 mph. Suddenly your TCAS [traffic collision avoidance system] warns you that you’re on a collision course with another aircraft.

There are two questions you need to answer, and quickly:

1. Where [exactly] is the threat coming from?

2. What action should you take, immediately, to avoid a collision?

In the early days of flight, all pilots had to rely on was radar. Radar provides what the security industry calls ‘event data’: it tells you the current position and heading of the other plane. Flying with radar alone, pilots relied in part on their instincts and on their own ability to make a call on what action to take in an emergency. Even with enough information to act, they were also betting that the pilot of the other jet wouldn’t take an action that put them right back on a collision course!

Radar [and navigational beacons] worked in the early days of aviation when the skies were less busy, aircraft cruising speeds were slower and pilots were trained in fly-by-sight systems and processes. In today’s congested skies they simply don’t provide a pilot with enough information to safely get from point A to point B. It’s a useful tool, but insufficient as a standalone.

If you’re piloting either one of the planes on a collision course, event data won’t help you answer either of those two critical questions in time to avoid a disaster. What you really need is ‘state’ data. State data tells a pilot not only the position of the other aircraft, but how fast it is moving; it won’t just tell you the altitude, it will tell you whether it is ascending or descending and how quickly. It will give you a specific heading – it’s not just ‘on your left’, but that the other plane is advancing from ‘the pilot’s seven o’clock position’.

By correlating event and state data, a TCAS system will tell a pilot specifically what he needs to do – and immediately. He’ll know that he needs to climb or descend [and how rapidly], that he needs to turn the plane immediately right by forty-five degrees and that he needs to hold a new altitude and heading for a specific period of time in order to avoid a collision. We call this actionable intelligence.

Now translate this analogy to your network. SIEM provides log and event data, but not state information. As a result, you’re only ever getting a small piece of the picture about your security posture. It can tell you that you’re under attack, but it can’t tell you specifically where from, where an attack is heading, or how quickly it’s moving. As a result, it can’t tell you what you should do to repel an attack and minimize the damage.
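To make the “event plus state” point concrete, here is a small added Python illustration (not code from the original post): it joins constructed SIEM-style events with a constructed asset inventory to answer where an attack came from, where it is heading, how fast it is moving, and what to do first. The event fields, state fields and ranking rules are all assumptions for the example.

```python
from datetime import datetime

# Constructed SIEM-style events (assumption: already normalised, ISO-8601 timestamps).
EVENTS = [
    {"ts": "2011-10-06T09:00:00", "src": "203.0.113.7", "dst": "web01", "type": "auth_fail"},
    {"ts": "2011-10-06T09:00:20", "src": "203.0.113.7", "dst": "web01", "type": "auth_fail"},
    {"ts": "2011-10-06T09:01:00", "src": "203.0.113.7", "dst": "web01", "type": "auth_success"},
    {"ts": "2011-10-06T09:02:00", "src": "web01", "dst": "db01", "type": "auth_fail"},
    {"ts": "2011-10-06T09:02:30", "src": "web01", "dst": "fileshare01", "type": "auth_fail"},
]

# Constructed asset state: the part a log-only view lacks (zone, criticality, patch level).
STATE = {
    "web01": {"zone": "dmz", "criticality": 2, "patched": False},
    "db01": {"zone": "internal", "criticality": 5, "patched": True},
    "fileshare01": {"zone": "internal", "criticality": 3, "patched": False},
}


def _t(ev):
    return datetime.fromisoformat(ev["ts"])


def assess(events, state):
    """Correlate events with asset state: where from, where heading, how fast, what to do."""
    events = sorted(events, key=_t)
    # "Where from": any source that is not in our inventory is treated as external.
    external = {e["src"] for e in events if e["src"] not in state}
    # A successful authentication marks the destination as (presumed) compromised.
    compromised = {e["dst"] for e in events if e["type"] == "auth_success"}
    # "Where heading": activity launched from a compromised host, and the zones it reaches.
    pivots = [e for e in events if e["src"] in compromised]
    heading = sorted({state[e["dst"]]["zone"] for e in pivots})
    # "How fast": distinct hosts touched per minute (floor of one minute to avoid divide-by-zero).
    touched = {e["dst"] for e in events}
    minutes = max((_t(events[-1]) - _t(events[0])).total_seconds() / 60, 1)
    rate = round(len(touched) / minutes, 2)
    # Rank likely next victims: unpatched first, then by criticality; dedupe but keep order.
    ranked = sorted((e["dst"] for e in pivots),
                    key=lambda h: (state[h]["patched"], -state[h]["criticality"]))
    at_risk = list(dict.fromkeys(ranked))
    # "What to do": the actionable part, derived only from event + state together.
    actions = [f"block {ip} at the perimeter" for ip in sorted(external)]
    actions += [f"isolate {h}" for h in sorted(compromised)]
    actions += [f"patch/harden {h}" for h in at_risk if not state[h]["patched"]]
    return {"origin": sorted(external), "compromised": sorted(compromised), "heading": heading,
            "hosts_per_minute": rate, "at_risk": at_risk, "actions": actions}


if __name__ == "__main__":
    for key, value in assess(EVENTS, STATE).items():
        print(f"{key}: {value}")
```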

I’m assuming that most of you wouldn’t want to fly on a plane that doesn’t have a TCAS system fitted – so why manage your network without it?
