Skip to content

Situational Awareness: It’s not a Technology; it’s a Way of Life

January 9, 2012

Recently, CSO Magazine published a story on the efforts to secure the new Freedom Tower and other buildings that are being built at the site of the new World Trade Center in New York.  Throughout the article, Louis Barani – the former U.S. Naval Officer who is developing the security technologies for the new facility – frequently uses the term “situational awareness” to describe his team’s efforts to ensure the security of the Freedom Tower and other buildings.

What’s most interesting is how Mr. Barani talks about situational awareness not as a product, but as a capability.  While much of his interest is in physical security — as opposed to information security, which is where eIQnetworks and SecureVue reside — he identifies all the different types of security-related information that are required to achieve situational awareness: physical access control and logs; CCTV feeds and data; HVAC systems; elevator controls; and many, many more.  His team will be using a platform designed to bring together the physical security data from all these different sources into a single platform that facilitates situational awareness.

So what’s the point?  First, that situational awareness isn’t just a tool or a technology — it’s a way of life that requires continuous, real-time evaluation of the environment (whether the goal is system operations, physical security, information security, or otherwise), correlation of different types of events and other data together, and the ability to act on abnormalities right away.  Second, to make all of these things happen, you need the right tools to facilitate — not automate – situational awareness. In the information security world, that means collecting all security-related data, whether that data is encapsulated in events, asset state, network traffic, system performance, or any other piece of information.  Once you have the data, the other critical capability is correlation: are unusual network traffic, an abnormal performance metric, and an unauthorized change on a server related?  If so, how?

Just like in physical security systems, in the world of information security there are plenty of assets generating security data: events from host OS’s, devices, applications and databases; point security tools like IDS/IPS and anti-malware; performance data; network traffic; the current operating state of systems; and so much more.

Like the architects of physical security at Freedom Tower, delivering situational awareness for information security requires the ability to bring all of this data together into a single location, and correlate this data to find abnormalities — the hallmark of situational awareness.  Unfortunately, there aren’t many solutions available today that really do this for information security: SIEMs have limited data collection capabilities, and treat everything like an event (which is decidedly not situational awareness); configuration management tools have no visibility into events or what’s happening at the network layer; and NBA and network monitoring tools lack visibility into system state.  So, like a CCTV system, or an HVAC controller, or an elevator system, each of these information security tools provides visibility into a limited — but critical – wedge of data.  You still need something to bring all the data together, and facilitate true situational awareness.  Fortunately, we know exactly where you can find a product that does this.

Advertisements
No comments yet

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: