I spend a lot of time talking to people from all walks of life about situational awareness, and what it means for 'cyberspace.' While there are a growing number of people who seem to understand the concept, its importance, and the future trajectory it is on, I find a disproportionately high number of people - even those I would consider expert in this field - either don't understand or have not yet embraced situational awareness and the means by which it can improve security, operational capabilities, and hence the bottom line.
Some folks are only hesitant to embrace the concept because they have not yet given the idea much thought, while others seem to be completely against the idea.
I find that it takes some significant talking (and often a long round of questions and answers) to get anyone who is not actively using information from global threat awareness to understand the immediate need for enterprises to consider global situational awareness, so it is unfortunately no surprise to meet some resistance to the idea and its concepts.
What I do say, though, to get someone with initial resistance to start to think about the need for situational awareness in a more 'proactive' way, includes:
- Financial Institutions (those with significant skin in the game with respect to global cyber threat activity) are now starting to field 'Threat Intelligence' teams, giving them deep insight into the overall threat posed to them by external actors
- These FIs - as well as parts of the Defense Industrial Base, state and local governments, and a good number of Fortune 500s - are all considering or already implementing cloud computing practices - for applications, services, hardware, etc.
- The move to that model - where you are very concerned about threats but are still placing assets, services, and capabilities outside your standard sphere of control - requires either complete trust in the Internet infrastructure, your providers, your partners, and your customers, or a level of insight and visibility which goes beyond the old model for enterprise security (the perimeter model) - because risks you fail to identify and manage are risks you have unknowingly accepted
- While I agree that situational awareness for national defense, security, and full spectrum information operations belongs in the government, there is *definitely* a move in the private sector to use situational awareness on the Internet side (especially when you can combine Internet perspective with what you are seeing inside the network together into one place)
For one set of customers we have the following external and internal data sets being fused by ScoutVision (Lookingglass' Cyber Situational Awareness tool) and shown through our visual interface:
- Internal SEM event data
- External Phishing lists
- External Top Attacker lists
- Internal vulnerability management system reports
- Internal network scan data
- External 'known compromised host' lists
- Internal inventory management
- Internal routing and topology data
- External physical threat data (weather and natural disaster)
- Threat information shared between multiple enterprises
The end result is a comprehensive view into your security posture (internal), the current state of your providers, partners, customers, etc., and any external threats which could hinder your operations.
Does anyone really think it's not worth the effort to have that view, to be able to identify and manage those risks?