Situational awareness (SA) is the process of collecting information from across your organization, synthesizing it into usable intelligence, and disseminating it effectively so your employees understand how to make good decisions to keep your organization, its assets, and its employees safe and secure.
At its core, good SA gives an organization the ability to know the state of its activities and assets when it is functioning normally, and whether the current state of the organization matches that “norm.” If there is a discrepancy between the norm and the current state, SA allows organizations to discover it quickly, understand the reason for the discrepancy, and take appropriate action to manage it.
Effective SA, however, requires a wide scope of visibility into an organization’s activities and assets that is difficult to establish. It involves assessing the organization’s policies, governance, and business objectives; documenting systems, workflows, and processes; employing methods of analysis to detect violations or undesired events; and making sure all activities fulfill legal requirements and business interests.
Accomplishing these objectives to establish SA while finding a good balance to maintain them are challenges that most organizations struggle to implement, leaving key business assets without adequate protection. In such situations, organizations run the risk that their assets could be lost or compromised to malicious actors or through mistakes that could go undetected.
Even in the best-funded, most mature organizations, there are information gaps in knowing what the current state is and what it should be. Effective situational awareness therefore requires an understanding of what augmenting data will allow practitioners to make competent inferences with the information they have and to understand the limitations of the inferences they are able to make.
Angela Horneman, Analysis Team Lead, SEI CERT Division
A Complete Approach to Security
The SEI has developed best practices, tools, techniques, procedures, and methodologies to help the DoD, government agencies, and commercial entities protect and secure their information systems. In addition, we have a broad portfolio of cybersecurity assessments that include a selection of assessment tools, techniques, and analytics, ranging from those that can be self-applied to those that require expert facilitation or mentoring.
The SEI can draw on its expertise and experience to provide tailored assistance in any of the following areas:
- strategic roadmap development—The SEI is available to help your organization develop strategy and architecture roadmaps. We can also assess emerging technologies, support early risk identification, and develop acquisition documentation and artifacts for on-premises, cloud, and hybrid multi-cloud environments.
- policy assistance—We can leverage our experience to support your organization in creating well-defined, comprehensive policies for the various aspects of its cyber assets, identifying whether your controls match those policies, and assessing how well your technical controls implement them where gaps exist.
- architecture support—The SEI can help document your organization’s existing systems, find gaps in coverage, and plan for integration of appliances and processes, implementation of solutions for multi-level security, and documentation of mission threads and workflows.
- visibility design—We can help you identify which devices to use for different types of visibility, research endpoint visibility options for assets, and determine visibility strategies.
- analysis—Thanks to our expertise, the SEI is a leader in evaluating new analysis techniques such as AI and ML. We can also develop analytics using SEI tools, and we can document workflows and processes for application to security operations centers (SOCs), network operations centers (NOCs), threat intelligence, and vulnerability management.
- training—The SEI offers support for developing scenario-based training for organizations’ analysts that focuses on real-world analyst workflows and goes into depth on concepts and decisions, all while making use of available and relevant data sources and tools.
What We Offer
- Assistance for assessing and improving your organization's SA—Our experts can help you assess the effectiveness of your organization's SA and help you improve it.
- Analysis Pipeline—The Analysis Pipeline supports inspection of flow records as they are created.
- CERT NetSA Security Suite—The Network Situational Awareness (NetSA) group at CERT has developed and maintains a suite of open source tools for monitoring large-scale networks using flow data.
- CERT super_mediator—CERT super_mediator is an IPFIX mediator for use with the yaf and SiLK tools.
Join us for FloCon: January 9-12, 2023, Santa Fe, NM
The CERT Division sponsors the annual FloCon conference where those with common security concerns gather to discuss cutting-edge techniques. Applying what you learn at FloCon helps you analyze and visualize large data sets so that you can protect and defend your networked systems.
Beginning with FloCon 2018, the conference has expanded to focus on analytics of any large-scale data set—not just network flow data. If you are interested in data-driven security, you can participate in this conference and discuss these issues, including innovative ways to use big data to address security problems.
The Latest from the SEI Blog
How Situational Awareness Informs Cybersecurity Operations
February 08, 2021 • Blog Post
Situational awareness (SA) helps decision makers throughout an organization have the information and understanding they need to make sound decisions about cybersecurity operations. In this blog post, I review and provide examples of how to use SA in cybersecurity...
Pandemic Home Security for Your Enterprise
January 25, 2021 • Blog Post
Phil Groce, Harry Caskey
The COVID-19 pandemic has greatly increased remote work among enterprise employees. Home-network environments are not professionally managed, so they are an appealing target for attackers. In this post, we advise how to mitigate these risks to regain a security...
Our Vision for the Future of Situational Awareness
In the coming years, the expert researchers at the SEI will continue to refine the areas of architecture support and analysis assistance for both IT systems and weapon systems. We are working to find ways of applying early risk identification to determine how security postures must change, and how to mitigate the resulting risks, as organizations move to cloud or hybrid environments, as they change their development practices to DevSecOps or Agile, or as they begin to use next-generation network and communication solutions like 5G.
We’re also working to expand our analysis capability and apply more advanced techniques that will help organizations better prioritize detected activities.
Contact us to work with the SEI on these issues for your organization.