Situational Awareness
Moving Beyond Common Operational Pictures (COPs)
Introduction
Whether in the military, government, or private sector, network security is a critical component to an organization's health, and ultimately, its success. Threats from intruders are multiplying daily, and the ability to not only respond to attacks, but to anticipate and prevent those attacks is even more vital to optimize a network's efficiency and operability. As networks become more complex and broader reaching, the opportunity for attacks increases. With the advent of wireless networks and devices and their endless applications, the opportunity for a successful attack is even greater.
With all the advances in network communications, the need for security has grown as well. A traditional IT staff is no longer sufficient in dealing with the massive amounts of attacks a large-scale (especially military or government) entity may face daily. Network security experts with tools specifically implemented to anticipate, prevent, and repel attacks are now as vital to an organization as the network itself. Without an operating network, the corporations and government agencies of the 21st century are virtually left in the dark until a resolution is found.
In this white paper, the current shortcomings of the Common Operating Picture (COP), the advantages of Situational Awareness (SA), and a solution which will help organizations in their fight against network intrusion will all be explored.
What is a COP, and why does it fail?
"A common operational picture (COP) is a single identical display of relevant (operational) information (e.g. position of own troops and enemy troops, position and status of important infrastructure such as bridges, roads, etc.) shared by more than one Command. A COP facilitates collaborative planning and assists all echelons to achieve situational awareness" (Department of Defense 2011). In terms of network security, commands should be able to easily share information through the COP in order to make decisions regarding responses to threats and intrusion prevention.
In theory, COPs should provide network security personnel and all other applicable personnel with a view into their networks which will allow them to make timely and informed decisions. However, this is often not the case. COPs are typically constructed utilizing generic user interfaces or an assortment of interfaces. These COPs do not provide in-depth authentication, integration, correlation, analytics, collaboration, or access to the underlying applications themselves. Without these components, COPs provide only a "picture" and no real means of accessing any solutions. As COPs simply provide a picture of a network's operations at a given time and no methods for analysis or action, personnel will interpret "multiple versions of the truth" from the picture. Individuals will derive different meanings from the picture based on their backgrounds, training, and biases. Without any additional information from a COP, such as possible solutions or analyses, miscommunication, mixed messages, and disagreements are inevitable. In order to create a more secure network, administrators need to move from a reporting and visualization environment (CND UDOP) to a collaborative environment that enables shared SA to conduct network activities organization-wide.
With just a single picture supplying a look into a network, COPs cannot meet the needs of network security personnel who are constantly investigating, preventing, and repelling attacks. COPs do not collate events centrally and run them through rules before distributing them to personnel, so end consumers receive only partial or watered-down information. This partial information also does not take into consideration the other types of information personnel need in order to make informed decisions; COPs cannot supply the fusion of physical, network, IA, and security data which is necessary to combating intrusions. Without all the pertinent information, personnel will rarely come to quick, logical, and agreed-upon decisions, which can lead to wasted time while attacks dig deeper into the affected network. As COPs do not provide a great deal of pertinent information, a lack of sharing across jurisdictions and domains occurs because there is not enough information to share. Obviously, sharing information is critical in network security. This lack of information and lack of sharing result in difficulty managing command and control (C2) and collaboration across mission partners.
COPs only provide a limited amount of data to end-users, a peek into the network as it is currently operating. More data is needed to combat intrusions to include Data Fusion (access and visualization) and Behavioral Fusion (what you do with the information). Correlation and visualization layers should also be separate from systems management tools. Data exchange and access infrastructure needs to also be separate from systems management tools.
The criticality of the "picture" and how COPs fail
A picture that gives network administrators all the information they need to quickly respond to and prevent or repel attacks or outages is absolutely vital. The more limited the information, the less likely the outcome will be successful. The picture needs to define not only the network's status at that given time, but also such critical information as the relationships between the objects on the network, potential attacks or outages, and potential solutions or action items.
The need for increased situational awareness became paramount after the attacks of 9-11. As the decade progressed the military adjusted the phrase to "situational readiness," a combined theme of gathering intelligence about the potential threat through situational awareness and developing quick responses regarding the risk involved for protection and recovery if attacks occur.
The DoD has moved this joint vision of situational awareness further, preparing for nonconventional warfare tactics by having each military branch organized and working together on the battle field. The goal is to improve command response time and overall mission effectiveness.
The business sector is following the military's lead, moving from multiple lines of communication among many companies, including law enforcement, to a more formal and streamlined organizational structure that involves fewer people but can react more quickly and disseminate information in a more timely manner. The differences are that the military is more focused on prevention and defensive measures in the field, while businesses, in addition to protection, strive for risk reduction and rapid recovery to prevent monetary losses and maintain continuity (National Institute for Situational Readiness 2005).
These components (relationships between objects, potential attacks or outages, and potential solutions) will allow personnel to quickly decide the next, most appropriate course of action and then provide quick access to the tools that can implement the chosen solution. The free-standing picture that a COP provides is not the tool that personnel need in order to monitor and maintain their networks; they need integrated tools with greater capabilities and unlimited scalability.
Emergence of system diversity and information overload
Communication networks are becoming more and more complex, with new and diverse applications and programs being constantly added as new requirements and needs are determined and responses gathered. Often, this leads to networks that are slow, cluttered, and increasingly less useful as personnel become more frustrated with using the network. Networks must also comply with a number of evolving security standards that can also impact network performance and diversity. New applications and devices must be integrated into the network, and this integration sometimes does not happen seamlessly or intuitively.
In addition to system diversity, personnel must also deal with information overload on a regular basis. The amount of data on any network can be staggering, overwhelming, and often counterproductive. Having this massive amount of data may seem beneficial, but more often than not personnel must spend hours sifting and browsing to find the right data. Search and filtering tools can sometimes prove helpful, but searching and filtering can sometimes be too advanced or time-consuming a skill to prove valuable.
Information overload can be caused by the following factors (New World Encyclopedia 2008):
- A rapidly increasing rate of new information being produced
- The ease of duplication and transmission of data across the Internet
- An increase in the available channels of incoming information (e.g. telephone, e-mail, instant messaging, RSS)
- Large amounts of historical information to research
- Contradictions and inaccuracies in available information
- A low signal-to-noise ratio
- A lack of a method for comparing and processing different types of information
- The pieces of information are unrelated or do not have any overall structure to reveal their relationships
These factors in combination commonly lead to personnel not being able to perform their jobs adequately. Any system that exhibits more than one of the above factors becomes too cumbersome and difficult to use, which leads personnel to increasingly ignore the system and use something different to perform their duties.
The Dilemma of providing a converged picture - enter the COP
With so much data available to network personnel, officers had to find an effective way to capture vital data while leaving out unimportant data. By only capturing critical data, personnel can focus more closely on the task at hand and not get distracted trying to sift through noise. To this end, the COP was created. The original intention of the COP was to provide all network users with a common picture of network activity data which can then be used across departments to keep the networks secure. With this COP, everybody would be "on the same page" and could then come to an agreement on how to best handle intrusions or outages or how to make the best use of resources.
However, this is often not the case. Deciding which data should appear on the COP is often an issue, as officers disagree on which data should appear in the view. This means that much more data than necessary is included in order to appease officers and their agendas. Conflicting or unrelated data can appear, which defeats the purpose of the COP.
As complexity grows, COPs become the problem not the solution
The COP is a simple picture of network activity at a given time. As networks grow and become more complex, this picture becomes less useful in preventing and repelling threats. A picture dotted with icons that do nothing but indicate activity is happening is not a useful tool. To be effective, the tool must indicate relationships between the icons, provide some analysis of the icons and their relationships, and finally, offer solutions to potential or occurring problems.
Trying to monitor all the activity on a complex communication network can prove to be too daunting a task for a team of network administrators working around the clock, especially if the network is targeted for attacks. Personnel cannot get the information they need quickly enough to respond to potential threats, and are therefore at greater risk of failure if an intrusion is not detected in time or if the full extent of the intrusion is not realized. If the COP is filled with data that serves no purpose other than to indicate that activity is happening on the network, then the COP has failed; it must do more than provide a pretty picture.
Summary of why COPs fail
Preventing and repelling network intrusions is an extremely involved and meticulous process, and the most critical factor in successfully deterring attacks is for personnel to have all the information regarding the intrusion available at any moment. COPs are useful in providing a cursory view of a network's activity, but in reality are nothing more than that - "a pretty picture." COPs provide the picture, but then personnel are left to find other means to continue the mission. As COPs only provide a picture, they are not often used by operational personnel, and the information provided by the COPs is not trusted by commanders (Prevous and Hibner 2011).
COPs' main failing is the inability to provide a "single, shared truth" for personnel. Since they simply provide a picture of current activity and no meanings, underlying conditions, implications, or possible resolutions for the presented data, the data is rather simple in nature and can then be interpreted in a variety of ways by a number of different individuals with varying agendas. A picture filled with icons and symbols with no means of relating them to each other or to possible outcomes can only serve as an incubator for misinformation and uninformed decisions. As a result, COPs do not facilitate collaboration or coordination of activities. In order for the COP to be an effective tool, network administrators must be able to determine the problem (including its source and extent), the impact of the problem, the solution, the correct facilitators of the solution, and the best method for avoiding the problem in the future.
Situational Awareness
Situational Awareness (SA) is defined as "the perception of the elements in the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future" (Endsley 1988). In this definition, three critical elements are identified as vital to achieving SA: perception, comprehension and projection. The first element, perception, is the simple identification of objects in an environment: objects are identified and then named and defined. For the second element, comprehension, the relationship between objects and the environment is defined; in regard to network security, comprehension refers to the identification of an intrusion and its possible sources. The projection element deals with understanding the repercussions of the attack as well as identifying future prevention methods (Lambert 2001). Any successful SA product must include these three elements in its solution in order to allow administrators to effectively fight intrusions. If capable applications are not included to handle each of these elements, the network remains prone to attack and failure.
An effective SA solution must include three components in its final product to address perception, comprehension and projection. These components are: Adaptive/Interactive User Environments, Controlled/Authenticated/Validated Universal Data Access, and Correlation/Analytics/Event Processing. Each of these components is necessary to an SA solution's success. If even one of these elements is lacking the solution will not supply network security personnel with the tools to prevent and repel intrusions.
As opposed to the COP (which only provides a picture of the network's current state), SA can also combat the increasingly common "swivel chair management" of networks, which is the phenomenon of "switching among multiple network management terminals in order to track activity and problems across various segments of the network" (Horwitt 1989).
As personnel are required to access more applications and programs across multiple networks, work is slowed through inefficiencies. Typically, personnel will not utilize all the applications at their disposal if they find access becomes too cumbersome or slow. They will find other means to perform their duties, even if those means are less effective or efficient. With SA or some other method to easily access all applications through a single, user-friendly interface, users can more successfully defend their networks from intrusion. With a properly designed and integrated SA interface, users can quickly determine the source of intrusion and then quickly access the tools necessary to combat the intrusion.
Adaptive/Interactive User Environments
The Adaptive/Interactive User Environment will provide an overall picture of the network status. In this environment, all applicable objects (both internal and external) can be seen, identified and possibly managed. In this environment, access to assessment support and predictive and analytic tools is also included (Lambert 2001). The user environment must allow personnel to quickly and easily access data and views that will supply them with the information to quickly make decisions in repelling and preventing attacks. Views must be customizable so personnel can view only the information they need at the time and avoid sifting through "noise." With a useful user environment, the time from notification of attack to resolution is minimized.
Controlled/Authenticated/Validated Universal Data Access
If an alternative to the COP is to be proposed, personnel must be able to access all applicable data and underlying applications effortlessly. If network administrators are forced to travel circuitously to a critical application or data point, then valuable time can be lost. Since the COP is not integrated with any other tools or data, users must take the time to open those applications separately and then traverse back and forth between the COP and any applications to perform any actions. A solution that ensures that access to data and underlying applications is easily permitted will allow for better defense and maintenance of the network.
Access must be controlled and authenticated so communication between all appropriate personnel can be optimized. Analysis results can be viewed by only those personnel with proper permission. To achieve this information sharing, systems must communicate across a variety of mediums, and with absolute security to protect mission-critical data.
Controlling and authenticating access is extremely important as multicore devices become more prominent on the battlefield. "Technology firms and military organizations are also tapping more powerful, multicore devices to tackle multiple military applications on a single, compact computing platform. Multicore processors allow for more tightly integrated data and information processing, as well as provide a more efficient SWaP platform," (Howard 2010). (SWaP here refers to size, weight and power.)
Correlation/Analytics/Event Processing
SA is optimal when objective content is high and the operator(s) is/are subjectively aware of that. SA is disastrous when the content is off and the operator doesn't realize it. There are other combinations, so it's always best to measure the two together if possible (McGuinness 2004).
For subjective measurement, each operator could be asked to rate the quality of SA of himself and of the team as a whole along the following dimensions:
- Awareness of perceptible data
- Awareness of the big picture
- Awareness of future developments
- Awareness of response options
The problem can also be approached from both 'objective' and 'subjective' angles, blending actual knowledge queries with subjective ratings of SA. This is a form of cognitive analysis, often in the form of true/false questions, that captures the cues that go into a person's decision-making process (Nofi 2000).
Beyond UDOP
Unlike a traditional common operational picture (COP), a User-Defined Operating Picture (UDOP) allows the user to select what information should be included in or excluded from the data set defining the operational picture at the source. (Mulgund & Landsman 2007) The core elements of a UDOP capability are data access mechanisms to build a UDOP from the outputs of systems of record using net-centric means, visualization and presentation tools that provide effective situation awareness, business logic for creating added-value information products derived from raw data inputs, and collaboration tools to enable shared situation awareness.
FTS Situational Awareness Solutions (FTS-SAS)
Founded in 2008, FedTechServices, Inc. (FTS) specializes in providing cutting-edge network communications solutions to government agencies. Since its inception, FTS has partnered with such agencies as U.S. Central Command (USCENTCOM) and U.S. Forces - Afghanistan (USFOR-A) and supplied these operations with customized network monitoring tools which helped them dramatically improve their networks' efficiency, operability and security.
In response to the military's increasing need to improve its communication network capabilities, FTS created the Theater Network Management Architecture (TNMA). TNMA supplies organizations with a centralized, distributed architecture that provides a common operating picture of the customer's communication network, monitors and manages network performance, threats and policy compliance, and controls network access.
With its numerous monitoring applications, TNMA provides situational awareness to war fighters in the field by supplying network administrators with the information they need to make quick decisions regarding their networks' security and operability. TNMA is a fully integrated, robust architecture that provides near-real-time, correlated configuration, performance, status/event and topology information in a common format enabling analysis and modeling capabilities available to all Components, JTFs and Agencies.
The architecture aims to enable service assurance and service delivery across the network and to enhance network defense. TNMA possesses the ability to provide a culture change from reactive network management to proactive network management and predictive analysis on systems and networks. This information aids communities in providing assured system and network availability, assured information protection, and assured information delivery.
Personnel have the ability to monitor every aspect of their networks; all events and data flows are tracked and logged in near real-time. Users can customize their views to track only what they need to at any given time in order to cut down on the noise which can impede intrusion prevention. TNMA uses SNMP, NetFlow, routing information and device configurations as its data sources to provide network topologies and traffic statistics for network engineering and traffic analysis.
The network topologies and traffic statistics derived from TNMA data sources allow engineers to proactively assess the network to identify potential problem areas such as bottlenecks or single points of failure. Additionally, by providing baselines and trending of traffic statistics such as circuit utilization, TNMA allows engineers and analysts to provide more accurate capacity planning assessments and provides the ability to analyze current statistics to detect anomalies before they impact the intended operational capability of the network.
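As an added illustration of the baselining and trend analysis the paragraph describes (not FTS's or TNMA's own code), the following Python derives circuit utilization from periodic SNMP ifHCInOctets polls, flags samples that depart from a learned baseline, and projects when a growing trend would cross a capacity-planning threshold. The counter values, bandwidth, poll interval and thresholds are constructed assumptions.

```python
"""Baseline and trend analysis of circuit utilization from SNMP interface counters.

Added example, not FTS/TNMA code. Assumes utilization is derived from periodic
polls of an interface's ifHCInOctets counter (64-bit, so wrap is rare but still
handled) and a known circuit bandwidth in bits per second. All sample data in
this file is constructed for illustration.
"""
import math
from dataclasses import dataclass
from statistics import mean, pstdev

COUNTER_MAX = 2 ** 64          # ifHCInOctets is a 64-bit counter
BASELINE_WINDOW = 12           # number of polls used to learn the baseline
SIGMA_THRESHOLD = 3.0          # flag samples this many sigma above the baseline mean
CAPACITY_LIMIT_PCT = 80.0      # planning threshold used for the trend projection


@dataclass(frozen=True)
class Poll:
    ts: int          # poll time, seconds since epoch
    in_octets: int   # ifHCInOctets value read at poll time


def utilization_pct(prev: Poll, cur: Poll, bandwidth_bps: int) -> float:
    """Percent utilization between two successive counter readings."""
    delta = (cur.in_octets - prev.in_octets) % COUNTER_MAX  # modulo handles counter wrap
    interval = cur.ts - prev.ts
    if interval <= 0:
        raise ValueError("polls must be strictly increasing in time")
    return 100.0 * (delta * 8) / (bandwidth_bps * interval)


def utilization_series(polls, bandwidth_bps):
    """One utilization sample per consecutive pair of polls."""
    return [utilization_pct(a, b, bandwidth_bps) for a, b in zip(polls, polls[1:])]


def baseline(series, window=BASELINE_WINDOW):
    """Mean and population stddev of the first `window` samples (the learned normal)."""
    head = series[:window]
    return mean(head), pstdev(head)


def anomalies(series, mu, sigma, k=SIGMA_THRESHOLD):
    """Indices of samples more than k sigma above the baseline mean."""
    spread = max(sigma, 0.5)  # a perfectly flat baseline must not flag every small blip
    return [i for i, u in enumerate(series) if u > mu + k * spread]


def trend_slope(series):
    """Least-squares slope of utilization in percent per sample."""
    n = len(series)
    x_bar = (n - 1) / 2
    y_bar = mean(series)
    num = sum((x - x_bar) * (y - y_bar) for x, y in enumerate(series))
    den = sum((x - x_bar) ** 2 for x in range(n))
    return num / den if den else 0.0


def samples_until_limit(series, limit=CAPACITY_LIMIT_PCT):
    """Samples until the fitted trend line crosses `limit`; None if not trending up."""
    slope = trend_slope(series)
    if slope <= 0:
        return None
    n = len(series)
    fitted_last = mean(series) + slope * ((n - 1) - (n - 1) / 2)
    if fitted_last >= limit:
        return 0
    return math.ceil((limit - fitted_last) / slope)


def polls_from_utilization(util_pcts, bandwidth_bps, interval=300, start=5_000_000_000):
    """Constructed test data: synthesize counter readings that yield the given utilizations."""
    polls = [Poll(0, start)]
    counter = start
    for i, u in enumerate(util_pcts, start=1):
        counter = (counter + (u * bandwidth_bps * interval) // 800) % COUNTER_MAX
        polls.append(Poll(i * interval, counter))
    return polls


if __name__ == "__main__":
    bw = 10_000_000  # assumed 10 Mb/s circuit, polled every 5 minutes
    observed = [20, 21, 19, 20, 22, 20, 18, 21, 20, 19, 21, 20, 65, 20, 21]  # constructed
    series = utilization_series(polls_from_utilization(observed, bw), bw)
    mu, sigma = baseline(series)
    print(f"baseline {mu:.1f}% +/- {sigma:.1f}; anomalous samples: {anomalies(series, mu, sigma)}")
    growth = [50.0 + 2 * i for i in range(10)]  # constructed steadily rising circuit
    print(f"samples until {CAPACITY_LIMIT_PCT}% at current trend: {samples_until_limit(growth)}")
```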
TNMA's capabilities have been evaluated against the International Organization for Standardization (ISO) Telecommunications Management Network (TMN) model FCAPS. FCAPS describes the five types of information handled by management systems: Fault (F), Configuration (C), Accounting (A), Performance (P), and Security (S). The management of each of these categories is imperative in order to have an effective enterprise network management capability. The FCAPS figure below depicts the subset of FCAPS functionality against which the TNMA architecture was evaluated.
Figure 1: FCAPS Sample Subset Table
As seen in the table above, TNMA was designed to provide a great deal more than just a simple picture.
To provide useful tools which will allow users to successfully defend against intrusion, FTS's situational awareness solution will be scalable, virtualized and adaptable. As network capabilities and intrusion methods evolve, security and monitoring tools must evolve as well or be forced into quick obsolescence. To this end, new hardware and software applications can be added to FTS's situational awareness solution whenever necessary. The solution's scalability will allow administrators to add new features virtually on the fly to respond to new needs and requirements. With little to no turnaround and little manual labor, the solution will be updated with the new processes and be running at peak operation, performing the tasks necessary to keep your networks secure from attack.
The solution will be virtualized, which will help to save space and memory. By virtualizing, users will be able to run multiple applications from one machine, and even different operating systems can be used from a single machine. Virtualizing eliminates the potential conflicts of running many applications at the same time, which will help maximize performance while saving space and time.
The solution will be adaptable, giving personnel the ability to fit the solution to their needs. The solution can be deployed in any location, and will be operable in the event of extreme conditions during an active war zone. As personnel determine new requirements, the solution can be adapted to meet their evolving needs. This adaptability is necessary to stem attacks from intruders who will be using new and more dangerous methods to attack networks.
The solution will include a pluggable correlation architecture. This feature has gained prominence in recent years as threats have increased. "The governance, risk, and compliance (GRC) market has recently experienced significant growth as organizations seek to manage internal and external security threats, enforce internal policies, and comply with governmental regulations. For example, government agencies faced significant challenges in implementing SA procedures to comply with regulations such as Homeland Security Presidential Directive (H.S.P.D.) 12, which provides a mandatory federal policy for establishing a common identification standard for federal employees and contractors," (Choudhary, Antony, Cooper and Srinivasan 2010).
Summary
Network security is at the top of everyone's list, regardless of your business. Information distribution is critical and time sensitive, but if your network isn't secure that information can find the wrong hands with disastrous national security implications.
FTS understands this and has the network management solutions such as Theater Network Management Architecture (TNMA) that identifies threats to the Global Information Grid (GIG), senses network and host-based attacks, allows safe sharing, and develops countermeasures to keep your information confidential and secure.
As opposed to the COPs integrated into networks across the globe (which only provide a picture of a network in its current state), FTS has integrated SA into its network management and monitoring products so that personnel can more effectively combat intrusions. Products such as the vendor-agnostic TNMA 2.0 not only give personnel visibility into their networks, but can also provide quick access to the tools necessary to deter intrusion and unforeseen outages. This access is imperative to countering attacks in which seconds matter. Loss of data, connectivity, or operability can cripple a network and the warfighter's ability to carry out critical missions, so keeping networks operating under adverse conditions is essential.
The TNMA program has completed rigorous DoD testing under U.S. Central Command's (USCENTCOM) and U.S. Forces - Afghanistan (USFOR-A) certification and accreditation, and also has received secret and top secret accreditations that allow use in classified systems. This allows FTS to develop mobile and tactical networks that improve situational and operational awareness, reduce deployment time, and identify potential security threats.
Our system helps with Web vulnerability scanning and will update future requirements and identify technology requirements for follow-on capabilities. FTS understands government initiatives for secure internal communication and reporting functions in the field for war fighters, and its solutions are innovative and cost effective.
Bibliography
- Choudhary, Usman, John Melvin Antony, Michael Howard Cooper, and Pattabiraman Srinivasan. 2010. "System And Method For Auditing Governance, Risk, And Compliance Using A Pluggable Correlation Architecture." U.S. Patent 20100198636, filed August 5, 2010.
- Department of Defense. 2011. "DoD Dictionary of Military Terms." Last modified May 15, 2011. http://www.dtic.mil/doctrine/dod_dictionary/
- Endsley, M.R. 1988. "Situation awareness global assessment technique (SAGAT)." Aerospace and Electronics Conference, 1988. NAECON 1988., Proceedings of the IEEE 1988 National 3: 789-785.
- Horwitt, Elizabeth. 1989. "High Hopes for Enterprise Net Management." ComputerWorld, December 25.
- Howard, Courtney. 2010. "Warfighters on the digital battlefield require robust information technology for secure, reliable, real-time access to mission-critical information." Military & Aerospace Electronics, June 16.
- Lambert, Dr. Dale A. 2001. "Situations for Situation Awareness." 4th International Conference on Information Fusion. Accessed June 8. http://isif.org/fusion/proceedings/fusion01CD/fusion/searchengine/pdf/ThC22.pdf.
- McGuinness, Barry. 2004. "Quantitative Analysis of Situational Awareness (QUASA): Applying Signal Detection Theory to True/False Probes and Self-Ratings." 9th International Command and Control Research and Technology Symposium.
- Mulgund, Sandeep, PhD., and Seth Landsman, PhD. 2007. "User Defined Operational Pictures For Tailored Situation Awareness." 12th International Command and Control Research and Technology Symposium "Adapting C2 to the 21st Century".
- National Institute for Situational Readiness. 2005. "Situational awareness in the US military; Situational Readiness in corporate security." Accessed June 8, 2011. http://www.entrepreneur.com/tradejournals/article/135896868.html
- New World Encyclopedia. 2008. "Information Explosion." Last modified May 27, 2008. http://www.newworldencyclopedia.org/entry/Information_explosion#.22Information_overload.22_by_Alvin_Toffler
- Nofi, Albert A. 2000. "Defining and Measuring Shared Situational Awareness." Accessed June 8. http://www.cna.org/documents/D0002895.A1.pdf
- Prevous, Dr. Mike, and Keith Hibner. 2011. "The (Un)Common Operational Picture." Connected: Army Operational Knowledge Management III, no. 3: 1-4.