What Is Network Security Situational Awareness?

Origin of Network Security Situational Awareness

Situational awareness is a term coined by the United States Air Force in the 1980s. It mainly covered analyzing the air combat environment information, analyzing the current and future situations, and ultimately making corresponding judgments and decisions. Through continuous development and improvement, related theories have been formed and widely used in domains such as the military, aviation, industrial production, security, and network domains. Network security situational awareness refers to the application of situational awareness-related theories and methods to the network security field.

The concept of situational awareness is abstract. To facilitate understanding, we can use weather forecasting as an example. With continuous observing and analyzing, we can predict the weather at a site over a certain period of time. In particular, the prediction of severe weather events, such as typhoon, smog, and snowstorm, is especially important to us. By transferring people and property in advance and preparing related disaster response measures, the impact of disasters can be greatly reduced. This is the key purpose of situational awareness.

Why Is Network Security Situational Awareness Important?

With the continuous development of network and information technologies, people's security awareness is gradually increasing. Networks are never completely secure. It is inevitable that they will be attacked eventually. Although we cannot prevent attacks, we can identify and detect attacks in advance to minimize losses. In other words, security protection has shifted from passive defense to proactive and intelligent protection.

Furthermore, IoT and cloud technologies are developing rapidly, giving rise to many new disruptive technologies that bring new security issues. For example, massive terminal access, disappearance of traditional network borders, and increased concealment and complexity of network attacks pose new challenges and higher requirements on the capabilities of network security personnel.

Against this backdrop, products and solutions centering on network security situational awareness technologies have developed rapidly. Network security situational awareness can drive the upgrade of the entire security protection system and implement the following three changes:

• The goal of security construction changes from compliance to enhanced defense and deterrence capabilities, with greater emphasis placed on confrontation. This poses higher requirements on intelligence technologies.
• The object of attack detection changes from known threats to unknown threats. Technologies such as big data analytics, anomaly detection, situational awareness, and machine learning are used to detect advanced threats.
• The response to threats changes from manual analysis and handling to automatic and closed-loop response, with an emphasis on emergency response and collaboration, achieving elastic security.

Application Scenarios of Network Security Situational Awareness

Constructing a network security situational awareness system is complex and expensive. Such a system is used mainly in large and midsize enterprises and large organizations. For small businesses, a single integrated product offering lower performance and simpler functions and architecture can be selected.

• Government agencies: From the perspective of countries or provinces/cities, the system manages and monitors the network security situation of related information infrastructure.
• Large industries: From the perspective of industries, the system manages and monitors the network security situations of internal systems in an industry. Currently, network security situational awareness is mainly applied to sectors such as government, finance, network operations, and education.
• Large organizations or enterprises: From the perspective of routine security O&M, the system manages and monitors the security status of core assets and service systems.

How Is the Construction Result of Situational Awareness Evaluated?

The construction result of network security situational awareness can be evaluated from the following aspects:

• Defense: Whether the obtained intelligence and asset investigation information can be used to improve the defense system and eliminate asset risks
• Detection: Whether continuous network security monitoring capabilities are provided to quickly and accurately detect security threats
• Response: Whether response capabilities covering terminals and networks are provided to support attack forensic, event source tracing, threat fixing, and other items
• Prediction: Whether improvement suggestions can be provided based on the comprehensive analysis of historical security situations, live-network popular attacks, and intelligence systems

What Are the Three Levels of Situational Awareness?

In Toward a Theory of Situation Awareness in Dynamic Systems (1995), Mica Endsley proposed a classic situational awareness model that mimics the cognitive process of humans. Although the model is simple, it has formed the basis of many subsequent theories. It is generally called the Endsley's model.

Endsley's model divides the situational awareness into three levels: perception, comprehension, and projection.

• Perception (Level 1): The first level of situational awareness is to perceive the status, attributes, and dynamics of related elements in the environment.
• Comprehension (Level 2): The second level of situational awareness involves a synthesis of disjointed elements through the processes of pattern recognition, interpretation, and evaluation. This level also requires integrating the information to understand how it will impact upon the goals.
• Projection (Level 3): The third level of situational awareness involves the ability to project the future actions of the elements in the environment. This is achieved through comprehension of the situation in level 1 and level 2.

HiSec Insight — Huawei's Situational Awareness Product

Oriented toward small-, medium-, and large-sized enterprises, such as finance, network security, government, and carrier enterprises, Huawei launched HiSec Insight Advanced Threat Analytics System (HiSec Insight for short). This big data-based APT defense product implements security situational awareness on the entire network by collecting massive amounts of basic data (such as network traffic and network and security logs of various devices) and identifying potential and advanced threats on the network through big data analytics and machine learning technologies.