Cyber situational awareness is
“[t]he immediate knowledge of friendly, adversary and other relevant information regarding activities in and through cyberspace and the EMS. It is gained from a combination of intelligence and operational activity in cyberspace, the EMS, and in the other domains, both unilaterally and through collaboration with our unified action and public-private partners.”
Cyber situational awareness is the capability that helps security analysts and decision makers:
- Visualize and understand the current state of the IT infrastructure and the defensive posture of the IT environment.
- Identify which infrastructure components are needed to carry out key functions.
- Understand the actions an adversary could take to damage critical IT infrastructure components.
- Determine where to look for key indicators of malicious activity.
Cyber situational awareness involves normalizing, deconflicting, and correlating data from disparate sensors, analyzing the merged data, and displaying the results of that analysis. Situational awareness (SA) is an integral part of an information assurance (IA) common operational picture, which gives a graphical, statistical, and analytical view of the status of computer networks and of the defensive posture.
Situational awareness is the key to effective computer network defense. A robust situational awareness capability is required by the highly interconnected nature of information systems and computer networks, the degree to which they share risk, and the coordination and synchronization requirements of response efforts.
Analysts and decision makers must have tools that enable timely assessment and understanding of the status of the networks and systems that make up the IT infrastructure. This situational understanding must be presented at multiple levels of resolution:
1. a top-level, global indication of system health;
2. exploration of the various threat scenarios unfolding against components of the system; and
3. local-level details of recognizable or previously unseen anomalous activity.
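The pipeline described above (normalize, deconflict, correlate, then present at three resolutions) can be sketched end to end. The following is an added example written for this article, not code from any product or doctrine the text refers to. It normalizes three constructed sensor feeds (a firewall syslog line, an EDR JSON record, and an IDS CSV row; the formats, hosts and addresses are all made up) into one event schema, drops a duplicated EDR record, correlates by asset, and emits a global health status, a per-asset scenario chain, and the raw local events. The scoring rule (corroboration by two or more sensors within a 120-second window adds one point) and the syslog year are assumptions made for the example.

```python
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample telemetry from three hypothetical sensors (not real data).
FIREWALL_SYSLOG = [
    "Mar  3 10:01:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 DPT=445 PROTO=TCP",
    "Mar  3 10:01:03 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 DPT=139 PROTO=TCP",
    "Mar  3 10:01:05 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.9 DST=10.0.0.8 DPT=443 PROTO=TCP",
]
EDR_JSON = [
    '{"ts":"2024-03-03T10:01:10Z","host":"10.0.0.5","image":"cmd.exe","parent":"winword.exe","severity":"high"}',
    '{"ts":"2024-03-03T10:01:10Z","host":"10.0.0.5","image":"cmd.exe","parent":"winword.exe","severity":"high"}',
    '{"ts":"2024-03-03T10:02:00Z","host":"10.0.0.8","image":"chrome.exe","parent":"explorer.exe","severity":"low"}',
]
IDS_CSV = [
    "2024-03-03T10:01:04Z,203.0.113.7,10.0.0.5,ET SCAN SMB enumeration,medium",
]

SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3}
SYSLOG_YEAR = 2024  # assumption: BSD-style syslog timestamps carry no year
FW_RE = re.compile(
    r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) \S+ kernel: (DROP|ACCEPT) .*SRC=(\S+) DST=(\S+) DPT=(\d+)"
)


@dataclass(frozen=True)  # frozen -> hashable, so set() can deduplicate events
class Event:
    ts: datetime        # UTC
    sensor: str         # firewall | ids | edr
    asset: str          # the internal host the event concerns
    src: str            # peer address or parent process, depending on sensor
    category: str
    severity: int


def _iso(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(fw_lines, edr_lines, ids_lines):
    """Map each sensor's native format onto the common Event schema."""
    events = []
    for line in fw_lines:
        m = FW_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than poison the picture
        mon, day, hms, action, src, dst, dpt = m.groups()
        ts = datetime.strptime(f"{SYSLOG_YEAR} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
        events.append(Event(ts.replace(tzinfo=timezone.utc), "firewall", dst, src,
                            f"{action.lower()}:tcp/{dpt}", 1 if action == "DROP" else 0))
    for line in edr_lines:
        r = json.loads(line)
        events.append(Event(_iso(r["ts"]), "edr", r["host"], r["parent"],
                            f"process_create:{r['image']}", SEVERITY[r["severity"]]))
    for line in ids_lines:
        ts, src, dst, sig, sev = line.split(",")
        events.append(Event(_iso(ts), "ids", dst, src, f"ids:{sig}", SEVERITY[sev]))
    return events


def deconflict(events):
    """Drop exact duplicates (e.g. the same EDR record delivered twice) and order by time."""
    return sorted(set(events), key=lambda e: (e.ts, e.sensor))


def correlate(events, window_s=120):
    """Group events by asset. A finding is corroborated when two or more distinct
    sensors report non-benign activity against the same asset inside the window."""
    by_asset = defaultdict(list)
    for e in events:
        by_asset[e.asset].append(e)
    picture = {}
    for asset, evs in by_asset.items():
        alerts = [e for e in evs if e.severity >= 1]
        sensors = {e.sensor for e in alerts}
        span = (max(e.ts for e in alerts) - min(e.ts for e in alerts)).total_seconds() if alerts else 0
        score = max((e.severity for e in evs), default=0)
        if len(sensors) >= 2 and span <= window_s:
            score += 1  # independent sensors agree: raise confidence
        status = "critical" if score >= 4 else "elevated" if score >= 2 else "nominal"
        picture[asset] = {
            "status": status,
            "score": score,
            "sensors": sensors,
            "chain": [(e.ts.strftime("%H:%M:%S"), e.sensor, e.category) for e in evs],  # resolution 2
            "events": evs,                                                              # resolution 3
        }
    return picture


def build_cop(fw_lines, edr_lines, ids_lines):
    """Resolution 1 (global status) on top of the per-asset picture."""
    assets = correlate(deconflict(normalize(fw_lines, edr_lines, ids_lines)))
    levels = ("critical", "elevated", "nominal")
    counts = {s: sum(1 for a in assets.values() if a["status"] == s) for s in levels}
    worst = next((s for s in levels if counts[s]), "nominal")
    return {"global": {"status": worst, "counts": counts}, "assets": assets}


if __name__ == "__main__":
    cop = build_cop(FIREWALL_SYSLOG, EDR_JSON, IDS_CSV)
    print("GLOBAL:", cop["global"])
    for asset, a in cop["assets"].items():
        print(asset, a["status"], "score", a["score"], "sensors", sorted(a["sensors"]))
        for step in a["chain"]:
            print("   ", *step)
```

On the constructed input, 10.0.0.5 is scored critical because the firewall drops, the IDS scan signature and the EDR high-severity process event all land within eight seconds, while 10.0.0.8 stays nominal: its only non-benign event comes from a single sensor, and an accepted connection is not treated as corroboration. In a real deployment the normalization step would also need clock-skew handling and a field for the asset's criticality so that the scoring can weigh the components that carry key functions.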