Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Friday, October 29, 2010

On Situational Awareness in Enterprises

“Situational Awareness” is an area that I am interested in exploring, in particular in the context of enterprises. How can an organisation be reasonably reassured that its risk posture is appropriate and that the relevant threats are mitigated?

Indeed, both risk assessment and the deployment of suitable control points are key to dealing with risks. However, situations can change, new threats can materialise, or the controls that are put in place could actually be ineffective.

To close the loop, organisations usually invest in monitoring and event management controls to get a “picture” of what is actually going on.

However, how accurately does this “picture” represent reality? Are the relevant pieces of “intelligence” taken into account? What is their impact on the overall risk assessment? Which key areas and elements should be covered? Which correlations are necessary to distil meaningful information? Which investments are required to achieve all this?

Security Information and Event Management (SIEM) tools and solutions can indeed help, from a technical perspective. But strategic decisions still need to be made (by Risk Managers, CIOs, CTOs, CISOs, etc.), and these decisions are usually made within an economic framework.

How to provide decision support in terms of which investments to make, which monitoring areas to cover, which inferences and data correlations to look for, which trade-offs to consider (e.g. costs vs productivity vs risk exposure)?

I am interested in exploring how the HP Labs Security Analytics approach (i.e. applying modelling and simulation to provide decision support) can help in this space, by introspecting current strategic decision making activities and the involved processes, as well as exploring suitable trade-offs and the impact of existing controls, such as SIEM tools.

In this context, I am looking for public case studies and information/documents illustrating current “assurance processes”, the criteria adopted for deploying SIEM tools, and the key decision-making steps adopted in this area.


--- Posted by Marco Casassa Mont (here and here) ---
