Developing Situational Awareness

Today's Threats Require Network Security Pros to Broaden Skills
With continuous attacks on organizations' networks, it is impossible for network security analysts to mitigate them one by one. Instead, they must learn to identify and mitigate attacks on a broader level by combining and analyzing data with threat patterns across the network.

It's all about network situational awareness, says Ed Stoner, a senior researcher at the Software Engineering Institute at Carnegie Mellon University. Since 1998, Stoner has researched new approaches to analyzing broad network activity. A major part of his research focuses on this concept.

Network situational awareness is essentially the ability to monitor large networks and analyze bulk data collections from various data sources, with the ultimate goal of detecting malicious activity. According to Stoner, this approach is crucial for network and security analysts in order to effectively defend networks from a new level of threats and malicious activity such as Stuxnet.

"The gap we often find is that network practitioners are still very narrowly focused in looking at network flow data for signs of intrusion," he says. "But from the network traffic alone, it is not easy to distinguish malicious traffic from non-malicious traffic."

For example, if there is a piece of malware on the network, it may use the HTTP protocol and transfer data back and forth just like a web browser does. This may appear normal to a network analyst.

In this case, network security analysts need to combine behavioral data about malicious artifacts with the network traffic flow data to understand malicious activity across the network.

"Without combining relevant data sets impacting the network, security professionals will fail in characterizing threats and targeted intruder activity," Stoner says.

Broadened Career Options

The bonus: By effectively identifying and addressing vulnerabilities within networks, network security professionals who embrace situational awareness also can see a positive impact on their careers.

This broadened knowledge provides practitioners with more career options in multidisciplinary areas of incident response, malware analysis, web security and data analysis. "These are all hot, in-demand job skills within the IT security industry today," says John Reed, executive director at Robert Half International, an IT staffing firm.

Organizations are heavily investing in practitioners who are entrusted with network security tasks and have a holistic view of protecting their environment to ensure their data is safe.

The number of network security-related job openings listed on, the largest IT job search site, has risen significantly in 2012. Employers have posted 13 percent more jobs for network specialists so far this year.

Reed also finds many network security specialists moving up into leadership positions in IT and information security. The key skill employers demand is a broad understanding of protection and mitigation strategies to prevent attacks from taking place, he says.

"All they want is an individual who can keep their company's networks safe from ongoing cyber threats like malware and hacking."

But having good situational awareness to proactively identify threats requires three key skills, Stoner says.

3 Key Skills

The must-have skills for network security pros who want to enhance their situational awareness:

  • Incident Response: From the situational point of view, the network analyst should be able to prioritize among incidents such as an insider threat or an external breach. Practitioners should know which type of incident needs immediate attention. They also should collect and analyze information based on the prevalence of incidents with insider-threat behaviors or breach activity, and act accordingly to control the most damaging ones first.
  • Malware Analysis: To be able to identify malicious activity, network security professionals must be aware of the different behaviors malware exhibits. They must understand the network and host-based indicators that reveal the presence and activity of malware.

    For instance, network security pros should be able to identify whether the malware is persistent and understand the mechanism it uses to keep running after a machine is rebooted, or how far the malware has spread and what likely attacks can be expected.

    Practitioners who can conduct reverse-engineering are highly preferred because they are in a position to understand the inner workings of malware such as viruses, worms and trojans. Further, network professionals must be familiar with tools such as VMware, Winalysis and Snort.

  • Developing Algorithms: Network security professionals must be able to query and conduct interactive analysis to find meaningful correlations and patterns in the combined data sets to target intrusions on the network level.
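The point made earlier in the article, that HTTP-speaking malware looks like a web browser in flow data alone, and the "Developing Algorithms" skill above come together in the kind of correlation shown below. This is an added example written for this page, not code from Stoner, the SEI or any tool the article names. The flow records, the artifact indicator set (destinations and beacon cadence taken from a hypothetical malware analysis), the field names and the regularity thresholds are all constructed for illustration.

```python
"""Correlate network flow records with host-based malware indicators.

From flow data alone, the port-80 traffic below looks like browsing. The
artifact report (what a hypothetical sample was observed doing on a host)
supplies the destinations and beacon cadence that make the same flows
recognisable. All data in this file is constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: timestamp in seconds, port 80 = web traffic.
FLOWS = [
    # workstation A: regular 60-second contacts with a single destination
    {"ts": 0,   "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 80, "bytes": 512},
    {"ts": 60,  "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 80, "bytes": 515},
    {"ts": 120, "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 80, "bytes": 510},
    {"ts": 180, "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 80, "bytes": 514},
    {"ts": 240, "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 80, "bytes": 511},
    # workstation B: ordinary browsing, irregular timing and sizes
    {"ts": 5,   "src": "10.0.0.7", "dst": "198.51.100.20", "dport": 80, "bytes": 40000},
    {"ts": 9,   "src": "10.0.0.7", "dst": "198.51.100.20", "dport": 80, "bytes": 1200},
    {"ts": 130, "src": "10.0.0.7", "dst": "198.51.100.20", "dport": 80, "bytes": 88000},
    {"ts": 131, "src": "10.0.0.7", "dst": "198.51.100.21", "dport": 80, "bytes": 3000},
    # workstation C: one contact with a destination named in the artifact report
    {"ts": 300, "src": "10.0.0.9", "dst": "203.0.113.44", "dport": 80, "bytes": 700},
]

# Constructed indicators from analysis of a hypothetical malware artifact.
ARTIFACT_INDICATORS = {
    "c2_hosts": {"203.0.113.9", "203.0.113.44"},
    "beacon_interval_s": 60,
    # Host-side indicator (persistence); recorded here but not needed for flows.
    "persistence": "autorun entry observed in sandbox (hypothetical)",
}

MIN_BEACONS = 4   # samples needed before judging regularity
MAX_CV = 0.1      # max coefficient of variation of inter-arrival gaps


def beacon_candidates(flows, min_beacons=MIN_BEACONS, max_cv=MAX_CV):
    """Return {(src, dst): mean_gap} for pairs whose port-80 flows arrive at
    near-constant intervals, i.e. a beaconing pattern visible in flows alone."""
    by_pair = defaultdict(list)
    for f in flows:
        if f["dport"] == 80:
            by_pair[(f["src"], f["dst"])].append(f["ts"])
    result = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_beacons:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            result[pair] = avg
    return result


def correlate(flows, indicators):
    """Combine flow-derived beacon candidates with artifact indicators.
    Returns a sorted list of (host, destination, reason) findings."""
    findings = set()
    c2 = indicators["c2_hosts"]
    for (src, dst), gap in beacon_candidates(flows).items():
        if dst in c2 and abs(gap - indicators["beacon_interval_s"]) <= 5:
            findings.add((src, dst, "beaconing to known C2 at artifact cadence"))
        elif dst in c2:
            findings.add((src, dst, "beaconing to known C2"))
        else:
            findings.add((src, dst, "periodic traffic, destination not in indicators"))
    # Any contact with a C2 host counts, even with too few samples to see a beacon.
    for f in flows:
        seen = any(s == f["src"] and d == f["dst"] for s, d, _ in findings)
        if f["dst"] in c2 and not seen:
            findings.add((f["src"], f["dst"], "contact with known C2 host"))
    return sorted(findings)


if __name__ == "__main__":
    for host, dest, reason in correlate(FLOWS, ARTIFACT_INDICATORS):
        print(f"{host} -> {dest}: {reason}")
```

Run on the constructed data, workstation A is flagged because its regular cadence matches the artifact report and its destination is a known C2 host, workstation C is flagged on the destination match alone, and workstation B, whose HTTP traffic is indistinguishable from A's in volume terms, is left alone. Neither the flow regularity nor the artifact indicators would have produced that separation by themselves.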

Finding candidates with all of these skills is tough, Stoner says. But for information security pros looking to enter or transition into network security, they are a must. Stoner recommends they enroll in specific security networking degree programs, or the Master of Science degree in information security offered by SANS Institute.

"These are skills which provide ground truth behavior to network professionals on what's going on in their environment," Stoner says. "Practitioners can no longer afford to shy away from this learning."

About the Author

Upasana Gupta

Contributing Editor, CareersInfoSecurity

Upasana Gupta oversees CareersInfoSecurity and shepherds career and leadership coverage for all Information Security Media Group's media properties. She regularly writes on career topics and speaks to senior executives on a wide range of subjects, including security leadership, privacy, risk management, application security and fraud. She also helps produce podcasts and is instrumental in the global expansion of ISMG websites by recruiting international information security and risk experts to contribute content, including blogs. Upasana previously served as a resource manager focusing on hiring, recruiting and human resources at Icons Inc., an IT security advisory firm affiliated with ISMG. She holds an MBA in human resources from Maharishi University of Management, Fairfield, Iowa.