Oct 20, 2023 by Georgi Nikolov | 295 views
The constant stream of data produced daily, the complicated environment and the need for quick reaction to malicious attacks make the life of cyber defense analyst a living nightmare. Many wonder how are we supposed to be able to review the gigabytes of logs produced daily, how can we manage to analyze them all and extract valuable insight into what is happening in the network?
Such questions have no easy answer. In recent years, there have been major advancements in the ways we treat data, how humans can use sophisticated tools to parse and review the information in easily digestible chunks, but the work is far from over.
Note from the writer: I would like to thank Axelle Perez, a former student at the Université Libre de Bruxelles, for her effort in researching and documenting the theory behind Situation Awareness during her Master Thesis with the Research Unit for Cyber Defense, here at the Royal Military Academy.
To better understand the difficulty of the task, we need to go down to the root of the problem- data can take many forms, many of which complicated to understand at first glance. This is not only the case for network analysis, but for every aspect of the human life. Since the dawn of time, humans have had the need to observe closely their environment to detect possible predators or adapt to the ever-changing environment. This is something quite intrinsic to human nature- the ability to observe our surrounding and gain valuable information, which will then be used to shape our future decisions. The ability to take decisions based on environment cues in the context of complex and dynamic environments has been described many times over the years, but one definition which is often viewed as the most complete is that of "Situation Awareness" (SA). This unanimously accepted definition was given by Mica Endsley, in particular in dynamic environments [1,2]:
Situation awareness is the perception of elements in the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future.
The model established by Endsley is widely used in the psychology domain to define how humans can make sense of their surroundings and perceive complex situation. As an engineer working for the US Air Force, she noticed the problems originating with aircraft's dashboard and the abundance of information, which the pilots need to deal with. Without being pilots, we ourselves can relate in many ways. A lot of us have sat at one point or another behind the steering wheel of a car, having multiple gauges and indicators on the dashboard, showing us different information about the state of the car. The dashboard of a car is not really comparable to that of a plane, but it can serve as a good example to what we are up against. A driver needs to keep their eyes on the road, observing the other drivers and the road ahead, but also keeping an eye on the speed/gas and temperature of the engine. On top of that we might need to take into account if there are other passengers in the car and how they act. A big part of juggling these different information inputs is the ability of the driver, but this can be made easier by the tools available to observe the information. This is the goal Endsley wanted to work towards: designing better instruments, which can more clearly and easily convey information to the users.
To achieve her goal, a model describing how "Situation Awareness" works needed to be established. The three essential components of the SA model, as shown in the Figure below, are there to define how well a human can recognize important information and react to it.
The model described earlier is clear and straightforward, but also a bit generic. When we try to apply it to the Cyber domain, we need to introduce and define some extra concepts to extend the model.
In regards to the cyber defense domain, analysts can quickly become overwhelmed by the significant amounts of alerts and events produced by detection assets in the network, as well as by the systems and applications producing logs and audit trails. For ages, humans have used visual aids to better understand complex situations and this is highly applicable for the cyber domain as well. Through the use of visual representation of the data, a domain analyst can perceive important information and suspicious events at a greater rate, interpret the significance of the findings through possible pattern recognition, and estimate the impact they might have on the system . This means that to enhance the Cyber Situation Awareness, we need to rely on the field of Visual Analytics, through which we can combine the strengths of a human analyst with the speed of the electronic data processing [4,5].
As we have seen through this blog, our way of perceiving our environment is of great important to how we understand and use information. In the cyber domain, we need to rely on different software to understand what is happening in our network and we rely on Visual Analytics to quickly visualize and relay information to the user. We will discuss how this can be accomplished in a future blog.
 Endsley, M.R.: Toward a theory of situation awareness in dynamic systems. Human factors 37(1), 32–64 (1995)
 Lavigne, V., Gouin, D.: Visual analytics for cyber security and intelligence. The Journal of Defense Modeling and Simulation 11(2), 175–199 (2014)
 Cui, W.: Visual analytics: A comprehensive overview. IEEE Access 7, 81555–81573 (2019)
 Thomas, J.J., Cook, K.A.: A visual analytics agenda. IEEE computer graphics and applications 26(1), 10–13 (2006)