Permission to make digital or hard copies of this publication for internal use within NATO and for personal or educational use when for non-profit or non-commercial purposes is granted providing that copies bear this notice and a full citation on the first page. Any other reproduction or transmission requires prior written permission by NATO CCD COE.
Operational Data Classes for Establishing Situational Awareness in Cyberspace Judson Dressler Department of Computer Science Rice University Houston, Texas, USA
William Moody School of Computing Clemson University Clemson, South Carolina, USA
Calvert L. Bowen, III Johns Hopkins University Applied Physics Lab Laurel, Maryland, USA
Jason Koepke Towson University Baltimore, Maryland, USA
Abstract: The United States, including the Department of Defense, relies heavily on information systems and networking technologies to efficiently conduct a wide variety of missions across the globe. With the ever-increasing rate of cyber attacks, this dependency places the nation at risk of a loss of confidentiality, integrity, and availability of its critical information resources, degrading its ability to complete the mission. In this paper, we introduce the operational data classes for establishing situational awareness in cyberspace. A system effectively using our key information components will be able to provide the nation’s leadership timely and accurate information to gain an understanding of the operational cyber environment to enable strategic, operational, and tactical decision-making. In doing so, we present, define and provide examples of our key classes of operational data for cyber situational awareness and present a hypothetical case study demonstrating how they must be consolidated to provide a clear and relevant picture to a commander. In addition, current organizational and technical challenges are discussed, and areas for future research are addressed.
Keywords: cyber situational awareness, cyberspace operations, operational needs
1. INTRODUCTION The critical computer networks of the United States play a key role in our everyday lives, controlling the nation’s energy, transportation, and financial systems. As such, the Department of Defense (DoD) has built operational dependency on its information systems and their associated networks. Disruption of these networks would have significantly damaging effects on the United States’ ability to operate and defend itself. With the constantly increasing rate
of cyber-attacks against our nation’s network infrastructure and the ever-changing nature of computing, it is vitally important for the DoD to have an understanding of the cyber operating environment in order to properly secure and defend the nation. More than a decade ago, Bass  observed that current intrusion detection technologies were not maturing at the rate of new attacks. Former Director of the National Security Agency (NSA), Mike McConnell, echoed this sentiment in February 2010 when he stated: “The United States is fighting a cyber-war today, and we are losing. It’s that simple. As the most wired nation on Earth, we offer the most targets of significance, yet our cyber-defenses are woefully lacking” . Commander, United States Cyber Command (USCYBERCOM) and Director of the NSA General Keith Alexander continued: “... to defend those networks and make good decision in exercising operational control over them ... will require much greater situational awareness and real-time visibility of intrusions into our networks” . These concerns clearly identify the need for a comprehensive strategy to gain situational awareness over the cyber domain, which enables commanders at all levels to consider cyber as they make operational decisions and direct actions for their forces. To successfully operate in the cyberspace domain, Cyber Situational Awareness (CSA) must be effectively enabled to empower commanders and government leaders to drive action and support rapid decision-making. In this paper we propose six classes of data for establishing situational awareness in cyberspace. Section 2 provides background information and motivations for situational awareness. Section 3 describes related works in cyberspace research. We describe our data classes in Section 4 and present a case study in Section 5. Challenges to establishing cyberspace situational awareness are discussed in Section 6. Sections 7 and 8 present conclusions and areas for future research, respectively.
2. BACKGROUND AND MOTIVATION Defining the term “situational awareness” is almost as hard as actually building situational awareness. United States Department of Defense joint doctrine does not define situational awareness in its Dictionary of Military and Associated Terms, JP 1-02, though situational awareness is used in the definition of four other terms: blue force tracking, common operational picture, United States Strategic Command’s Global Network Operations Center, and national operations center. The closest definition in JP 1-02 was that of “battlespace awareness”, but it has been removed from the latest version.
Battlespace Awareness - Knowledge and understanding of the operational area’s environment, factors, and conditions, to include the status of friendly and adversary forces, neutrals and noncombatants, weather and terrain, that enables timely, relevant, comprehensive, and accurate assessments, in order to successfully apply combat power, protect the force, and/or complete the mission .
Since the DoD has established cyberspace as a warfighting domain, many aspects of that definition hold true in cyberspace, the key being to enable commanders to issue orders to forces based on timely and accurate information. The ultimate goal of situational awareness in cyberspace is to maintain strategic and tactical understanding while continuously taking action or making operational risk decisions. Achieving CSA has proven difficult to date. However, there is a series of issues to be addressed that will allow incremental progress towards CSA capabilities, enabling any organization to harness the power of near real-time information supporting decision-making and proactive actions. Those issues include:
• Identification of what decisions and actions the organization may need to take with respect to cyber to assure operations can be sustained
• Identification of and access to the appropriate data that supports those decisions and actions
• Analytic tools to make sense of the presented data as it relates to operations
• Technology to consolidate and visualize data for decision makers at multiple levels within the organization
3. RELATED WORKS Network defense and, in the military realm, information dominance have been hot topics over the last decade [5, 6, 7]. Computer systems have become fully integrated into our very existence, impacting how we live our lives. Research has been focused on defining cyberspace and developing innovative ways to defend it in the ever-changing cyber environment [8, 9, 10], including discussions focused on the unique challenge that most of the network infrastructure is a commercial product outside the control and protection of any one entity [9, 11, 12]. There has also been considerable investment into new hardware and software technologies for intrusion detection systems (IDS), host-based security systems, and anti-virus discovery mechanisms. IDS research has moved closer to the individual user and toward a behavior-based approach, as exemplified in [13, 14]. Automated responses have now been included in these detection tools to effectively shut down an attack once recognized, by severing the connection or changing a rule. While progressing, these tools still suffer from a false positive problem which usually causes users to scale back the detection threshold. Commercial visual analytic tools have been developed in an attempt to provide a CSA picture: IBM’s Analyst’s Notebook discovers patterns and trends across volumes of data to identify and predict malicious behavior; Palantir’s toolset focuses on the fusion of disparate data sources into a unified picture for security analysis; and HP’s ArcSight is a security information and event management system for enterprise-level IT architecture [15, 16, 17, 18]. Academic research has also developed visualization techniques in an attempt to provide insight into the network, most using the mantra of Ben Shneiderman of the University of Maryland: “overview first, zoom and filter, and then details-on-demand” [19, 20]. VisFlowConnect uses a parallel axes view to show the volume of network traffic in sender/receiver pairings over time; CNSSA incorporates information from multiple sources including current vulnerabilities to assign a vulnerability score based on the Common Vulnerability Scoring System; and SiLK provides analysts with the ability to understand, query, and summarize recent and historical network traffic data [20, 19]. Many publications in the last few years discuss security frameworks to gain insight into the situational environment [9, 21] and, even more recently, the notion of tying network security to mission assurance [9, 22, 23]. In , the authors present a major task list that a cyber common operating picture must be able to complete, as well as technological concerns in the development of such a system; the Cyber Attack Modeling and Impact Assessment Framework  automates the development of attack graphs for computational analysis and impact assessment; and  argues for effective policies for near real-time information sharing between multiple parties. All of these ongoing studies and current analytical tools are inherently important to CSA and to the discussion of the optimal way to achieve awareness of the cyber domain; however, they do not address the fundamental building block of any situational awareness tool: the data. Our work’s novelty springs from this gap, discussing what classes of information are necessary and how each one builds upon the others to develop a holistic operational picture for establishing situational awareness in cyberspace.
4. CYBER OPERATIONAL DATA CLASSES To achieve operationally relevant situational awareness of the cyberspace warfighting domain, a system must utilize six classes of information by fusing, correlating, analyzing, and visualizing them in near real time. The six classes are as follows:
1) Current and near-future threat environment;
2) Global threats and significant anomalous activity;
3) Vulnerabilities of own computer systems and underlying infrastructure;
4) Prioritized cyber key terrain that allows understanding of operational and technical risks;
5) Current operational readiness and capability of its cyber forces and sensors; and
6) In-depth knowledge of ongoing operations and critical mission dependencies on its cyber assets.
As shown in Figure 1, the intersection of any combination of these classes provides more information and moves towards the sweet spot of SA. The factors from all six classes must be continuously assessed in order to provide a true, accurate and holistic representation of the domain which supports the ability to take critical actions and make decisions.
FIGURE 1. NOTIONAL INTERSECTION OF CLASSES OF INFORMATION REQUIRES CONTINUOUS ASSESSMENT TO PROVIDE CYBER SA AND ENABLE CRITICAL ACTIONS AND DECISIONS
A. Threat Environment To successfully defend the network, an in-depth analysis of potential threats is crucial. This includes an understanding of who would want to attack the network, what goals they are looking to achieve, and how they normally operate. A thorough knowledge of a threat’s personality and normal behaviors will assist in identifying the threat’s tactics, techniques, and procedures (TTP) and in developing TTPs for network defense and incident response. Assessing an attack’s vector in its early stages may reveal the attacker’s capability and behavioral trends, leading to projections of future intrusion activities. This awareness can reap huge rewards in the protection from and reaction to a cyber attack. It also can be used to proactively align resources to counter future attacks using similar TTPs. Development of these adversary profiles could also lead to attribution in the event of an attack.
B. Anomalous Activity Most networks have firewalls, anti-virus, and intrusion detection systems, which operate under pre-established rules or signatures, to detect or block an anomalous activity when it occurs. These tools cannot respond to a zero-day exploit or a polymorphic virus because these events do not trigger the pre-established rules. Network and host-based IDS are essential to successfully defending the network. However, “IDS sensors can only capture systematic phenomena caused by attacks but cannot positively ascertain whether an attack has happened or succeeded” . Baseline historical and current consolidated and normalized data must be incorporated into an automated system in order to understand what is “normal” and what is “anomalous”, and then to take actions to effectively defend against the cyber threats represented by this activity.
C. Vulnerabilities From 2006 to 2011, over 75 thousand new security vulnerabilities were discovered . Vulnerabilities are present in every system no matter how secure the system claims to be. Technology advances so rapidly that it can be virtually impossible to eradicate vulnerabilities altogether. The best one can hope for, in many cases, is simply to minimize them. In order to assess and minimize the risk to the network, vulnerabilities of the systems and the underlying infrastructure must be known. System administrators and security specialists must have the knowledge and tools to understand the vulnerabilities of their networks and to properly test any new system or application before applying it to the network. Most importantly, these vulnerabilities must be known and continuously assessed. Leadership must be willing to allocate funds for vulnerabilities to be found and fixed.
D. Key Terrain Though a single organization may have tens of thousands of systems ranging from desktops and mobile devices to routers and switches spread geographically across the world, not all systems have equal criticality to mission success. Defending and garnering full knowledge of all systems, accounts, and processes on the network in real time is impractical. Therefore, it is necessary to identify and prioritize key cyber assets to allow the understanding of critical risks both operationally and technically. Identification of cyber key terrain includes all critical information, systems, and infrastructure, whether owned by the organization or used in transit by its information . That said, even these systems must be prioritized and may be less vital than a specific network link supporting a real-time airborne mission. The identification allows for prioritized defense of assets but cannot fail to consider all systems and assets in the network.
E. Operational Readiness Organizations must know the operational readiness and capability of their cyber forces and assets. This includes the status of its tools and capabilities along with the ability of its cyber forces to protect its networks. Understanding the training status of all personnel to operate in the current threat environment and the readiness and integrity of network sensors, paths, and systems is critical. A real-time status of the network and personnel resources provides data necessary to recognize an attack and align resources which are available to appropriately respond. Mission impact is another aspect of operational readiness which is often hard to define and keep up to date. For a situational awareness picture to truly be useful, it must be operationally relevant and actionable. For this to occur, an organization must have a thorough understanding of mission dependencies based on cyber assets. With the knowledge and prioritization of intermission and mission-system dependencies, the organization can now depict to leadership the impact of a cyber event, whether an outage or attack, and the significance of securing certain assets [9, 22].
F. Ongoing Operations Lastly, information about the status of all ongoing operations (cyber, kinetic, and even diplomatic) must be fully understood by commanders at all levels. This knowledge could be used to deconflict controlled outages or upgrades to systems that are currently engaged in support of an operation. It could also be used to dynamically identify key terrain and adjust defensive TTPs during the operational window of time. Understanding which operations are being executed or are soon to begin execution allows commanders to reallocate assets as necessary to support those operations. In addition, this allows leaders to understand the operational impact of systems and their critical operational dependencies.
5. AN OPERATIONAL CASE STUDY A hypothetical operational case study is presented in order to emphasize the value of holistic fusion of data from all six classes. In this case study, we introduce a commander and staff who are initially presented data from the ongoing operations, key terrain, and operational readiness classes. We will show the improved situational awareness opportunities to impact the commander’s decision-making process as additional information classes are considered. A US Joint Task Force (JTF) is currently conducting combat operations in an area of operations that requires the continuous flow of logistical and personnel resupply. In the operational planning process, the commander has designated his logistical support information systems as cyber key terrain. These systems operate on an unclassified military network so they can receive updates from commercial shipping and airflow systems on the Internet. The JTF commander is also aware that the network sensors deployed to protect these logistical systems are degraded due to required maintenance upgrades. The upgrades are currently scheduled for implementation by a computer network defense service provider (CND-SP) stationed in the continental United States during the next month. Lastly, the commander has an extremely proficient cyber investigative and forensics unit attending commercial certification refresher training. With this partial set of information, the commander has a good baseline of situational awareness of cyber assets and how they may impact his operations across all warfighting domains. During the course of operations, a critical vulnerability in the outdated operating system of the logistical support system is discovered. As a DoD program of record, the potential patch for this vulnerability remains in pre-deployment testing and is not scheduled for release for another 30 days.
USCYBERCOM has assessed the vulnerability and issued a high priority message across the DoD cyber enterprise announcing the details of the vulnerability. This vulnerability allows root-level access to be gained on the systems, potentially enabling the deployment of malicious software on all unpatched systems. The commander is advised of the potential impact to his key logistics systems, but decides to take no action based on requirements for the continued flow of supplies and personnel supporting his operational mission set. When the intelligence officer advises the commander on a new cyber threat report, an additional class of data (Threat Environment) is fused with the current understanding of the battlespace. In this report, it is assessed that the adversary has ever-increasing interest in disrupting and influencing the logistical flow of forces and supplies into theater. Additionally, supporting cyber assets are known to deploy Trojan-horse software on susceptible systems. This additional information on the threat environment improves the commander’s understanding of the cyber environment and drives him to take decisive action to ensure his combat power will be available at the critical point in his operations. He directs his cyber force to cease their commercial training and refocus their efforts on monitoring the behaviors of his logistical support platforms. While reviewing the network flow and log data from the logistical system, the team discovers information included in our last class, Anomalous Activity. More than half of the logistical support systems supporting the JTF have been sending irregularly sized traffic over TCP port 443 to a subnet outside of the United States. Further forensics work determines documents have
been slowly exfiltrated via covert encrypted and unencrypted channels. The commander is now alarmed and initiates crisis action planning. He directs the stateside CND-SP to immediately upgrade the defensive sensors and to remove the logistics systems from the network until appropriate countermeasures can be deployed to protect the systems until the patch becomes available. Further, he requests intelligence and cyber forensics support to determine which files were stolen and the potential operational impact of their loss. Now that he does not fully trust his logistics systems’ information, since the exfiltrated files included future shipping schedules, he reallocates air and naval assets to protect inbound shipping containers and thereby his logistical lines of communication. Lastly, he directs his cyber forces to begin detailed log review with daily update briefings. This case study portrays an environment where all SA information classes have an abundance of data available for consumption by an integrated system or a motivated person able to fuse them together to provide the opportunity for total situational awareness. This is not today’s reality. Cyber forces rarely track or concern themselves with the status of ongoing operations across all warfighting domains. Strategic and operational commanders do not know or fully understand how to determine their cyber key terrain. If they do, typically they have not taken the required actions or time to determine and designate cyber key terrain. Additionally, the operational readiness of cyber forces is not well defined or tracked at the level needed to fully understand capabilities and how they could impact operations. In contrast, vulnerability, threat and anomalous activity data are plentiful within the intelligence and cyber communities.
That said, the data is often presented to the commander in a way in which information overload or technical jargon routinely makes it difficult for the commander to assess the value of the information, and therefore the information is discounted or ignored. Other challenges that inhibit today’s ability to gain, maintain, and adjust the fusion of information that can provide SA to the commander are described in the next section.
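The following added example (not from the paper) encodes the Section 4 classes as small data sets and fuses them, Figure 1 style, for the Section 5 scenario: key terrain joined with an unpatched advisory, a threat report, degraded sensor coverage, ongoing operations, and flow records in which a majority of the logistics hosts push irregularly sized 443 traffic to an external subnet. Every host name, address range, advisory id, sensor name and flow record is constructed sample data.

```python
"""Fuse the six CSA data classes for the Section 5 logistics scenario.
Added example, not from the paper; all names, addresses and records are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed asset inventory: OS and mission role per host.
INVENTORY = {
    "log-app-01": {"os": "legacy-os-5", "role": "logistics"},
    "log-app-02": {"os": "legacy-os-5", "role": "logistics"},
    "log-db-01":  {"os": "legacy-os-5", "role": "logistics"},
    "hr-web-01":  {"os": "current-os-9", "role": "personnel"},
}
# Class 4, key terrain: the commander's designated logistics systems.
KEY_TERRAIN = {"log-app-01", "log-app-02", "log-db-01"}
# Class 3, vulnerabilities: constructed critical advisory whose patch is still in testing.
ADVISORY = {"id": "ADV-PLACEHOLDER-001", "affects_os": "legacy-os-5", "patch_available": False}
# Class 1, threat environment: constructed intel report on adversary interest and TTP.
THREAT = {"interest": "logistics", "ttp": "trojan + exfil over 443"}
# Class 5, operational readiness: which sensor covers which hosts, and its state.
SENSORS = {"ids-theater-01": {"state": "degraded", "covers": {"log-app-01", "log-app-02", "log-db-01"}}}
# Class 6, ongoing operations and the systems they depend on.
OPERATIONS = {"RESUPPLY-CONVOY": {"log-app-01", "log-app-02", "log-db-01"}}
# Constructed friendly address space; anything outside it is treated as external.
FRIENDLY_NETS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]


@dataclass
class Flow:
    src_host: str
    dst_ip: str
    dst_port: int
    bytes_out: int


# Class 2 raw input: constructed flow records. Normal 443 sessions run 2-5 KB;
# two key-terrain hosts also push large uploads to an external /24.
FLOWS = [
    Flow("log-app-01", "203.0.113.10", 443, 2100),
    Flow("log-app-01", "203.0.113.10", 443, 3300),
    Flow("log-app-01", "198.51.100.7", 443, 950_000),
    Flow("log-app-02", "203.0.113.11", 443, 2800),
    Flow("log-app-02", "203.0.113.11", 443, 3100),
    Flow("log-app-02", "198.51.100.9", 443, 1_200_000),
    Flow("log-db-01", "203.0.113.10", 443, 4100),
    Flow("hr-web-01", "203.0.113.12", 443, 2500),
]


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in FRIENDLY_NETS)


def anomalous_hosts(flows, ratio=10.0):
    """Class 2: per-host 443 egress to external space that dwarfs the host's own
    median session size (a crude size-irregularity baseline). Returns {host: bytes}."""
    by_host = defaultdict(list)
    for f in flows:
        if f.dst_port == 443:
            by_host[f.src_host].append(f)
    flagged = {}
    for host, fl in by_host.items():
        baseline = median(f.bytes_out for f in fl)
        big = [f for f in fl if is_external(f.dst_ip) and f.bytes_out > ratio * baseline]
        if big:
            flagged[host] = sum(f.bytes_out for f in big)
    return flagged


def vulnerable_hosts():
    """Class 3 joined with the inventory: hosts running the affected OS."""
    return {h for h, a in INVENTORY.items() if a["os"] == ADVISORY["affects_os"]}


def fuse(flows=FLOWS):
    """Intersect the classes (Figure 1) into one scored per-host picture, highest risk first."""
    anomalies, vuln = anomalous_hosts(flows), vulnerable_hosts()
    picture = []
    for host, attrs in INVENTORY.items():
        score, why = 0, []
        if host in KEY_TERRAIN:
            score += 3; why.append("key terrain")
        if host in vuln and not ADVISORY["patch_available"]:
            score += 2; why.append(f"unpatched {ADVISORY['id']}")
        if attrs["role"] == THREAT["interest"]:
            score += 2; why.append("matches reported adversary interest")
        if host in anomalies:
            score += 4; why.append(f"{anomalies[host]} B irregular 443 egress")
        for op, deps in OPERATIONS.items():
            if host in deps:
                score += 1; why.append(f"supports {op}")
        for name, s in SENSORS.items():  # readiness caveat on coverage, no score change
            if host in s["covers"] and s["state"] != "ready":
                why.append(f"coverage {s['state']} ({name})")
        picture.append((host, score, why))
    return sorted(picture, key=lambda t: -t[1])


def mission_impact(flows=FLOWS):
    """Share of key terrain showing anomalous egress; the case study treats a
    majority as the trigger for crisis action planning."""
    hit = KEY_TERRAIN & set(anomalous_hosts(flows))
    share = len(hit) / len(KEY_TERRAIN)
    return share, ("crisis action planning" if share > 0.5 else "monitor")
```

Calling `fuse()` ranks the two exfiltrating logistics hosts first with every contributing class named, and `mission_impact()` reports that two of the three key-terrain systems are affected; dropping any one class from the inputs visibly lowers the score, which is the point of Figure 1.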
6. CURRENT CHALLENGES Effective Cyber Situational Awareness requires that data and information be collected, analyzed, and displayed to the end customer in a timely and relevant manner. Although numerous challenges exist, the key barrier to successful implementation and execution of enterprise-wide CSA is solving the following organizational and technical challenges.
A. Organizational Fear Gaining access to all of the necessary network data within different aspects of an organization can lead to a turf war. No entity wants to give up access to its data, out of fear: fear of humiliation in publicizing security flaws, fear of losing a competitive edge or public confidence, or fear of the proverbial 1,000 mile hammer. Regardless of the reason, this fear prevents complete situational awareness. To combat this fear, the United States Department of Defense must define and enforce a single information owner who can aggregate this data for analysis.
B. Data Consolidation & Normalization Data comes in the form of technical and human collections, including IDS, network sniffers, and computer system log files. Ingesting all of the data is currently impractical but may soon become reality due to the advancement of cloud computing and ever-increasing data transfer rates. Determining the proper metrics and alert thresholds for the organization is essential for real-time analysis. The data from these sources needs to be consolidated and put into a normalized format in order to be properly ingested into a CSA tool. Data refinement is simplified when a common format exists, and it requires a temporal calibration of the different data streams .
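As an added illustration of the normalization and temporal calibration step (example code, not from the paper), the block below takes one minute of activity as reported by three constructed streams in three formats (a syslog line with a zone offset, an IDS alert in JSON with epoch milliseconds, and a flow CSV whose collector clock is assumed to run 45 seconds fast), maps them onto one record schema, and orders them by calibrated UTC time. The formats, sensor names and skew values are assumptions.

```python
"""Normalise three constructed event streams into one schema with calibrated UTC
timestamps. Added example, not from the paper; formats and skews are assumed."""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed per-source clock calibration (e.g. measured against NTP): the flow
# collector reports times 45 s ahead of true time, so 45 s is subtracted.
CLOCK_SKEW = {
    "flow-collector": timedelta(seconds=45),
    "ids-theater-01": timedelta(0),
    "host-syslog": timedelta(0),
}


@dataclass(order=True)
class Event:
    ts: datetime      # calibrated, timezone-aware UTC
    source: str       # which sensor or collector produced it
    host: str         # the asset the event concerns
    kind: str         # event type or originating process
    detail: str


# "<timestamp> <host> <proc>[pid]: <message>", pid optional.
SYSLOG_RE = re.compile(r"^(\S+) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")


def parse_syslog(line: str) -> Event:
    """RFC 5424-style timestamp carrying its own zone offset, e.g. +03:00."""
    ts, host, proc, msg = SYSLOG_RE.match(line).groups()
    when = datetime.fromisoformat(ts).astimezone(timezone.utc)
    return Event(when - CLOCK_SKEW["host-syslog"], "host-syslog", host, proc, msg)


def parse_ids(line: str) -> Event:
    """IDS alert as one JSON object with epoch milliseconds (already UTC)."""
    a = json.loads(line)
    when = datetime.fromtimestamp(a["ts_ms"] / 1000, tz=timezone.utc)
    return Event(when - CLOCK_SKEW[a["sensor"]], a["sensor"], a["src_host"], "ids-alert", a["sig"])


def parse_flow(line: str) -> Event:
    """Flow CSV: naive timestamp written by a collector that runs in UTC but is skewed."""
    ts, host, dst, port, nbytes = line.split(",")
    when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return Event(when - CLOCK_SKEW["flow-collector"], "flow-collector", host, "flow",
                 f"{dst}:{port} {nbytes} B")


PARSERS = {"syslog": parse_syslog, "ids": parse_ids, "flow": parse_flow}


def normalise(raw):
    """raw: iterable of (stream name, raw line). Returns Events in calibrated time order."""
    return sorted(PARSERS[stream](line) for stream, line in raw)


# Constructed sample: the same minute on one host as seen by the three streams.
# Uncalibrated, the flow record (11:04:05) would sort after the syslog line (11:03:40 UTC).
SAMPLE = [
    ("flow", "2014-03-10 11:04:05,log-app-02,198.51.100.9,443,1200000"),
    ("syslog", "2014-03-10T14:03:40+03:00 log-app-02 svc[88]: spawned upload helper"),
    ("ids", '{"ts_ms": 1394449380000, "sensor": "ids-theater-01", '
            '"src_host": "log-app-02", "sig": "TLS to unlisted external subnet"}'),
]
```

After `normalise(SAMPLE)` the IDS alert, the flow and the syslog line fall at 11:03:00, 11:03:20 and 11:03:40 UTC respectively, so the three sensors agree on the sequence of events.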
C. Data Synthesis Currently, stove-piped data synthesis solutions exist across different parts of organizations that were developed separately over time without a clear coordinated cyber strategy. The challenge arises with how to fuse the data together. The fusion process requires the utilization of processing algorithms, such as Sudit’s and Stotz’s INFERD system, and comparison with known statistics (from US-CERT, McAfee, Norton, etc.) to assess evolving situations and threats in cyberspace . This data synthesis is needed for a full understanding of the normal state of the network, allowing security to move away from signature-based toward true anomaly-based detection. Intruders executing stealthy TCP-based attacks on multiple geographically separated parts of a corporate network may fall below the pre-established security thresholds. A common situational awareness tool which ideally includes all six classes of information may be able to synthesize the data and combine disparate attacks, which may paint the picture of a coordinated and sophisticated enemy [28, 29].
D. Result Visualization and Dissemination Until intrusion detection becomes truly machine-to-machine automation that responds immediately to anomalous activity, human intervention will require rapid understanding, achieved by presenting data in a visual manner. In the traditional warfare domains, situational awareness was represented geospatially on a map. Military leadership is used to this representation of the disposition of forces, but this depiction does not always fit well within the cyber realm. Visualization systems need to be much more than PowerPoint presentations and bar charts; however, 2D systems such as parallel axes, logical maps, and temporal visualization of packet flows are limited in their ability to represent all the data attributes in one view. In addition, situational awareness visualizations must be able to illustrate mission impact to truly have meaning to leadership. A dissemination plan must also be established for the actionable results, as not all information is appropriate for all personnel. Attributes that clearly identify the mission authorities and identity of the user can be used to present the appropriate data to each user.
E. Timeliness As the amount of data, rules and signatures increases, analysis accuracy decreases and false positives increase, hampering timely detection and response. Cyber attacks occur frequently and can cause debilitating effects within milliseconds. To combat this, a finely tuned advanced threat detection engine must be used in conjunction with the known normal state to ensure that the broadest possible spectrum of threats is identified and to eliminate false positives as much as possible. The challenge pivots on the ability to summarize vast amounts of information at the appropriate level and then provide it to operators at the appropriate levels in a timely fashion.
7. CONCLUSION
The United States' reliance on computer networks is undeniable, and there will never be an impervious defense against all network attacks. Robust situational awareness of the cyber environment, detailing what is happening, where it is happening, and what the best available response options are, is therefore absolutely critical to operations. In this paper, we developed a new approach to assist decision makers in rapid decision making. We introduced the six classes of information (threat environment, anomalous activity, vulnerabilities, key terrain, operational readiness and ongoing operations) necessary to effectively enable commanders and government leaders to incorporate cyberspace into the decision making process. This data must be continuously analyzed to provide a true and accurate representation of the domain. However, many challenges remain to be addressed before situational awareness in cyberspace can be obtained. This paper has identified the decisions and actions the United States must take with respect to cyber, whether analytic tools to correlate the presented data to an operation or the technology to consolidate and visualize data for decision makers. Once these are addressed, the operational view of cyberspace can move from one of network assurance to a true mission assurance focused situational awareness picture. No effective and exhaustive solution exists for recognizing the majority of cyber attacks before they occur and cause damage. Given the speed of attack achievable in cyberspace, a fully developed cyber situational awareness picture is as close to an early warning system as one can achieve. Therefore, the challenges must be overcome, and situational awareness in cyberspace must be realized to enable proactive, agile, and successful network defense for the United States.
8. FUTURE WORK
The classes of data introduced in this paper are based on the authors' extensive operational experience working at the highest levels of command in the area of cyber situational awareness for the U.S. Department of Defense. Though the authors have traveled widely briefing senior leaders in multiple organizations across the Department on Cyber SA, experimentation with and prototyping of systems that use these classes is necessary to fully validate the claims. Several key aspects of attaining situational awareness are still not well defined. Every organization depends on cyber assets to accomplish its mission. These assets can encompass thousands of computer systems, network sensors, and personnel spread across the globe. An efficient method for determining cyber key terrain to assure mission accomplishment has yet to be found. As networks expand and data rates continue to soar, working with massive datasets in real time is becoming more common. More research is necessary into taking sensor event data, efficiently storing it and correlating it to mission impact, and then disseminating it in a timely manner to enable leadership to make better decisions. The advent of cloud computing may make this more achievable. Many advances are being made in general data visualization techniques. The conventional SA tool displays network events on a geo-referenced map of the network. This method works well for battlefield awareness of ground, naval, and aerial assets, but may not be the best way to view cyberspace, whose interconnections defy geographic boundaries. Other visualization techniques need to be developed which provide SA at various levels: to inform commanders for leadership decisions, and to inform net defenders and system administrators for decisive action at the operator or analyst level.
REFERENCES
[1] T. Bass, "Intrusion Detection Systems & Multisensor Data Fusion: Creating Cyberspace Situational Awareness," Communications of the ACM, 2000.
[2] M. McConnell, "Mike McConnell on How to Win the Cyber-War We're Losing," Washington Post, 28 February 2010.
[3] K. Alexander, "Advance Questions for Lieutenant General Keith Alexander, USA, Nominee for Commander, United States Cyber Command," Washington Post.
[4] Department of Defense, "Joint Publication 1-02, Dictionary of Military and Associated Terms," 2010.
[5] J. Li, X. Ou and R. Rajagopalan, "Uncertainty and Risk Management in Cyber Situational Awareness," in Cyber Situational Awareness, 2010.
[6] C. Croom, "The Defender's 'Kill Chain'," Military Information Technology, vol. 14, no. 10, 2010.
[7] K. Deutsch, "Importance of Information Dominance," Military Information Technology, vol. 14, no. 10, 2010.
[8] L. Stovall, "People, Processes and Technology," Military Information Technology, vol. 14, no. 10, 2010.
[9] L. Cumiford, "Situational Awareness for Cyber Defense," in 2006 CCRTS: The State of the Art and the State of the Practice, 2006.
[10] S. Jajodia and S. Noel, "Topological Vulnerability Analysis," in Proceedings of the Army Research Office Cyber Situational Awareness Workshop, 2009.
[11] P. Cuviello and B. Kobel, "Cyber-Awareness is a Team Sport," Military Information Technology, vol. 14, no. 10, 2010.
[12] K. Condello, "Working Together for Real-Time Awareness," Military Information Technology, vol. 14, no. 10, 2010.
[13] R. Koch and M. Golling, "Architecture for Evaluating and Correlating NIDS in Real-World Networks," in 5th International Conference on Cyber Conflict, Tallinn, 2013.
[14] O. McCusker, S. Brunza and D. Dasgupta, "Deriving Behavior Primitives from Aggregate Network Features Using Support Vector Machines," in 5th International Conference on Cyber Conflict, Tallinn, 2013.
[15] G. Conti, J. Nelson and D. Raymond, "Towards a Cyber Common Operating Picture," in 5th International Conference on Cyber Conflict, Tallinn, 2013.
[16] IBM, "Analyst's Notebook," [Online]. Available: http://www-03.ibm.com/software/products/en/analystsnotebook-family/. [Accessed 6 February 2014].
[17] Palantir, "Palantir," [Online]. Available: https://www.palantir.com. [Accessed 6 February 2014].
[18] HP, "Security Information and Event Management," [Online]. Available: http://www8.hp.com/us/en/software-solutions/siem-arcsight/. [Accessed 6 February 2014].
[19] R. Xi, S. Jin and X. Yun, "CNSSA: A Comprehensive Network Security Situational Awareness System," in IEEE 10th International Conference on Trust, Security, and Privacy in Computing and Communications (TrustCom), 2011.
[20] X. Yin, W. Yurcik, Y. Li, K. Lakkaraju and C. Abad, "VisFlowConnect: Providing Security Situational Awareness by Visualizing Network Traffic Flows," in IEEE International Conference on Performance, Computing, and Communications, 2004.
[21] S. Batsell, N. Rao and M. Shankar, "Distributed Intrusion Detection and Attack Containment for Organizational Cyber Security," 2005. [Online]. Available: http://www.ioc.ornl.gov.
[22] W. Heinke, "What Commanders Need to Know," Military Information Technology, vol. 14, no. 10, 2010.
[23] M. Gregoire and L. Beaudoin, "The Science of Mission Assurance," in Visualization and the Common Operational Picture, 2005.
[24] I. Kotenko and A. Chechulin, "A Cyber Attack Modeling and Impact Assessment Framework," in 5th International Conference on Cyber Conflict, Tallinn, 2013.
[25] D. Fernandez Vazquez, O. Pastor Acosta, S. Brown, E. Reid and C. Spirito, "Conceptual Framework for Cyber Defense Information Sharing Within Trust Relationships," in 4th International Conference on Cyber Conflict, Tallinn, 2012.
[26] B. Casey, "The IBM Institute for Advanced Security Expert Blog," IBM, 31 March 2011. [Online]. Available: http://www.instituteforadvancedsecurity.com.
[27] T. Pingel, "Key Defensive Terrain in Cyberspace: A Geographic Perspective," in Proceedings of the International Conference on Politics and Information Systems (PISTA), Orlando, 2003.
[28] M. Sudit and A. Stotz, "Information Fusion Engine for Real-time Decision-making (INFERD): A Perpetual System for Cyber Attack Tracking," in 10th International Conference on Information Fusion, 2007.
[29] S. Yang, S. Byers and J. Holsopple, "Intrusion Activity Projection for Cyber Situational Awareness," 2008. [Online]. Available: http://www.ieeexplore.ieee.org.