Why cyber range training and simulation are key for effective security operations

null

The cybersecurity scene has never been so dynamic and complex. The number of attacks and their complexity has grown drastically, and the amount of security solutions collecting endless amounts of alerts and events have raised drastically. A recent Ovum survey sponsored by McAfee, found that 37 percent of respondents in the financial sector had to deal with over 200,000 daily security alerts, and many institutions deploy between 100-200 disparate security solutions.    

New threats and attack vectors emerge, spanning across a converged attack surface of IT and OT networks, as well as IoT devices. Attacks have become time-sensitive, requiring SOCs to detect and respond within seconds to minutes, and challenging the SOC’s ability to perform effectively. We have seen this new reality once again in the recent attack on the Cosmos Bank in India last month, where over $15M were stolen via ATM hacking. Topping this, new regulatory guidelines are being introduced requiring strict procedures and comprehensive reporting processes. In parallel, our overall ability to recruit, train and retain our cybersecurity experts has been dropping continuously over the last years. These trends will remain with us and in many cases increase in the foreseen future, making the jobs of our CISOs ever more challenging.

Forward thinking CISOs now understand that rushing to spend their growing budgets to purchase the latest tools, hoping that the new technology will finally improve their security posture, will not resolve their strategic, and, in many cases, existential problems. They are beginning to acknowledge that their teams are not professionally equipped to face the new generation threats, not because of the lack of products or technologies, but because they don't really know how to operate them effectively. Most of them have never trained effectively, either as individuals or as a team, never faced a multi-stage attack, and have never used their technologies in a real-life attack scenario, requiring them to respond to an evolving attack within minutes. 

Today, responding to incidents requires using several disparate tools, and an entire team to work on them in tandem, collecting the pieces of the puzzle, assembling them into an attack timeline and  responding to the attack. This kind of team work requires multiple SOC team members and external teams to work in a highly orchestrated fashion. Forensic analysts, tier one and tier two analysts, and external teams like IT, fraud, and risk management, must all be tightly aligned. This level of coordination is very difficult to achieve and requires well-defined procedures, as well as intensive rehearsals and training. 

And yet, we are not taking training as seriously as we should.

Would any of us agree to board a plane where the crew learned how to operate an emergency procedure over a PowerPoint presentation? Obviously not.

Would an elite military unit be dropped into a battle without having gone through numerous dry-runs over months, rehearsing all potential scenarios and using their entire arsenal of weapons? The answer is, again, NO.

So, why do we believe that this approach might work for cyber security practitioners? We’ve repeatedly learned that the human factor is the number one parameter determining the success of complex hands-on tasks. Hence, investing in our cyber experts and in our SOC teams, both as individuals, as well as a unified team, is THE key to an effective SOC. In the case of cybersecurity, this challenge is amplified. The shortage in cybersecurity professionals is at a critical state and will only continue to grow, forcing cybersecurity leaders to hire unexperienced team members to fill in open positions. Security analysts, often junior and barely trained, are expected to master dozens of security products in increasing numbers, defending against threats they have never experienced before. 

How many of you, or your SOC operators, have ever experienced an advanced threat infiltrating and spreading through an IT network? These tools are hard to configure and use. As a result, at the moment of truth – the team fails to deliver.

No wonder that according to the SANS 2018 SOC Survey, lack of skilled staff was the most common reason respondents felt was hampering SOC capabilities.   

Addressing the Gap

Traditional IT security training is largely ineffective, because it relies on sterile, mostly theoretical training. It is often conducted on the job by SOC team members rather than by professional instructors. To get our security teams prepared to face today’s multi-dimensional IT and OT security challenges, we must place them in a technology-driven environment that mirrors their own, facing real-life threats. In other words: hyper-realistic simulation. 

Just as you would never send a pilot to combat before simulating emergency scenarios and potential combat situations, we should not send our cyber defenders to the field before enabling them to experience potential attacks and practicing response within a simulated environment.

A flight simulator replicates the actual combat zone, from realistic weather conditions, aircraft instruments to enemy aircraft attacks. This realism maximizes the impact of the training session. Similarly, the way to maximize the effectiveness of security training is by providing a virtual replica of your actual “warzone” resulting in a true-to-life experience. Security teams should use the actual security tools they use at work, and should experience their familiar network setup, and traffic. Threats should be simulated accurately, including advanced, evolving threats, targeted malware and ransomware.

The potential of simulation-based training, as compared to traditional training, is substantial. Organizations can not only train people but also test processes and technologies in a safe environment. Furthermore, security teams can train as individuals or as a group, to improve their teamwork. With the help of simulation, your team can experience high-fidelity threat scenarios while training, and improve their capabilities, rather that encountering these threats for the first time during the actual attack. This results in a dramatic improvement in their performance.

The Cyber Range

This rationale is the driver behind the concept of a cyber range. A cyber range is a powerful tool for CISOs and SOC managers to accurately simulate their network and security tools within a dynamic IT, or OT environment. A high-quality cyber range offers a rich catalog of simulated incident scenarios, in varying levels of difficulty, which security managers can choose from to train their teams. This opens up numerous new opportunities, several of which include: 

  • An environment for team training, where security staff can improve their communication and teamwork, both of which are critical elements of an efficient incident response team, and impossible to practice using conventional training systems.
  • A means of training the entire organization in a breach scenario and the related business dilemmas, beyond incident response, including potential business executive decisions. Consider a ransomware scenario where executives are required to decide whether to pay the ransom, negotiate, or mitigate.
  • A test-bed for potential products where they can be tested in a safe and controlled environment.
  • A training environment for newly introduced products enabling team members to master new technologies and dramatically improve their performance and skills.

I am confident that in the coming years cyber ranges, and simulation-based training, will become the gold standard for training, assessing, certifying, and maintaining the skill levels of cybersecurity practitioners, just as it has become the standard for air crew training. 

This approach will disrupt cybersecurity training as we know it by finally addressing challenges such as security tool and alert fatigue and will enable security leaders to build a new generation of better cyber defenders. 

I believe this approach is essential within this dynamic and virtual dimension and I am thrilled to see this approach gradually becoming a mandatory component of every higher education, enterprise, government and service provider cybersecurity training program. 

Adi Dar, CEO at Cyberbit   

Image Credit: Christina Morillo / Pexels