Cyber Ranges: A New Approach to Security
Download as PPTX, PDF1 like315 views
The document discusses the development and implementation of cyber ranges for training security professionals, emphasizing their immersive experiences that enhance skills in a practical environment. Since its introduction in 2016, over 100 organizations have engaged with the platform, which addresses skills measurement, efficiency in training, and the cultivation of talent within the cybersecurity domain. It also highlights the importance of community involvement and catering to various skill levels to reduce barriers to entry in the security field.
Cyber Ranges: A New Approach to Security
- 1. Cyber Ranges A New Approach to Security Chad Holmes, Product Marketing Manager
- 2. About Security Innovation ● For over 15 years, we have been securing or helping secure software in the toughest environments: ● Application Security Expertise: ○ 15 years research on vulnerabilities ○ Security testing methodology adopted by SAP, Symantec, Microsoft, and McAfee ○ Authors of 18 books; 10 co-authored with Microsoft ● Over 2 million licensed users of our training solutions ● Gartner MQ leader
- 3. What is a Cyber Range? • Simulated environment for training and development • More immersive experiences than other types of training • Traditional focus on Infrastructure, Network, OS • New Trend: Application Layer • Often begin as ad hoc or organizational projects • Increasing interest and adoption in public and private sectors
- 4. CMD+CTRL Cyber Range Background • Customer asked to help improve security skill sets • Goals • Provide immersive hacking experience • Focus on security and engineering teams • Exploit vulnerabilities they were learning about • Make more lifelike than products currently available • User experience matters! • Hands-on Hacking + Simulation + Engaging Experience
- 5. What Does That Look Like? Remote Access Detailed Reports Remediation eLearning available Multiple Authentic App Sites Real time scoring Scalable to hundreds in minutes CMD+CTRL
- 6. Results to Date • First commercial version of cyber range delivered mid 2016 • 100+ companies/orgs participated to date • Growth to 7 sites/apps based on feedback • Self service community site coming soon! • Trends emerging that security leadership can learn from – both challenges and findings • More details at https://www.securityinnovation.com/training/hackathon
- 8. Finding Talent • Security is difficult and intimidating to break into • Many barriers to entry • Education • Available training • Experience • Security talent is (justifiably) expensive! • Greener pastures everywhere • Measuring and assessing skills often anecdotal
- 9. Training • CBT – Helpful and necessary, but understandable limits • ILT – Very useful, but expensive and point in time • Self taught/ad hoc – Error prone and unrepeatable • Efficient training is hard • Hard: Accurately assessing skills • Harder: Specific training to improve and solidify skills • Hardest: Pointed training roadmap based on assessed skills and courses available
- 10. Team Structure • Constantly open headcount • Overworked team still can’t cover everything being asked of them • Ongoing worry about turnover and attrition • Hiring in talent is expensive (and worth every cent) • And still, measuring skill sets and areas to improve often becomes anecdotal and unscientific
- 11. Findings
- 12. What We Got Right! • Engaging experience is a must • UI/UX, live events, diverse skill sets involved • Easy to start, hard to complete • Embrace the cloud • Healthy competition • Moderated events • Guidance – planned and on-demand
- 13. Surprises • Breadth of users • Executives, HR, Engineering, Marketing • Speeding ramp up • Building a security skills pipeline • Champion identification • Don’t steal talent, expand it
- 14. Side Benefits • Improved skills measurement • Informed training • Demystification of hacking culture • Building of team camaraderie (aka, fun!)
- 15. Factors Driving Cyber Range Adoption • Larger talent funnel needed • Security is hot, but still difficult to break into • Some courses and websites, but no clear training path • Expanding and clarifying offerings will improve industry • Passion is a double edged sword • Security can be intimidating • Big subject + big risk + big personalities • How do we share passion and welcome n00bs?
- 16. Early Takeaways • We can all act on these • Provide earlier stage immersive experience • Both for training and vetting skills • Clarify entry ways into security fields • Resources, career paths, community involvement • Improved measurement • Validate talent • Identify hidden talent • More focused approach to follow up training
- 17. Snapshot: Hack Through the Holidays • Community event to encourage new and experienced alike • Minimal promotion, great turnout (~500 registrants) • First perfect score achieved! (48/48 challenges) • 26% of registrants were Execs, Managers or Directors • 12% of registrants solved 10+ challenges • Lessons Learned • Strong interest among all levels, not just competitive hackers • Minimize barriers to entry and intimidation factor • Great community response = similar future events! • Great community response = identification of rough edges!
- 18. What You Can Do • Explore and challenge these findings – they’re still early • Reassess training and how Cyber Ranges may fit in • Discuss/Try Cyber Ranges with your team • Contact us • getsecure@securityinnovation.com • https://securityinnovation.com • Chad Holmes (cholmes@securityinnovation.com)
- 19. Check Out Our Cyber Ranges Come See LetSee! • Join us live as we showcase our cyber range suite, including our newest and most challenging site yet, LetSee. • May 23rd @ 2pm ET • Register today: http://bit.ly/ComeSeeLetSee
- 20. Questions? ?