This session provides an introduction to simulation environments like Cyber Ranges, differentiates them from gamification systems, and discusses the emerging delivery, adoption and organizational lessons learned that are driving further adoption.
1. Cyber Ranges
A New Approach to Security
Chad Holmes, Product Marketing Manager
2. About Security Innovation
● For over 15 years, we have been securing or helping secure software in the toughest environments:
● Application Security Expertise:
○ 15 years research on vulnerabilities
○ Security testing methodology adopted by SAP, Symantec, Microsoft, and McAfee
○ Authors of 18 books; 10 co-authored with Microsoft
● Over 2 million licensed users of our training solutions
● Gartner MQ leader
3. What is a Cyber Range?
• Simulated environment for training and development
• More immersive experiences than other types of training
• Traditional focus on Infrastructure, Network, OS
• New Trend: Application Layer
• Often begin as ad hoc or organizational projects
• Increasing interest and adoption in public and private sectors
4. CMD+CTRL Cyber Range Background
• Customer asked to help improve security skill sets
• Goals
• Provide immersive hacking experience
• Focus on security and engineering teams
• Exploit vulnerabilities they were learning about
• Make more lifelike than products currently available
• User experience matters!
• Hands-on Hacking + Simulation + Engaging Experience
5. What Does That Look Like?
CMD+CTRL:
• Remote Access
• Detailed Reports
• Remediation eLearning available
• Multiple Authentic App Sites
• Real time scoring
• Scalable to hundreds in minutes
6. Results to Date
• First commercial version of cyber range delivered mid 2016
• 100+ companies/orgs participated to date
• Growth to 7 sites/apps based on feedback
• Self service community site coming soon!
• Trends emerging that security leadership can learn from – both challenges and findings
• More details at https://www.securityinnovation.com/training/hackathon
8. Finding Talent
• Security is difficult and intimidating to break into
• Many barriers to entry
• Education
• Available training
• Experience
• Security talent is (justifiably) expensive!
• Greener pastures everywhere
• Measuring and assessing skills often anecdotal
9. Training
• CBT – Helpful and necessary, but understandable limits
• ILT – Very useful, but expensive and point in time
• Self taught/ad hoc – Error prone and unrepeatable
• Efficient training is hard
• Hard: Accurately assessing skills
• Harder: Specific training to improve and solidify skills
• Hardest: Pointed training roadmap based on assessed skills and courses available
10. Team Structure
• Constantly open headcount
• Overworked team still can’t cover everything being asked of them
• Ongoing worry about turnover and attrition
• Hiring in talent is expensive (and worth every cent)
• And still, measuring skill sets and areas to improve often becomes anecdotal and unscientific
12. What We Got Right!
• Engaging experience is a must
• UI/UX, live events, diverse skill sets involved
• Easy to start, hard to complete
• Embrace the cloud
• Healthy competition
• Moderated events
• Guidance – planned and on-demand
13. Surprises
• Breadth of users
• Executives, HR, Engineering, Marketing
• Speeding ramp up
• Building a security skills pipeline
• Champion identification
• Don’t steal talent, expand it
14. Side Benefits
• Improved skills measurement
• Informed training
• Demystification of hacking culture
• Building of team camaraderie (aka, fun!)
15. Factors Driving Cyber Range Adoption
• Larger talent funnel needed
• Security is hot, but still difficult to break into
• Some courses and websites, but no clear training path
• Expanding and clarifying offerings will improve industry
• Passion is a double edged sword
• Security can be intimidating
• Big subject + big risk + big personalities
• How do we share passion and welcome n00bs?
16. Early Takeaways
• We can all act on these
• Provide earlier stage immersive experience
• Both for training and vetting skills
• Clarify entry ways into security fields
• Resources, career paths, community involvement
• Improved measurement
• Validate talent
• Identify hidden talent
• More focused approach to follow up training
17. Snapshot: Hack Through the Holidays
• Community event to encourage new and experienced alike
• Minimal promotion, great turnout (~500 registrants)
• First perfect score achieved! (48/48 challenges)
• 26% of registrants were Execs, Managers or Directors
• 12% of registrants solved 10+ challenges
• Lessons Learned
• Strong interest among all levels, not just competitive hackers
• Minimize barriers to entry and intimidation factor
• Great community response = similar future events!
• Great community response = identification of rough edges!
18. What You Can Do
• Explore and challenge these findings – they’re still early
• Reassess training and how Cyber Ranges may fit in
• Discuss/Try Cyber Ranges with your team
• Contact us
• getsecure@securityinnovation.com
• https://securityinnovation.com
• Chad Holmes (cholmes@securityinnovation.com)
19. Check Out Our Cyber Ranges
Come See LetSee!
• Join us live as we showcase our cyber range suite, including our newest and most challenging site yet, LetSee.
• May 23rd @ 2pm ET
• Register today: http://bit.ly/ComeSeeLetSee