Seems like the IT security industry is booming. Enterprises are continuously increasing their IT security budgets, and Gartner estimates that IT security spending will rise from $75 billion-plus in 2015 to $101 billion in 2018. Organizations have established their security operation centers (SOCs) and ramped up their security teams, and the CISO has become an organic and crucial executive position in the organization. New security approaches, as well as a dizzying number of tools, are being introduced each month, with the promise of improving and streamlining prevention, detection, automation and response capabilities. CISOs, in turn, rush to spend their growing budgets to purchase the latest tools, hoping the new approach will finally improve their security infrastructure.

In addition, the growing complexity and amount of threats, and particularly the increase in targeted, unknown forms of attack, require more resources and create hundreds of thousands of new jobs. In fact, in a recent Intel Security survey over 82% of organizations reported a shortage of security skills, with an estimate of over 209,000 unfilled jobs in the US alone in 2015, and the numbers are growing.

So is this constant flow of new technologies and approaches helping companies improve their cyber security readiness? Can we measure these technologies’ impact on our organization, and can we better understand our network’s vulnerabilities and leverage the value of our IT security spending?

I’d like to suggest they do not – and propose an alternative view.

I believe that two of the main threats to organizations nowadays are in fact:

  1. The growing amount and complexity of security tools and their specific integration into the entire cyber security architecture
  2. The lack of focus on trained and experienced cybersecurity staff who can operate these tools effectively and understand the workflows and procedures, particularly within the context of their enterprise

Security vendors nowadays talk about the phenomenon of “alert fatigue” caused by the growing amount and complexity of threats. I, however, would like to introduce the term “security tools fatigue”. I refer to the unmanageable number of tools, intelligence feeds and procedures in the security operation, which usually overlap significantly, always need to be updated and adapted to the ever-changing IT and cyber security architectures, and in many cases are not really contributing to the effectiveness of the security.

Security analysts, often junior and barely trained, are expected to master dozens of security products in order to defend their organizations effectively, and to learn how to operate new tools continuously – against a threat that they have never seen (how many of you or your SOC operators have ever seen how an advanced threat infiltrates or spreads in an IT network?). These tools are hard to configure and use. As a result, at the moment of truth – the team fails to deliver.

And when organizations focus on tools and technologies and neglect people, purchasing new tools will not make a difference. Moreover – it worsens the situation, particularly when tools are complex and expert staff is hard to find.

Addressing the Gap

Traditional IT security training is largely ineffective, because it relies on sterile, mostly theoretical training, often using a predefined set of tools. But today’s multi-dimensional IT security challenges can only be solved by hyper-realistic simulation. You would not send a pilot to combat before simulating emergency scenarios and potential combat situations. In the same fashion – you should not send your cyber defenders to the field before allowing them to experience potential attacks and practice the response within a simulated environment.

A flight simulator replicates the actual combat zone, including realistic weather conditions, the aircraft’s instruments and the attacking bogeys. This realism maximizes the impact of the training session. Similarly, the way to maximize the effectiveness of security training is by providing a virtual replica of your actual “war zone”, making this a close-to-real-life experience.

By using realistic simulation, your team will be able to experience an authentic attack scenario during the training session instead of encountering it for the first time during the attack. Your team should use the actual security tools they use at work, and experience their familiar network setup and typical traffic. Threats should be simulated accurately, including advanced, evolving threats, targeted malware and ransomware.

The potential of simulation-based training as compared to traditional training is substantial. Organizations can not only test their procedures and tools, but also prepare their staff to detect and respond to incidents effectively, as individuals and as a team. Simulation-based training allows your security operations team to have their first encounter with the attack in a training session rather than in the field. The difference in their performance will be dramatic.

The Cyber Range

This rationale is the driver behind the concept of a cyber range. The power of cyber ranges lies in the CISO’s ability to accurately simulate the network and IT security tools within a dynamic IT environment, and to have a variety of attack scenarios to choose from.

This allows for:

  1. A test-bed for potential products.
  2. A training environment for new products – dramatically improving the individual’s performance and their skills in using these tools.
  3. A team training environment for improving communication and teamwork.
  4. A means of simulating and training the entire organization on the breach playbook and the related business dilemmas – including potential business executive decisions. Think of a ransomware scenario where executives must make the decision – is this the time to pay, negotiate, or mitigate…

I am confident that in the coming years cyber ranges and simulation-based training will become an inseparable part of IT security training, certification and ongoing qualification just as they have become so for air crew training. This approach will finally address the growing security tool fatigue as well as help security executives build a new generation of better cyber defenders. I believe this approach is essential within this highly dynamic and almost completely virtual dimension.

Adi Dar is the CEO of Cyberbit
