Cyber Range Buyers Guide for Fortune 1000 Security Operations

Select the right training and simulation platform for your enterprise cyber range

White Paper

www.cyberbit.com
sales@cyberbit.com
Table Of Contents

Introduction
What Is a Cyber Range?
Cyber Range Checklist
Architecture
Essential Training Models
Beyond Training: Assessing Processes and Technologies
Benefits of Establishing an In-house Cyber Range
Create Tailored Courses for Your Enterprise
Cyberbit Range Training Experience
Facility & Staff Checklist
Build Your Enterprise Cyber Range with Cyberbit
Introduction

The cyber skill shortage is quickly becoming one of the most serious threats facing the industry and your organization. The demand is far outpacing the supply, and the resulting pressure is making it nearly impossible to hire the quantity and quality of security analysts you need.

One of the most important parts of your cybersecurity strategy should be addressing the emerging skill gap threat. Establishing your own in-house cyber range training and simulation facility will allow you to onboard new SOC analysts faster, deliver ongoing advanced scenario training to your entire staff and offer challenging specialty courses in topics like advanced investigation training and forensics. In short, a cyber range can help you hire, qualify and retain a highly effective, professional SOC staff.

What is a Cyber Range?

A Cyber Range is a simulation platform for training information security professionals, assessing incident response processes, and testing new technologies. A cyber range recreates the experience of responding to a cyberattack by replicating the security operations center (SOC) environment, the organizational network and the attack itself. As a result, it enables hands-on training in a controlled and secure environment.

The more realistic the simulation experience, the better a cyber range can prepare trainees to deal with real-world incidents and reduce the probability of a security breach happening on their watch. In a highly competitive hiring market, a cyber range can help you stand out by offering candidates and team members hyper-realistic, hands-on cybersecurity training experiences.

A robust training platform should allow you to:

Simplify Analyst Training: Deliver fast, effective onboarding training for new hires and ongoing skills training for experienced analysts. Create internal certification processes to track analysts' progress over time and motivate them to continually strive for better training results.

Evaluate Processes and Procedures: Use the cyber range simulation to examine how a change in a process or a procedure inside your network can affect the enterprise security posture.

Provide an Effective Testbed: Your cyber range is an exact model of your SOC environment and therefore can also be used as a dynamic security testbed for evaluating architecture and testing out new security products in a controlled environment.
Cyber Range Checklist

The success of your cyber range is built on technology. When evaluating platforms, consider the following capabilities:

Off-the-Shelf Content
Just as a game console is useless without games, a cyber range platform should include, in addition to the simulation technology, a sufficient amount of content to support your curriculum. A library of cyberattack scenarios and courses in increasing levels of difficulty will help you get started quickly, without the need for time-consuming curriculum development or programmers to code the scenarios.

Content Creation Tools
The cybersecurity landscape changes quickly. A user-friendly scenario builder will allow faculty to easily create new attack scenarios to challenge analysts without the need to write code.

In-depth Scenario Documentation
Clear and concise documentation for each scenario contributes to trainee success and reduces frustration. Thorough documentation also supports the onboarding of new instructors as your cybersecurity training grows.

Instructor Feedback
To be a truly valuable learning technology, your cyber range should include session debriefing with a full video of the simulation session, real-time instructor commenting, multi-phase goal setting, and automated personal and team scoring for all relevant skills.

Support for IT and OT Environments
Protecting critical infrastructure Operational Technology (OT) networks is a growing need in sectors like finance, government and critical infrastructure. Your cyber range platform should be adaptable for a variety of network environments and attack types, including both IT and ICS/SCADA environments.

On-Premise or Cloud Deployment
The range platform should be flexible and available as both on-premise and cloud-based deployments. If you opt for cloud-based, the vendor should offer end-to-end management and support.

Easy Deployment and Implementation
Avoid frustration and delays by getting a clear understanding of what the deployment process involves in terms of personnel, time and other resources.

Automatic Scenario Emulator
The cyber range should be able to automatically emulate benign traffic as well as complex attack sequences over the network. This allows any instructor to run simulation sessions, without needing to hire expensive external instructors. An automatic scenario emulator allows recurrent scenario emulation, which can be measured and compared in a reliable way.
Architecture

Most cyber training solutions involve a group of defenders (blue team) facing either a computer-managed attack scenario or a team of human attackers (red team). The simulation management application creates a simulated network with various security capabilities (and vulnerabilities) and a scenario emulator, which is responsible for creating both valid and malicious network streams. The threat generator creates various attack scenarios, and the training operators follow the scenario from their own dashboard in order to monitor the training and, in some cases, provide tips and assistance.

A large enterprise needs the ability to set up a general training network that includes all deployed or planned security tools from multiple vendors. The range must also be customizable to mirror your organization's exact network and incorporate the security tools and traffic typical of your own network environment.

[Figure: Customizable Network, Traffic and Threats. Components shown: Blue Team, Traffic Generator, Simulated Networks, Red Team (optional).]

COMPLETE NETWORK SIMULATION
Your cyber range should be able to support all SOC capabilities and threat vectors, to create a training environment that will precisely meet your organizational security needs and threat scenarios.
Essential Training Models

Your training simulation platform should provide the necessary content and features to train your organization's entire security and IT staff, regardless of skill level or role. It should provide a curriculum that trains in offensive and defensive techniques, and be scalable for large or small teams.

Blue Team
SOC and IR team members of any level learn to better detect, prevent and respond to cyber incidents, ensuring that when the real thing happens, they are prepared for whatever comes their way.

Red Team
Red team training allows pentesters and security architects to get the hands-on training they need to perform their roles better, and gives IR and SOC teams the tools they need to think like the enemy.

Individual
The training platform should be flexible and scalable enough to cater to even the most tailored needs. Individual training gives professionals the opportunity to customize sessions to strengthen their specific weaknesses and create a personalized training road map.

Capture the Flag Competitions
A Capture the Flag module allows you to add a dimension of gamification and competition to training, keeping exercises exciting and fresh. Moreover, a proper Capture the Flag module can be used for recruiting purposes to create a buzz about employment opportunities at your SOC and drum up interest at hackathons, conferences and academic institutions.

TRAIN THE ORGANIZATION
Cyber security is only as strong as its weakest link. Beyond the SOC team, your cyber range should be able to offer custom cybersecurity training sessions for every member of IT and R&D in your organization.
Beyond Training: Assessing Processes and Technologies

If your enterprise builds a cyber range capable of fully simulating any environment, tools, traffic and attacks, you can leverage it to assess processes and technologies to improve the quality of your overall security posture.

Product POC: The range solution must have a robust simulation platform that allows you to test out new tools and products before implementing them, to ensure that they work as planned with the rest of the environment.

Sub-Network Pentesting: Your cyber range solution should grant the ability to pentest networks in a safe and controlled environment, allowing your security team to find vulnerabilities before the bad guys do.

Cyber Research: Cyber range simulation is an effective way to examine the behavior of various malware and existing attacks. It can also provide valuable insights when investigating the impact on your network, if it was discovered post-attack.
Benefits of Establishing an In-house Cyber Range

Adding cyber range training simulation capabilities to your security operations allows you to:

Train and Retain Excellent Analysts: Investing in training is your best defense against the cyber skill shortage. Simulation training makes your existing team members more effective and can help reduce churn by providing ongoing challenge and learning that is highly valued by top security analysts.

Reduce Training Time and Costs: External training is costly both in terms of budget and time. Establishing your own cyber range can both cut costs and increase the frequency of training sessions for the SOC team and all members of the organization.

Onboard New Analysts Faster: The realistic, hands-on experience of a cyber range simulator accelerates the onboarding process for new analysts and gets them ready to start their first shift in the SOC. New analysts will gain valuable experience operating in your network environment, using tools deployed in your SOC. You can be confident they are ready by evaluating their performance in a variety of attack scenarios.

Train on Exact Replica of your Network: A cyber range should provide an exact replica of your real network and SOC environment to ensure training is highly effective.

Custom Attack Scenarios: Train on the attack scenarios most important to your organization so you can sleep well at night, fully confident your team is ready for the most menacing threats.
Create Tailored Courses for your Enterprise

New Analyst Skill Development Courses
Help new hires get the skills they need with courses tailored specifically to their needs. The hands-on experience provided in a Cyber Range setting allows less-experienced analysts to develop their skills in a safe and controlled environment. With courses created specifically with their skill level in mind, you can ensure that they come out with the competencies they need to defeat real-life threats in far less time than traditional methods.

Expert Skill Enhancement Courses
Provide experienced analysts (and other security professionals) with specifically tailored courses that allow them to advance their abilities across any skill set, such as malware forensics, network security, pentesting and IR. Not only do these courses enhance skills, they help seasoned professionals remain engaged in a workplace that can otherwise become monotonous.

Team and Individual Training Courses
A truly customizable platform is one that's entirely scalable. A cyber range is the right answer for training large teams together as a unit or even one professional at a time using hyper-realistic scenarios.

Certification Courses
Due to the cyber skill shortage, every SOC manager is facing an enormous challenge to hire and train enough qualified analysts. When a new analyst is hired, they must go through an onboarding process in which they learn everything about the enterprise SOC, its architecture, traffic, security tools and procedures. Develop a customized SOC Analyst Onboarding Certification that is tailored to your SOC and gets new hires up to speed quickly and efficiently. A cyber range can also be used to administer a final check-out exam before the new analyst is assigned their first shift in the SOC. You can also offer special advanced courses for more experienced professionals in topics like security incident investigation and forensics.
Cyberbit Range Training Experience

"The Range training is really hands-on, not just a PowerPoint, so we learn by doing. Working through every step of the incident response process, using our tools and communicating with other analysts are important parts of the job that you can't practice in any other kind of training setting."
- Tier 1 Security Analyst, MSSP

"I've been through many training courses over the years, but it's impossible to remember everything that was taught. Now that I have implemented the things I learned in the Range simulator, it already feels like second-nature and I'm much more confident I can apply what I learned correctly."
- SOC Manager, F1000

"Executing playbooks in the Range helps me assess how effective our analyst training is and see where we need to improve. Now I know where to focus our training and education."
- CISO, financial institution
Facility & Staff Checklist

In addition to the range platform itself, consider the following facility and staff requirements:

Classroom(s)
Each classroom should be able to accommodate 5-20 trainees and 1 instructor. Additional classrooms can be added as needed.

Servers
Will you need to supply servers, or will they be supplied by the range vendor?

Trainee Workstations
Each trainee needs a standard workstation with 2 screens.

Training Instructors
One instructor is needed per class session. Plan for 1.5-2 instructors per classroom to allow for optimal scheduling. A range classroom can run around the clock, so consider splitting each classroom into two instructor shifts to maximize simulation capacity. The vendor should train instructors to ensure optimal performance.

Logistics
Assign a person to handle the scheduling of trainings and all that it entails: scheduling instructors, trainees and scenarios.
Build Your Enterprise Cyber Range with Cyberbit

From day one, Cyberbit Range was developed to be robust, flexible and simple to deploy so you can easily customize training offerings as needed. The simulation experience is deeply immersive, leaves a powerful impression on everyone who tries it, and provides clear metrics to show trainees' improvement. Your dedicated account manager wants your cyber range training facility to succeed and will be right by your side offering support, guidance and real solutions. Cyberbit will help you get your new Cyber Range training center up and running as quickly as possible so you can start scheduling training sessions.

Cyberbit Range is the most widely deployed cybersecurity training and simulation platform, delivering hyper-realistic training scenarios that dramatically improve cyber security team performance for enterprises, public sector organizations, academic institutions and security service providers on three continents.

Cyberbit provides advanced cyber security solutions for high-risk, high-value enterprises, critical infrastructure, military and government organizations. The company's portfolio provides a complete product suite for detecting and mitigating attacks in the new, advanced threat landscape, and helps organizations address the related operational challenges. Cyberbit's portfolio includes advanced endpoint detection and response (EDR), SCADA network security and continuity, security incident response platform, and security team training and simulation. Cyberbit's products were chosen by highly targeted industrial organizations around the world to protect their networks.

ABOUT CYBERBIT Ltd.

Cyberbit provides a consolidated detection and response platform that protects an organization's entire attack surface across IT, OT and IoT networks. Cyberbit products have been forged in the toughest environments on the globe and include: behavioral threat detection, incident response automation and orchestration, ICS/SCADA security, and the world's leading cyber range. Since the company was founded in mid-2015, Cyberbit's products were rapidly adopted by enterprises, governments, academic institutions and MSSPs around the world. Cyberbit is a subsidiary of Elbit Systems (NASDAQ: ESLT) and has offices in Israel, the US, Europe, and Asia.

sales@cyberbit.com
www.cyberbit.com

US Office: Cyberbit Inc., 3800 N. Lamar Blvd., Suite 200, Austin, TX 78756. Tel: +1-737-717-0385

Israel Office: Cyberbit Ltd., 22 Zarhin St., Ra'anana, Israel 4310602. Tel: +972-9-7799800