Symantec Cyber Security Services: A Recipe for Disaster

Transcription

1 When On-The-Job Training Is a Recipe for Disaster How security simulation prepares IT staff for APTs, breaches and data leakages Contents Sometimes On-The-Job Training Is a Lousy Idea... 2 On-The-Job Training and Conventional Cybersecurity Instruction... 2 Best Practices for Security Simulation... 3 Symantec Cyber Security Services: Security Simulation... 4 The Bottom Line... 5 Brought to you compliments of Experience is a hard teacher because she gives the test first, the lesson afterwards. - Vern Law A TECHTARGET WHITE PAPER

2 Sometimes On-The-Job Training Is a Lousy Idea In the running battle with cyberthreats, your first line of defense is your IT staff: the system and network administrators, SOC and NOC operators, incident response and forensics analysts, and application development and QA teams. Are these IT professionals ready to take on an ever-growing army of innovative, persistent cybercriminals and hackers? Probably not, if you expect them to acquire the knowledge and skills they need through self-directed study and on-the-job training. There is too much to learn, and few members of the IT staff have the time to research every new threat. And you can t afford to suffer through APTs, breaches and data leakages just to provide teachable moments for IT personnel. There is another solution. Security simulation immerses IT professionals in a realistic online environment and challenges them to fill the roles of cyberattackers and cyberdefenders. It borrows from education theory and online gaming to present knowledge in ways that motivate learning and increase retention. By learning to think like attackers, IT staff members discover vulnerabilities in their own systems and are able to identify attacks sooner. Security simulation also helps managers identify and fill skill gaps within their teams. In this short paper we discuss the shortcomings of on-the-job training and conventional classroom instruction for cybersecurity, review the characteristics of successful security simulation programs, and take a brief look at the Symantec Cyber Security Services: Security Simulation program. On-The-Job Training and Conventional Cybersecurity Instruction On-the-job training makes sense in fields where knowledge moves in predictable directions and senior colleagues have the time to mentor. But in cybersecurity, threats change daily, and the best members of your security staff are too occupied with critical work to spare time for teaching. Classroom instruction or conventional online courses would seem to be natural ways to keep IT professionals up to date on the latest threats. However, most cybersecurity classes are far from ideal for experienced IT professionals. Typical shortcomings include: A passive learning style, based on lectures and rigidly structured lab exercises. An academic orientation that puts theory above practical advice. A focus on tools like firewalls and SIEMs, rather than on how attackers operate. Teaching one right answer to each question, instead of showing multiple ways to address a problem. A single level of difficulty, either baffling for beginners or boring for experienced staff. Out-of-date content, in an era when major new threats emerge every month. 2

3 Anyone familiar with the personality styles of most IT professionals will not be surprised that most regard conventional classroom instruction and online courses as unhelpful or much worse. Best Practices for Security Simulation Security simulation engages IT professionals through role playing and progressive challenges, much like roleplaying video games. Participants are placed in an environment where they must evaluate information and actively seek optimal solutions. Point systems can be used to encourage both teamwork and friendly competition. Active learning, thinking like an attacker, and problem solving work together to educate IT professionals on real threats and vulnerabilities, and to empower them to strengthen security when they return to their jobs. To maximize engagement and information retention, security simulation needs to be realistic, complex and immersive. Realistic, Ripped-From-the-Headlines Scenarios Security simulation is most effective when it is based on realistic scenarios that place participants in the roles of attackers (cybercriminals, hacktivists, cyberespionage agents), defenders (system administrators, security analysts), or related parties (managers, auditors). Participants are assigned tasks that reflect current cybersecurity threats, including phishing attacks, efforts to crack lost laptops or mobile devices, and techniques to discover and capture data on a corporate network without being detected. This realism ensures that learning from the simulation is closely linked to current cybersecurity issues. Complex Environment Unlike canned exercises in conventional computer-based training courses, security simulation can create virtual worlds that closely replicate the network, servers, software, vulnerabilities and security measures found in real production IT environments. The complexity helps participants learn how attackers think, how they approach targets, how they exploit vulnerabilities in infrastructures and applications, and how they capture and exfiltrate data. Immersive, Interactive Tasks and Multiple Levels of Difficulty In security simulation, participants can be assigned a series of tasks that require attention to detail and problem-solving skills. To increase realism, the environment can respond to their actions in the same way as a production environment. To increase engagement, success in the tasks can open the door to higher levels of difficulty, as in video games. This task structure improves learning and information retention. It also motivates participants, especially those who enjoy problem solving (and competing with their peers at problem solving). 3

4 Participant Assessment Security simulation can be a management tool as well. It can allow managers to assess the skills of participants, identify gaps in the skills shown by the team, and formulate plans to fill those gaps through additional training or hiring. Symantec Cyber Security Services: Security Simulation Symantec is the industry leader in providing online security simulation services. Its security simulation technology combines leading-edge concepts from education and psychology with advanced video game and entertainment techniques. It also incorporates the cybersecurity knowledge of over 500 security professionals in Symantec Cyber Security Services (CSS). The current simulation service and scenarios were developed and refined based on the performance of thousands of Symantec employees during four years of CyberWar Games, as well as over 80 Cyber Readiness events with participants from 30 countries across the world. 1 Symantec Cyber Security Services: Security Simulation utilizes the best practices for security simulation described above. For example: Simulations take place in complex virtual environments with complete, realistic facsimiles of production hardware and software. Complex, highly realistic scenarios explore pressing issues such as attacks on networks and web servers, exfiltration of intellectual property from corporate networks, and data leakage from lost laptops. Each scenario includes a theme, a set of threat actors, and objectives. Participants are given a series of challenging interactive tasks organized according to the five stages of cyberattacks (reconnaissance, incursion, discovery, capture and exfiltration). Engagement is enhanced by a scoring system based on capturing flags and advancing to higher levels of play. Managers can assess the performance of individuals and teams in the five stages of cyberattacks and their knowledge in areas like security for applications, webservers and cryptography. The combination of complexity, realism and immersion enables participants to prepare themselves for real-world situations, real threat actors, and the actual tools used in each stage of an attack. To make the activity even more effective in corporate environments, Symantec has added refinements: Simulations are designed to provide value to all different skill levels: Beginners can request hints on how to perform tasks, while security experts can achieve the same results (and higher point scores) by relying on their own knowledge. 1 Not Your Typical Hackathon: Symantec's CyberWar Simulation Transforms Employees into Criminals, Fast Company, February 25, 2014; CyberWar Game Simulates Healthcare Attacks, Forbes, February 3,

5 Participants can compete as individuals, or they can compete as part of a team in order to exchange knowledge, learn how to work toward common goals, and experience the value of collaboration. Scenarios are easy to set up and deploy as self-paced training in lab settings, as supervised exercises in real (or virtual) classrooms, or as self-directed tutorials that participants can perform at their own desks, on their own schedule. New scenarios and updated details are added quarterly, to ensure that content always reflects current threats. Some of the key differences between conventional instruction and Symantec Cyber Security Services: Security Simulation are highlighted in Table 1. Conventional Instruction Passive learning Academic orientation Focus on tools One right answer One level of difficultly Frequently out of date Boring Security Simulation Active learning: immersive and interactive Practical problem-solving Focus on adversaries thinking Multiple approaches to each challenge Useful to beginners and experts Updated quarterly Engaging and challenging The Bottom Line You wouldn t send a military officer into battle without live-fire training. You wouldn t allow a commercial pilot to fly without hundreds of hours in flight simulators. You wouldn t even let a teacher stand in front of a fifthgrade class without semesters of practice and coaching. So how can you expect your IT staff to fight experienced, innovative attackers with only on-the-job training and a bit of tedious classroom instruction? If you think education is expensive, try ignorance. - Derek Bok By teaching how attackers act and think, security simulation gives IT professionals the power to: Reduce the duration and impact of attacks by detecting them sooner. Prevent APTs, breaches and data leakage by recognizing and eliminating vulnerabilities in systems and applications and weaknesses in security tools. Improve their skills, teamwork and enthusiasm. 5

6 Security simulation also gives managers a tool to: I loved the challenges. [The simulations] gave me more insight on what I should focus on when doing internal audits and securing our network. These exercises are incredibly valuable because they provide participants with real-world experience to better understand what we are facing out there. Assess the cybersecurity skills and knowledge of their teams. Identify gaps in their staffing. The bottom line is a more engaged, educated and empowered IT staff and a measurably higher level of cyber preparedness. For more information, please visit - Security Simulation Participants 6