Cybersecurity Training. PHOTO: Cybercrime Magazine.

CISOs Turn To Cyber Ranges In The Cloud

Customized on-demand hosted environments are in demand

David Braue

Melbourne, Australia – May 28, 2021

It didn’t take long before Al Graziano’s project team concluded that its nascent cybersecurity skills-testing simulation platform was going to live in the cloud. But as they weighed up the options, they realized the most effective approach was to ignore commercial public-cloud platforms — and build their own cloud instead.

Such full-stack development “is more complicated and requires a lot of effort,” Graziano, a longtime cybersecurity academic and educator who co-founded CYBER RANGES in 2017, told Cybercrime Magazine. “But it allows us to have different options” for delivering cybersecurity breach simulations for clients in a broad range of situations.

Businesses of all stripes are steadily warming to the benefits of cyber ranges — simulated environments where cybersecurity staff can test their hacking, malware-planting, incident response, digital forensics and other skills using facsimiles of real-world environments.

Choosing to build the new platform as a full-stack project meant that CYBER RANGES could offer clients flexibility by offering its tools in several configurations.

There’s the conventional software-as-a-service (SaaS) model, which is accessible using the firm’s own bespoke cloud platform — which presents each instance of the cyber range as a completely customized simulation where, Graziano explained, “you can simulate threats that are specific to your industry or to your vertical.”

CYBER RANGES’ cloud can host a complete, customized environment on behalf of its clients, while the full-stack architecture also allows the company to offer an on-premise version that, he added, “is very important for a number of organizations where data confidentiality and preservation of it is very, very important.”

Another configuration allows the delivery of a complete cyber-range setup that uses just three laptops and can operate offline “in areas where there is limited Internet connectivity, or as part of team building — which is sometimes not done within the confines of the organization.”

Although cyber-range users come from numerous industries, the most interest has been coming from large enterprises, government organizations, or media organizations — for whom a necessary focus on data residency means on-premise and hosted options have been particularly relevant.

Those companies, he said, need more comprehensive training solutions than packaged courses — that might, for example, teach a security staffer to configure a firewall but can’t teach them how to respond to an actual cyberattack on that firewall.

“What we are still not doing, which is what the CISO really wants, is we are not testing if those skills, applied in a realistic environment, can actually work — and until we do that, we are not going to see the improvements that we all know.”

Home on the cyber range

CYBER RANGES has been engaging with partners to help develop industry-specific and platform-specific scenarios that allow companies to test employees across a broad range of conventional use cases, each with its own combination of systems.

Graziano believes the flexibility of CYBER RANGES’ approach helps it stand out in a market where the dominance of military and large-scale projects kept most corporate users from even contemplating the technology.

Amidst growing cybersecurity risks and an ongoing paucity of appropriate skills, CISOs have increasingly turned to cyber-range operators that lean heavily on cloud technologies to productize cyber-range capabilities.

Scalability is accomplished in such environments thanks to cloud conceits such as template-based commissioning of virtual machines — which allow cyber ranges to be easily spun up, compromised, and then reset for the next user.

Such platforms are a big improvement over the complex bespoke simulations of the past, where thousands of machines required an army of specialists to set up a meaningful situation.

Yet cloud-only platforms are only telling half the story, Graziano warned: “Next-generation cyber ranges are really something that at the core, has orchestration and automation of not only the simulation environment, but of everything else,” he explained.

Many cyber-range providers use public-cloud providers to get this level of orchestration, he continued, “but what is missing is the orchestration of everything else.”

Contemporary cyber ranges, he said, include not just simulation environments but also include capabilities like attack simulation, Internet simulation, user simulation, user management, competence frameworks, and other capabilities.

“That’s why we haven’t seen a lot of it,” he said. “It’s not widespread today.”

Yet that is rapidly changing, he said, as CISOs increasingly tap cyber ranges to address two of their major strategic challenges: the need to hire and upskill staff, and the training and continuous professional development of people already in the security team.

Upskilling is straightforward using repeatable, cloud-based platforms that will get new users up and running within minutes.

However, Graziano pointed out, “When it comes to applying those skills and keeping your team up with the current threat level — or to understand if they have the right skill set, the right team dynamics and soft skills to be able to respond to certain security and internal cyber threats — you need to be able to simulate those threats and apply them in the workplace fairly quickly.”

CISOs will find particular value in platforms that allow extensive customizability, he added, noting that the verisimilitude of a cyber range can be crucial for organizations that want to test specific response capabilities rather than simply giving staff a hacking playground.

“If you look at all the possible combinations you have with a SIEM and EDR and all the possible security solutions out there, you can end up with endless combinations,” he said. “You really have to spend time doing a bit of system integration to create something similar to what the organization does.”

“The customization is what makes it unique for the client — and once you have a hosted environment, you can reuse that on demand every time you want.”

– David Braue is an award-winning technology writer based in Melbourne, Australia.

Go here to read all of David’s Cybercrime Magazine articles.