Cyber Ranges: Closing the Cyber Workforce Gap

Introduction:

In the US, we have a significant problem: over 100,000 unfilled cybersecurity jobs. Estimates vary, but this number could top 1 million job openings within 10 years. The cyber workforce shortage has national attention, and schools, companies, government agencies, and individuals are scrambling to fill the gap. We faced similar issues with aviation and medicine in the first half of the last century. At the time, both were nascent industries with exciting technology and engineering developments and an ever-increasing job shortage. This led to some well-trained professionals, and even more under-trained or ill-trained pilots and doctors. The ad-hoc nature of training and certification led to lost lives. Eventually, both aviation and medicine developed a new model for training, new standards for operational experience, and, in the case of flight training, significant simulation systems that give pilots opportunities to practice safely.

In cybersecurity, we are in a similar period, where conventional training models are insufficient to fill the cyber skills gap. As with flight training, and medicine to some extent, the enabling technology is simulation/emulation. The essence of this report is that correct simulation/emulation gives us the power of Predictive Operational Performance (POP) for cybersecurity professionals. It instills confidence in cyber workforce seekers and cyber workforce employers that training will predict job success. The following series of posts illuminates the critical role of cyber ranges as the catalyst for closing the cyber workforce skills gap.

Different Types of Jobs to Fill

Not all cyber skills are equal. Looking at the cyber job openings, there are two main classes of jobs available: operations and management/administrative. Sixty to seventy percent of the open positions, according to CyberSeek, require hands-on operational skills (SOC operations, collection operations, incident response, and vulnerability assessment). Another 20-30% involve hands-on analytical skills (Exploitation Analysis, Threat Analysis, Cyber Defense Analyst, etc.). In summary, roughly ninety percent of the open positions require interactive, hands-on experience.

Not surprisingly to anyone who has run a security operation, most of the staff spend their time digging through data, running traces, analyzing SIEM output, and executing scans. To an outsider, many of the roles (SOC Analyst, Forensic Analyst, Cyber Operator, Warnings Analyst, Network Ops Specialist, etc.) look similar, but there are definite differences between positions, each requiring a specialized training curriculum. Unfortunately, the current training programs and methods (instructor-based classroom education, on-the-job training, online certifications, etc.) are not granular enough to support this specialization, and demand far outstrips supply because traditional instructor-based classroom training does not scale efficiently. The instructor-based classroom model is costly per student, and skills retention is problematic: without post-training practice, students typically lose the majority of learned skills within 30 days. Traditional training also cannot address threat currency; threats evolve much faster than conventional curricula adapt. To highlight this issue, I have spoken with students in the Master of Science in Information Assurance (MSIA) degree program, and much of their curriculum is five years old!

A recent report from NIST, "Work Role Capability Indicators: Indicators for Performing Work Roles," underscores the insufficiency of traditional training. NIST identified common themes in training and education across all cybersecurity work roles. Specifically, NIST finds:

The report highlights the need for hands-on cybersecurity skills training and the challenges with traditional instructor-based classroom training methods. As discussed in the analysis, formal education is not set up to deliver students with the required skills, and companies do not have the in-house resources to provide on-the-job training. The report highlights two related issues that we saw in the early days of aviation and medicine: the rise of self-trained experts, many of whom claim skills they do not have, and the impossibility of evaluating these people because there is no standardized skills testing. What we need is a standardized methodology to train, drill, and test people in real-world cyber operations situations. We need a method and platform to achieve Predictive Operational Performance (POP). As discussed below, the cyber range is the cornerstone of accomplishing this.

Cyber Workforce Development

Based on my discussions with cyber range platform and cyber range providers, most cyber ranges' main goal is closing the cyber workforce gap. For example, Joe Adams (Vice President, Research and Cyber Security) at Merit says their focus is exclusively workforce development: qualifying people for cybersecurity jobs. As listed in an upcoming post, a significant number of cyber ranges run on the Merit platform. Similarly, in a conversation with Sharon Rosenman (VP, Marketing) of Cyberbit, he too is focused on cyber workforce development. As with Merit, Cyberbit powers a significant number of cyber ranges.

Before getting into cyber range specifics, it is essential to keep the focus on the problems cyber ranges address. Unfortunately, many cyber range operators see their ranges as hammers, with every training opportunity looking like a nail. Not all cybersecurity roles require cyber ranges, and not all cyber training needs a range. After conducting this research, I see six primary use cases for a cyber range:

Figure 1 - Cyber Range Use Cases

At the end of this series of posts, I provide clear directional guidance to help organizations determine which cyber range characteristics are most applicable to each use case. In fact, in talking with cyber range operators/developers, one of their most significant challenges is people coming to them with an unclear idea of the problems they wish to address.

Cyber Range versus Traditional Training

The premise of this paper is that closing the cyber workforce gap requires a new training approach. Cyber ranges are a catalyst for closing this gap because they outperform traditional training methods in the following areas:

Security System Diversity – For the past 15 years we have built security infrastructure under the guiding mantra of Defense in Depth (DiD). A consequence of this mindset is layered security controls, often from multiple security vendors, and often with overlapping functionality and mission. The result is a very complex, yet at times brittle, infrastructure in which a change to one control affects upstream and downstream operations. This produces a highly complex security operations environment, one which can only be simulated/emulated in a cyber range.

Alert/incident fatigue – When SOC analysts are processing thousands of alerts a day, response fatigue is a significant challenge. Cyber ranges are the only environment that gives people a real-world sense of the information overload experienced in an actual SOC. No matter how many times a teacher talks about alert/incident fatigue, one has to experience it to understand it. Moreover, experiencing it is the only possible way that a) we can assess an individual's ability to deal with it, and b) we can teach people how best to manage the security event firehose.

Traffic and false positive distractions – Though related to alert/incident fatigue, managing the signal-to-noise ratio (SNR) and the false positive/negative ratio is critical to successful security operations. Again, this is something one cannot learn from a book or lecture; it must be experiential. Students must run through traces, logs, firewall rules, and scans while the cyber range instructor adjusts the range's SNR dial.

Complex multi-vector scenarios – Classroom training tends to be linear and two-dimensional, while working in a SOC is non-linear and three-dimensional. For example, we teach the Lockheed Martin Cyber Kill Chain™ in class as a linear process. In the real world, it is cyclic and three-dimensional, since multiple threats coincide, each at a different stage of the chain. For example, students must experience a malware attack masquerading behind a DDoS attack, initiated by a phishing attack.

Team vs. Individual Training – Most classroom and certification training targets the individual. The cyber range teaches groups how to work together because it simulates real-world team interaction. SOC teams attempt to address this through tabletop exercises, but the outcomes are unpredictable, varied, and often insufficient.
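To make the "SNR dial" and alert-fatigue points above concrete, here is a small simulation of a capacity-limited analyst shift working a synthetic alert stream. This is an added illustration, not part of the original post and not code from any of the cyber range vendors mentioned; the alert generator, the severity weighting, the triage policy and every number in it are constructed for the example.

```python
"""Toy alert-stream simulation of the SNR dial a cyber range instructor turns.

Added illustration for this post, not vendor code. The alert generator, the
severity model and the triage policy are all constructed assumptions.
"""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Alert:
    alert_id: int
    severity: int           # 1 (low) .. 5 (critical), as scored by the detection rule
    is_true_positive: bool  # ground truth; the analyst never sees this field


def generate_alerts(count, signal_fraction, seed=7):
    """Build a synthetic alert stream (constructed data, not captured SOC output).

    `signal_fraction` is the SNR dial: the share of alerts that are real incidents.
    Real and benign alerts both span severities 1..5 with overlapping
    distributions, which is what makes triage non-trivial.
    """
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    alerts = []
    for i in range(count):
        real = rng.random() < signal_fraction
        # real incidents skew high, noise skews low, but both cover the full range
        weights = [1, 2, 3, 4, 5] if real else [5, 4, 3, 2, 1]
        severity = rng.choices([1, 2, 3, 4, 5], weights=weights)[0]
        alerts.append(Alert(i, severity, real))
    return alerts


def triage(alerts, capacity, min_severity=1):
    """Model one analyst shift: suppress alerts below `min_severity`, work the
    rest highest-severity first, and stop when `capacity` alerts have been reviewed.
    Returns the counts a range instructor would score the student on.
    """
    queue = sorted((a for a in alerts if a.severity >= min_severity),
                   key=lambda a: (-a.severity, a.alert_id))
    reviewed = queue[:capacity]
    found = sum(a.is_true_positive for a in reviewed)
    total_real = sum(a.is_true_positive for a in alerts)
    return {
        "reviewed": len(reviewed),
        "found": found,
        "missed": total_real - found,
        "false_positives_worked": len(reviewed) - found,
        "precision": found / len(reviewed) if reviewed else 0.0,
        "recall": found / total_real if total_real else 1.0,
    }


def sweep_snr_dial(count=2000, capacity=200, fractions=(0.20, 0.05, 0.01)):
    """Turn the dial from a clean feed to a noisy one with analyst capacity fixed."""
    return {f: triage(generate_alerts(count, f), capacity) for f in fractions}


if __name__ == "__main__":
    for fraction, result in sweep_snr_dial().items():
        print(f"signal={fraction:>4.0%}  found={result['found']:>3}  "
              f"missed={result['missed']:>3}  fp_worked={result['false_positives_worked']:>3}  "
              f"precision={result['precision']:.2f}  recall={result['recall']:.2f}")
```

Running the sweep shows the effect the paragraphs above describe: with the analyst's capacity held constant, lowering the signal fraction drives precision down (more shift time spent on false positives) while real incidents that scored mid-severity fall below the cut and are never reviewed. The same harness can be reused to score a student's own `min_severity` and ordering choices against the hidden ground truth.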

Conclusion and Next Steps

This post is the first in a series of articles on cyber ranges. As discussed above, the essence of this report is that correct simulation/emulation gives us the power of Predictive Operational Performance (POP) for cybersecurity professionals. It instills confidence in cyber workforce seekers and cyber workforce employers that training will predict job success. In the second post, I get into some of the history of cyber ranges and the definitive characteristics of a cyber range. This background becomes fundamental knowledge for follow-on posts discussing the best fit of use case to cyber range; tips on building a cyber range-based curriculum; cyber range challenges; and a list of 13 cyber range platforms/enabling technologies and 29 cyber ranges in the USA.

____________________________

Companies that will be mentioned in upcoming posts: #Boeing, #Circadence, #Cyberbit, #CybexerTechnologies, #CypherPath, #IXIA, #Merit, #MetovaCyberCENTS, #OracleRavello, #Quali, #Root9bDaedelus, #SCALABLE, and #SimSpace
