Putting some muscle behind your security incident response plan

Introducing the X-Force Command Cyber Tactical Operations Center

By Caleb Barlow

When we opened the IBM X-Force Command Cyber Range, at the IBM Security headquarters in Cambridge, Massachusetts, I was expecting a positive response. What I didn’t fully realize was just how much demand there would be from customers looking to get into the range, to experience a breach simulation led by our elite squad of cyber first responders and gamification engineers.

In the past two years, more than 2,000 people have gone through the immersive, gamified challenges in our Cyber Range, including executives, board members, and officers from many of the world’s top government agencies, banks, and energy companies. The Cyber Range has been so successful that we almost immediately began talking about how we could build the next-generation cyber operations center. What we came up with was a bold idea that I’m excited to announce today is ready to roll.

The IBM X-Force Command Cyber Tactical Operations Center, or C-TOC for short, is a first-of-its-kind cyber-experience-on-wheels. There’s currently nothing like it in the commercial sector. Incredibly, it offers the same capabilities as our Cyber Range in Cambridge, but in the form of a mobile tactical operations center – a “jump TOC” – that military and first-responder personnel use in the field to monitor situations that require immediate response and decision-making.

The C-TOC is an extremely versatile mobile facility. One day it might be hosting university students at a capture the flag event. The next day it might function as an operations center at a major event. And the day after that it could be performing red team penetration testing for a large enterprise.

The X-Force Command C-TOC took over a year and a half to design and build. Manufacturing began on the plains of Iowa, where Featherlite Trailers built the completely custom 23-ton trailer. It was like watching an episode of “American Choppers” as they welded this trailer together from the axles up. To accommodate the scale of the C-TOC’s operations, the trailer expands using electric-drive-powered slide-outs on either side, allowing it to more than double its size. Inside the trailer is an impressive array of technology, put together by Diversified in Atlanta, that creates a gestural controlled watch floor, with screens and workstations for more than 20 operators sitting at custom desks created by Winstead.

Of course, all these screens and workstations are fed with video, communications, data, and the security solutions for responding to a cyber incident. The C-TOC recreates an entire IT environment using a large VMware cluster built on a 100TB solid-state disk array, cooled by over 10 tons of cooling capacity from a massive air conditioning unit on the front of the trailer. That air conditioner is rivaled in size and weight by a 47kW generator that powers the C-TOC with enough energy to support a small neighborhood.

Hauling this massive trailer will be a Mercedes-Benz Arocs, the 27-ton heavy-duty tractor unit that’s similar to those used to haul giant road trains across the Australian outback.

Why we built the X-Force Command C-TOC

One of the things I’ve realized in my experience at IBM Security and talking to customers is that when companies are forced to respond to a cybersecurity incident, it is often the worst day in the life of that company. The average cost of a data breach globally is $3.86 million, according to the 2018 Cost of a Data Breach study conducted by Ponemon and sponsored by IBM Security. But that cost can be much higher or lower depending on how you respond. The things you do after a breach – “right of boom” – can make a tremendous difference in how bad the fallout from a breach is. The difference is preparation and practice.

If someone you love falls down in front of you with a heart attack, now is not the time to pull the medical book off the shelf and learn CPR. When companies have a security incident, that is not the time to pull the runbook off the shelf and figure out how to respond – what protocols you follow, what actions you take in that moment must be ingrained in an organization like muscle memory. Just like CPR, you need to learn it and practice it before you need it.

There is nothing that can replace real-world experience earned on the front lines of a cyber attack – but an X-Force Command experience is a close second. The X-Force Command C-TOC is the next step in the evolution of the cyber response experiences we offer in our X-Force Command Cyber Range. In the last couple of years, we’ve learned many lessons and best practices from watching some of the top companies in the world running through a breach response, which you can read about in another blog post here.

But before you go check out the videos of the C-TOC and learn more about its cool features and amazing technologies, I’ll say this – we’re not finished. Working with our logistics provider, Brewco Marketing, we will soon be taking the C-TOC to Washington, DC, for a demonstration of its capabilities and a conversation about the security of our US elections. We’ll demonstrate how the C-TOC can be used in real-world scenarios such as responding to special security events, or to conduct cyber investigations.

Finally, the IBM X-Force Command Experience is driven not just by our state-of-the-art technology and simulations. Our people are the key to the whole thing – from the engineers who built the C-TOC, to the developers and designers who created the scenarios, the folks behind the scenes and the facilitators who run the programs in our C-TOC and Cyber Range, and the incident response advisors who meet with our customers to help them build and hone their security response strategy. I couldn’t be prouder of what we’ve built and I’m excited for the next chapter in the X-Force Command story.

Jim Mills GCIH, CISM

Senior Director, Cyber Resilience & Response at RBC

6 years ago

This is amazing. Congrats to you and the team.

Stuart Allen

Designing and delivering the things that need fixing for the future as a Senior Solutions Architect at CapGemini

6 years ago


Tony Cusato

IBM Corporate, CIO, US Federal & E&TS BISO Security Consultant * PS27 Ventures Technology & Security Advisor

6 years ago

Amazing idea!


I was in Herndon, busy on the JEDI proposal, catch you next time around

Jeffrey Caruso

The third edition of Inside Cyber Warfare is now available on Kindle and in paperback on Amazon.com.

6 years ago

This is spectacular. Love the concept and the finished product.
