6.
• Attacker mindsets
• Engaging and fun environment
• Master by doing
• Educational experience for all skill levels
• Assess individual & team performance
• Identify areas of improvement
• Map learning paths
• Create security culture
7. Sample - Java Developer
Fundamentals
• Fundamentals of Application Security
• Fundamentals of Secure Development
• Fundamentals of Secure AJAX Code
Secure Coding Concepts
• OWASP Top Ten: Threats & Mitigations
• Creating Secure Code – Java Foundations
• Creating Secure Ajax Code – Java Foundations
Advanced Concepts
• Creating Secure Java Code
• Creating Secure jQuery Code
• How to Create an Application Security Threat Model
1st CMD+CTRL event
2nd CMD+CTRL event
• Run Shadow Bank, which spans vulnerability types and skill levels
• Run additional team events to demonstrate and expand the skill set
Editor's Notes
Whose name should be first?
What is Satish's title?
Start with WarGames movie, transition to Simulation game.
Just as WOPR (War Operation Plan Response) could not tell the difference between simulation and reality, simulation tools have been widely used to predict true behavior in the real world. In the cyber security world, we call this a Cyber Range.
Notes:
What is a Cyber Range?
A cyber range is a simulation platform that enables cybersecurity teams to train and develop cybersecurity expertise and manage workforce planning. - Gartner
Simulated environment for hands-on security training and development
More immersive experiences than other types of training
Range of focus including Infrastructure, Network, Application, etc
Often begin as ad hoc or organizational projects
Increasing interest and adoption in public and private sectors
Source: https://blog.securityinnovation.com/hack-through-the-holidays-cmd-ctrl_1
CMD+CTRL Cyber Range
Increased focus on application layer
Adopt simulation and gamification to improve learning and retention rates
Focus on learning to think like attackers by doing - identify, build and implement multi-faceted attacks like those encountered in real life
Gamification has shifted into simulation much like flight simulators do. Result: Shift from machine guided learning to a free-formed, self guided experience that speeds learning and increases retention rate
Source: https://blog.securityinnovation.com/hack-through-the-holidays-cmd-ctrl_1
Why now?
Emergence of cloud technologies allows for easier, cost-effective development and deployment
Ability to engage with disparate team members in real time to encourage active learning and community building
Increasing cultural acceptance of immersive experiences for learning purposes
Differences in skill levels require non-identical, tailored training
Source: https://blog.securityinnovation.com/hack-through-the-holidays-cmd-ctrl_1
Previously limited to IT infrastructure/network or security teams; now it is time to let the Dev teams play too, in order to train and equip developers to think and act with a security mindset every day.
With an attacker's mindset, developers can be the first line of defense for their own code, long before the security team steps in
Focus time and investment on building the product at an earlier stage rather than fixing issues at a later stage
Reduce friction and improve the relationship between the Dev and Security teams
Build security culture across all software departments
Identify security champions
Benefits of AppSec Cyber Range
Benefits from both practitioner and leader sides:
Practitioners
Educational experience for all skill levels
Engaging and fun environment
Better understanding of security threats and attacker mindsets
Immersive, real-time experience that helps teams and individuals improve abilities
Leadership
Reporting to understand performance at an individual and team level
Map results into individual and team learning paths, enabling immediately actionable education opportunities
Assess skills of team members and identify areas for improvement
Streamline traditional training based on real life, demonstrated skills
Gain knowledge from providers to understand what methods and approaches work best
SOURCES: https://blog.securityinnovation.com/hack-through-the-holidays-cmd-ctrl_3-0
https://blog.securityinnovation.com/hack-through-the-holidays-cmd-ctrl_1
Blended Learning: An enhanced and customized security learning solution that combines role- and technology-focused courses with a hands-on Cyber Range to optimize training effectiveness for individuals. Over time these become an ongoing practice that raises security knowledge across all team members.
Educate Teams - Provide baseline security education to cover fundamentals before Cyber Range engagement
Baseline Performance - Keep early stage events low pressure in order to accurately baseline performance of individuals and teams
Coach Participants - In real time and after the fact. Break down the mindset of a mystical hacker culture through driving open discussions, sharing, etc
Distributed Focus - It’s not just about score, number of issues found or methodology...it’s about all three. Make sure to focus on the hows and whys of attacking a site, not just the scoreboard.
Understand Results to Inform Action - Various data points will arise and can be used to schedule specific training, inform career paths, etc
Source: https://docs.google.com/document/d/1jOwvR1t7nTHnlF0sVWr2gmfYyUikid_vRMwM_PlNlBI/edit?usp=sharing
Surprises
Much broader scope of users than expected (Execs, HR, Engineering, Marketing)
Speeding security training ramp up for users
Leads to improved security skills pipeline
Self selecting Security Champions - Don’t steal talent, expand it
Side Benefits
Improved skills measurement
Informed, results based training
Demystification of hacker culture
Improved team dynamics (fun, engaging events = better teams)
Source: https://docs.google.com/presentation/d/1KitKSfzu6zsDvZEpNYAAADeIRUVPI6PLozMtnJUoD5k/edit#slide=id.p14
To do: get feedback from Accenture or SI CSM on content
Image is from Accenture website: https://www.accenture.com/us-en/insight-disruptive-technology-trends-2017
Wording is subject to change if it incorrectly reflects the roll-out plan. 'Start small, make progress' is based on the understanding that Accenture will start with a smaller group of players for CMD+CTRL train-the-trainer, then pilot with a couple of thousand players for always-on, before eventually expanding to much larger groups.
-------------
Goal of slide: Introduce concept of a modern, application focused cyber range to a group who likely knows of them as cumbersome network tools
Maybe make this a slide on “The shifting focus of Cyber Ranges”?