Making Cybersecurity BETTER: Dan Manson to Speak at RSA 2019

With the New Year in full swing, we are resolved not only to improve our own products to meet industry shifts but also to help improve cyber professionals’ skill sets against evolving threats. One of the ways we are doing this is with the help of our team member Dan Manson, Instructional Designer (Level 5) and current Professor of Computer Information Systems at California State Polytechnic University, Pomona.

Dan is speaking on a panel discussion at the upcoming RSA 2019 conference, titled “How to Create a Truly Diverse Cyber Workforce,” on Thursday, March 7 from 1:30 p.m. – 2:30 p.m. alongside panelists Mat Neufield, CISO for Unisys, and Jordan Jacobson, a California State Polytechnic University, Pomona student. Shelly Westman, principal with EY, will moderate.

It is at events like RSA (find Circadence and Project Ares at booth 6583) that the Circadence team and visitors to our booth share industry perspectives and explore dynamic learning solutions for cybersecurity professionals. The insights from these meetings often influence our advanced product capabilities, features, and offerings.

In addition to sharing his expertise on the ways to diversify the cyber workforce, Dan looks forward to playing an integral part in our Project Ares® cyber learning platform evolution alongside the rest of our incredible team.  He is helping integrate proficiency standards and competencies into Project Ares curriculum to improve the overall training value, player scoring, points, badges, etc. He also supports the analysis of how well the training content aligns to the NIST NICE Cybersecurity Workforce Framework, identifying the gaps for our Cyber Education and Training department to consider in curriculum design.

We know the cybersecurity landscape is fluid, in a constant flux of improving security provisions, processes, technology, and the professionals behind it all. Circadence understands that there is no “one-size-fits-all” solution, which is why our solution capabilities ride on the coattails of the frequent industry changes. Our “Living our Mission” blog series keeps customers and interested parties current on the latest updates to our platforms and the benefits of the developments on organizational security posture.

To learn more about how our gamified learning platform Project Ares is supporting a more diversified workforce in the midst of a widening skills gap, download our white paper “The Importance of Gamification in Cybersecurity Training” now. 

 

What We’ve Learned from the Evolving IT Landscape and Where Cybersecurity is Headed in 2019

The new year is always a good time for reflection. At Circadence, we look back on the dynamic IT landscape and ever-evolving threats to understand where CISOs and security leaders can direct their attention in 2019 and prioritize new security practices. To learn more, we tapped into our own cybersecurity expert Laura Lee, Executive Vice President of Rapid Prototyping, to answer some questions for us.

Tell me briefly about your own background in IT security and how the changing landscape has impacted your approach.

LL: I’ve been working in Computer Network Operations for over 20 years and have been involved in developing technology for protocol analysis, secure protocol development and defense strategies. I’ve seen tremendous technology evolution in that time as well as a reprioritization of security practices. In the past, we used to be able to rely more on technology (e.g., anti-virus, firewalls and IDS) but now the human cyber defender is critical.  Today, I lead multi-disciplined teams in the persistent development of our immersive cyber learning platform Project Ares, fusing real-world cyber ranges with engaging and gamified learning experiences. Early in my career, my focus was on protecting the networks for large radar and missile systems. For the last decade, I’ve been focused on cybersecurity defense tactics through training and exercises. The shift is a reflection of how security has evolved over time, from being a siloed initiative rooted in government practices to a worldwide business to business effort layered with security complexities and interconnected devices and systems.

How has the enterprise IT security landscape changed in the past 30 years? Are organizations better off now than they were 30 years ago?

LL: I have definitely seen improvements in enterprise IT, particularly in the last 10 years. There are now standards, like the NIST Cybersecurity Framework, which provides security guidance for how private sector organizations in the United States can assess and improve their ability to prevent, detect, and respond to cyberattacks.

In the beginning of the Internet, we were working more on interoperability and sharing data – security was the last thought. Interoperability, which is the ability of computer systems to exchange and make use of information, was still very difficult when the internet first came into being. People weren’t able to share so much information as quickly, so the need for security systems and secure protocols wasn’t something to be concerned about. As the internet grew, so did the vulnerability of sharing personal data with the wrong people or networks. Online shopping, online banking, social media, etc. made information so easily accessible to hackers, that the focus had to shift to cybersecurity.

Unfortunately, hackers and attacks have improved more than defenders, so we are far from “winning this cybersecurity war”. Not only are there more advanced tools that cybercriminals are rolling out and utilizing, but these criminals have more to gain and operate their hacks like a business. They use well-designed tools, such as FakeLogin and GM Bot, which make it easy for those who don’t necessarily have a technical background to launch a cyberattack. From data mining techniques to the sheer volume of information that many organizations keep on file, hackers can access more and reap a higher reward than ever before.

What have been major IT security milestones that have altered or shaped this market? Why are these the most significant?

LL: I believe two things have made it harder to win the war against hackers. First, many offensive hacking tools (including previously classified government ones) have been released and are freely available online. These tools are the same ones that white hat hackers use, but for different purposes. While cybersecurity professionals use them to find vulnerabilities and deploy defensive mechanisms to prevent the exploitation of the network, hackers can use them to launch cyberattacks.

While there are many reasons that we need offensive hacking tools, these tools also make it easier for black hat hackers to cause damage by publishing the found weaknesses. Black hat hackers use the information to launch malicious attacks against these networks based on the research gleaned from ethical hacking. This makes the barrier to entry very low for cybercriminals.

Second, the advent of electronic currencies like Bitcoin has helped monetize cyber-crime. Bitcoin is decentralized, with no bank or single administrator, and can be sent from user to user on the peer-to-peer Bitcoin network without the need for intermediates. Cryptocurrency has made it easy for cybercriminals to monetize hacking. Prior to cryptocurrency, hackers used things like espionage, extortion, and identity theft to make money. Each of these methods came with big risks, which cryptocurrencies have solved by being anonymous, unregulated, and easily converted to cash value.

These milestones have been a catalyst for the increasing ransomware attacks, such as the attack on Atlanta in early 2018 where ransomware was used to glean sensitive information from multiple applications and devices used by city employees. It has also increased attacks on healthcare and energy industries, and the recent attack on the Tribune publishing services, which disrupted printing operations and distribution for newspapers. Criminal organizations are always looking for new ways to build cash and cyber-crime has been lucrative for them.

Looking ahead to the next 30 years, or even the next 10, what do you see as the greatest challenges or threats enterprise or IT security professionals will face?

LL: We already have a huge gap in the number of trained cybersecurity professionals (with estimates of over 3.5 million unfilled positions by 2021). Primary and secondary education programs are just rolling out to help teach the next generation of cyber professionals, but the struggle is real since cybersecurity is such a unique and challenging field. To become an expert, you need thousands of hours in a hands-on environment to learn the network fundamentals, attack strategies, defensive tactics and how to adapt to an ever-changing threat. You need to see what an attacker looks like on a realistic network and practice new ways to detect and respond.  Cyber professionals must be both broad and deep with continued learning being a lifelong requirement!

As the cyber threat surface expands, so do our defensive teams. However, what we are actually seeing is a widening skills gap in the cyber arena, putting us at more risk than ever because we simply don’t have enough people to defend incoming threats. This is why it is imperative that cyber learning becomes more incorporated into academia. Cyber ranges are a great way to learn the ins and outs of cybersecurity. A cyber range is a virtual environment that uses hands-on learning for cyber warfare skills development. By training students to address real-world attack scenarios, we prepare them for the workforce of the future.

Recommended Reading: 

Faces of Cyber Ranges white paper – download now!
Alternative solutions to cyber learning 
Cyber range learning in academia 
The benefits of active, gamified learning in cybersecurity

 

Help Wanted: Combating the Cybersecurity Skills Shortage

Recent news headlines are clear on one thing: there is a massive shortage of cybersecurity experts in the industry. Cyberattacks are permeating every commercial and government sector yet the talent pool of defenders can’t keep pace. When data is compromised and there aren’t enough experts to secure the front lines, we ALL are at risk of identity theft, monetary losses, reputational damage, fines, and operational disruption—to name a few.

With more than one in four organizations experiencing an advanced persistent threat (APT) attack, and with 97 percent of those APTs considered a credible threat to national security and economic stability, it’s no wonder the skills shortage is on everyone’s mind.

A report from Frost & Sullivan found that the global cybersecurity workforce will have more than 1.8 million unfilled positions by 2020. It raises the question: what’s causing such a shortage? According to a Deloitte report, the lack of effective training opportunities and risk of attrition may be to blame.

The Search for Cyber Talent

Given the pervasive nature of cybersecurity attacks, enterprises can’t afford to wait around for premiere talent to walk through the door. Companies need to take a proactive approach to hiring qualified talent—and, yes, it takes effort. Through proper training and education, companies can build highly skilled teams of defenders to face ever-increasing threats.

Everything from digital forensics to computer languages to network defense to cybersecurity law should be skills that candidates possess or are willing to learn immediately. In today’s training and education landscape, where traditional cyber training classroom settings prove ineffective at preparing professionals for real-world attacks, companies need to adopt a paradigm shift during their talent search: being comfortable hiring for character and cultural fit first, then training for skills development.

Instead of brooding over the current staffing shortage realities, enterprises can take proactive action to combat the talent gap with these search strategies:

Fill the talent pipeline

Consider hiring people with different industry backgrounds or skill sets to bring new ideas to the table. Sometimes, getting an “outside” perspective on the challenges firms are facing sheds a new light because they notice nuances and inconsistencies that internal teams, who are in the day-to-day, may not see immediately. Look for passionate candidates with an eagerness to learn. Companies today are prioritizing skills, knowledge, and willingness to learn over degrees and career fields because they know that some things cannot be taught in a classroom such as: curiosity, passion, problem-solving, and strong ethics.

Look for individuals with real-world experience

If you happen to have candidates in your pipeline that have industry knowledge, ask about their real-world experience. Inquire about the kinds of things they’ve learned in their previous position and get them to share how they remedied attacks. Create a checklist of skills you desire from a candidate that may include identity management, incident response management, system administration, network design and security, and hacking methodologies, to name a few. Learning how they dealt with real situations will reveal a lot about their personality, character, and skill set.

Re-examine job postings

Often a job posting is the only thing compelling a candidate to apply for a position. If the job posting is simply a laundry list of skills requirements and degree preferences, it may deter candidates who have those skills but also seek to work for a company that values innovation, creativity, and strategic vision. Read descriptions carefully to determine if they portray the culture of your organization. If a cultural vibe is lacking, it may be time to inject a sense of corporate personality to attract the right candidates.

Provide continuous professional development opportunities

With advances in technology, professionals need to be on top of the latest trends and tools to succeed in their job. That is why it is vital to re-skill and consistently train your existing cyber team so they can successfully prepare for anything that comes their way—and you can retain your top talent. Conferences, webinars and certifications are not for everyone—so it is important to find growth opportunities that employees want to pursue for both their personal as well as their professional benefit.

Create a culture of empowerment for retention

CISOs can set expectations early in the hiring process so candidates understand how their specific role impacts the organization. For example, during the interview process, notify candidates of your expectation that they be “students of the industry” such that they are expected to stay on top of security news and happenings. Gartner advocates for a “people-centric security” approach where stacks of tools are secondary to the powerful human element of security. Additionally, send out quarterly or bi-monthly roundups of the latest cybersecurity news and events to keep your team abreast of current affairs. Making it as easy as possible for them to be “students of the industry” increases the likelihood that they will remain current on industry developments and engaged in their role.

Invest in Training to Cultivate Talent

Executives are demonstrating their support for strong info security programs by increasing hiring budgets, supporting the development of info security operation centers (SOCs) and providing CISOs with the resources they need to build strong teams. With the right talent, you will have a better chance of successfully defeating attackers, staying aware of current threats, and protecting your team, your company—and your job. These strategies will go a long way in preventing future attacks and preparing staff and systems to respond when things go awry. The cybersecurity staffing shortage is no longer just a cybersecurity department issue—it’s a global business risk issue.

Finding the needle in the cybersecurity haystack: Why gamification is the answer you’ve been looking for

To say we’re on an upward trajectory in the cybersecurity space would be an understatement. Cyber threats are increasing. Organizational spending is increasing. And the cost of a data breach is increasing—to somewhere around $3.62 million per breach according to the Ponemon Institute. With such exponential growth across the field, CISOs are actively looking for ways to strengthen their efforts. With the plethora of information available today, it is like finding a needle in a haystack. It’s hard to know whom to believe, what to believe and how often. With so many options available, CISOs are understandably stymied in making educated decisions for an optimal solution. Fortunately, our 20+ years in the gaming industry have led us to a valuable conclusion that can help CISOs professionally develop their teams—and protect their organization. The answer lies in gamification.

It’s a buzzword that has been floating around the technology sphere for quite some time and is gaining momentum. It’s commonly defined as a process of adding games or game-like elements to something. The term was originally coined in 2002 by a British computer programmer named Nick Pelling. The term hit mainstream when a location-sharing service called Foursquare emerged in 2009, employing gamification elements like points, badges, and “mayorships” to motivate people to use their mobile app to “check in” to places they visited.

The term hit buzzword fame in 2011 when Gartner officially added it to its “Hype Cycle” list. But we’re not recommending gamification because it is the new, shiny object on the heels of AI. We’ve seen gamification work for companies looking to train their cyber teams.   

How does it work?

Unlike compliance-driven teaching methods, gamified teaching engages practitioners individually and in teams, through modern learning strategies. It works by deploying connected, interactive, social settings that allow learners to excel in competitive, strategic situations. It allows trainees to apply what they know to simulated environments or “worlds,” creating a natural “flow” that keeps them engaged and focused. And we’re not talking about simple Capture the Flag games; we’re referring to cybersecurity exercises inspired by game-like activities to effectively engage learners.

According to Training Industry, gamified training programs are customizable based on an organization’s needs; visually driven through use of progress bars and milestones; and are usually time-bound to hold employees accountable for task completion. Further, achievements, points, badges, trophies, and rewards/recognition of progress give users a sense of accomplishment, keeping them motivated and engaged.

Why is gamification powerful?  

The next gen learner (born after 1980) has never known a world without video games so it’s a natural progression that cyber training incorporate a style of teaching that best suits today’s learner. Neuroscientist Eric Marr said the reason it works so well is because when an individual engages with gamified simulations, the brain releases dopamine, a chemical that plays a role in the motivational component of reward-driven behavior. He says “Dopamine helps activate the learning centers in the brain. If your brain releases dopamine while you’re learning something, it helps you remember what you’ve learned at a later date.”  

Studies like “I Play at Work: Ten Principles for Transforming Work Processes Through Gamification” outline the following benefits:  

  • Increased engagement, sense of control and self-efficacy   
  • Adoption of new initiatives  
  • Increased satisfaction with internal communication  
  • Development of personal and organizational capabilities and resources   
  • Increased personal satisfaction and employee retention   
  • Enhanced productivity, monitoring and decision making    

 

At Circadence®, we have taken these learnings and applied them to our own flagship product, our cybersecurity training platform Project Ares®. Recognizing the widening cyber skills gap and evolving threats, only the most productive and effective training mechanisms will do—and the latest research tells us that gamified environments are here to stay. An immersive training platform, Project Ares appeals to today’s learner—and gets CISOs and their colleagues excited about training again. In contrast to passive, traditional instructor-led courses, gamification provides an active, continuous learning, people-centric approach to cybersecurity skills development.   

For a more in-depth look at the Importance of Gamification in Cybersecurity, download our white paper here.

Circadence Takes “A Different Look at Cybersecurity” on the Road

In partnership with Sirius Computer Solutions, Snowflake Computing, and Puppet software, Circadence is pleased to participate in the roadshow series “A Different Look at Cybersecurity.” In cities across Tennessee, Mississippi, and Alabama, Circadence and partners will help businesses discover new ways to approach cybersecurity readiness in the wake of imminent and persistent cyberattacks affecting every industry today.

Attendees will gain meaningful insights into:

  • Addressing the cyber skills gap
  • Enhancing defense capabilities with AI
  • Simplifying cloud data management
  • Securely automating and accelerating DevOps processes

Understanding that enterprises are actively seeking both strategic and technological solutions to solve their cybersecurity challenges, these informative and educational events include in-person conversations that focus on real-world, practical approaches that apply to CISOs and SOC professionals.

“Connecting with business leaders at events like this is the best way to understand what cybersecurity issues are keeping them up at night,” said Daniel Jaramillo, vice president of sales at Circadence. “By engaging with the cybersecurity community in small groups, we can share ideas that will help them stay protected from attacks and empower their cyber teams with effective learn-by-doing approaches.”

To learn more about each of the stops for “A Different Look at Cybersecurity” visit our Facebook events pages and register for FREE today:

“A Different Look at Cybersecurity” in Chattanooga – https://www.facebook.com/events/438374093367001/

“A Different Look at Cybersecurity” in Nashville – https://www.facebook.com/events/357315905048895/

“A Different Look at Cybersecurity” in Memphis – https://www.facebook.com/events/2291581351131659/

“A Different Look at Cybersecurity” in Jackson – https://www.facebook.com/events/1219009901596924/

“A Different Look at Cybersecurity” in Mountain Brook – https://www.facebook.com/events/223832025193175/

If you have any further questions about these roadshow events, please contact Amy Dageenakis.

 

 

Artificial Intelligence and Learning Through Robotics: An Interview with Circadence CTO Bradley Hayes

We sat down with Circadence’s own Chief Technology Officer, Brad Hayes, to delve deeper into the meaning of AI and machine learning as it relates to the cybersecurity field, to discuss how robotics inform best cybersecurity practices, and to learn about new developments that are shaping the future of the field.

Artificial Intelligence (AI) is a phrase we hear quite often. It’s thrown around in movies and TV shows, listed as a feature in new devices we buy, and is even brought into our homes through voice services like Siri and Alexa. AI is a technology that is being positioned to help us, as consumers and professionals, perform traditionally complex tasks with ease. The ability to automate and augment responsibilities using robotics continues to gain traction as our digital footprints expand. And surrounding it all, cybersecurity becomes ever more critical as we seek out better ways to protect ourselves, our schools, our businesses, and national security.

Before we talk about Artificial Intelligence and machine learning, can you tell me a little more about your robotics research?

BH: The central theme of my lab’s research is building technology to enable autonomous systems to safely and productively collaborate with humans, improving both human and machine performance. The main goal is developing human-understandable systems and algorithms to create teams that are greater than the sum of their parts, outperforming the state of the art in inferring intent, multi-agent coordination, and learning from demonstration. Robotics is a foundation upon which AI and machine learning technology can be deployed with substantial impact, and it opens doors for skill building and capability expansion when we use these techniques in the context of cybersecurity learning.

Can robots help humans be more efficient?

BH:  Early robotics research focused on creating robots that would primarily occupy a purely physical role: as a force multiplier that adds physical strength, repetition, or precision to a process (like a robotic arm helping to transport material). Within the scope of earlier AI research, decision support systems were designed as cognitive assistants, helping humans make more informed choices. The next evolution of robotics research significantly synthesizes AI advancements and helps engineers and developers understand how to automate and augment processes of cognition and interaction.

The idea of machines/robots helping professionals automate and augment tasks and decision-making is interesting. Can you explain how machine learning folds into this idea?

BH:  Machine learning is a broad concept. It gets confused a lot with artificial intelligence (AI), which is more of an umbrella term.  Machine learning is a term that applies to systems that adapt based on behavior or action, while AI is descriptive of intelligence that doesn’t necessarily need to change as a function of its experiences over time.

AI and machine learning are ever-present in our lives. Route directions on Google maps, for example, use a combination of AI techniques to find a path between your source and destination while machine learning models estimate factors like traffic, time of day, and weather conditions to get you to your destination as quickly as possible. Netflix uses a tremendous amount of data, processed within their machine learning models, to predict shows that you might like. They also use these models to inform which programs they’re going to manage and create. Likewise, Pandora and Spotify use machine learning to tell you what they think you’d like to listen to. Machine learning is ubiquitous, already telling us where to go, what to see, and what to listen to. 

How does robotics relate to cybersecurity?

BH: A lot of the problems that we’re trying to tackle in the human-robot interaction research space are also echoed within the cybersecurity industry. If we want to design a robot teammate for a manufacturing task, that robot will need to be able to infer a human’s goals and intent from observation. This will let the robot perform productive actions, avoid collisions, and generally not be infuriatingly “in the way” during collaboration. Now apply that behavior to cybersecurity: Consider an autonomous agent that can infer the intent of actors on a system on your network, based on their behavior. Once those intentions are known, a defender can take steps to mitigate threats so malicious actors can’t achieve their goals. That’s a force multiplier for those defenders, making them more powerful and productive!

The relationship between the autonomous teammate and the human is especially important to cybersecurity education, as we can use learning technologies to assess a learner’s skill set and guide their progress to make them more effective more quickly. Beyond cooperative activities, we can also use these autonomous agents as opponents, providing a cost-effective means of teaching cyber professionals to react and respond to realistic attacks, forcing them to think more strategically and creatively to overcome adversaries.

Thinking about the relationship between robotics and cybersecurity, an example I often think of is when IBM’s “Deep Blue” beat Garry Kasparov at chess. People were asking: “Does this mean that computers are smarter than people? What does this mean for the future of chess?” My response is that this doesn’t mean we’re going to abandon chess, but rather that we will have new tools to train with and improve. In fact, that advancement helped spur great interest in human-machine teaming within the game of chess.

To me, the most exciting aspect of these systems is when it’s shown that a team consisting of an expert human and the AI can beat the AI by itself, suggesting that there are still aspects of the game not yet captured by the system. This example is illustrative of the fact that even in domains widely considered “solved,” the human still brings something valuable to the team.

Why does cyber learning matter to you and why is cybersecurity so important given advancements in AI and machine learning?

BH:  Cybersecurity professionals can engage in a cyber range learning environment against AI-powered adversaries and gain new insights into their approach, positively impacting threat response and mitigation. Further, they can learn to team up with AI-powered agents to accomplish tasks quicker and develop strategies to mitigate threats to defeat increasingly capable, quick, and clever opponents. Cyber learning through AI-powered intelligent tutoring is of paramount importance for providing affordable, effective, and personalized education at scale.

As we’ve been quick to inject computation into pretty much every aspect of life, the speed at which we’ve deployed these systems has come at a cost. At this stage, I would consider it a debt, as there is a tendency to deploy systems without properly safeguarding them and/or ensuring that they’re reliably operational under potentially adversarial operating conditions.

Further, cybersecurity doesn’t just mean being able to defend against intentional adversaries, but also against unintentional consequences stemming from benign actions from people we trust. In any case, the attack surface grows rapidly as points of interaction grow in number. Because of this, I don’t foresee a viable strategy that doesn’t heavily involve the use of AI and machine learning for cybersecurity professionals, both in terms of learning and continuing education, but also in terms of effective coordination against increasingly capable adversaries.

These concepts are important to know and understand as government, enterprise, and academic institutions look to keep pace with the evolving threat-scape and prepare the next generation of cyber professionals. To learn more about how Circadence is at the forefront of cybersecurity learning tools, visit https://circadence.com/.