Immersive Cyber Training with Project Ares: Ramping Up a Cyber Career

As promised, I’m back with a follow-up to my recent post on how we need modernize the learning experience for cybersecurity professionals by gamifying training to make learning fun.  Some of you may have attended the recent Microsoft Ignite events in Orlando and Paris.  I missed the conferences (ironically, due to attending a cybersecurity certification boot camp) but heard great things about the Microsoft – Circadence joint “Into the Breach” capture the flag exercise.  If you missed Ignite, we are planning several additional “Microsoft Ignite The Tour” events around the world, where you’ll be able to try your hand at this capture the flag experience.  Look for me at the DC event, right after the Super Bowl, in early February.

In the meantime, due to the great feedback that I received from my previous blog (which by the way I do really appreciate, especially if you have other ideas for how we should be tackling the shortage of cyber professionals), I will be digging deeper into the mechanics of learning to understand what it really takes to learn cyber in today’s evolving landscape.  I want to address the important questions of how a new employee would actually ramp up their learning, and how employers can prepare employees for success, and track the efficacy of the learning curriculum.  Once again, I’m pleased to share this post with Keenan Skelly, chief evangelist at Boulder, CO-based Circadence.  Take a look a look at some of her recommendations:

 

Q: Keenan, in our last blog, you discussed Circadence’s ‘Project Ares’ cyber learning platform.  How do new cyber practitioners get started on Project Ares?

The way that Project Ares is set up allows for a user to acquire a variety of different skill levels when launched.  It’s important to understand what kind of work roles you are looking to learn about as a user. What kinds of tools you’re looking to understand better before you get started on Project Ares. For example, if I were to take some of my Girls Who Code, or Cyber Patriot students and put them into the platform, I would probably have them start in the Battle School. This is where they’re going to learn about basic cybersecurity fundamentals, things like ports and protocols, regular expressions and the cyber kill chain. Then they can transition into Battle Rooms, where they will start to learn about very specific tools, tactics and procedures (TTPs), for a variety of different work roles. If you are a much more skilled cyber ninja, however, you can probably go ahead and get right into Missions, but we do recommend that everyone who comes into Project Ares does do some work in the Battle Rooms first, specifically if they are trying to learn a tool or a skill for their work role.

In Project Ares, we have a couple of different routes that an expert or an enterprising cybersecurity professional can come into that’s really focused more on their role. For example, we have an assessments area that is based entirely on the work role. That aligns to the NIST framework and the NICE cybersecurity work roles. For example, if you are a network defender, you can come into that assessment pathway and have steps laid out before you to identify your skill level in that work role.

 

Q: What areas within Project Ares do you recommend for enterprise cyber professionals to train against role-based job functions and prepare for cyber certifications?

You might start with something simple like understanding very basic things about your work role through a questionnaire in the Battle School arena. You may then move into a couple of Battle Rooms that tease out very detailed skills in tools that you would be using for that role. And then eventually you’ll get to go into a mission by yourself, and potentially a mission with your entire team to really certify that you are capable in that work role. All of this practice helps prepare professionals to take official cyber certifications and exams.

 

Q: Describe some of the gamification elements in Project Ares and share how it enhances cyber learning. 

One of the best things about Project Ares is gamification. Everyone loves to play games, whether it’s on your phone playing Angry Birds, or on your computer or gaming console, so we really tried to put a lot of gaming elements inside Project Ares.  For example, everything is scored within Project Ares, so everything you do from learning about ports and protocols, to battle rooms, to missions gives you points, experience points—those experience points add up to skill badges. All these things make learning more fun for the end-user. For example, if you are a defender, you might have skill badges in infrastructure, network design, network defense, etc.  and the way Ares is set up, once you have a certain combination of those skill badges you can actually earn a work role achievement certificate within Project Ares.

This kind of thing is taken very much from Call of Duty, or other types of games where you can really build up your skills by doing a very specific skill-based activity and earning points towards badges. One of the other things that is  great about Project Ares is it’s quite immersive, so the Missions, for example, allow a user to come into a specific cyber situation or cyber response situation (e.g. water treatment plant cyber attack) and be able to have multimedia effects that demonstrate what is going– very much reflective of that cool guy video look. Being able to talk through challenges in the exercises with our in-game advisor, Athena, adds another element to the learning experience. She, Athena, was inspired by the trends of personal assistants like Cortana and other such AI “bots” which have been integrated into games. So these things like chat bots, narrative storylines, and skill badges are super important for really immersing the individual in the process. It is so much more fun, and easier to learn things in this way, as opposed to sitting through a static Power Point presentation or watching someone on a on a video, trying to learn the skill passively.

 

Q: What kinds of insights and reporting capability can Project Ares deliver to cyber team supervisors and C-Suite leaders to help them assessing cyber readiness? 

Project Ares offers a couple great features that are good for managers, all the way up to C-Suite individuals who are trying to understand how their cybersecurity team is doing. The first one is called Project Ares Trainer View. This is where a supervisor or manager can actually jump into the Project Ares environment with the students or with the enterprise team members and actually do that in a couple of different ways. So for example, the instructor, or the manager can jump into the environment as Athena, so that the user doesn’t know that they are in there, they can provide additional insight or help that is needed to a student.

A supervisor or leader can also jump in as the opponent, which gives them the ability to see someone who is just breezing by everything, to maybe make it a little more challenging; and then of course, they can just observe and leave comments for the individuals.  That piece is really helpful when we are talking about managers who are looking to understand their team’s skill level in much more detail.

The other piece of that is a product we have coming out soon called Dendrite.  Dendrite is an analytics tool that looks at everything that happens at Project Ares so we record all the key strokes, any chats that a user has with Athena, the in game advisor, and any chatting a user may have done with other team members while in a mission or battle room.  Cyber team leads can really see what’s going on, and as a user, you can see what you’re doing well, and what you’re not doing well.  That can be provided up to the manager level, the senior manager level, and even to the C-Suite level to demonstrate exactly where that individual is, in their particular skill path. It helps cyber team leads to understand what tools are being used appropriately and which tools are not being used appropriately.

For example, if you are a financial institution and you paid quite a bit of money for Tanium, but upon viewing tool use in Dendrite, you find that no one is using it. It might prompt you to rethink your strategy on how you are using tools in your organization optimally. Or, how you’re training your folks to use those tools. These types of insights are absolutely critical if you want to understand the best way to grow the individual in cybersecurity and make sure they are really on top of their game.

 

Q: How do non-technical employees improve their cyber readiness?

Here at Circadence we don’t just provide learning capabilities for advanced cyber warriors. For mid-range people just coming into the technical side of cybersecurity, we have an entire learning path that starts with a product called inCytÔ. Now, inCyt is very fun, browser-based game of strategy where players have some hackable devices that they have to protect, like operating systems and phones. Meanwhile, your opponent has the same thing objective: protect their devices from attacks. Players continually hack each other by gathering intel on their opponent and then launching different cyber attacks. While they’re doing this, players actual get a fundamental understanding of the cyber kill chain.  They learn things like what reconnaissance means to a hacker, what weaponizing means to a hacker, what deploying that weapon means to a hacker, so that they can start to recognize that behavior in their everyday interactions online.

Some people ask why that’s important and I always say: “I used to be a bomb technician, and there is no possible way I could defuse an IED or nuclear weapon without understanding how those things are put together.” It’s the same kind of concept.

It’s impossible to assume that someone is going to learn cyber awareness by answering some questions or watching a five-minute phishing tutorial, after they have already clicked on a link in an suspicious email. Those are very reactive ways of learning cyber. inCyt is very proactive. And we want to teach you in-depth understanding of what to look for, not just for phishing but for all the attacks we are all susceptible to. inCyt is also being used by some of our customers as a preliminary gate track for those who are interested in cybersecurity. So you may demonstrate a very high aptitude within inCyt in which case we would send you over to our CyberBridge portal where you can start learning some of the basics of cybersecurity and see if it might be the right field for you. Within our CyberBridge access management portal, you can then go into Project Ares Academy which is just a lighter version of Project Ares.

Professional and Enterprise licenses in Project Ares pave more intricate learning pathways for people to advance in learning from novice to expert cyber defender. You’ll be able to track all metrics of where you started how far you came, what kind of skill path you’re on, what kind of skill path you want to be on. Very crucial items for your own work role pathway.

 

How to close the cybersecurity talent gap

Keenan’s  perspective and the solution that is offered by Project Ares really helps to understand how to train security professionals and give them the hands-on experience they require and want.  We’re in interesting times, right?  With innovations in machine learning and artificial intelligence, we’re increasingly able to pivot from reactive cyber defense to get more predictive.  Still, though, right now we are facing a cybersecurity talent gap of up to 4 million people depending on which analyst group you follow, so the only way that we are going to get folks interested in cybersecurity is to make it exactly what we have been talking about: a career-long opportunity to learn.

Make it something that they can attain, that they can grow in, and  see themselves going from a novice to a leader in an organization.  This is tough right now because there are relatively few cybersecurity operators compared to demand, and the operators on the front lines are subject to burnout, with uncertain and undefined career paths beyond tactical SecOps.  What’s to look forward to?

We need to get better as a community in cybersecurity, not only protecting the cybersecurity defenders that we have already, but also helping to bring in new cybersecurity defenders and offenders who are really going to push the boundaries of where we are at today.  This is where we have an excellent and transformational opportunity to introduce more immersive and gamified learning, to improve the learning experience and put our people in a position to succeed.

 

To read more about how to close the cybersecurity talent gap, please read this ebook.

For more information on Microsoft intelligence security solutions visit:  https://www.microsoft.com/en-us/security/business

Good Bots and Bad Bots: How to Tell the Difference to Stay Cyber Safe

You may have heard or read the term “bot” in the context of cyber security. Normally we hear this word in the wake of a cyberattack and relate it to breaches in computer or network security. While there are certainly bad bots, there are good bots too! So what exactly is a bot, how can you differentiate, and how do they work?

What are bots?

The term bot is short for robot and is a type of software application created by a user (or hacker) that performs automated tasks on command. There are so many variations, from chatbots to spider bots to imposter bots. Good bots are able to assist in automating day to day activities, such as providing up to the minute information on weather, traffic, and news. They can also perform tasks like searching the web for plagiarized content and illegal uploads, producing progressively intelligent query results by scouring the internet content, or helping find the best purchase deals online.

While we encounter bots like these in our everyday activities without really thinking about them, being aware of bad bots is important. Bad bots, used by adversaries, perform malicious tasks and allow an attacker to remotely take control over an infected computer. From there, hackers can infiltrate the network and create “zombie computers,” which can all be controlled at once to perform large-scale malicious acts. This is known as a “botnet”.

How do bots work?

Cybercriminals often use botnets to perform DoS and DDoS attacks (denial of service and distributed denial of service, respectively). These attacks flood target URLs with more requests than they can handle, making regular traffic on a web site almost impossible. Hackers use this as a way to extort money from companies that rely on their website’s accessibility for key business functions and can send out phishing e-mails to direct customers to a fake emergency site.

Protect yourself from bad bots

Don’t let this information scare you though! Awareness is a great first step to recognizing any potential harmful activity, whether on your own computer or on a site you visit online. Preventing bad bots from causing attacks before they start is easy with these tips:

  • Ensure your antivirus software is up to date by setting it to automatically update.
  • Routinely check the security options available to you for your iOS, web hosting platform, or internet service provider.
  • Only click on links and open emails from trusted sources. Avoid accepting friend or connect requests, responding to messages, or clicking on links from unknown persons on social media.

Bots can be incredibly helpful, and we use them every day. Knowing how to differentiate the good from the bad while taking the necessary precautions to protect yourself against malicious bots will ensure that you only need to deal with bots when they are telling you about blue skies or saving you money on that great shirt you’ve been wanting!

Photo by Su San Lee on Unsplash

How to Launch a Cyber Security Career

Preparing for a cyber security career is more enjoyable than you may think! The technical challenge, problem-solving, constant change (you’re never bored!), and continuous learning opportunities are positive experiences one can have when entering the field of cyber security.

For any interested student or autodidactic, a cyber career path may seem a little daunting. But with the right cyber security tools and teachings in place, coupled with the latest proficiencies, any person can learn cyber and garner the skills necessary to enter the workforce with confidence and competency.

The earning potential for an individual pursuing a career in cyber is significant. The national average frontline cyber security career salary is $94,000-119,000 (on the low end) for security-related positions in the U.S. according to the Robert Half Technology’s 2020 Salary Guide

The industry offers high paying jobs, yet many positions continue to be unfilled with an estimated 145% workforce needed to fill the talent gap.

This begs the question: what is the best way to fill the cyber security skills gap with motivated and budding professionals? The answer is multi-faceted but at its core is a fundamental shift in how we prepare and train them with the skills needed to thrive.

Pro Tips for Building a Cyber Security Career Path 

Just like many other career paths, cyber security needs people who possess a mix of academic, theoretical-based knowledge, practical skill sets, and a lot of creative thinking. An aspiring cyber security professional can learn the knowledge, skills, and abilities needed in the industry, seek out internships and/or apprenticeships, and learn of careers in cyber without actually being on the defensive frontlines of cyber attacks. Details of each approach are below.

Step 1: Identify individual strengths, knowledge, skills, abilities

The first suggestion for an individual who wants to learns on their own is to match their unique strengths (technical and non-technical) to the kinds of knowledge, skills, and abilities needed to do certain cyber jobs in the workplace. Understand what kinds of jobs are available too. For students, they will likely learn these details in traditional classes and in their coursework assignments. With Google at our fingertips, however, it’s easy to find a variety of online resources to learn cyber security KSA’s including ISACA, ISC(2), ISSA, and The SANS Institute—all of which provide information about the profession and detail certification and training options. Understanding the kinds of tasks performed in certain work roles and the kinds of behaviors needed to perform certain jobs, an aspiring cyber professional will be better prepared during the interview and job search process. He/she won’t be surprised to learn about what is required to start a job in cyber security.

Step 2: Consider internships, apprenticeships, and alternative pathways to cyber learning 

As a self-guided learner, you likely have the go-getting attitude needed to find a cyber security internship, apprenticeship, or alternative trade school to start building your knowledge, skills, and abilities more.

Internships are available through many community colleges, technical colleges, and universities, each of which has well-oiled practices of connecting students with local companies. In fact, it’s not uncommon for most students, both undergraduate and graduate, to be required to complete an internship in their field of study before graduation.

Apprenticeships are a “learn while you earn” kind of model and are incredibly beneficial for both the company offering the apprenticeship and the student.

“This is absolutely fundamental, and a key plan in meeting the workforce needs. Our solution to the gap will be about skills and technical ability,” says Eric Iversen, VP of Learning & Communications, Start Engineering. “And the most successful of apprenticeship programs offer student benefits (e.g., real-world job skills, active income, mentorship, industry-recognized credentials, an inside track to full-time employment, etc.) and employer benefits (i.e., developed talent that matches specific needs and skill sets, reduced hiring costs and a high return on investment, low turnover rates and employee retention, etc.)”

The Department of Homeland security created a Cyber Corp Scholarship program to fund undergraduate and graduate degrees in Cyber Security. Students in this program agree to work for the Federal Government after graduating (with a one year service for every year of scholarship).

These types of opportunities are especially advantageous for recruiting individuals who may be switching careers, may not have advanced degrees, or are looking to re-enter the field.

Alternative pathways are also quite accessible for the college graduate or self-driven learner seeking a career in cyber security. One cyber career pathway is via “stackable” courses, credits, and certifications that allow learners to quickly build their knowledge base and get industry-relevant experience. These kinds of courses are available in high school (taking collegiate-level courses) and at the college level. Another type of alternative pathway is via cyber competitions and hackathons. Learners can gain practical skills in a game-like event while meeting fellow ambitious professionals. Participating in these events also makes for great “extracurricular activities” on one’s resumé too.

Circadence is proud to lend its platform Project Ares® for many local and national cyber competitions including the Wicked6 Cyber Games, cyberBUFFS, SoCal Cyber Cup, and Paranoia Challenge so students can engage in healthy competition and skill-building among peers. For more information on cyber competitions and hackathons, check out the Air Force Association’s CyberPatriotCarnegie Mellon’s picoCTFMajor League Hacking, and the National Cyber League.

Cyberseek.org also has a detailed and interactive roadmap for hopeful professionals to learn more about how to start and advance their careers in cyber security. This interactive cyber security career pathway map breaks it all down. For example, if you’re interested in a software development role, you’ll want to build skills in Java or Python, databases, code testing, and software engineering, as well as, build cyber skills in cryptography, information assurance, security operations, risk management, and vulnerability assessment. You may also consider certifications in Certified Ethical Hacking (CEH), Security+, Network+, Linux+, Offensive Security Certified Professional (OSCP), CISSP, and GIAC in addition to having real-world experience and training. In addition, check out Cyber-Security Degree, a free service that helps individuals looking to enter into the field find the right path to getting an online degree.

Step 3: Understand Cyber Security Career Requirements

We recommend three types of experience when considering a career in cyber security:

·     Degree experience for basic understandings of cyber theory and practice

·     Technical experience to demonstrate learned knowledge translates to skill sets acquired

·     Real-world training experience, either via an internship/on-the-job opportunity or via realistic cyber range training

Many entry-level cyber security job descriptions will require at least a bachelor’s degree or 4 years’ experience in lieu of a degree. Higher-level positions will require the academic degree plus some technical experience and/or real-world training.

It’s important to note that there are two types of cyber training available: A traditional classroom-based setting and an on-demand, persistent training option. Both are great in their own ways and can complement each other for holistic cyber learning. The classroom-based learning presents information to learners via PowerPoints, lectures, and/or video tutorials. Learners can take that knowledge and apply it in a hands-on virtual cyber range environment to see how such concepts play out in real-life cyber scenarios.

Since cyber security is an interdisciplinary field, it requires knowledge in technology, human behavior/thinking, risk, law, and regulation—to name a few. While many enter the field with the technical aptitude, many forget the “soft skills” to cyber security. To communicate effectively with a cyber team, problem-solve, analyze data, identify vulnerabilities, and understand the “security story” of the employer, a young professional needs to possess and demonstrate those social skills to thrive in their job.

The Variety of Cyber Security Fields are Endless!

There’s more to cyber security than being a network analyst or incident response manager. Interested, aspirant professionals can work in cyber security through other departments beyond security and IT. Cyber careers in human resources, marketing, finance, and business operations are all available sectors that allow a learner to “be in cyber” without doing the actual day-to-day frontline security defense tactics. It is important to know about the other careers individuals can pursue in cyber security because it is not just for the IT department to “manage” within a business. Furthermore, cyber security roles don’t have to be pursued at technology companies – there are many healthcare, banking, energy, and enterprise companies seeking cyber security professionals in their organizations. So, if a certain industry is of interest to you, you can explore cyber in that specific industry. In the age of digital transformation, practically every sector has a security need that needs to be hardened.

For young graduates entering the cyber security field, a multi-faceted approach to learning cyber security skills is recommended. The good news is that motivated learners have lots of avenues and resources available to them to pave a career path that best fits their needs and interests. Check out this article next for options to kickstart a cyber career.

WATCH this On-Demand Webinar

“KICKSTARTING A CYBER CAREER

with Dr. Dan Manson

 

Diversity in Cyber Security: Why It’s Important and How To Integrate It

You may have heard that the cybersecurity skills gap is widening, and that there is a massive shortage of cyber professionals today. In fact, Cybersecurity Ventures predicts that there will be up to 3.5 million job openings in the field by 2021. In spite of the growing need for people in cyber, women continue to be underrepresented in the field.

According to major findings from the 2017 Global Information Security Workforce Study:

  • Women are globally underrepresented in the cybersecurity profession at 11%, much lower than the representation of women in the overall global workforce.
  • Globally, men are 4 times more likely to hold C-suite and executive-level positions, and 9 times more likely to hold managerial positions than women.
  • In 2016 women in cybersecurity earned less than men at every level.

It’s no surprise that women are the underdog across plenty of male-dominated industries. So why is it so important for women to close the gender gap in cyber?

We need diverse perspectives in cybersecurity

Firstly, cyber is an area that benefits greatly from utilizing people with diverse perspectives and histories to solve problems. As threat actors and black hat hackers often come from disparate backgrounds, the wider variety of people and experience that are defending our networks, the better the chances of success at protecting them.

Combat the stereotype that cyber is only for men

Secondly, as there are so many empty jobs in the field, it is ultimately detrimental for a factor like a gender to narrow the pool of people pursuing it. Unfortunately, the message is ingrained in women from a young age that tech and security are “masculine” professions, which results in a self-perpetuating cycle of unconscious bias against women in the field. These problems are difficult to fix because they are subtle and pervasive and often come back to issues in culture and education. In fact, an online survey, Beyond 11%, found that most women have ruled out cybersecurity as a potential job by the age of 15. This is unacceptable!

Everyone can learn cyber

Finally, there is a misconception that the cybersecurity industry is only for people with highly technical skills. Unfortunately, the “bad guy” hackers out there don’t require crazy technical skills to get to your personal information. Fortunately, being on the defensive lines don’t require them either. Cybersecurity is a highly trainable field and has a growing need for people in more positions than ever before, such as legal, marketing, and public policy – all of which women have proven to excel in. In fact, the communication skills, problem-solving and attention to detail skill sets needed to excel in cybersecurity are skills women possess and are really good at.

Introducing more women to cybersecurity


Programs and Events

Since many of these problems start for women from a young age and through somewhat unconscious societal and cultural constructs, it can feel like a daunting task to get women more involved in cyber. In order to combat these misconceptions, many programs and events have been put into place to provide young women with female role models in the cybersecurity field. Events such as the Women in Cybersecurity Seminar, Women in Cybersecurity Conference, and Cyber Day for Girls are just a small number of direct-action groups that companies like IBM have put in place to address the gender gap. Further cyber competitions like the Wicked6 Cyber Games, and organizations like the Women’s Society of Cyberjutsu and Girls Who Code are dedicated to introducing young women to cyber at that earlier age before they are told “it is not for them.”

Cybersecurity Mentorships and Internships

Mentorships and internships are another great way to introduce girls to other women in cybersecurity fields they may think are beyond their reach. Volunteers from tech companies have been going to summer camps specifically designed to encourage young girls to consider careers in STEM, such as the Tech Trek summer camp. Additionally, the Girl Scouts just introduced the first ever cybersecurity badge, which can be earned by completing curriculum and gamified learning around internet safety.

Persistent cyber career development

Another way we can support and retain women who choose cybersecurity roles is for companies have policies in place that ensure women do not miss out on opportunities to further their careers after having children. Things like flexible hours and the option to work from home can be key in maintaining a diverse and productive workforce. Hiring managers can also work to ensure equal employment opportunities when looking to hire for a new position. People from all backgrounds should feel welcome to apply for roles in this highly trainable and accessible field.

We need all hands-on deck now more than ever in cybersecurity, tech and STEM fields. Communicating to girls at a young age that technology isn’t just for their male counterparts, and that it can offer them a long and rewarding career, is essential in closing the gender and skills gap in cyber.

To learn more how to diversify the cybersecurity workforce from a strategic standpoint, read our other blog “Diversifying the Cybersecurity Workforce.” https://www.circadence.com/a-call-to-diversify-the-cybersecurity-workforce/

 

 

Ten Reasons to Check Out San Francisco while at RSA

Your definitive guide to de-compressing from the tradeshow chaos.

Exhibiting at and attending a tradeshow can be stressful. Packing, getting to your flight on time and finding your way in a “new” city are all trying. Not to mention, once you arrive at the show, the hours are long, the coordination is tedious, and all the coming and going from various conference rooms is tiresome—plus you are “always on.” We think you deserve a break! If you’re gearing up for the RSA 2019 Conference in San Francisco, CA this year March 4-8 at the Moscone Center, we’ve compiled the best stress-reducing, fun activities to do and see (after visiting with us at booth #6583, of course).

  1. RSAC After Hours Events: These events, hosted by the conference, offer Full Conference and Discover Pass holders the chance to hang out with industry peers and colleagues in a setting of their choice.
    • Tuesday, March 5th After Hours: Game Night at Moscone Level 2 from 7:00 p.m. to 9:30 p.m.
    • Wednesday, March 6th After Hours: Whiskey & Wine Tasting at Marriott Marquis Golden Gate B&C from 6:30 p.m. to 8:00 p.m.
    • Thursday, March 7th After Hours: Comedy Club at Moscone South Esplanade from 6:30 p.m. to 8:30 p.m.
  1. Check out The View Lounge rooftop at the Marriott Marquis for some delicious cocktails and incomparable views of the city. Only a 6-minute walk from Moscone Center! It’s the perfect place to bring clients and partners, do some networking, or enjoy a little alone time at the end of a long day of networking and meetings.
  2. Head to the Ferry Building to enjoy the sights and sounds of the city. The expansive marketplace inside is home to wine, coffee, food, and souvenirs. A great spot to grab some lunch or coffee and get out of the conference room.
  3. Yerba Buena Gardens is a beautiful place to reflect on the tradeshow experience thus far and find some peace after the busyness of the day. Serene waterfalls, sprawling lawns and gorgeous gardens are sure to help you unwind, and it’s right across the street from the conference. Beyond being a great place to relax, a sponsored game of Intro to Capture the Flag will be taking place in the park from 8:00 a.m. to 9:30 a.m. on Thursday, March 7th. This is a women’s only game geared toward beginners. You will gain real-life hacking experience while collaborating, game playing, and enjoying coffee and bagels.
  4. If you’re looking for hot new restaurants to try, look no further than these gems near the tradeshow:
    • Ayala Restaurant – A seafood-centric haven in the bottom of Hotel G in Union Square (another great place to visit).
    • Z&Y Bistro – Ramen, hot pot, and skewers with minimal, upscale décor. This “baby brother” of Z&Y Restaurant is located just northwest from the original on Jackson Street.
    • Trailblazer Tavern – Located in the SalesForce East Building, unique Hawaiian comfort food abounds in a modern space. Open for lunch, happy hour, and dinner with an indoor dining room, bar, and heated patio.
  5. Visit the San Francisco Museum of Modern Art, just around the corner from Moscone. The inspiring art and calm atmosphere are just the ticket for hitting the re-set button. Here is a list of museums that offer free days around the city if you find yourself craving more artistic expression!
  6. If art isn’t your thing, or you’re on the hunt for a very authentic San Francisco experience, be sure to check out the Cable Car Museum. It’s a free museum in the Nob Hill neighborhood. It holds historical and explanatory exhibits on the San Francisco cable car system, which can be regarded as a working museum in and of itself. If you’d like to actually ride one, here is a list of routes, tickets, and schedules.
  7. After spending the day at the tradeshow, why not visit the Fortune Cookie Factory and see what the future holds for you? This little bakery offers free tours, delicious fortune cookie flavors and toppings, and makes over 10,000 cookies per day, by-hand, from scratch. You can also get custom fortunes made as a gift for your colleagues and newfound customers and partners!
  8. Looking for an amazing shopping experience in the city? The Westfield San Francisco Center has you covered. From top department stores to small, SF-based boutiques, you can get whatever you need here. There’s also a dining hall and many delicious restaurants if you have trouble deciding what to eat.
  9. Still unsure of how to spend your time away from the Circadence booth #6583? Check out this list of sponsored parties around town. Keep checking back as this list will continue to get updated!

We hope you find time to enjoy yourself this year at RSA. Kickstart your city adventures with some fun and be sure to visit the Circadence booth #6583 for more excitement. We would love to talk shop and hear what you’ve been able to do from our list!

Photo Credit: https://unsplash.com/@sonuba

Guest Blog: Taking Cybersecurity Learning to a Whole New Level

Last week I was lucky enough to be able to attend Circadence’s Cyber Learning Tour at the Microsoft Technology Center in Chicago.  This event was hosted by Laura Lee, VP of Rapid Prototyping,  and one of the lead creators of the Project Ares training platform.

The opportunity to attend this event and hear from the brains behind Project Ares was an eye-opening experience for me.  The passion that Laura spoke with was something that I could relate to.  As someone who personally advocates for introducing more people to information technology and more specifically cybersecurity, it was amazing to hear Laura Lee talk about how she utilizes Project Ares in schools as early as middle school to educate students on not only the importance of cybersecurity but also real-world scenarios.  Hearing Laura talk about kids using Metasploit, Nmap, Wireshark and learning how to defend simulated cyber-attacks or infiltrating networks with Project Ares is taking learning to a whole new level.

One of the more interesting topics Laura brought up about the platform is the scoring capability and how it works within the learning environment.  She often finds students begin competing against each other on the platform by going through missions and assessments over and over again to see who can get the better score.  This brings another avenue of excitement and energy to cybersecurity that could lead to more exposure with things such as e-sports using Project Ares.

The fact that Circadence has created a learning environment that brings gamification, cybersecurity, and training to the same platform is ground-breaking to me.  Here is a platform that will simulate real-world scenarios like bank networks, power grids, and other enterprise networks and you either must attack (red team) or defend (blue team) using real-world skills and tools.  If you’re a rookie at cybersecurity, Project Ares offers a variety of battle rooms and assessments that will help get you up to speed.

To hear more about why gamification and AI-powered cyber learning is the future of cybersecurity skill building, check out one of their other Cyber Learning Tour stops here: https://marketing.circadence.com/acton/media/36273/cyber-learning-tour-with-microsoft.

Follow Zach’s YouTube Channel I.T. Career Questions for all things cybersecurity learning and development here: https://www.youtube.com/channel/UCt-Pwe2fODjH4Wuwf5VqE7A.

A Call to Diversify the Cybersecurity Workforce

You’ve read about it, know it well, and can probably instantaneously identify one of today’s top cyber crises: the cybersecurity skills gap. It’s putting enterprises, governments and academic institutions at greater risk than ever because we don’t have enough professionals to mitigate, defend, and analyze incoming attacks and vulnerabilities. According to recent estimates, we are looking at the possibility of having as many as 3.5 million unfilled cybersecurity positions by 2021. The widening career gap is due in part to the lack of diversity in the industry.

And we’re not just talking about racial and ethnic diversity, we’re also talking about diversity of perspective, experience and skill sets. A recent CSIS survey of IT decisionmakers across eight countries found that 82% of employees reported a shortage of cybersecurity skills and 71% of IT decisionmakers believe this talent gap causes direct damage to their organizations[1]. It’s not just the technical skills like computer coding and threat detection that are needed, employers often find today’s cyber graduates are lacking essential soft skills too, like communication, problem-solving, and teamwork capabilities[2].

An ISC2 study notes, organizations are unable to equip their existing cyber staff with the education and authority needed to develop and enhance their skill sets—leaving us even more deprived of the diversity we desperately need in the cybersecurity sector. The more unique thinking, problem-solving and community representation we have in the cybersecurity space, the better we can tackle the malicious hacker mindset from multiple angles in efforts to get ahead of threats. Forbes assents, “Combining diverse skills, perspectives and situations is necessary to meet effectively the multi-faceted, dynamic challenges of security.”

In an interview with Security Boulevard, Circadence’s Vice President of Global Partnerships Keenan Skelly notes that as cybersecurity tools and technology evolve, specifically AI and machine learning, a problem begins to reveal itself as it relates to lack of diversity:

“The problem is that if you don’t have a diverse group of people training the Artificial Intelligence, then you’re transferring unconscious biases into the AI,” Keenan said. “What we really have to do…is make sure the group of people you have building your AI is diverse enough to be able to recognize these biases and get them out of the AI engineering process,” she added.

The good news is that is it never too late to build a more diverse workforce. Even if your organization cannot hire more people from different career backgrounds or varying skill sets, existing cyber teams can be further developed as professionals too. With the right learning environments that are both relevant and challenging to their thinking, tactics and techniques, current employees can develop a more diverse set of cyber competencies; all while co-learning with diverse teams around the world.

Companies can also build relationships with local educational institutions to communicate critical workforce needs to better align talent pipeline with industry needs, recommends a new study from the Center for Strategic and International Studies. Likewise, cyber professionals can be guest speakers or lecturers in local cyber courses and classrooms to communicate the same diversification needs in the industry.

While some experts say it’s too late to try and diversify the workforce in thinking, skill, and background, we beg to differ. If we give up now in diversifying our workforce, our technology and tools will outpace our ability to use it effectively, efficiently, and innovatively. It’s not too late. It starts with an open mind and “take action” sense of conviction.

[1] CSIS, Hacking the Skills Shortage (Santa Clara, CA: McAfee, July 2016), https://www.mcafee.com/enterprise/en-us/assets/reports/rp-hacking-skills-shortage.pdf. 

[2] Crumpler and Lewis, The Cybersecurity Workforce Gap, Center for Strategic and International Studies, January 2019.

Photo Credit: https://unsplash.com/@rawpixel

Finding the needle in the cybersecurity haystack: Why gamification is the answer you’ve been looking for

To say we’re on an upward trajectory in the cybersecurity space would be an understatement. Cyber threats are increasing. Organizational spending is increasing. And the cost of a data breach is increasing—to somewhere around $3.62 million per breach according to the Ponemon Institute. With such exponential growth across the field, CISOs are actively looking for ways to strengthen their efforts. With the plethora of information available today, it is like finding a needle in a haystack. It’s hard to know whom to believe, what to believe and how often. With so many options available, CISOs are understandably stymied in making educated decisions for an optimal solution. Fortunately, our 20+ years in the gaming industry have led us to a valuable conclusion that can help CISOs professionally develop their teams—and protect their organization. The answer lies in gamification 

It’s a buzz word floating its way around the technology sphere for quite some time and is gaining momentum. It’s commonly defined as a process of adding games or game-like elements to something. The term was originally coined in 2002 by a British computer programmer named Nick Pelling. The term hit mainstream when a location-sharing service called Foursquare emerged in 2009, employing gamification elements like points, badges, and “mayorships” to motivate people to use their mobile app to “check in” to places they visited.  

The term hit buzzword fame in 2011 when Gartner officially added it to its “Hype Cycle” list. But we’re not recommending gamification because it is the new, shiny object on the heels of AI. We’ve seen gamification work for companies looking to train their cyber teams.   

How does it work 

Unlike compliance-driven teaching methods, gamified teaching engages practitioners individually and in teams, through modern learning strategies. It works by deploying connected, interactive, social settings that allow learners to excel in competitive, strategic situations. It allows trainees to apply what they know to simulated environments or “worlds,” creating a natural “flow” that keeps them engaged and focused. And we’re not talking about simple Capture the Flag games, we’re referring to cybersecurity exercises inspired by game-like activities to effectively engage learners.

According to Training Industry, gamified training programs are customizable based on an organization’s needs; visually-driven through use of progress bars and milestones; and are usually time-bound to hold employees accountable for task completion. Further, achievements, points, badges, trophies, and rewards/recognition of progress gives users a sense of accomplishment, keeping them motivated and engaged. 

Why is gamification powerful?  

The next gen learner (born after 1980) has never known a world without video games so it’s a natural progression that cyber training incorporate a style of teaching that best suits today’s learner. Neuroscientist Eric Marr said the reason it works so well is because when an individual engages with gamified simulations, the brain releases dopamine, a chemical that plays a role in the motivational component of reward-driven behavior. He says “Dopamine helps activate the learning centers in the brain. If your brain releases dopamine while you’re learning something, it helps you remember what you’ve learned at a later date.”  

Studies like “I Play at Work: Ten Principles for Transforming Work Processes Through Gamification” outline the following benefits:  

  • Increased engagement, sense of control and self-efficacy   
  • Adoption of new initiatives  
  • Increased satisfaction with internal communication  
  • Development of personal and organizational capabilities and resources   
  • Increased personal satisfaction and employee retention   
  • Enhanced productivity, monitoring and decision making    

 

At Circadence®, we have taken these learnings and applied them to our own flagship product, our cybersecurity training platform Project Ares®. Recognizing the widening cyber skills gap and evolving threats, only the most productive and effective training mechanisms will do—and the latest research tells us that gamified environments are here to stay. An immersive training platform, Project Ares appeals to today’s learner—and gets CISOs and their colleagues excited about training again. In contrast to passive, traditional instructor-led courses, gamification provides an active, continuous learning, people-centric approach to cybersecurity skills development.   

For a more in-depth look at the Importance of Gamification in Cybersecurity, download our white paper here.

Cybersecurity & Artificial Intelligence Trends from 2018

Worsening employee cybersecurity habits and the need for organization-wide cybersecurity literacy.

A study conducted by SailPoint reported that nearly 75% of employees engage in password re-use across accounts, as opposed to just over half four years ago. Nearly half of people surveyed admitted to sharing passwords across personal and work accounts. Part of this is being driven by employees seeing IT practices as inconvenient, as they seek circumvention in favor of personal efficiency.

Public awareness of cybersecurity issues is increasing.

Cybercrime making it into mainstream news headlines has also raised public awareness of its challenges, dangers, and impacts. An increased prevalence of ransomware, such as “cryptojacking” software, has been spurred by the relative ease of orchestrating difficult to trace ransom payments and increasing malware availability.

Artificial Intelligence is being used to enable personalized attacks at-scale.

Attackers are gaining access to troves of personal data to use for increasing threat effectiveness. By combining increasingly sophisticated AI techniques for language understanding with the scraping of publicly available, indexed data, it is becoming far easier for malicious actors to generate increasingly authentic, personalized attacks. As a result, large-scale personalized threats have a lower barrier to entry than ever before.

Artificial Intelligence provides a force multiplier for offensive capabilities.

Machine learning models provide a general mechanism for organization-tailored obscuring of malicious intent, enabling adversaries to disguise their network traffic or even on-system behavior to look more typical to evade detection. In addition to enhancing data exfiltration capabilities, these techniques provide the capability to continually model and adapt to their environment even after deployment, enabling them to persist undetected for longer and potentially infiltrate deeper into organizations.

Artificial Intelligence provides a necessary force multiplier for defensive operations.

Increasing system complexity, endpoint vulnerability, and attack sophistication have expanded the available attack surface in a manner that has left traditional monitoring techniques ineffective. Particularly in a world of increasingly intelligent threats and well-resourced actors, the only cost-efficient and scalable mechanisms for detection and remediation are quickly becoming artificially intelligent systems with the ability to sift through largely unstructured data, identify malicious behavior over potentially long time horizons, and dynamically respond. We’re seeing proof that applications of AI to both local-machine and organization-wide event monitoring can correlate observations to provide root cause analyses and incident investigations beyond traditional analyst capabilities on superhuman timescales.

Perhaps the most important trend over the past year has been the industry’s continued realization and acceptance of a coming arms race between AI-enhanced dynamic threats and AI-enhanced adaptive defenses. 

Artificial Intelligence is not a cure-all.

While AI has deservedly received substantial hype within the cybersecurity realm and beyond, there still exists a substantial gap between algorithm deployment and successful application. To that end, continuing education is still critical for cybersecurity professionals to be able to leverage, collaborate through, and engage with these technologies to form a basis for effective defense: providing AI-enhanced tools with the knowledge and data they need to operate and engaging appropriate levels of trust and reliance in their capability (both in terms of detection and response) to make them a formidable component of a modern defensive cybersecurity strategy.

Utilizing Cyber Range Learning in Academia

Cyber ranges are virtual learning environments used for cyber warfare skills development.  A cyber range offers hands-on learning opportunities for cybersecurity professionals by marrying traditional classroom concepts with more ‘sticky’ experiential learning techniques.

By effectively preparing students to address real-world cyberattack scenarios now, academic institutions will increase their success rate of achieving learning outcomes pertinent to the cybersecurity profession. Further, the students benefit by applying what they’ve learned to realistic cyber situations they’d experience in the workplace.

While there are many cyber range solutions on the market today, there are several key learning capabilities missing on their platforms. Some examples of this are:

  • Game-inspired exercises for fundamental concept learning and skill-building with repetitive, hands-on activities.
  • Defense strategy teaching, which involves engaging in multiple cybersecurity job roles to problem-solve challenges.
  • Limited or non-existent scoring methods for learners to assess skills performance.
  • Lack of team play for collaborative learning and greater strategic work.
  • Infrastructure-only ranges with no pre-programmed learning curriculum.
  • Prescriptive, “check the box” approaches with fixed content (that, over time, will become irrelative and disengage learners).
  • The limited number of virtual environments.

To read more about cyber range learning environments for student skill building, download: 
“The Faces of Cyber Ranges: Tapping into Experiential Skill Building for Cybersecurity Teaching and Learning.”

 

To ensure your academic institution gets the most out of its cyber range investment, the following features and capabilities should be considered to best maximize student learning and skill building:

  • Ensure the cyber range comes installed with pre-existing content that is informed by real-threat scenarios and attack methods.
  • Look for cyber range content that is diverse, offering a mix of both concept-driven exercises and real-world, team-based activities for holistic learning.
  • Consider custom mission builders (like Circadence’s OrionÔ Mission Builder) to create scenarios that mirror the latest threats happening today. This can ensure the learning material is constantly evolving, just as threats are.
  • Assess instructor capabilities for reviewing and grading student performance to prevent tedious log review work.
  • Confirm that course syllabi and other learning materials can be integrated into the cyber range platform to tie learning objectives to actual student performance.
  • Consider gamified activities that encourage students to “learn by doing,” individually and in teams.

In order to address these glaring needs, Circadence created Project AresÒ, the face of the next generation of cyber ranges. Project Ares delivers learning and assessment opportunities to anyone from cyber newbies to cyber ninjas, with both individual and team-based engagements. It can be adapted to students in undergraduate and graduate university programs as well as Middle/High/Primary level schools. High engagement in cybersecurity education is critical because if students are not interested in learning new skills, and aren’t encouraged to think outside of the box, they won’t be adequately prepared to handle threats that are always changing and evolving in the workplace.

Academic institutions have an exciting opportunity in front of them – to lead the way with progressive, next-generation learning approaches that utilize cyber ranges to prepare students for the cybersecurity workplace. Don’t fall behind the times, look into learning through this exciting platform in order to better serve the future workforce.