As state and local governments shift operations to the cloud, it is more important than ever to stay on the front lines of cyber defense as cyber pros figure out how to secure cloud-based applications being used by employees.
Speaker Wade Walters will discuss:
- Why government agencies are adopting cloud computing
- What security challenges governments face when shifting to the cloud
- Top security strategies to consider to encourage persistent cyber skills development
What You’ll Learn
- Why cloud-based training is the future of cyber learning for government security professionals
- How the cloud shift will impact cybersecurity in the government sector
- How leveraging Project Ares in the cloud scales departmental security training
Who Should Attend?
Government sector cyber professionals, defenders, and team managers/leaders looking to embrace cloud-based cyber training to prepare against threats that emerge from rapid adoption of the cloud.
The dynamic world of cyber security is prompting a new shift in focus for security execs and frontline defenders as we head into a new year in 2020. Given the rapid pace by which enterprises have adopted Cloud computing services to improve operations, the frequency of threats and attack methods, and the widening skills gap facing many industries, we expect 2020 will finally be the Year of Preparedness & Cyber Proactivity—from the CISO, to the Director of Risk Management, to the Network Analyst professional—and we’ll tell you why.
A recent report from ICS2 noted that the cyber security industry now faces an estimated shortfall of 4.07 million cyber professionals. In the U.S. alone, the industry is expected to have more than 490,000 unfilled cyber positions in the coming years. While the great debate continues as to whether we really have a “skills gap” problem or if we need to loosen the reins on job requirements and lower candidate qualification expectations, one thing is for sure—today’s (and tomorrow’s) cyber professionals will need help in combatting imminent threats to harden cyber security in 2020. To facilitate their preparedness strategy, we envision proactive tools and resources will become more mainstream to help professionals do their jobs with greater efficiency leveraging automation, to support expanding security provisions, compliance requirements, and minimize the widening attack surfaces.
Automation will become the preferred way to support security operations
Whether a security manager has 1,000 defenders on their cyber team or one, automating certain administrative tasks for these individuals will be a goal focus in 2020. Directors, managers and cyber team leads understand that threats are getting so sophisticated that network defenders and security analysts need as much help as possible.
Our own Battle Room Design Team Lead Matt Suprenant anticipates enterprises will be finding ways to “automate responses to detections” observing at the Microsoft Ignite event in Nov. 2019 that Microsoft toolsets on display were designed with automation in mind.
“As we think about the future of cyber, we will see a combination of things start working together as we learn more about AI, SOAR, and other mechanisms by which we can augment today’s workforce.” ~ Battle Room Design Team Lead, Matt Suprenant
Cloud adoption will be growing across all security sectors
In 2019, we predicted more enterprises would shift to the cloud for a more seamless and elastic security experience. Reports indicate that about 90% of businesses today are using the cloud to conduct operations from simple file storage to sales transactions in the cloud. So what’s next? Security divisions will be leveraging the cloud to train their professionals on the latest cyber threats and attacks in 2020. Cyber training in the cloud will likely become one of the new ways Cloud computing will be leveraged in 2020 since teams need persistent and always-on access to training (moving away from the one-and-done on-site classroom-based training offerings of today). The future of cyber training will occur in the cloud.
Don’t believe us? Hear the benefits of training in the Cloud in our webinar.
Renewed focus on security awareness training for all employees
Human resource managers and risk and compliance managers will work more closely together to design their own security training programs to nurture incoming talent and existing staff. Another cyber security prediction in 2020 will indeed be around this topic, as HR managers and Risk and Compliance managers identify new ways to educate all employees (not just the IT staff) on cyber risks, attack methods, and how to spot suspicious emails (phishing attacks), links, website, and other digital assets related to endpoint security.
“I hope the prioritization of training and education continues to increase; I hope the prioritization of security as a pillar of someone’s organization continues to get recognition. I think we’re coming out of a phase where organization’s felt that could just ignore the elephant that’s stomping around their data center. I’m hopeful we’re moving into this position that people are being more generally aware [of their digital activity online], not just on paper, but that [cyber security readiness and training] needs funding and collaboration…The industry is moving toward recognition that this is where priorities lie.” ~ Megan Daudelin, Team Lead, Curriculum Development
Election Security will dominate discussions
Years ago, ballot fidelity was the issue to solve but now, election security is the hot ticket item to address in cyber security in 2020. The breadth and diversity of counties means election security isn’t managed the same way, putting all elections at greater risk of interference. Russian cyber criminals have been able to gain access to voting systems around the country, most notably in the 2016 election. As we head into an election year, election security pros will be understanding vulnerabilities in voting machines and (ideally) replacing such machines using congressional funds, which granted $380 million to upgrade old voting systems.
We also anticipate both election volunteers and frontline election security tally monitors and processors will desire more cyber training and education to ensure they’re doing their part to stay vigilant against any suspicious activity that comes in their purview.
Increased Attacks on IT/OT automated systems, state local governments
Municipal ransomware attacks on cities was a big occurrence in 2019 and we don’t envision it’s going to stop in 2020. A CNN news article reported that over 140 local governments, police stations and hospitals were held hostage by ransomware attacks in 2019. As more entities run by and are funded/informed by state and local government organizations, automated operations of network security will be more prevalent to streamline workforces and workloads, thus, increasing the chances of cyber attacks occurring on those systems. To prevent data breaches and make cyber readiness a top priority, live fire cyber exercises will be leveraged to bring together cyber security experts across departments and teams, divisions and functional areas of critical infrastructure and government operations.
We will continue to see a rise in targeted ransomware attacks, especially against small to medium size public entities like utilities, governments, and hospitals. Too many are just paying the ransom because it is far cheaper to do that than fix it, even if you have backups. ~ Paul Ellis, Senior Product Manager
What do we do to harden cyber security in 2020?
Educate, educate, educate. Train. Train. Train.
That is our recommendation for security leaders, managers, and frontline defenders who are heading into 2020 trying their best to anticipate the next threat vector or patch a vulnerability.
The more companies can educate their non-technical staff about cyber issues and suspicious activity while IT teams and security divisions regularly train/upskill their defenders the better off enterprises will be.
It’s important to remember that cyber security in 2020 and beyond is not a “do this thing and you’re secure” effort. Cyber security and hardening posture is a JOURNEY, not to be taken lightly or without concern.
For enterprise security teams who want to understand more about how Project Ares can support cyber learning in mission scenarios that address election security, ICS/SCADA systems, and experience learning against automated adversaries in the Cloud, schedule a demonstration of Project Ares today.
For HR managers and Risk and Compliance directors seeking ways to implement a company-wide security awareness training program using gamification, check out our inCyt platform (Available soon).
Circadence’s Keenan Skelly talks to Fifth Domain about the challenges an organization faces when training their workforce about cybersecurity.
Cyber Wire interviews Keenan Skelly about a career in cybersecurity, the gender gap and the importance of cyber training.
Circadence’s Keenan Skelly interviews with Fifth Domain about women in tech.
This post originally appeared on Microsoft’s Security Blog, authored by Mark McIntyre, Executive Security Advisor, Enterprise Cybersecurity Group
If you’re anything like me, you get really excited when the holidays roll around. The music is cheerful (the Hallmark Channel is on 24/7–high five!), the fireplace is roaring, and I can curl up with my blanket and mobile phone to SHOP ONLINE (of course). Ah, the spirit of the holidays…But the bah humbug part about the scene I’ve just set, is I’m not the only one feeling “festive.” Cybercriminals LOVE when surges in online shopping occur because people are looking for the best deals on gifts, bargain hunting, and planning for the biggest online shopping days of the year: Black Friday and Cyber Monday. This means adversaries can more easily manipulate our holiday spirits with cyberattack methods like phishing and social engineering, credit card fraud, and more.
So while you prepare your winter festivities and “add to cart,” consider these 12 tips to keep your “digital dwelling” safe and warm during Cyber Monday and Black Friday, especially.
Shop from websites you know and trust.
Don’t click on those flashy “hot deals” that are likely too good to be true. Scammers deliver ads based on your interests, offering sweet discounts or great deals to get the click. Now is NOT the time to experiment with new retail websites and apps.
Don’t go “public.”
Avoid public Wi-Fi when using the Internet, especially when accessing sensitive data like your bank account balance or emails. Your personal information isn’t a “gift” you want to give a hacker this holiday season.
Update your operating systems.
With a little more downtime during the holidays, take a merry minute to keep your operating systems as current as possible. This also goes for apps on your phone.
Refresh your passwords.
Enter into the New Year with stronger, more secure passwords—something that will keep a criminal out of your personal property and prevent identity theft. Things like symbols and numbers to replace letters add a layer of complexity that make passwords harder to crack. Consider using a password manager to store all your different passwords so you don’t forget them!
To ensure you are protected from any precocious cyber predator, check our security awareness game inCyt, a fun way to learn cyber concepts and attack methods while cozying up on your couch with a hot toddy. You can practice proactive cyber readiness during the holidays—and year-round with this sweet resource.
Don’t click on suspicious links.
Scammers, like the Grinch, will impersonate real online retailers and stores to get you to open an email and click on links while you are holiday shopping. Don’t! This phishing email tactic opens the door for them to install malware on your computer and before you know it, your data is stolen and compromised.
Look for the lock.
Secure websites will often have a lock icon in the browser address bar to indicate it is a secure connection.
Get creative with security questions.
Your mother’s maiden name or favorite food can most likely be found online somewhere, so try getting creative with your security questions to access your accounts. Choose a motto you live by perhaps or choose an answer to a question that is completely opposite of what you would select.
Watch your bank and card activity.
Hackers can see your financial activity when you’re sleeping and when you’re awake if you’re not careful. Diligently monitor your bank account, online transactions, and card activity and notify your financial services provider if you observe any suspicious activity.
Some devices will auto-connect to available wireless networks. Ensure you are only connected to wireless and Bluetooth networks when devices are in use or about to be used. Unknowingly being connected is the opportune time for hackers to cause damage right under your nose.
Store devices when away.
If you’re a busy traveler, criminals seek out meal times to check hotel rooms for unattended laptops and mobile devices. Be especially wary when attending conferences or trade shows as guest networks tend to be more vulnerable to attacks (and allows hackers to access lots of data from lots of people, who are all in one convenient location).
Activate double authentication.
If you haven’t done so already, ensure all your apps have a double authentication factor so every time someone tries to log in to your online account, they need a code or key that is texted to your phone or sent to your email to gain access. That makes unintended access to things like social media accounts more difficult for cybercriminals.
Practice persistent protection.
Hackers aren’t just looking to exploit individual data, they also target businesses knowing many take extra time off this time of year to spend with loved ones. Ensure your company has a strong cybersecurity response plan in place and key members of your threat intelligence, analysis, and fraud teams are consistently practicing responding to threat scenarios. Our Project Ares platform runs on Microsoft Azure, so professionals can practice cyber offense and defense from anywhere, at any time on a gamified cyber range.
It’s important to practice safe online behavior all year-round but the holidays bring about an extra level of digital activity hackers love to exploit. Make sure you are taking proactive measures to ensure you are having the most wonderful online shopping day of the year—and cybercriminals aren’t.
As promised, I’m back with a follow-up to my recent post on how we need modernize the learning experience for cybersecurity professionals by gamifying training to make learning fun. Some of you may have attended the recent Microsoft Ignite events in Orlando and Paris. I missed the conferences (ironically, due to attending a cybersecurity certification boot camp) but heard great things about the Microsoft – Circadence joint “Into the Breach” capture the flag exercise. If you missed Ignite, we are planning several additional “Microsoft Ignite The Tour” events around the world, where you’ll be able to try your hand at this capture the flag experience. Look for me at the DC event, right after the Super Bowl, in early February.
In the meantime, due to the great feedback that I received from my previous blog (which by the way I do really appreciate, especially if you have other ideas for how we should be tackling the shortage of cyber professionals), I will be digging deeper into the mechanics of learning to understand what it really takes to learn cyber in today’s evolving landscape. I want to address the important questions of how a new employee would actually ramp up their learning, and how employers can prepare employees for success, and track the efficacy of the learning curriculum. Once again, I’m pleased to share this post with Keenan Skelly, chief evangelist at Boulder, CO-based Circadence. Take a look a look at some of her recommendations:
Q: Keenan, in our last blog, you discussed Circadence’s ‘Project Ares’ cyber learning platform. How do new cyber practitioners get started on Project Ares?
The way that Project Ares is set up allows for a user to acquire a variety of different skill levels when launched. It’s important to understand what kind of work roles you are looking to learn about as a user. What kinds of tools you’re looking to understand better before you get started on Project Ares. For example, if I were to take some of my Girls Who Code, or Cyber Patriot students and put them into the platform, I would probably have them start in the Battle School. This is where they’re going to learn about basic cybersecurity fundamentals, things like ports and protocols, regular expressions and the cyber kill chain. Then they can transition into Battle Rooms, where they will start to learn about very specific tools, tactics and procedures (TTPs), for a variety of different work roles. If you are a much more skilled cyber ninja, however, you can probably go ahead and get right into Missions, but we do recommend that everyone who comes into Project Ares does do some work in the Battle Rooms first, specifically if they are trying to learn a tool or a skill for their work role.
In Project Ares, we have a couple of different routes that an expert or an enterprising cybersecurity professional can come into that’s really focused more on their role. For example, we have an assessments area that is based entirely on the work role. That aligns to the NIST framework and the NICE cybersecurity work roles. For example, if you are a network defender, you can come into that assessment pathway and have steps laid out before you to identify your skill level in that work role.
Q: What areas within Project Ares do you recommend for enterprise cyber professionals to train against role-based job functions and prepare for cyber certifications?
You might start with something simple like understanding very basic things about your work role through a questionnaire in the Battle School arena. You may then move into a couple of Battle Rooms that tease out very detailed skills in tools that you would be using for that role. And then eventually you’ll get to go into a mission by yourself, and potentially a mission with your entire team to really certify that you are capable in that work role. All of this practice helps prepare professionals to take official cyber certifications and exams.
Q: Describe some of the gamification elements in Project Ares and share how it enhances cyber learning.
One of the best things about Project Ares is gamification. Everyone loves to play games, whether it’s on your phone playing Angry Birds, or on your computer or gaming console, so we really tried to put a lot of gaming elements inside Project Ares. For example, everything is scored within Project Ares, so everything you do from learning about ports and protocols, to battle rooms, to missions gives you points, experience points—those experience points add up to skill badges. All these things make learning more fun for the end-user. For example, if you are a defender, you might have skill badges in infrastructure, network design, network defense, etc. and the way Ares is set up, once you have a certain combination of those skill badges you can actually earn a work role achievement certificate within Project Ares.
This kind of thing is taken very much from Call of Duty, or other types of games where you can really build up your skills by doing a very specific skill-based activity and earning points towards badges. One of the other things that is great about Project Ares is it’s quite immersive, so the Missions, for example, allow a user to come into a specific cyber situation or cyber response situation (e.g. water treatment plant cyber attack) and be able to have multimedia effects that demonstrate what is going– very much reflective of that cool guy video look. Being able to talk through challenges in the exercises with our in-game advisor, Athena, adds another element to the learning experience. She, Athena, was inspired by the trends of personal assistants like Cortana and other such AI “bots” which have been integrated into games. So these things like chat bots, narrative storylines, and skill badges are super important for really immersing the individual in the process. It is so much more fun, and easier to learn things in this way, as opposed to sitting through a static Power Point presentation or watching someone on a on a video, trying to learn the skill passively.
Q: What kinds of insights and reporting capability can Project Ares deliver to cyber team supervisors and C-Suite leaders to help them assessing cyber readiness?
Project Ares offers a couple great features that are good for managers, all the way up to C-Suite individuals who are trying to understand how their cybersecurity team is doing. The first one is called Project Ares Trainer View. This is where a supervisor or manager can actually jump into the Project Ares environment with the students or with the enterprise team members and actually do that in a couple of different ways. So for example, the instructor, or the manager can jump into the environment as Athena, so that the user doesn’t know that they are in there, they can provide additional insight or help that is needed to a student.
A supervisor or leader can also jump in as the opponent, which gives them the ability to see someone who is just breezing by everything, to maybe make it a little more challenging; and then of course, they can just observe and leave comments for the individuals. That piece is really helpful when we are talking about managers who are looking to understand their team’s skill level in much more detail.
The other piece of that is a product we have coming out soon called Dendrite. Dendrite is an analytics tool that looks at everything that happens at Project Ares so we record all the key strokes, any chats that a user has with Athena, the in game advisor, and any chatting a user may have done with other team members while in a mission or battle room. Cyber team leads can really see what’s going on, and as a user, you can see what you’re doing well, and what you’re not doing well. That can be provided up to the manager level, the senior manager level, and even to the C-Suite level to demonstrate exactly where that individual is, in their particular skill path. It helps cyber team leads to understand what tools are being used appropriately and which tools are not being used appropriately.
For example, if you are a financial institution and you paid quite a bit of money for Tanium, but upon viewing tool use in Dendrite, you find that no one is using it. It might prompt you to rethink your strategy on how you are using tools in your organization optimally. Or, how you’re training your folks to use those tools. These types of insights are absolutely critical if you want to understand the best way to grow the individual in cybersecurity and make sure they are really on top of their game.
Q: How do non-technical employees improve their cyber readiness?
Here at Circadence we don’t just provide learning capabilities for advanced cyber warriors. For mid-range people just coming into the technical side of cybersecurity, we have an entire learning path that starts with a product called inCytÔ. Now, inCyt is very fun, browser-based game of strategy where players have some hackable devices that they have to protect, like operating systems and phones. Meanwhile, your opponent has the same thing objective: protect their devices from attacks. Players continually hack each other by gathering intel on their opponent and then launching different cyber attacks. While they’re doing this, players actual get a fundamental understanding of the cyber kill chain. They learn things like what reconnaissance means to a hacker, what weaponizing means to a hacker, what deploying that weapon means to a hacker, so that they can start to recognize that behavior in their everyday interactions online.
Some people ask why that’s important and I always say: “I used to be a bomb technician, and there is no possible way I could defuse an IED or nuclear weapon without understanding how those things are put together.” It’s the same kind of concept.
It’s impossible to assume that someone is going to learn cyber awareness by answering some questions or watching a five-minute phishing tutorial, after they have already clicked on a link in an suspicious email. Those are very reactive ways of learning cyber. inCyt is very proactive. And we want to teach you in-depth understanding of what to look for, not just for phishing but for all the attacks we are all susceptible to. inCyt is also being used by some of our customers as a preliminary gate track for those who are interested in cybersecurity. So you may demonstrate a very high aptitude within inCyt in which case we would send you over to our CyberBridge portal where you can start learning some of the basics of cybersecurity and see if it might be the right field for you. Within our CyberBridge access management portal, you can then go into Project Ares Academy which is just a lighter version of Project Ares.
Professional and Enterprise licenses in Project Ares pave more intricate learning pathways for people to advance in learning from novice to expert cyber defender. You’ll be able to track all metrics of where you started how far you came, what kind of skill path you’re on, what kind of skill path you want to be on. Very crucial items for your own work role pathway.
How to close the cybersecurity talent gap
Keenan’s perspective and the solution that is offered by Project Ares really helps to understand how to train security professionals and give them the hands-on experience they require and want. We’re in interesting times, right? With innovations in machine learning and artificial intelligence, we’re increasingly able to pivot from reactive cyber defense to get more predictive. Still, though, right now we are facing a cybersecurity talent gap of up to 4 million people depending on which analyst group you follow, so the only way that we are going to get folks interested in cybersecurity is to make it exactly what we have been talking about: a career-long opportunity to learn.
Make it something that they can attain, that they can grow in, and see themselves going from a novice to a leader in an organization. This is tough right now because there are relatively few cybersecurity operators compared to demand, and the operators on the front lines are subject to burnout, with uncertain and undefined career paths beyond tactical SecOps. What’s to look forward to?
We need to get better as a community in cybersecurity, not only protecting the cybersecurity defenders that we have already, but also helping to bring in new cybersecurity defenders and offenders who are really going to push the boundaries of where we are at today. This is where we have an excellent and transformational opportunity to introduce more immersive and gamified learning, to improve the learning experience and put our people in a position to succeed.
To read more about how to close the cybersecurity talent gap, please read this ebook.
For more information on Microsoft intelligence security solutions visit: https://www.microsoft.com/en-us/security/business