
Published on July 15th, 2019

Train your SOC team – Now!



I don’t need to tell you that it’s a tough time to be a cyber-defender. Attacks are
growing increasingly sophisticated, as are the tools needed to detect them. Multi-vector
threats that move laterally from IT to OT and IoT networks can cause
substantial physical damage. Time-sensitive malware like ransomware or fileless
attacks crank the pressure up further.

CISOs and SOC managers can’t combat cyberattacks without technology, and of course
they want the most advanced defense tools available. These tools, however,
require substantial expertise, and the teams who use them are usually understaffed
and underqualified. And rarely are SOC teams trained on how to deal with a live
cyberattack in a real-world setting. As a result, most SOC staff members will
experience a major incident for the first time on the job. Nevertheless, they
will be expected to understand the situation in a split second and manage it
flawlessly.

What good is an arsenal of fancy cyber weapons if your team members haven’t mastered
them or even practiced the relevant playbooks? And how can we expect our SOC
teams to identify and respond to an incident which they’ve never seen before?

When you consider how critical digital assets are to most organizations and how
prevalent cyberattacks are, it’s a no-brainer that organizations should require
mandatory training for all security analysts. From fresh recruits to senior aces,
SOC staff that practices for cyberattacks will be prepared in advance for
the attack, and understand how to work TOGETHER as a well-oiled cyber security
machine.

This is, in my view, the most troubling aspect of the cybersecurity skills “gap.”

“By failing to prepare, you prepare to fail”

Problem solving under pressure, when the stakes are high, is a challenge experienced by
pilots, air traffic controllers, doctors and first responders every day. These
professionals are required to assess situations in real time, make split-second
decisions against a ticking clock, and use, as a team and as individuals,
sophisticated technologies in highly distracting environments. The cost of
error is high and there is often no second chance to fix it.

These industries also use experiential learning (hands-on training and simulation)
to minimize errors and ensure their experts
can perform as needed, before they even get to see a patient, an aircraft, or a
control tower. Simulating day-to-day scenarios and crisis scenarios repeatedly
enables trainees to correct errors and improve their performance, as
individuals and as a team, so that when an actual crisis occurs it is handled
efficiently.





Cybersecurity is already heading that way, but now that cyberattacks can cause physical damage,
we need to move towards it at a much faster clip. Why wouldn’t we want incident
responders to experience real-life attacks in a safe environment using their
day-to-day tools? Cyberattacks are
ATTACKS and should be treated as such. SOC analysts are an enterprise’s front-line
defenders, and like any other first responder they should be required to
demonstrate their fitness for duty by successfully completing a required simulated
training program.

This approach can not only be used to certify and train cybersecurity experts, it
can also validate operational procedures and technologies. For example, new incident
response playbooks will have to be run in a simulated environment before being
approved. Just as all aircraft must complete wind-tunnel testing before
completing production, all security technologies can and should be field tested
and certified by an entity other than the vendor that made them. The same
simulation platforms used for training SOC staff can be used to validate and certify
new security products and to assess network resilience.

But the real value of simulated training is its impact on people. It helps them
become more skilled at a given task, helps acclimate and integrate new people onto
a team, and even helps prioritize purchasing and technology spend. Given the
breadth and depth of the cybersecurity skills shortage, simulated training should
very well be the most high-value line item on your cybersecurity budget.

I often read about people being cybersecurity’s weakest link, but I beg to
differ. I’ve seen time and time again how simulated training for SOC staff, and especially
full team training, transforms a company’s cyber defense capabilities. There may be some truth to people being
cybersecurity’s weakest link, but with proper training, they are also by far its
strongest.

Adi Dar is CEO of Cyberbit
