Ed Adams, CEO, Security Innovation
Satish Janardhanan, Head of Application Security, Accenture Technology
A simulation platform that enables cybersecurity teams to train and develop cybersecurity expertise and manage workforce planning
Security Team
• Attacker mindsets
• Engaging and fun environment
• Master by doing
• Educational experience for all skill levels
• Assess individual & team performance
• Identify areas of improvement
• Map learning paths
• Create security culture
Sample - Java Developer
Fundamentals
• Fundamentals of Application Security
• Fundamentals of Secure Development
• Fundamentals of Secure AJAX Code
Secure Coding Concepts
• OWASP Top Ten: Threats & Mitigations
• Creating Secure Code – Java Foundations
• Creating Secure Ajax Code – Java Foundations
Advanced Concepts
• Creating Secure Java Code
• Creating Secure jQuery Code
• How to Create an Application Security Threat Model
1st CMD+CTRL event
2nd CMD+CTRL event
• Run Shadow Bank, which spans vulnerability types and skill levels
• Run additional team events to demonstrate and expand the skill set
(CISO Platform Annual Summit) Scaling Appsec Program With Cyber Range

Editor's Notes

  • #2 Whose name should be first? What is Satish's title?
  • #3 Start with the WarGames movie, then transition to the simulation game. Just as WOPR (War Operation Plan Response) could not tell the difference between simulation and reality, simulation tools are widely used to predict true behaviour in the real world. In the cybersecurity world, we call this a cyber range.
  • #4 Notes: What is a Cyber Range?
    • "A cyber range is a simulation platform that enables cybersecurity teams to train and develop cybersecurity expertise and manage workforce planning." - Gartner
    • Simulated environment for hands-on security training and development
    • More immersive experiences than other types of training
    • Range of focus including infrastructure, network, application, etc.
    • Often begin as ad hoc or organizational projects
    • Increasing interest and adoption in public and private sectors
    Source: https://blog.securityinnovation.com/hack-through-the-holidays-cmd-ctrl_1
    CMD+CTRL Cyber Range
    • Increased focus on the application layer
    • Adopt simulation and gamification to improve learning and retention rates
    • Focus on learning to think like attackers by doing: identify, build and implement multi-faceted attacks like those encountered in real life
    • Gamification has shifted into simulation, much as flight simulators did
    • Result: a shift from machine-guided learning to a free-form, self-guided experience that speeds learning and increases the retention rate
    Source: https://blog.securityinnovation.com/hack-through-the-holidays-cmd-ctrl_1
  • #5 Why now?
    • Emergence of cloud technologies allows for easier, cost-effective development and deployment
    • Ability to engage with disparate team members in real time to encourage active learning and community building
    • Increasing cultural acceptance of immersive experiences for learning purposes
    • Skill differences requiring exploration of non-identical and tailored training
    Source: https://blog.securityinnovation.com/hack-through-the-holidays-cmd-ctrl_1
  • #6 Previously limited to IT infrastructure/networks or security teams; now it is time to let the dev teams play too, in order to train and equip developers to think and act with a security mindset every day.
    • With an attacker's mindset, developers can be the first line of defense for their own code, much earlier than the security team steps in
    • Focus time and investment on building the product at an earlier stage rather than fixing issues at a later stage
    • Reduce the pain and improve the relationship between the dev and security teams
    • Build security culture across all software departments
    • Identify security champions
  • #7 Benefits of AppSec Cyber Range. Benefits from both the practitioner and leader sides:
    Practitioners
    • Educational experience for all skill levels
    • Engaging and fun environment
    • Better understanding of security threats and attacker mindsets
    • Immersive, real-time experience that helps teams and individuals improve their abilities
    Leadership
    • Reporting to understand performance at an individual and team level
    • Map results into individual and team learning paths, enabling immediately actionable education opportunities
    • Assess the skills of team members and identify areas for improvement
    • Streamline traditional training based on real-life, demonstrated skills
    • Gain knowledge from providers to understand what methods and approaches work best
    SOURCES: https://blog.securityinnovation.com/hack-through-the-holidays-cmd-ctrl_3-0 https://blog.securityinnovation.com/hack-through-the-holidays-cmd-ctrl_1
  • #8 Blended Learning: an enhanced and customized security learning solution that combines role- and technology-focused courses with a hands-on cyber range to optimize training effectiveness for individuals. Over time these will become ongoing practice that raises security knowledge across all team members.
    • Educate teams: provide baseline security education to cover the fundamentals before cyber range engagement
    • Baseline performance: keep early-stage events low pressure in order to accurately baseline the performance of individuals and teams
    • Coach participants: in real time and after the fact. Break down the mindset of a mystical hacker culture by driving open discussions, sharing, etc.
    • Distributed focus: it's not just about score, number of issues found or methodology; it's about all three. Make sure to focus on the hows and whys of attacking a site, not just the scoreboard.
    • Understand results to inform action: various data points will arise and can be used to schedule specific training, inform career paths, etc.
    Source: https://docs.google.com/document/d/1jOwvR1t7nTHnlF0sVWr2gmfYyUikid_vRMwM_PlNlBI/edit?usp=sharing
  • #9 Surprises
    • Much broader scope of users than expected (execs, HR, engineering, marketing)
    • Speeds up security training ramp-up for users
    • Leads to an improved security skills pipeline
    • Self-selecting security champions: don't steal talent, expand it
    Side Benefits
    • Improved skills measurement
    • Informed, results-based training
    • Demystification of hacker culture
    • Improved team dynamics (fun, engaging events = better teams)
    Source: https://docs.google.com/presentation/d/1KitKSfzu6zsDvZEpNYAAADeIRUVPI6PLozMtnJUoD5k/edit#slide=id.p14
  • #10 To do: get feedback from Accenture or SI CSM on content. Image is from the Accenture website: https://www.accenture.com/us-en/insight-disruptive-technology-trends-2017
    Wording is subject to change if it incorrectly reflects the roll-out plan. 'Start small, make progress' is based on the understanding that Accenture will start with a smaller group of players for CMD+CTRL to train the trainers, then pilot to a couple of thousand players for always-on, before eventually expanding to much larger groups.
    Goal of slide: introduce the concept of a modern, application-focused cyber range to a group who likely know cyber ranges as cumbersome network tools. Maybe make this a slide on "The shifting focus of Cyber Ranges"?