Training Corporate Security Teams in The Event of Cyber Attack

(Thu, 24 Nov, 2016) London, UK


Despite billions of dollars invested in antihacking technology over the past 10 years, companies appear to have little idea of how to respond to a cyber attack. When Target was hacked during the busy 2013 Christmas season, investigators found the company had missed early warnings that might have prevented the loss of data belonging to 70 million customers. When the news came out, lawsuits were filed, and Chief Executive Officer Gregg Steinhafel resigned. Sony Pictures Entertainment’s fumbling response a year later to North Korean hackers turned a bad situation into a terrible one, costing Amy Pascal, one of the most powerful women in Hollywood, her job as co-chairman.

IBM, which has spent five years buying companies to make itself the world’s third-largest cybersecurity provider, wants to train corporate security teams, CEOs, and PR departments to handle those kinds of crises. Shortly after Election Day, the company unveiled a facility that combines gaming techniques and millions of dollars of sophisticated hardware to re-create scenarios like Target’s and Sony’s in white-knuckle, stock-plunging detail.

The idea is borrowed from the Pentagon, which uses a similar approach to train soldiers for cyberwar. Instead of the pressure of combat, the facility at IBM’s security division headquarters on the Charles River in Cambridge, Mass., wants to re-create a postbreach pressure cooker that can move rapidly from a regulatory investigation to a call from the FBI to whatever else the range’s multimedia producers can conjure. “We don’t want to scare the crap out of people,” says Caleb Barlow, vice president of IBM Security. “We do want people to feel a little of the adrenaline burst and the pressure.”

By the time IBM’s cyber range is fully operational in January, it will offer 12 training programs. Think of them as plays, Barlow says, with settings, acts, and an unusually wide range of actors, including general counsels, marketing teams, and C-suite executives.

The staging area is a bit like a flight simulator built for two dozen. Theater-quality video panels cover the front wall, and the ceiling is studded with the same sensors that allowed Tom Cruise to manipulate data with his hands in the movie Minority Report. (The ceiling array, made by Oblong Industries in Los Angeles, is the most expensive thing in the room.) Racks of servers located a floor below simulate the data stream of a full-size corporate network.

During a recent afternoon demo, the training program began with a phishing e-mail sent to a fictitious HR rep. The hackers made off with a cache of data before the IT crew could isolate the source of the breach. Then an insider leaked news of the breach, and the pressure mounted. The U.S. Securities and Exchange Commission initiated an investigation. More pressure.

As the afternoon wore on, events spun out of control. The security team discovered that the hackers hadn’t just stolen information, they’d also altered the company’s financial data shortly before its quarterly earnings report. Uh-oh.

$200 million: IBM spending on its cyber range and teams for intel and incident response

All this realism doesn’t come without risks. The range is designed to test out some of the most virulent malware, so the whole thing is air-gapped, which means it’s not connected to the real internet. Instead, developers collected data from thousands of web pages to create a miniature, self-contained internet.

Like many of the range’s features, that idea came from Joe Provost, the project’s threat modeling and simulation architect and a former master hacker for the National Security Agency. Two days after hackers took some of the world’s most popular websites offline in October with a botnet of infected home routers, TVs, and other internet-connected devices, Provost figured out how to replicate the attack so he could add it to one of the range’s scenarios. In the simulations, he also plays the main bad guy.

The facility is expensive, and IBM wouldn’t say exactly how much it costs to run. Barlow says the company had spent a combined $200 million on the range and the development of cyber intelligence and incident response teams for on-site investigations of major hacks. He may be reticent to break out spending on the facility, because there’s no guarantee the investment will pay off. IBM says it’s not planning to charge people who come in for the training sessions; it’s more of a marketing tool, an effort to convince companies there’s enough value in IBM’s various cybersecurity technologies to make them worth buying. “This is in some ways a grand experiment,” Barlow says.

Roland Cloutier, chief security officer of payroll-services provider ADP, says that based on what he knows of the gaps in traditional cybersecurity training, IBM’s plan should work. “What IBM has been able to do is take two very different processes and combine them into a single training,” he says. “One is technology-based—I have an attack going on, and I have to stop it. But then you have crisis management, which is about leadership in tough situations. That’s a whole different skill set.”

The bottom line: IBM has built a cybersecurity training center to test corporate readiness. Now it has to persuade customers to buy its gear.

By Michael Riley

(Updated second paragraph to correct IBM’s global market position.)