Preparedness: The Key to Dealing with Cyber Threats and Reducing Risk
Ed Amoroso from TAG Cyber interviews Cloud Range CEO and founder Debbie Gordon, who shares her thoughts on preparing security operations teams and highlights the importance of readiness when confronting cyber threats in enterprise security.
Key areas of discussion include: the expanding attack surface in both IT and OT environments, SEC regulations and compliance, and the impact of AI in cybersecurity. These factors make it critical for organizations to start using a team-based training platform that improves their technical proficiencies and soft skills like communication and collaboration.
Gordon explains how Cloud Range helps organizations fortify their defenses against cyber attacks through immersive live-fire simulation exercises and how this approach empowers security teams to be ready to respond effectively to threats.
Full transcript below, edited for clarity
ED: If you work in enterprise security, and in particular if you run a security operation center, then you're familiar with the concept of preparedness. That is absolutely essential to dealing with threats, reducing your risk, and really driving operational excellence. Today I have a discussion with a longtime friend of mine, an expert in this area. She runs an amazing company. I want you to stick around. I think you're going to learn something from our discussion today.
Hi, I’m Ed Amoroso from TAG Cyber. I want to welcome you to our discussion today. I have a friend and colleague who I've worked with for many years – Debbie Gordon. She runs a company called Cloud Range. They are, in my mind, the leader in preparing security operations teams to be ready, to be prepared, for who knows what is coming, and she'll share with you some insight that she's developed. Debbie, I want to welcome you to our discussion. It's nice to catch up. I'm looking forward to hearing how things are going.
DEBBIE: Thanks, Ed. I'm always happy to be here. It's nice to catch up with you again.
ED: You guys have grown like a weed the last few years. You just keep growing. As we run into companies, I see them using your service and always pretty pleased with the result. Give us a quick thumbnail on what you guys do, and then I want to talk to you about six factors that seem to be driving the push that so many people are experiencing to do SOC readiness, but tell us a little bit about the company.
DEBBIE: Sure. Cloud Range exists to help companies be prepared for forthcoming cyber attacks. As you know, we hear about them every single day on the news, and most large organizations spend an average of over $200 million trying to prevent cyber attacks, yet we still hear about them. There's something that all of them have in common, and that is that the people who were paid to defend against those attacks and detect and respond to them simply didn't know what they were looking for or looking at. And it's not their fault – they had just never seen it before. So, Cloud Range developed a very advanced simulation platform that enables organizations to proactively prepare for a multitude of types of cyber attacks – so that when something does happen, they know exactly how to respond, so that we don't hear about it in the news.
ED: Let's go back to this threat, sort of, driver, because I think that's one of the main factors that explains the rapid adoption of your platform. Your team had shared with me, I think, a 114% increase [in the number of publicly reported data breaches in the US] just in the second quarter of this year. I was surprised it sounded that low. Is that what you're – I mean, fundamentally that's the problem, right? It seems like it never starts to wane, so the threat intensity keeps growing. Has that been your experience in talking to customers?
DEBBIE: Well, it has, and I think that – just industry-wide and globally – the bad guys don't rest. The bad guys don't rest when our government decides they might shut down. The bad guys don't rest on holidays. And so there are more and more ways to attack. The threat surface is getting significantly larger, there are more tools and technologies, there's more third-party software, and so the risks continue to increase. But at the same time, there's also a very grave talent shortage which leaves empty seats in organizations for people who are trying to defend or who need to defend, and those empty seats actually represent a vulnerability – no different than a vulnerability in a software that needs to be patched.
ED: Let's go back to the attack surface that you'd mentioned because it seems to me like that is – like if somebody says, “What's the issue, Why is this so hard?” – I think that's part of it right? As you're working with teams and training their SOC staff and team, does that theme come up a lot – this idea that it used to be a simple kind of thing to protect an enterprise and now there are sort of sprawling attack surfaces?
DEBBIE: It is – and it's expanding and we see it even more on the OT side. Organizations don't even know what assets they have. On the IT side they think they know. On the OT side they acknowledge that they don't know, and they're very surprised when they realize they have all these assets that can be attacked – and even worse they just don't even know how to defend against them.
ED: You've been talking about OT for a while, and you know in our practice at TAG we've started to work in the area of climate science. We're watching industrial control get completely redesigned around sustainability initiatives, so I have a feeling you're going to be pretty busy, you know as companies redesign. Let's talk about the regulators and the compliance requirements because that's another big thing right? As if it's not enough dealing with your point, the bad guys who don't sleep, now I think regulators – and obviously they're doing it because they have the right motivation, but boy as an operator sometimes doesn't feel like that. It feels like you're getting beat up on all fronts. For example, the SEC mandates and so on. How is that sort of driving customers to come and ask, “Hey Debbie, we need your help.”
DEBBIE: Boards are asking the right questions now. Because of some of the SEC mandates and regulations, the boards are asking the questions because they're required to have somebody with a cybersecurity background. They know what questions to ask and they're able to think critically. Where we come in, is when something happens and there's an attack and somebody on the board calls up the CIO or the CISO and says, “Hey are we prepared for this? We're really worried about it.” The CISO can say, “You know what, we just did a simulation on this, we're good.” And so we are developing those simulations based on what's happening out in the wild. We use different sources of threat intelligence – alerts from CISA, for example – we turn those into something that is actionable versus just words. And so boards of directors, now that they have a lot more focus on cyber – and not just because of the SEC regulations, but just in general, there's a fiduciary responsibility to the company and they realize that that can land on cyber – the questions are being asked now in a much more specific way than just crossing their fingers and hoping.
ED: The sort of personal nature of the liability with SEC, I think it's kind of concerning. I would imagine that where previously requesting an investment in your solution would be part of the day-to-day business’s usual ask, with your budget, I mean like a CISO asks for the cost for a vendor to support a license, but you guys do something a little deeper because now it feels like there's a personal liability there, particularly for the CISO.
DEBBIE: They need data, and they get that from Cloud Range because traditional training – and we don't consider ourselves a training company. That's because we are about readiness for an organization, not just giving somebody some skills that they can take somewhere else. But everything that Cloud Range does with its customers translates into a reduction of risk. I'll put this very simply – the more types of TTPs that have been addressed and successfully completed in simulations, the more prepared an organization is for when those TTPs might come about. I'm being very simplistic about this, but at the end of the day we're able to show a measurable decrease in the operational risk, which the board likes to see, versus basic cybersecurity training which often is checking a box that every employee has gotten X number of hours of CPE credits. That doesn't tell how an organization is reducing its risk. But our customers really like the fact that we're able to translate their investment into a reduction of risk. We help them sleep better at night because they can see the impact of what we do and they can translate and communicate that effectively to their board.
ED: When I hear people talk about being understaffed in the SOC, I used to say, “Well, you know, just go recruit harder or come talk to some of my graduate students and offer them jobs.” But I remember you telling me, and it really affected my thinking, that by training a team as a unit and making them effective, certainly it's going to help with retention, but it's also going to help with effectiveness. Perhaps some of that understanding may be less of an issue if the team is operating effectively. Have you seen that effect?
DEBBIE: In any kind of teamwork, the whole is greater than the sum of its parts, whether it's sports or cyber defense. So a lot of leaders are acknowledging and taking action on the fact that they have to grow their own talent. You can't go and find experienced people. And if you do, you're plucking them from another company and you're not solving the problem, you're just perpetuating it – and then, the salaries have to go up, and it's an economics thing, it's supply and demand. I'm really pleased when I see and hear about security leaders, and you know most of our customers fall into this category, that they acknowledge that they have to find people who have will, and then they can give them the skill, and that includes working as a team. A lot of our customers are using Cloud Range to accelerate the onboarding of a new analyst, for example. They immerse them into simulations, not just as an individual but with a team. Imagine joining a football team – you can go do individual skills training, things that are measured in a combine – but once you get on the field with that team, things are going to change really quickly and you're going to know whether you can play or not and how well you play. The more that people are exposed to the different roles and functions and dynamics of a team, the better they're going to perform. So, one of the things that I have been pleasantly surprised by, and maybe enlightened is the right word, is the fact that the soft skills – communication, collaboration, confidence – all of these things are truly the weakest link in the chain if not effective. Technical skills – they need them, but if they don't have the soft skills they're not going to be successful. It's kind of funny because my formal education is in human behavior, small group behavior, and organizational development, and never did I ever expect that that and cybersecurity would meet in such an important way. The team is the most important part. 
There's tons of cybersecurity training out there for individuals, a lot of the labs companies, just a lot of them – but unless you train as a team with live fire, live traffic, live attacks, it's like learning to throw a football but you never actually play on the field.
ED: It's been transformational for me because when people complain to my team that, “We don't have enough folks in our ops environment.” I always ask, “Have you taken the time to have them work together in a preparedness initiative?” And usually if they're not your [Cloud Range] customer, then it's usually no. And you think, “Don't you think you ought to do that? Wouldn't that maybe get them working and just produce a little higher level of harmonization?”
DEBBIE: Their answer probably is, yes they ought to do it, but you and I both know that important and urgent do not always coexist.
ED: I know. That’s why we’re talking.
DEBBIE: They know what they need to do, but if you think about the talent shortage, even security leaders can't keep up because they're managing people who are overworked and overburdened. They don't have time to think proactively and do all this. That's why part of our whole program is not only just our platform for simulation, it's ensuring that we do the heavy lifting to make sure that our customers are doing the simulations, not waiting for them to “have time,” because having time is about the same amount of time that I have time to go to the gym. I have to plan it. And if I don't plan it, I don't go. It's the same thing for proactive preparation and training. If it's not planned, if it's not scheduled, it's not going to get done.
ED: Has all the kind of attention around artificial intelligence (AI), has that affected people’s view of threat and attack surfaces and so on? Is that a theme that comes up as you're talking to SOC teams and to their management?
DEBBIE: It comes up every day. In any industry, AI is kind of the “hot topic.” There's a lot of discussion about it, and personally, the way I see it is, at the end of the day, it's a tool for both sides. It's a tool for offense and defense, and so the playing field is relatively equal. There are AI tools for analysts to use for cyber defense, and there's AI for the bad guys. It's just another way that we have to make sure we're staying on our toes. We use it in our platform in various ways, and you'll be seeing some more of that be released in the very near future. But it's like any technology. If you think about the internet, the internet gave us information and quicker access to information – and that's what AI does. It’s quicker access and so we all have that “luxury.” I like to think of it that way.
ED: One thing your team showed me personally that I thought was super interesting was all the pre-integration that you do with different vendors. If vendors are listening to us right now, I hope they call you. It seems like such a natural thing that you'd want your platform embedded into a live-fire range. Are you usually reaching out to vendors on behalf of your clients or do you get a lot of inbound where they ask to be included in your platform?
DEBBIE: Probably both. And just to share with the audience what the context here is, our cyber range platforms are all virtual. So we don't touch anything on somebody's network. But we're able to mimic the relevant tools and technologies that they have, so that when they're going through a simulation they're using familiar tools. Whether it's you know – name your SIEM, name your firewall, name your EDR solution. We have partnerships with all of those companies that I'll refer to as the usual suspects that most enterprises have one of a handful in each of the categories. When we partner with those companies, they provide our solution to their customers. They're also using it in some different ways internally as well. Those partnerships are amazing. We continue to grow those partnerships both on the OT and the IT side.
ED: For people watching, again, if you're working as a vendor listen to what Debbie said – the usual suspects. If you'd like to be a usual suspect you probably ought to be [in the range].
DEBBIE: If you think about it, you know every technology's customers – they're using your tools already, so you want them to become more effective while using your tools. We're not teaching people how to use a firewall, you know a specific OEM brand. We are teaching them – or I should say our platform enables them – to learn what to do with those in a live environment. It's one thing to know how to write a firewall rule. But, when do you write it? Why do you write it? How do you make the decision to do that? With whom? All of the critical thinking that goes along with using the tools in a multi-vendor environment is so important.
ED: Debbie, I want to ask – assuming that across the different sectors – say commercial, federal, state, government, all these – probably working across the board, because any place there's a SOC, there's a need. Am I reading that right? I’m having a hard time thinking whether there would be an industry that would be more or less served here. It seems like all of them.
DEBBIE: I know. It's funny because investors never want to hear, “Oh, we apply to any company. We're useful for any company.” But there are industries that invest a little more – banking for example, financial services, health care. Critical infrastructure is something that is becoming more and more of a focus from an investment standpoint. Organizationally, a lot of those companies haven't quite caught up with the need. They know there's a risk out there but they don't even have their organizational act together to know whose job it is, whether it's the IT side or the OT side. But, yes, it's applicable really to any industry. We have customers in every vertical, some more than others, but you know that may be just a coincidence, but it is applicable to anybody.
ED: Debbie, for folks who may be watching and they think, “Alright I'm sold. I want to do this.” Do they just go on your website or what's the best way for somebody to reach out to set up a discussion about developing a relationship and getting your service into their SOC?
DEBBIE: Our website is www.cloudrangecyber.com. We have a process where we get to provide an actual simulation to customers and they will experience it – because this is a new thing. We've been around for five years and an industry leader, but at the same time there's a lot of companies who've never seen this. It's kind of like when the flight simulator was invented, people hadn't seen it, they hadn't heard about it, and so you have to show it to them. But once our customers start using this, we have a 97% retention rate, so it obviously is something that's extremely valuable to companies. You're never finished. There's always more to be prepared for, and they're continuing to make that investment because of that.
ED: Well, please keep up the good work. You know I'm a big fan of this area of cybersecurity. I can't think of a single reason why a security operations team would not be doing this. This is one where if you're not doing it, that's almost like the pilots not doing their training, and that's a big mistake. So if you're watching right now, listening to my voice, make sure you get in touch with Debbie and her team, and let me know afterwards what you think. Debbie as always, great to catch up and keep up the good work. We need you guys to be doing this in our industry, and I do appreciate everything you guys are doing for us.
DEBBIE: Thank you and you keep up the good work too. I appreciate it.
ED: And for everyone else watching, we'll see you next time.