Have You Put in Your 10,000 Hours of Cyber Security Training?
The Case for Cyber Ranges – Part 4
In his non-fiction book "Outliers", Malcolm Gladwell wrote about, and repeatedly mentioned, a rule called the "10,000-hour" rule. The premise was not new at that point; however, it was and continues to be very relevant.
The premise of the 10,000-hour rule is that becoming an expert at something takes a minimum of 10,000 hours of practice. And not just any practice, but correct and precise practice. An example that Gladwell gives (among others) is Bill Gates. We all know Bill Gates as the former Chairman, CEO, and Founder of Microsoft. Many people do not realize that Bill Gates was a very skilled computer programmer. How did that happen? Was Gates born a programming prodigy? No, he practiced. He got his 10,000 hours when he got access to a high school computer in 1968 at age 13! Gates put the time in to become an expert and he did it right.
This 10,000-hour rule definitely applies to the people who are responsible for securing our enterprises, governments, service providers, and critical infrastructures. How many of these individuals actually have 10,000 hours of real-world practice? Very few. How many have access to an environment that can give them realistic hands-on experience with security threats? I would venture to say very, very few.
To gain the expertise needed to become an expert, people need a place, an environment, in which they can practice. This environment should be completely safe and secure so that any security threats, malware, etc. do not threaten any other sites. Typically, these environments are called cyber ranges.
A cyber range can be almost anything, but it should mimic the user's production network. Most cyber ranges will be built on a completely virtual base with all (or most) components being virtual as well. There may be cases where physical devices must be used (no virtual image, performance, etc.). This range can then be used by those who need to continually practice and sharpen their skills. The range can also be used for many other purposes, such as Red Team vs. Blue Team exercises, research into best security practices, patch management verification, etc.
Here is the most critical thing to consider when running a cyber range: how realistic is the traffic going through the range? This includes the legitimate application traffic as well as the nefarious security traffic. You MUST provide dynamic, realistic traffic so that the users have the look and feel of what they do on a day-to-day basis. This environment allows people not only to practice their skills, but also to replay the latest security threats in a safe place.
I ask you again - where are you getting your 10,000 hours? Do you have a cyber range environment to continually practice your skills and practice what you do on a day-to-day basis? Greatness requires enormous time.