Sean Donnelly is the VP of Product Incubation at SimSpace. Donnelly has over a decade of experience in cybersecurity, from serving in the US Navy as a cryptological warfare officer and blue team technical director, to working in cybersecurity consulting, to founding Resolvn—a subsidiary of SimSpace that provides security services to federal agencies.
Donnelly is a respected thought leader and innovator in the cyber space, recognized on the 2021 Forbes 30 Under 30 list for his contributions to cybersecurity education and training.
At RSAC 2022, we spoke to Donnelly to discuss how organizations can use a cyber range platform to analyze how effective their security actually is compared to how they think it is, identify vulnerabilities and shortcomings in their environments, and instill more confidence in their people, processes and technologies.
Could you give us an introduction to SimSpace and your typical customer base?
SimSpace provides a cyber range platform. The European Cybersecurity Organization, or ECSO, defines cyber range as a platform for developing, delivering and using interactive simulation environments. And there are a number of reasons why you would want an interactive simulation environment. Those environments ideally are designed and deployed to look exactly like customers’ production environments, their enterprise networks. The reason for this is to enable users to test and validate their security operations without any of the constraints one might have working in production, and do this without any risk to business continuity.
Our customer base is comprehensive across different sectors; on the commercial side, we have five of the top 15 US banks, we have insurance companies, health care providers, and we also partner with telecommunications companies, many within the Global 2000. And then on the international side of things, we work with a number of NATO countries as well as Japan. The US military is a large customer and partner of ours, US Cyber Command, as well as each service underneath there, such as Fleet Cyber Command, Army Cyber Command, and Air Force Cyber Command, not including the Marine Corps at the moment. So, it’s pretty broad across the government, international, and commercial space.
What are some of the challenges your customers are facing? And how can SimSpace’s adversary emulation help organizations address these challenges and more effectively identify security vulnerabilities?
So, depending on the customer, they’re going to have a different threat model. And what I mean by that is they will, ideally, have hypothesized who would want to get access to their assets. Also, what would they do with them? How would they go about getting access, and for what purpose? With that information, they will have a decent understanding of the tactics, techniques and procedures that they’re looking to be able to prevent, detect, and respond to.
So, when a potential customer turns to SimSpace, first and foremost, they want to be able to create a replica scaled down environment of their actual networks. They want to be able to put their security teams—their triage analysts, incident responders, threat hunters, intel personnel and detection engineers—into an environment where they can work through their playbooks and analytic workflows, and experience a battery of realistic attack life cycles to refine and identify gaps within their processes, as well as gaps within their people’s competencies, i.e., the application of their skill sets, and also identify gaps within the technologies they pay for. Just look at this conference, for example; the majority of it is security detective controls, and they put these in place and spend a lot of money on them, and they assume these technologies can do what they’ve been told they can do. But they also want to validate that, and they want to have confidence in what they’ve paid for. So that’s the technology side of things. Customers want to build this environment and validate their people across technologies and figure out where they actually stand, so they can start to make real progress.
Separate from that, they also want to build the in-house competency of their people. A lot of organizations have learned that, no matter how much money and effort they put to trying to find the right people to fill the roles that they have, the people aren’t out there. So, they have to organically grow these teams. And for a long time, there hasn’t really been a process for growing these teams. And then not only that, if you have these metrics and this insight you can measure people’s technical and professional competency level and make sure that they can actually do the work they were hired to do.
A lot of customers turn to SimSpace for both the individual- and team-level technical training, to be able to say, “Hey, this is our tool set that we use, these are the environments that we work in, these are our processes that we have, and we’re going to give you access to hundreds of asynchronous hands-on technical training that will get you up to speed so that you can operate effectively on our teams.” That’s the individual- and team-structured training, and then realistic environments where you can actually experience real-world attack life cycles and essentially validate and tweak your processes, people, and technology so that you know you’re as well prepared as you could be.
We feel, and it’s been validated many times over, that there is significant business risk in assuming that what you have in place is operating at 100%. Because the fact is, nothing operates at 100% of what you expect it to. So, we provide analysis of the gap between how your people, your processes, and your technologies are perceived to be operating versus how they actually operate, allowing you to progress and make informed decisions based off that information.
How often do you recommend carrying out these exercises, and what are some of the benefits of testing a business’ people, processes and technologies in this way?
These collective training experiences are typically periodic for our largest customers and at most quarterly. It’s not very easy to take a significant portion of your security team away from their day-to-day job. Security is a 24/7 job, especially when you think about those people doing detection and response within the SOC. So, quarterly is a palatable cadence and somewhere between four hours to three days is the window of time we’ve seen for the events that we execute, and there’s a lot of great insights that come out of those events.
But on a more frequent basis, we see the testing of their technologies. On a weekly basis, we see customers pulling their security tools into a simulated environment, running a set of attacks through it, and determining what coverage they have in terms of whether it detected or prevented what they expected it to.
And then on a odaily basis, we see a lot of individuals leveraging our content training library. They work an eight to 12 hour day in the SOC, and may take 30 minutes to an hour, one to three times a week, to train at their own pace and at the time they choose. And it could be on a topic that is highly applicable and relevant to what they’re doing that day. So, maybe they want to get good at detecting a specific lateral movement technique, or understand how to think analytically about what workflows to step through, depending on what tools they’re using. They can find that content, take it and do it.
Our cyber ranges—and specifically our replica, scaled-down environments—get used continuously for architecting new environments. So, security architects and engineers might say, “We have a goal to move toward a zero trust design principle,” or, “We want to implement a SASE framework.” Well, it’s not very easy to figure out how you want to do that in your production environment. You’re quite constrained in terms of flexibility; you have to deploy things, test things out, experiment, so they use our environments to say, “This is where our environment is now. We think we want to implement new networking principles in this way, and let’s build it out and see if that’s going to work for us or not.”
Finally, we see a lot of engineering use of our environment. Customers pay for technologies that have detection libraries—essentially, they identify and sometimes block or at least alert of malicious activity out of the box. But those technologies are never going to offer 100% coverage for every customer, not at the depth and breadth that they should be. Because when security technologies build detections, they have to build them for all their customers and then put them out to the masses. But the fact is, each unique enterprise has a unique environment. And so, they have to be building their own detections, their own analytics or signatures, whether they’re signature-based, behavior-based or anomaly-based detections. And doing that in an environment that looks like production gives them the leeway to launch a bunch of attacks with no risk.
When people use the environment to simulate threats or to identify vulnerabilities, is there anything in particular that you see coming up quite often? Are there any specific vulnerabilities that a lot of businesses seem to have?
When we talk about vulnerabilities or shortcomings in their protective and detective controls, it’s going to span their technologies, their people, and their process.
In terms of technology, we see a lot of customers learn that their tools can’t prevent or detect what they maybe thought they could. And being able to identify that allows them to fill in the gaps, make configuration changes, tune their tools to work in their environment and, in some cases, generate less noise or, in other cases, to have better coverage and be better integrated with other, previously siloed tools that they have.
From a specifically threat-focused thought process, not all tactics and techniques are equally valuable from the defensive side of things. Lateral movement, for example, is arguably the most critical and interesting technique across the attack lifecycle. The moment an adversary gets access to one device within a network, if they can’t move to a more interesting device with a higher criticality that’s more important to the business—maybe it stores certain proprietary information or has other accesses that they want to be able to leverage—then they’re somewhat constrained as an attacker. So, if you can detect and respond quickly to various types of lateral movement, you’re in a great place. I think customers figure out where they stand in the techniques and procedures that are most important to them with our products and the capabilities we provide.
Finally, what is your advice to organizations that want to assess their cyber risk and gain better confidence in their security processes?
My advice would be; remember that “cyber risk” is a pretty loaded term and there are a number of factors that it covers. So, ask yourself what vulnerabilities you have, what preventative and detective controls you have in place, and whether they work. You also need to know what assets you own at any given time, whether that’s in your software defined data center, your traditional data center, whatever you have hosted in cloud service providers, and whatever you might have in terms of SaaS applications.
A really important aspect that often gets left out is the fact that you as an organization hire a bunch of people to do pretty well-defined jobs. We know what a triage analyst does, we know what incident responder does, we have a pretty good grasp of what threat hunting looks like, etc. So, you hire these people, you grow them internally and, in most cases, you get them to the technical competency level that you want. But if you aren’t measuring how they actually perform versus how you expect them to perform, and then you are not identifying a key component of risk.
At SimSpace, we help you figure out across your people, processes and technologies, where you stand in comparison to where you thought you stood. We tell you where you’re at, at a very detailed, granular level, and we help you identify where you want to go in terms of your security strategy. We also help you develop and implement the plan to get there. It’s all about becoming more mature as an organization and making progress; if you’re not making progress, then you’re stagnating. At the end of the day, we want to instill confidence in the program that you have. There are risks that you are not considering and not taking into account, and a lot of those used to be very difficult to measure because they were complex, complicated, and ambiguous. But we feel we’ve cracked the code in terms of measuring those risks and helping you understand them. And that’s been validated across our largest customers.
Thank you to Sean Donnelly for taking part in this interview. You can find out more about SimSpace’s cyber risk management platform via their website.
Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.