Making Cyber-Ranges Cloudy, Automated and DevOps-Friendly

QualiSys-Alex-headshotby Alex Henthorn-Iwane

Cyber-ranges are a case study for the challenges of converting from traditional to DevOps ways of doing IT. While cyber security labs and cyber-ranges are often mission-critical investments for organizations that find themselves to be high-value targets for cyber-attacks, too many times cyber-security testing processes are siloed and highly manual. It’s time for cyber-ranges to move towards more automation, cloudiness, and DevOps.

What, Why and Challenges of Cyber-Ranges
Cyber-ranges are essentially lab infrastructures that are used for a variety of security-related activities including point product testing, network topology-level testing, and training such as red team/blue team exercises. The benefits of cyber-ranges are that they address more than just point testing of products or software releases to certify them before integrating them into a network or IT infrastructure. In fact, since the running assumption is that increasingly mobile and porous IT boundaries will inevitably be compromised, the ability to respond rapidly effectively is critical. This means that beyond product testing, developing response skills and systems is a key function. Cyber-ranges can be used to develop those IT staff skills and procedures for effectively mitigating attacks. As a result, while cyber-ranges were originally built and used by government and military organizations, increasing numbers of business organizations such as financial institutions and utilities are building these infrastructures to ensure that they are as equipped as possible to anticipate, respond and thwart attacks.

There are two layers of challenges for organizations that want to have a functional cyber-range. The first layer of challenge is that cyber-ranges are highly specialized infrastructures that require a good deal of expertise to build and operate. The second layer of challenge is that it’s oh so easy to build a cyber-range in an isolated silo. It is very uncommon today for a cyber-range to be part of a broader continuous integration or continuous delivery testing cycle addressing applications and infrastructure. In fact, far from being part of a continuous process, it’s exceedingly common for cyber-ranges to be operated in a highly manual fashion, which means that changes happen slowly and painfully, productivity is low relative to the significant investment they represent.

How Cyber-Ranges Are Built and Operated Today
Given the expertise challenges mentioned above, the cyber-range market today is addressed by two main categories of solutions: bespoke deployments performed mostly by small to mid-size systems integrators, and expensive “cyber-range in a box’ solutions offered by large systems integrators that have packaged a set number of functions under typically, a monolithic management application that is driven by an operator GUI. The advantage of the latter obviously is that it makes it much easier for users to operate, but these “in a box” systems are built for a discrete, siloed set of operations and they typically rely on vendor roadmap-driven updates to extend functionality or update support for new infrastructure or tools. Ironically, that makes them less agile. As for the bespoke deployments, they are very manual in nature—just setting up a scenario for a test can take a week or more, which is right in line with the timeframes associated with non-cloudified IT infrastructure. One of the ways that Gartner describes DevOps is as a “pairing of agile methodology and systems thinking”. In both aspects cyber-ranges today are far from DevOps.

Cloud Automation is Key to DevOps-Friendly Cyber-Ranges
The path for cyber-ranges to follow to get into the DevOps slipstream is primarily an issue of cloud automation. Cyber-ranges are basically private infrastructure, because you have to utilize the actual networking and data center gear that you operate to truly understand how exploits are going to affect them, what symptoms will look like. Also, cyber-security issues really need to be worked out in realistic network topologies, which means that we’re talking about staging/delivery type testing environments. What’s needed is to turn these complex infrastructures and be able to rapidly stand up, tear down and revision these infrastructure environments in a private cloud fashion.

What does this mean practically? If you’re looking to establish a cyber-range, you should be thinking in terms of a private cloud type of operation that allows security teams to access network topologies for various purposes in a cloud-like manner (self-service), that automates as much of the provisioning and tear-down process as possible, and manages multi-tenancy to maximize productivity of that infrastructure across users, teams and use cases.

In DevOps like life in general, no person or organization including the security team, is an island. By moving towards a private cloud automation model, cyber-ranges can evolve from being a (very important) silo, become far more efficient and productive, and align with DevOps initiatives. The result is a far better ROI on cyber-range investments.

Alex Henthorn-Iwane is responsible for worldwide marketing and public relations at QualiSystems.


Leave a Reply

WWPI – Covering the best in IT since 1980