Cyber-security testing typifies some of the challenges of converting from traditional to DevOps ways of doing IT. While cyber security labs and cyber-ranges are often mission-critical investments for organizations that find themselves to be high-value targets for cyber-attacks, too often cyber-security testing processes are siloed and highly manual. It’s time for cyber-ranges to move towards DevOps.
Cyber-ranges are essentially lab infrastructures that are used for a variety of security-related activities including point product testing, network topology-level testing, and training such as red team/blue team exercises. While cyber-ranges have typically been used by government and military organizations, increasing numbers of business organizations such as financial institutions and utilities are building these infrastructures to ensure that they are as equipped as possible to anticipate, respond to and thwart attacks. Particularly when the running assumption is that increasingly mobile and porous IT boundaries will inevitably be compromised, the ability to respond rapidly and effectively is critical. This means that beyond product testing, developing response skills and systems is a key function.
All this is of course good and very important stuff. So what’s the problem? Well, like many IT practices, cyber-ranges most often live in their own silo. It is very uncommon today for a cyber-range to be part of a broader continuous integration or continuous delivery testing cycle addressing applications and infrastructure. In fact, far from being part of a continuous process, it’s exceedingly common for cyber-ranges to be operated in a highly manual fashion, which means that changes happen slowly and painfully, and productivity is low relative to the significant investment they represent.
How Cyber-Ranges Work Today
The cyber-range market today is addressed by two main categories of solutions: bespoke deployments performed mostly by small to mid-size systems integrators, and expensive “cyber-range in a box” solutions offered by large systems integrators that have packaged a set number of functions under, typically, a monolithic management application that is driven by an operator GUI. The advantage of the latter obviously is that it makes it much easier for users to operate, but these “in a box” systems are built for a discrete, siloed set of operations and they typically rely on vendor roadmap-driven updates to extend functionality or update support for new infrastructure or tools. Ironically, that makes them less agile. As for the bespoke deployments, they are very manual in nature—just setting up a scenario for a test can take a week or more, which is right in line with the timeframes associated with non-cloudified IT infrastructure. One of the ways that Gartner describes DevOps is as a “pairing of agile methodology and systems thinking”. In both aspects cyber-ranges today are far from DevOps.
Cloud Automation is Key to DevOps-Friendly Cyber-Ranges
The path for cyber-ranges to follow to get into the DevOps slipstream is primarily an issue of cloud automation. Cyber-ranges are basically private infrastructure, because you have to utilize the actual networking and data center gear that you operate to truly understand how exploits are going to affect them and what the symptoms will look like. Also, cyber-security issues really need to be worked out in realistic network topologies, which means that we’re talking about staging/delivery type testing environments. What’s needed is to turn these complex infrastructures into environments that can be rapidly stood up, torn down and revisioned in a private cloud fashion. A cyber-range that is turned into a private cloud can support both UI and API-driven programmatic self-service. Not only can cloud automation deliver tremendous short-term ROI benefits like a huge increase in productivity and resource utilization, but it also opens the way to tie cyber-ranges into a broader DevOps practice.
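The stand-up, tear-down and revisioning model described above is easiest to see as "scenario as code": a versioned scenario definition that is validated against range policy, deployed idempotently through an API, and released when the exercise ends. The following is an added illustration, not code from the article or from any vendor's range product; it uses a hypothetical in-memory `RangeController` in place of a real private-cloud API, a constructed sample scenario, and an assumed policy that every scenario must include a sensor node for blue-team telemetry and must not enable internet egress.

```python
"""Scenario-as-code lifecycle for a cyber-range lab (hypothetical illustration).

The in-memory RangeController stands in for a private-cloud API; nothing here
touches real lab gear. Policy checks (isolation, telemetry) are assumptions.
"""
from dataclasses import dataclass
import hashlib
import ipaddress
import json


@dataclass(frozen=True)
class Node:
    name: str
    role: str          # "target", "sensor" (blue-team telemetry) or "attacker"
    network: str       # key into Scenario.networks


@dataclass(frozen=True)
class Scenario:
    name: str
    revision: str                  # e.g. the git tag the definition was taken from
    networks: dict                 # network name -> CIDR
    nodes: tuple                   # tuple of Node
    internet_egress: bool = False  # isolation is the default; opting in is flagged


def validate(scenario: Scenario) -> list:
    """Return policy violations; an empty list means the scenario may be deployed."""
    errors = []
    for net, cidr in scenario.networks.items():
        try:
            ipaddress.ip_network(cidr)
        except ValueError:
            errors.append(f"network {net!r} has invalid CIDR {cidr!r}")
    names = [n.name for n in scenario.nodes]
    if len(names) != len(set(names)):
        errors.append("duplicate node names")
    for n in scenario.nodes:
        if n.network not in scenario.networks:
            errors.append(f"node {n.name!r} references unknown network {n.network!r}")
        if n.role not in {"target", "sensor", "attacker"}:
            errors.append(f"node {n.name!r} has unknown role {n.role!r}")
    if "sensor" not in {n.role for n in scenario.nodes}:
        errors.append("no sensor node: the blue team would have no telemetry")
    if scenario.internet_egress:
        errors.append("internet egress is enabled; range networks must stay isolated")
    return errors


def scenario_id(scenario: Scenario) -> str:
    """Content hash of the definition, so identical revisions map to one deployment."""
    canonical = json.dumps({
        "name": scenario.name, "revision": scenario.revision,
        "networks": sorted(scenario.networks.items()),
        "nodes": sorted((n.name, n.role, n.network) for n in scenario.nodes),
        "internet_egress": scenario.internet_egress,
    }, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()[:12]


class RangeController:
    """Idempotent stand-up / tear-down against a fixed pool of lab hosts (hypothetical)."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.deployments = {}      # scenario id -> allocation record

    def in_use(self) -> int:
        return sum(len(d["nodes"]) for d in self.deployments.values())

    def deploy(self, scenario: Scenario) -> dict:
        errors = validate(scenario)
        if errors:
            raise ValueError("; ".join(errors))
        sid = scenario_id(scenario)
        if sid in self.deployments:  # re-applying the same definition is a no-op
            return self.deployments[sid]
        if self.in_use() + len(scenario.nodes) > self.capacity:
            raise RuntimeError("insufficient lab capacity")
        # Hand out addresses from each network's host range in declaration order.
        hosts = {net: ipaddress.ip_network(cidr).hosts()
                 for net, cidr in scenario.networks.items()}
        allocation = {"id": sid, "revision": scenario.revision, "nodes": {}}
        for n in scenario.nodes:
            allocation["nodes"][n.name] = {"role": n.role, "ip": str(next(hosts[n.network]))}
        self.deployments[sid] = allocation
        return allocation

    def teardown(self, sid: str) -> bool:
        """Release the deployment; False if nothing was deployed under sid."""
        return self.deployments.pop(sid, None) is not None


# Constructed sample scenario (not taken from any real range).
SAMPLE = Scenario(
    name="phish-to-lateral-movement",
    revision="v3",
    networks={"corp": "10.10.0.0/24", "dmz": "10.20.0.0/24"},
    nodes=(
        Node("workstation-1", "target", "corp"),
        Node("fileserver", "target", "corp"),
        Node("ids-sensor", "sensor", "dmz"),
        Node("redteam-box", "attacker", "dmz"),
    ),
)

if __name__ == "__main__":
    ctl = RangeController(capacity=8)
    print(json.dumps(ctl.deploy(SAMPLE), indent=2))
    print("released:", ctl.teardown(scenario_id(SAMPLE)))
```

Because the deployment key is a content hash of the definition, a CI job can re-run `deploy` on every pipeline execution without duplicating environments, and a changed revision produces a new key, so the old and new topologies can coexist until the old one is torn down. The `validate` step is where organizational policy lives: rejecting an egress-enabled or sensor-less scenario before it is built is what keeps a self-service range from quietly drifting away from the isolation and telemetry the exercises depend on.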
In DevOps, as in life in general, no person or organization, the security team included, is an island. By moving towards a private cloud automation model, cyber-ranges can evolve from being a (very important) silo, and align with DevOps initiatives.
About the Author: Alex Henthorn-Iwane
Alex Henthorn-Iwane joined QualiSystems in February 2013 and is responsible for worldwide marketing and public relations. Prior to joining QualiSystems, Alex was vice president of marketing at Packet Design, Inc., a provider of network management software, and has 20+ years of experience in senior management, marketing, and technical roles at networking and security startups.
Through his roles at QualiSystems, Packet Design, CoSine Communications, Corona Networks and Lucent Technologies he has acquired expertise in cloud computing and the opportunities presented through virtualization. He has written for Embedded Computing, Virtual Strategy Magazine, Datamation, SDN Central, Datacenter Knowledge and InformationWeek.