Cyber Education as a Service with Bash Kazi
Joining the podcast this week is Bash Kazi, CEO of Cyber Range Solutions. He shares perspective on the importance of experiential and continuous training across red team, blue team and threat hunting and creating real world environments to learn based on existing and emerging threats.
He also shares some stories from the field such as a voter hacking simulation won by a 15-year-old student as well as available resources and organizations that provide veterans a place to learn cyber skills for low or no cost.
[01:11] Introducing Our Guest, Bash Kazi
Rachael: I'm excited for today's guest because we're going to get into an area that I'm not as familiar with. Joining us today is Bash Kazi. He is the CEO of Cyber Range Solutions, and I'm really excited to jump in our chat today.
Bash, I am really curious. We were talking a little bit before we got on the podcast and you had such a really interesting story, how you came to be here with Cyber Range Solutions. I would love you to give us your origin story here on how you got to where we are today.
Bash: Thanks, Rachael. I'm the founder and CEO of Cyber Range Solutions. My background is in engineering. And most of my engineering work was associated with my previous ventures where I ran a defense contracting firm. Here, we were doing systems integration, design, engineering, and manufacturing of various types of hardware platforms to assist the US warfighter in challenging and austere environments.
As I was, back in 2016, walking through the corridors of power at the Department of Defense, I was being guided by some of the contract officers and the subject matter experts that the US DoD's budgets were being moved substantially from the traditional platforms towards more of the information technologies and information technology-related security expenditures. Being an opportunist that I am, I started thinking about how to pivot my organization and not knowing anything about cyber, and not being intimidated by technology, I did what I would consider anybody else to do, and that is go and see subject matter experts in the industry, in the sector.
A Huge Problem in Cybersecurity
Eric: Okay. You're doing your research?
Bash: Yes. I went out to the largest cybersecurity exhibition, which was held at the Moscone Center every year called RSA. I remember walking for days and not stopping for more than a couple of minutes at every booth that I found interesting.
As I described to you earlier, Rachael, all I saw was every single vendor and OEM was claiming to have the latest widget or gadget or appliance or software or tool to solve problems. But the glaring biggest issue that I saw or recognized was the fact that there weren't adequately trained individuals to use those appliances.
A software is only as good as the individual that's using it. A tool is only as good as the subject matter expert that is trained towards applying it.
I continued to investigate and I saw an article in the magazine that was handed out. This was written by the Gartner group where they were indicating that back in 2016, there were over a quarter-million unfilled cybersecurity positions in the United States alone. This is supposed to version to over half a million by 2019.
Eric: Yes. Which is way low because there are other reports saying one million shortage by 2021, so big problem.
Bash: Yes. There is a huge issue there. What I realized as my opportunity was how to bring all of this together in creating a solution that would allow for rapid deployment of cybersecurity personnel. Especially from my primary customer, which is the US government, the Department of Defense. The solution came to me from my research into this subject with some of our partners, especially overseas.
Shortening the Gap in Cyber Education
Bash: One of our partners was working with the Israeli Defense Forces to solve the same issue in Israel. What this partner had done was use experiential learning to help shorten the gap in training cybersecurity resources. Just like a young surgeon follows a surgical guide and practices on like 3D printed cadavers before using a scalpel on real flesh. Just like pilots train in flight simulators before the first real takeoff. And firemen encounter several controlled fires before they're trusted to enter a burning building. Or soldiers training in a simulated battlefield before entering the frontline of a civilian town. Just like these doctors, pilots, firemen, and soldiers receive training and real-world simulation scenarios, cybersecurity professionals require the same type of learning to prepare for their first jobs.
That, in my opinion, is all based on experiential learning. What is that is the process whereby knowledge is created through the transformation of experience. Where knowledge comes from a combination of grasping and transmitting experiences. This process of building a standard operating procedure using conditioned reflex actions, what we call muscle memory transformed using real-world tools that are being introduced by all of these OEMs that I saw at RSA, which is the origins of a cyber range.
Cyber range is a hyper-realistic simulation environment, which incorporates and integrates all of the necessary tools, the intrusion detection systems, the firewall monitoring systems, the SIEMs to create a real-world scenario in a sandboxed environment. You're not putting your live production at risk to help you mitigate and thwart real-live risks while being in a completely sandbox environment.
Eric: Bash, you're not talking about on-the-job training and you're not talking about somebody goes to school and gets a degree in cybersecurity or whatever it may be.
A Hyper-Realistic Simulation Environment for Cyber Education
Eric: You're talking about a purpose-built environment here where people can go and practice. They can test and then gain experience, so that then when they enter the real world or when they go back to their real-world positions, they're more qualified, more knowledgeable. Correct?
Bash: Very true. Eric, cybersecurity skills are very specialized. Just as I stated earlier. The cyber skills differ in terms of the ability for an individual to acquire them as compared to the skills learned through traditional textbook training. You can't train a fighter pilot purely in a classroom, how to commandeer an F-16.
You can't train a surgeon only in a classroom on how to conduct anything unless they've practiced on cadavers before. Same way, you can't teach a cybersecurity subject matter expert about all the latest hacks and attacks and how to develop a conditioned muscle memory standard operating procedure for themselves, unless they are subjected to experiencing these attacks in a simulated environment.
Eric: Do a lot of schools use cyber ranges or is it primarily the government or what's your experience there?
Bash: At present, the initial use of cyber ranges was by large organizations, such as the Department of Defense and the DoD contractors. But we are starting to see introduction of cyber ranges at NSA Centers of Academic Excellence across the US. And it is being adopted by academia globally.
Eric: Which last I checked was, I think NSA was over 40 schools, weren't they?
Bash: I think it's probably more than that.
Eric: Okay. So they're taking off?
Bash: Yes. There are a lot of NSA Centers of Academic Excellence across the US. We work with about 18 of them. Cyber Range Solutions develops and delivers hyper-realistic simulation platforms, these cyber ranges.
Which Is More Effective for Cyber Education?: Textbook or On-Prem Environment
Bash: We also help in creating custom learning management systems and customized industry-specific cybersecurity training modules, scenarios. And allow for professionals and students to utilize them in either an on-prem or cloud-enabled environment.
Eric: These aren't tiny schools either? They're Dartmouth, Tulsa, NYU, I believe. These are brand-name schools, Rachael.
Rachael: That's awesome. Because that's something that we've talked about in the past, Eric, is getting the right curriculum, the right training. Cyber is so dynamic. If it's in a textbook, it's maybe too late. You know, it's already stale by the time it got published. So how do you keep real-time skills because that's also something.
I follow a lot of folks on InfoSec Twitter, and it's one of the comments that they make a lot when they go into interviews, for example. That some people focus more on the textbook where others focus more on the actual experience. You don't need a college degree, but that hands-on experience, Bash, like what you're talking about, that's invaluable. Because you're getting in that real-world environment and the pressures that come with it, ostensibly.
Bash: Yes. We don't just provide the customized training. We also do some very specialized training for government organizations. For example, training programs that are for red teams, blue teams, threat hunting. I'll go a little bit more into that. A red team is an offensive team for security professionals who are experts in attacking systems and breaking into their defenses.
Eric: Attacking friendly systems to ensure that common vulnerabilities and openings aren't available.
Bash: Well, in some cases, in other cases, these are actual offensive teams taking out critical national infrastructure, an adversarial nation's critical national infrastructure.
Rachael: This is one of my big interests by the way, Bash, is the whole offensive strategy.
The Network Defenders
Eric: Rachael wants to take a small country down via keystrokes at some point in her life. But we're not going to go into detail on that just yet.
Rachael: Yes. We're not going to go there.
Eric: We've got the red teams.
Bash: Then, there are blue teams which are defensive security professionals responsible for maintaining internal network defenses against all of the cyber attacks and threats. A blue team typically consists of security professionals who have a really good view of an organization's network architecture. They're there to protect the organization's critical assets against any of these threats.
Eric: Yes. The network defenders, if you will.
Bash: Exactly. The network defenders and their objective is to strengthen the castle wall so that no intruder can compromise the defenses. What we typically do is we work with these red and blue teams to create exercises that provide a holistic security solution. Ensuring that the strong defenses are there while keeping in view all of the evolving threats.
We bring into this cyber range or range of ranges using all the various platforms that are available in assets and tools. Then inject the known hacks and malware into this sandboxed environment to allow subject matter experts or students to practice and hone their skills.
Eric: Bash, if I'm thinking of a flight simulator primarily right now, right? You're an existing pilot. You have some level of education about flying. You may know the plane or helicopter you're assigned to, and instead of flying real-time all the time, which is expensive, you get in the flight simulator periodically and people throw scenarios at you and see how you react.
[16:58] Continuous Cyber Education Is Crucial to Preventing Incidents
Eric: They train you to do things so that when you go into the real world and you lose an engine or you lose a control surface or something, you're okay. Same concept, right?
Bash: Exactly the same concept.
Eric: Will people go back? We're not just talking initial training. Even over time, will people rotate through a cyber range typically and deal with the latest and greatest threats or technologies or whatever it may be to keep their skills up or to improve on their skills?
Bash: Very good question.
Continuous training is crucial to preventing and resolving incidents. The number one ROI in cybersecurity is spending money on training for an organization. A cybersecurity career demands continuing education. I think it is imperative for managers, CSOs and leadership inside organizations to make education and retraining a top priority.
CSOs should encourage their staff members to join professional organizations and pursue advanced training courses. It is an urgent need for skilled resources to retrain in specific custom environments that mimic their specific network architecture without risking their live production systems. That is where the use of cyber ranges comes in.
Eric: The cyber range will mock up the infrastructure that the defenders, in this case, are working in?
Bash: Correct. Cyber range, it's an interactive simulated representation of the organization's local network, their systems, tools, and applications that are connected to a simulated internet level environment. This provides you with a safe legal environment to gain hands-on skills and a secure environment to do product development and to do security posture testing.
In organizations, when they want to launch a new product, they want to do some network penetration testing and that cannot be done in a safe manner unless you're in this virtualized environment like a cyber range.
You Got to Build Security in From the Beginning
Eric: Well, I'm just getting more than half of our customers to think about cyber security as they launch a new capability. Let alone actually get out to a range, mock it up and play with it. Rachael, how many people have we talked about who said, "Build it in." Right? What did Sudhakar say? Remember his tagline on security? You got to build security in from the beginning.
We don't have customers who typically even think about cyber as they're rolling out a new platform. I love the idea of this cyber range, but how many people think about that, Bash? Security by design, Rachael.
Bash: You can include in this cyber range, actual hardware and software, and it can be a combination of actual and virtual components. Some of these ranges are interoperable with other ranges. Because each range uses a different software platform, and that interoperability is pretty critical.
We typically like to encourage our clients, customers to use different range environments in order to be able to experience all the tools that are available in the marketplace. The internet level piece of the range environment will include not only the simulated traffic. But it also replicates network services like webpages, browsers, and email as needed by the customer. We will help our clients develop that customized piece to ensure that the students or staff that is getting trained in this environment can hit the ground running when they go back to on-the-job application of the skills that they've acquired.
Eric: My organization, whether it's a schoolhouse in a training world or it's a business or government agency that wants to send its team through, we work out with the local cyber range that we're affiliated with or that we're aware of or whatever.
The Components of Cyber Range
Eric: How long are the people in the class, right? Is it a one-day, a one-week, a two-week class? What part of the class is it? How does that all work? I'm curious.
Bash: With the aid of a cyber range, we are able to develop modules, courses, content, labs, that can range from as little as 30 minutes or one hour on a specific topic to hands-on training for two to three weeks at a time.
Eric: Rachael, could you imagine this? You and I strapped in, we put our helmets on and we just descend into the range for 45 minutes? That would be a disaster.
Rachael: I imagine like a week, you're locked in a windowless room for a week. Right? You just have Mountain Dew to keep you going while you try to solve the problem.
Eric: I'd be looking for my personal keyboard. I'd be like, "Hey, where's my track pad?" That would be fun putting you and I in the middle of the range.
Rachael: That's exactly right. Solve all the world's problems too very quickly. It sounds like something like this could be very useful to hackers as well. If they wanted to bone up their skills or what have you, I know there's two sides of every coin. Do you ever get hit up by, I don't know, Conti Group?
Eric: The adversaries.
Rachael: Yes. Any of those guys who are like, "Hey, we like to get some new skills, Bash. Will you sell it to us?" Has that ever come up?
Bash: It hasn't come up yet, but I'm pretty sure no hacker is going to come in and tell us that they're a hacker and they would like to do cyber range.
A Cyber Hacking Incident in Las Vegas
Eric: Rachael, I love the way you're thinking and I agree with you with one small flaw. I personally feel like the whole world is for a hacker. The whole world is their range. That is their cyber range. If they want to target a nation state or they want to target somebody, they can pick a lesser consequential target to practice on as they go. Maybe on very specific nation state activity, I could see them not wanting to make mistakes so they wouldn't get detected.
But the whole world is their cyber range. Hack away. When you want to take that small country down for a few minutes, I don't know, pick Tanzania and practice on them. Nobody's going to do anything to you.
Bash: A few years back, we were invited to a voter hacking village simulation at DEF CON in Las Vegas. We ended up creating a simulation of the latest voting machines connected to a voter database, simulated it on the range. It was covered by CNN. I remember there was a 15-year-old girl from Florida, a high school student who was able to hack into the system that was simulated on the range in less than 15 minutes.
Eric: Hopefully, we learned from that and closed up some of the vulnerabilities that were discovered.
Bash: Yes. I think there was a National Governors Association led study that was done on how to defend against attacks on voter hacking machines. I think the results of that study were published back in 2017 and '18. Most of them have been actually taken care of in the most recent elections.
[26:43] We Need to Leverage the Latest Technologies for Cyber Education
Eric: That's the beauty of the range. I think you can train personnel, but you can also identify gaps, especially if it's mocked up relatively closely to your environment. You can identify gaps in your defensive posture as an organization that you can close up at the same time. Almost like you're red teaming your own organization as you're going through it. Bash, you're looking at me like that's not quite the way it works sometimes.
Bash: You know that is. I think some of this needs to be addressed with academia. Because I think we need to develop a comprehensive system whereby the academic world takes a look at how to take some of these workforce development requirements and adapts to the changing technological landscape.
I don't think that a typical two-year or four-year college degree is the most appropriate route for folks like cybersecurity professionals. And I think we need to develop programs that are adapted to the requirements in the industry. I think that is a greater need for public private partnership that leverages the latest technologies available to us in this arena.
Eric: I agree with you, and it's a lot better than the mandatory four or five or six hours of training you have to take once a year on cybersecurity, right? Don't pick a USB drive up in the parking lot and put it into your computer, or if you get a phishing email. I agree with you. To me, this is like a pilot doctor, police officer, where they have to qualify with their weapon at the range every couple of months.
Cyber Ranges in the US Follow the Framework of National Initiative for Cybersecurity Education
Eric: Six months, whatever it may be, where we can hone our skills, we can develop and hone our skills. I don't hear enough about the use of cyber ranges. I've been in this business for two decades now. I wouldn't even know where to go if somebody came to me and said, "Hey, I want to put my people through a cyber range." Well, before this podcast, of course, I didn't know where to go. Now, I know the expert who I would call. But I don't think we're getting enough exposure out there on the learning capability around cyber ranges.
Bash: One of the key areas for the framework, which is developed for cybersecurity education is to go and look at the work that has been done by the National Initiative for Cybersecurity Education, NICE. Which is led by the National Institution of Standards and Technology in the US Department of Commerce. This is a partnership between the government, academia, and the private sector focused on cybersecurity education and workforce development.
Most of the prevailing tools that are deployed for cyber ranges in the US follow the NICE framework. This provides a really good set of building blocks for describing tasks, knowledge, and skills needed to perform cybersecurity work. It's based on standards that are recognized by the industry.
Eric: Okay. I have one last question. What percentage of organizations put their people through a cyber range? Any idea?
Bash: A very small percentage.
Eric: Single digits? Low double digits?
Bash: I haven't seen the statistics on that. I get a lot of my statistics from cyberseek.org and from the Gartner group.
Organizations Spend on Products Not on Cyber Education
Bash: I would say even though most CSOs and organizations consider training to be their number one return on investment in cybersecurity, I don't think that the recommended amount of funds are allocated off your overall cybersecurity budgets on training. I think it should be close to between five to 8% of your total cybersecurity budget should be allocated on training. Or as high as 10 to 15%.
Eric: Bash, I agree with you. As a product vendor, what we see are people talk training and they buy product. They buy it all day long. Maybe they buy consulting to implement product and work with it, but we do not see hunting. We do not see training at the levels we need. We'll end the show there. Full agreement with you.
The more qualified our people are, the better capable they are. I think the better off we are regardless of the products out there. Rachael, you're in luck. When you decide to change your activities down the road one day. Unless we change something, we will not have the qualified defenders out there to prevent you from getting in.
Rachael: Yes, exactly. Well, thank you for the great work that you're doing, Bash, because this is really important. I don't know that it's getting talked about enough either in the security industry. It's definitely something that needs to rise to the top.
Again, following up us at Twitter, talks about the classes they're taking or you know what they're learning, but they don't know where to go as well. Where do you get the information you need so that you can get this training and be more effective?
Check My Next Move & FedVTE for Cyber Education
Bash: Well, one thing I do want to touch up on is a lot of cybersecurity jobs, especially with the government require some form of security clearance. One of the best groups of individuals that we don't spend enough time to promote cybersecurity as a field are our veterans who've already sacrificed a lot in their fight for our freedom.
They need our help in assimilating into society when they return back home. Since most of them already possessed security clearances, cyber is an ideal field for them to build skills in a short period of time and to enter the workforce. Because we've got such a massive shortage of cyber talent. I would suggest that any of the veterans that are listening in should go to the website, My Next Move to help identify how they can work and get examples.
They should also visit the Federal Virtual Training Environment, FedVTE, which provides free online cybersecurity training for US government personnel and veterans. We are part of some of those programs and a lot of those programs are funded and free of charge for our military personnel and veterans.
Eric: Yes. We're going to put it in the notes.
Rachael: This has been really great conversation. I've learned a lot. Again, thanks for the great work you're doing, because we need all the help we can get out there. I think a lot of people don't realize you don't need a degree. You just need some hands-on training, and interest and an aptitude. You can do really great things and save people from some really bad things happening to their organization. Hit the subscribe button, listeners and you'll get a fresh episode every Tuesday right to your email. Until next time, everyone.
About Our Guest
Mubashir G. Kazi is the CEO of Cyber Range Solutions. He has over 25 years of global experience with governments and Fortune 500 companies (3M, Exxon & Xerox) in the areas of engineering, security, Information Technology and program management. Mr. Kazi holds graduate and post-graduate degrees in Engineering from McGill University in Montreal, Canada and has extensive post-graduate research and training in Advanced Project, Risk Management and Program Management skills specific to the fields of engineering and technology management from Stanford University.
Mubashir has also served as a management consultant on several security programs around the world (Qatar, Israel, UAE, Pakistan, Afghanistan and USA). His expertise includes national border security, counter narcotics technology development & deployment, engineering management, cyber security training and international program management. Mubashir was the Architect and Program Manager supervising the design, management and execution for a program involving the deployment of several thousand personnel for the development of a National Data Repository, Border Security, Machine Readable Passport and Electronic Voter Registration system for the Ministry of Interior, Government of Pakistan.
Mubashir has architected the creation of one of the largest citizen data repositories and overseen the national census data gathering initiative to document over 100 million individuals.