Boston, Massachusetts – May 3, 2024, N2K CyberWire podcast hosted Allison Ritter, Senior Product Manager at Cyberbit, who shared her vast experience in crisis simulation. Below is the transcript of the interview. To hear the full episode, click here.
Dave Bittner: Alison Ritter is senior product manager at CyberBit. And in this sponsored Industry Voices segment, she shares her career journey off the bench and onto the court.
Allison Ritter: I have been working in different areas throughout cyber and a big draw that brings me back into cyber simulation are the people. After working for years managing and leading SOC teams, the most important part I found was making sure I had a team that I trusted and that trusted each other. They trusted their leadership, they knew how to handle and communicate during a crisis. And from this experience, the number one area to developing a SOC and IR team to me was really investing in our teams, the people. People might say, well, isn’t cyber always a crisis? My answer would be, if you’re handling it correctly, it should not be a day in and day out of crisis.
Allison Ritter: And if you prepare your team correctly, when a crisis does occur, it should not feel overwhelming and uncomfortable. Uh, you know, it should allow you to, your team to feel empowered to make the decisions that they need to make. during the time of crisis that they’re maybe going through. And I’ll tell you, I have worked with those that live for crisis. They want to escalate on a Friday evening. To me, with that attitude, you’re not building a strong team. You’re building a fearful and really resentful team who are now afraid to bring up issues when they do occur.
Dave Bittner: Well, tell us some more about your day to day. Like, I mean, what is it like working within that cyber range?
Allison Ritter: Yeah, to me a cyber range is really like a sports arena for simulating cyber attacks where players can test their skills against a number of different situations It’s a totally safe environment where you can walk up to the plate and hit hundreds of different ransomware scenarios Insider threats exfiltration and walk away with your team. No one gets fired for dropping the ball You All is fine, right? This is where you practice failing and you learn to fail as a team. And this includes both the C level executive team and the technical members. You know, I actually started this journey way back with Caleb Barlow, who’s our CEO at Cyberbit, when we were both with IBM.
Allison Ritter: And when I found out he was building a cyber range, that was something that I really wanted to dive into. Just the way that you really interact was a different approach to learning and in the cyber range, you practice the real world attack vectors and use real tools that you do every single day, you know, simulating the unexpected scenarios, the messages you receive from the team members, the interactive messages you’re getting from executives, how you communicate to clients and you can definitely see that there is an aspect of technical details needed, but a critical piece is for leaders in an organization to go through and have this learning as well.
Allison Ritter: You know, so it was really about creating hyper realistic scenarios where we give the players a chance to Experience the heat of the moment firsthand and dive in through those different actions, you know to me I always think right. Can you remember what you did? You know last monday, you know, can you think back to that memory? It’s hard to do that, but if you now thinking about like if when you hit a buzzer beater to win your middle school basketball game I mean no one forgets that right so it’s kind of creating these moments where You are now pinpointing some type of really key piece of critical thinking that you need to then apply during a crisis simulation.
Dave Bittner: Well, tell me about the transition then from a cyber range to wanting to work in a SOC. What motivated you to make that transition?
Allison Ritter: Yeah, I had been building cyber range events for years. I mean, we’re talking putting 17, 000 people through experiences from all industry backgrounds, public, private sector, as well as military governments and with that many live fire scenarios, I had seen it all, all sorts of unique and obscure ways really on response tactics and crisis handling. Literally seeing leaders throw their hands up in the air and say, you know what, that’s it. I’m done. I can’t I’d leave at this point. Um, or i’d have team members try and use social media to communicate with their team members during a crisis No judgment there, but maybe a bit of coaching and some backup plans adjusted Um, and you know an after action report needed that we can work through that, you know I probably experienced an analyst worst day. I don’t know a dozen times a week. So it kind of Got that chance to understand what it really means when you’re dealing with it.
Dave Bittner: Yeah, I mean that’s really interesting. It sounds to me like Uh almost being in a situation of being able to bring order to chaos.
Allison Ritter: Yeah. Yeah, you’re totally right there You know, and I I think one thing is really about I was practicing this game over and over. Um, and I really wanted to get a chance to play in a real sport and really get to it. I mean, have you, Dave, have you ever played a sport?
Dave Bittner: Well, I was much more of a theater kid, but I did have one season, uh, a very unsuccessful participation in my high school lacrosse team.
Allison Ritter: I mean, you were probably doing the practicing there and then maybe you thought, Oh, I want to get out. on the field to actually play the game. For me, that’s what it really was about, was sort of getting out and just really playing that and understanding what it would feel like to really get out and play that game.
Dave Bittner: Well, and I suspect, I mean, you were, you were then very well prepared because you had practiced this emotional place, you know, having a calm state of mind when everything is happening so rapidly around you, that must serve you well.
Allison Ritter: Yeah, you’re right. You know, and there were urgent fires that happened throughout my time. That’s always what we’re sort of dealing with things that do occur. Um, when you have alerts coming in 24/7, 365. Um, but it was about taking a step back and understanding those moments of how do you handle the critical situation and it did feel like that sort of riding a bike where you can just kind of get back on and go, because I’ve had that practice of going through, um, and rehearsing it multiple times.
Dave Bittner: Well, why do you suppose that simulations are really a useful tool here? What’s the advantage of taking that route?
Allison Ritter: Most SOC and IR teams really build their talent, it seems, in three different ways, learning on the job, taking cybersecurity courses and certifications, and then training in open source labs. Learning on the job. That’s a real tough one in our space right in order to actually learn to handle attacks. You have to be attacked and our goal is to avoid that. So in a cyber range, you get a little bit of a different stake in that that you can now get attacked several times a day with cyber security courses. There’s only really so much you can read about before you really need to sit in a seat and fully understand playing the game of cyber and cyber labs, I mean, those give hands on experiences, but you’re usually using open source tools and kind of like many challenges that are really meant for individuals. There isn’t really this aspect of team play, which to me is the critical component to working as a team in a SOC.
Dave Bittner: Can we dig into that? I mean, I think historically, lots of folks think of cybersecurity as having had this history of kind of individual rock stars, you know, but it seems to me like in today’s environment, the way that the industry has matured, it’s really important for these folks to be team players.
Allison Ritter: Yeah, team play. Oh, this is probably the most important part of incident response and sock work. Um, it really is a team sport. Uh, you know, it kind of seems cliche, but communication is key. Um, I’ve seen this so many times where tickets get Escalated and everyone’s expecting someone else to pick it up right to take that action and I’ve been leading and managing socks and I found the ownership of the issue and communication time and time again was just lacking their technical chops are solid. I mean, these are highly skilled members who spot pen tests and understand specific threat actors and their patterns, but the team members aren’t always willing to be the one to pick up the incident that pops up in the queue. You know, I’ll tell you a story. Often I’ve seen analysts pick up an incident and sit there for a while, right?
Allison Ritter: They have it in their queue, they’re researching, looking at it, but there’s no communication out to the rest of the team on what’s happening. And when I go and ask about it, it’s often, well, they aren’t exactly sure how to escalate or who to communicate these items to, right? They fully understand the details of what the alert was about, but getting the details written up, the escalation button pushed, that’s where they would freeze up and we have to be able to empower our teams during this part. We don’t want them to be afraid to push that big red button. They need to know both ways. If they push it and it ends up being nothing, they aren’t going to get in trouble. We have a process for handling false positives. In my world of simulation, that’s red herrings and they need to know the steps for getting a hold of the proper escalation channels and getting those issues over the finish line.
Dave Bittner: Well, let’s talk some about Cyberbit and the specifics about the types of things that you and your colleagues do there.
Allison Ritter: Yeah, Cyberbit is a skill development platform for cyber operators and executives. It tests teams in live incident scenarios, um, and helps security leaders build extremely high performing teams. Our approach is that performance is driven by ongoing simulation of real world scenarios, as realistic as it gets. So we put a lot of emphasis on including real attacks like APTs, the latest ransomware strengths and we have a team of researchers that are constantly looking for the next attack so we can simulate it and create it in an exercise for teams to go through and understand. And the product itself really does include three components hands on lab that prepares teams for fundamental skills, a cyber range for live fire team exercises and a crisis simulator where you can drop in the executive team like CISO, CFO, CMO and exercise them and even to collaborate with the technical team going back and forth.
Dave Bittner: Now, is this a type of thing where we have to, you know, put everybody on a plane and go to someone’s cyber range?
Allison Ritter: No, no. So at this point, we are actually 100 percent sass. So you don’t have to travel to the cyber range. In fact, we spin up these massive cyber range tools in minutes. So teams can run exercises from wherever they are their office home or like my previous team, which was around the world to follow the sun model. And I know as a SOC leader how hard it is to get your teams into training when you run a 24/7 operation and we took that into account and built these simulation experiences to support all different types of schedules. Our motivator is the people. We leverage cyber range technologies to cover simulation, competition, system testing of all kinds to support organizations and their goals.
Dave Bittner: What are some of the things that you see that, that folks are most interested in? I mean, the people who you interact with, what, what data have you gathered in terms of the, the things they want to focus on and, and also how they can go about building those teams?
Allison Ritter: The most popular domain by far is incident response. These teams are the last line of defense. They need to contain an incident that’s already in progress and their skills and readiness determine whether this remains just a small phishing or malware incident, or if it becomes a material breach. As far as topics, CEOs and CISOs are always circulating around ransomware because it’s just so in the news, um, and it keeps happening and they want to be prepared for that, right? CISOs just keep getting that question. Are you prepared for ransomware? And another one that I think is, Really a hot topic now is cloud security, and it’s becoming a critical skill. We’re definitely seeing a spike in the use of our live fire cloud attack exercises this year on cloud providers.
Dave Bittner: What about the folks at a higher level, you know, the executives, board members, CEOs? How do you get them involved in this process?
Allison Ritter: We’re seeing more organizations choosing to include executive crisis simulations, not just for the executive teams. I mean, most companies already do that, but in what we call a tech and exec exercising, it’s not surprising how hard it is for sock managers or CISOs to communicate with non tech executives like CFO and CMO during an incident and you really want to be prepared for that. And as a sock manager, that was probably one of the biggest takeaways. Communication is something that we’ve just really seem to overlook and leadership will spend money on new technology, but just so often the gap lies in the communication between leadership.
Dave Bittner: You know, I’m curious with your experience as a former SOC manager, do you have any, any tips, any words of wisdom out there for other SOC managers or CISOs, you know, things that, that really, uh, help you succeed along the way?
Allison Ritter: We’re putting way too much emphasis and budget on technology before people. When you look at people, process, and technology, it’s the people who drive the processes and create the impact of the technology we buy. One of the biggest problem areas I faced in managing a SOC was the communication between analysts and leaders and in a crisis, that communication needs to be ironed out. And you really need to trust your team. If you kick the ball to one player, you need to know they know exactly how and when to kick that ball back. I’ve learned time and time again that without investing in great teams, there’s no use for tech. So my tip is, build a great team, invest in your talent, and the rest will follow.
Dave Bittner: That’s Allison Ritter, Senior Product Manager at Cyberbit.
About Cyberbit
Cyberbit provides hands-on cybersecurity education and training and addresses the global cybersecurity skill gap through its world-leading cyber range platform. Colleges and universities use Cyberbit Range to increase student enrollment and retention, train industry organizations, and position their institutions as regional cybersecurity hubs by providing simulation-based learning and training. The Cyberbit Range platform delivers a hyper-realistic experience that immerses learners in a virtual security operations center (SOC), where they use real-world security tools to respond to real-world, simulated cyberattacks. As a result, it prepares students for their careers in cybersecurity from day-one after graduation and reduces the need to learn on the job. Cyberbit delivers over 1000,000 training sessions annually across 5 continents. Customers include Fortune 500 companies, MSSPs, system integrators, higher education institutions and governments. Cyberbit is headquartered in the US, with offices in Europe, and Asia.