CAMBRIDGE, Ma. – IBM cut the ribbon on its new global security headquarters Wednesday that will also serve as command center for its just announced X-Force Incident Response and Intelligence Services. The centerpiece of the new 153,000-sqft facility is the company’s Cyber Range which IBM bills as a first-of-its kind commercial cyber-threat simulator.
“This is a full-fledged cyber-security war room where we can put clients in the middle of a cyber threat and let them experience what it’s like and what it takes to defend against malware, APTs, DDoS and many other attacks,” Caleb Barlow, vice president of security at IBM, told Threatpost.
Wendi Whitmore, global lead, of the newly created X-Force IRIS, said her team and the Cyber Range was an attempt to boost readiness for clients and any company faced with the ever-growing number of threats. Citing statistics from a Ponemon Institute study sponsored by IBM released Wednesday, she said that 75 percent of organizations have no formal cyber security incident response plan.
“Cyber threats have been a reality for decades, but for organizations the risks have never been more prevalent. There are the actual risks and reputational damage that businesses face along with an increase in the regulations and notification requirements,” Whitmore told Threatpost. “The best way we see organizations maturing is practicing and testing and finding where security gaps are and closing them before companies actually have to face a real-life event.”
That was a sentiment echoed by Lucy Ziobro, a section chief with the FBI Cyber Division, who spoke briefly at the opening event. “I have to go to a (gun) range four times a year to qualify my weapon and that’s something corporations should consider. When you deal with cyber threats, you have to practice it and get better,” she said.
IBM’s Cyber Range consists of an air-gapped environment where participants take control of a fake Fortune 100 company. Over the course of a day-long simulated attack, clients are exposed to live malware, data exfiltration attempts and face real-world attack tools. The range consists of a dimly lit command center with three rows of 36 iMac workstations facing a massive 24-foot-by-6 foot LCD display. IBM says it has built a cloud, IoT, server and workstation environment for the mock company.
On the backend is a massive air-gapped physical and virtual server and desktop environment. With the push of a button, IBM says, it can place up to a petabyte of data simulating the mock Fortune 100 company’s activities that can scale to thousands of servers.
Barlow said the mock company can be easily morphed into a number of different sectors from banking, energy or manufacturing and can include firms with IoT devices and even supply chain partners. “In this environment we can control how much normal stuff is going on in the company,” he said. That includes events such as thousands of people sending and receiving emails, but also risky events such as employees losing passwords or having an iPhone lost or stolen.
Through the course of the simulation, IBM injects attacks that simulate what an APT gang might use, or a DDoS attack such as the latest variant of the Mirai malware.
“Based on the skill level of who is coming in, we can dial up or dial down the attack. But attacks play out based on the decisions the participants make. So if they make a bad call, we can see the consequences of that decision. On the same front, if we have a group of experienced operators we can throw a whole lot more at them as opposed to a bunch of C-level executives that have never had any exposure to a cyber threat before,” Barlow said, adding that this is the first at-scale simulator in the private sector.
“These ranges do exist in the military and with military contractors, but those are focused on testing military tools,” Barlow said. “Nobody has ever done anything like this.”
According to Barlow defensive tools aren’t limited to IBM solutions. “We can put any tools in there we want, including non-IBM tools. Clients can just as easily bring in a partners tool or a competitors tool. The reality is we all work in heterogeneous environments all the time and we want this simulation to be as real as possible.”
But some attendees were skeptical about IBM’s unbiased approach. “I have never seen a more impressive lab for raising cyber readiness awareness against attacks. But I’m less convinced it’s going to be a place to learn about non-IBM competitive solutions,” said an IBM customer and IT security professional attending the event that asked not to be identified.
Other security professionals said this will go a long way to convince C-level executives within organizations to understand the gap that exists between IT operations and their security teams.