DCInno | 06.19.15
On Wednesday, Columbia, Md.-based cybersecurity firm Chiron Technology Services secured a federal contract in excess of $10.7 million to help prevent and better detect cyberattacks leveled against the U.S. government. Chiron, however, unlike a cohort of other federal cybersecurity software contractors and larger IT corporations, focuses on a different aspect of the security dilemma: the training of security personnel.
The multi-million dollar contract was specifically for the development of a secure IT system for the government.
Chiron's training program is part of a growing segment of the cybersecurity industry that, while talked about less, remains immensely important in reacting to data breaches like that of OPM. In the OPM attack, which reportedly breached the network in March 2014, the agency originally believed it had completely inhibited the attack.
Though Chiron offers some software services, one of the company's main focuses is on creating the next class of top-flight cybersecurity professionals. It offers specially tailored, multi-discipline off-site and on-site security training classes. At a base level, Chiron believes that software and hardware innovation can only go so far and that the skill of individual technicians will further dictate whether a hacker can successfully disrupt a network.
The company claims that its clients include the NSA, Department of Defense, U.S. Cyber Command and multiple Fortune 500 companies.
Training over tech
"There needs to be a proactive, not reactive approach to cyber security and that begins with relevant, operationally-focused training...Expensive hardware, software, tools won't do the job alone, it takes a human. A human with intimate knowledge of the adversary and their techniques, and most of all experience in head to head battle with them. That's what Chiron believes in...that's what we do. We train personnel to combat today's and tomorrow's threat," Chiron Technology Services Senior Partner Chad Carroll.
Carroll declined to comment on both the structure of the contract and whether specific agencies would receive any training as part of it, saying, "the details of the contract are highly confidential." He only added, "we [Chiron] are utilizing virtual machines and network resources [to] create a secure enclave on the customer's corporate network."
When I asked Carroll about the curriculum his company uses to train individuals, he described an eclectic system where students would face "real world attack scenarios utilized by attackers today." Rather than presenting static and designed cyberattack simulations, however, Chiron offers what may be considered a draconian approach where students are divided into two groups, attackers and defenders, and pitted against one another in high-stress breach scenarios.
In these cases, the students, individuals who may be security personnel from the same agency, work from opposite ends with dynamically different goals to overcome their adversaries. Sometimes this will mean playing the assailant and other times it could mean becoming the defender, but the system is nevertheless created to efficiently and effectively prepare technicians to deal with real-world attacks.
By stacking realistic human-engineered cyberattacks in real time, the idea is that personnel will become better aware of both the strengths and weaknesses of individual actors.
Carroll told DC Inno that the scenarios are valuable in terms of "understanding how the attackers infiltrate the network and maneuver throughout."
"Defenders need to understand the depth of these attack techniques in an effort to prevent future attempts...and penetration testers and vulnerability assessment analysts work to emulate these attacks," he said.
Chiron Technology Services currently employs about 100 cybersecurity professionals and has a presence in Maryland, Georgia and Florida. "We have been a long term consultant for the government and this contract win further strengthens that relationship," Carroll said.
By Chris Bing