Orlando’s FS-ISAC Americas Spring Summit was an exhilarating experience with too many great speakers to count. For those who could not attend, I decided to summarize my own presentation, “Securing & Accelerating Cybersecurity with Purple Teaming.”
So, without further ado, here we go!
Purple teaming brings together two disparate teams into one.
In the old adversarial model, where the two teams were kept separate, Blue Teams often viewed Red Teams as finding all the flaws but then failing to educate them or provide prescriptive feedback on how to fix and remediate. Blue Teamers also often felt that the Red Teams did not understand the infrastructure they were testing well enough to be thorough.
By combining the teams in collaboration and in goals, they can more effectively find the flaws, gaps, and misconfigurations and, more importantly, optimize security defenses to reduce the risk around them. As a result, the security team also becomes a more integral part of day-to-day IT operations, as a partner and an enabler.
Purple teaming combines the capabilities and knowledge of both blue and red teams. The information these two teams can gather with the right framework when collaborating can ultimately empower security professionals and leaders to manage, know and control their cybersecurity posture end-to-end and achieve near real-time closing of identified security gaps.
Purple teaming’s ultimate goal is to acquire the ability to visualize, understand and analyze all elements of your security posture. From both defensive and offensive perspectives, it should provide overarching confidence in making decisions about the optimal actions to take in order to solidify your security posture and prevent security drift, while allowing for business operation optimization.
Purple teaming focuses on hardening the security posture far beyond the basic requirement of checking boxes for compliance purposes. At its core, the purple team is combining the traditional reactive defensive methods of a blue team with the insights gained from proactive offensive validation techniques typically used by penetration testers and red teams.
The resulting assessments are far more thorough, and the blue and red team collaboration from the start promotes a smooth implementation of the uncovered required mitigations.
When run in tandem with continuous security validation techniques, purple teaming integrated with day-to-day IT and DevOps deployments acts as an enabler by accelerating business goals while simultaneously reducing risk.
To evaluate how relevant it would be for you to consider adding purple teaming capabilities, it might be useful to ask a few questions about the relevance of purple teaming for your organization, given your existing security infrastructure.
So, let’s start by having a look at the questions that might justify opting for purple teaming when looking at the security validation options.
Even if satisfying the regulators might limit the fines for non-compliance, it will not deter malicious actors from launching attacks, and, if successful, these attacks might carry heavy costs ranging from loss of IP to damages to users, and, of course, all the cost associated with business interruption, reputational damages, loss of clients, etc.
If your goal is to improve security, then periodic pen testing or red teaming exercises will only go so far:
As news of catastrophic breaches becomes a staple of the regular newscast, awareness of the potential cost of such breaches has driven growth in cybersecurity budgets. Because the chronic shortage of skilled cybersecurity professionals is nowhere near being solved, it is tempting to rush to buy new tools, preferably with AI, ML, and lots of automation, to shore up security. Yet the problems with adding new tools are that:
So, deciding which tool to add, and why, using relevant data harmonized across the blue and red teams is critical to selecting the right tools. A bonus of focusing on optimizing and rationalizing the existing array of solutions, instead of adding more to it, is that it may reveal overlapping tools whose budget can be redirected to tools that cover previously undetected missing capabilities.
Security drift is what happens when you are not looking. When red teaming or pen testing is only performed periodically, the tendency is to rely on the security posture estimated at validation time and to assume it remains stable until the next validation.
Yet, as both the cyber-threat landscape and your environment architecture are in constant evolution, this reliance on static data is dangerously misleading.
In today’s constantly shifting reality, the risk of drifting from a secure posture into a perilous one can only be avoided through continuous security validation and recalibration of security controls based on hard data.
Now we have a better idea of the underlying reasons behind the decision to adopt purple teaming. Next week, we will explore more in-depth the additional benefits derived from the purple teaming built-in effect of breaking the walls between cybersecurity, IT & DevOps, and Business/Executive teams.
----
Learn more about Pro-Active Purple Teaming. Get a free trial to see our open attack framework, which allows you to craft and automate red and purple team exercises to leverage and scale adversarial expertise.
Dave Klein is the Director of Cyber Evangelism for Cymulate. With more than 21 years of real-world cybersecurity experience, he works with Cymulate teams, customers and industry thought leaders to address the challenges of securing modern enterprise environments. Dave’s long career includes working on the NIST response to President Obama’s Policy Directive 21 on Critical Infrastructure Security and Resilience, leading some of the largest sales engagements for US Federal security solutions, and working with the City of New York post 9/11, helping shore up cyber defenses.