A few decades back, penetration testing was considered a highly effective control that CISOs would swear by.
It sounded simple enough:
Hire an experienced security professional to try and break your defenses once or twice a year.
Get a result and patch the findings in the report.
Rinse and Repeat
Unfortunately, the speed at which cybercriminals now operate has rendered penetration testing an almost obsolete control. While it is still being used, it is suitable only for ticking off compliance requirements for standards like PC DSS rather than an effective way of finding your security weak points.
CISOs have realized this and moved towards the concept of red and blue teaming. In this model, one team assumes the role of an attacker (i.e. the red team) while the other defends against the attacks (i.e. the blue)
By one team taking the offensive role using real-world adversarial attacks and the other defending, CISOs can get a much better position on their weaknesses and the effectiveness of their controls.
However, one problem that regularly crops up is the disconnect between the two teams. For most companies, the Red and Blue teams are separate entities, with an internal team assuming the Blue team role. At the same time, a third party might be hired to carry out the red team role ( this might be internal for larger companies). There is no continuous feedback loop, and thus no constant improvement. Additionally, they are not working together but against each other to meet their goals, i.e., breaching or protecting the network. The red beam is judged by if they were able to defeat the blue team and vice versa.
To maximize impact, red and blue teams must work together on an ongoing basis in the concept of a purple team.
Purple team - Taking security testing to the next level
As the name implies, the Purple team is a combination of Red and Blue teams in which they both work together and provide continual feedback to each other. Instead of trying to “one-up” each other, the offensive and defensive teams are both working towards a common goal which is to improve the security posture.
Some of the key benefits that can be realized with Purple teaming are:
Knowledge transfer: With both teams working together, the offensive and defensive teams can regularly switch roles leading to a knowledge transfer and lack of dependency on one team. This also helps in keeping the methods from getting stale, as one group might be able to discover attacks or responses that the other team needs to be made aware of.
Culture improvement: Purple team, as mentioned, fosters a collaborative culture that significantly improves the overall productivity of the security team. By removing the competitive elements, the teams can focus on improving the efficiency of the security controls in a fun and interactive way.
Cost-effectiveness: By combining both activities under one team, CISOs can make more effective use of their security budgets and reduce dependency on costly third parties. This also helps in succession planning, as turnover in one team can be compensated by the other.
Is purpose teaming the way forward?
Purple teaming can be seen as an evolution of pentesting into a lean, effective methodology that increases the effectiveness of security testing while enhancing productivity. Removing the competitive element fosters a collaborative culture giving both groups insights into how to improve their attacks and defenses. Cybercriminals do not operate in silos but instead share threat information between themselves to enhance their attacks, and cybersecurity teams must do the same.
If you are a CISO and still working on the pentest or red/blue team model, then purple teaming is the perfect opportunity for you to upskill and upgrade your security teams and processes.
Commentaires