Last week, we looked in-depth into why purple teaming may be a valuable addition to your toolset. Though that looked at the root causes that typically lead to a decision to incorporate purple teaming, it did not at all consider the many additional benefits implementing that decision will bring.
Today we discover the non-technological waterfall benefits that stem from merging the skills of the blue and red teams and adopting a proactive security posture management approach.
Breaking Down Walls Between Cyber Teams, IT & DevOps, and Business Executive Teams
Though at first glance, purple teaming seems to be the result of combining two teams, in fact, it is closer to reality to say that it combines three. Traditionally, cyber teams, IT & DevOps teams, and business executive teams work at cross-purposes. Let’s have a look at the typical priorities of each of the three-team:
- Cybersecurity
Cyber teams are blaring alert sounds at the dangers lurking out there and the need to stop everything and close all the security gaps. They expect the IT team to be gifted coding contortionists capable of bending in improbable ways and would rather slow business down to a crawl to protect business executives from having to face the aftermath of a catastrophic breach.
- IT & DevOps
IT teams love creating new software that works and would rather have their software deployed today without any “security equipment” rather than waste time in tightening Privileged Access Management, scanning images for vulnerabilities, or dot their i’s and cross their t’s when configuring security controls.
- Business/Executives
Business decision-makers and executives simply want everything to run smoothly with no business interruption and with ever-happy users and satisfied regulators. Despite their minimal mastery of the technologies involved, they are the ones tasked with arbitrating between the Cyber and IT/DevOps teams and risk getting influenced by the most articulate team leader regardless of the value of their argument.
In such a wobbly constellation, the decision-making process when it comes to security or agility depends more on the CIO and CISO’s respective ability to impact their audience than on deliberate, informed, and rational determinations.
Purple Team –– The Three-Legged Stool that Brings Success
To harmonize those conflicting goals, all teams must work together, which starts with purple teaming.
When red and blue teams work together and involve IT teams in the process, purple teaming effects are immediate and affect all three sides:
Cybersecurity
As the red and blue team merge their effort into purple teaming, the immediate effects are:
- Homogenizing cybersecurity data – with data stemming from a direct measurement of the blue team’s ability to preempt, stop or mitigate attacks, measuring cybersecurity posture can be harmonized and rely on hard data instead of the typical guesstimate of a purely blue team.
- Providing comprehensive, quantified, transparent, and up-to-date visibility of the security posture – When purple teaming is fully incorporated into the cybersecurity daily routine, the exact nature of the measurement yielded is ideal for measuring baseline and tracking trends and variance from baseline.
- Improved understanding of IT missions and pain points – When attacks are comprehensively emulated, identifying which attacks are detected and what corrective measures are taken facilitates the prioritization of vulnerability patching, as even high score vulnerabilities can be deprioritized when security controls are configured well enough to protect the infrastructure from the risk posed by that vulnerability. Conversely, lower CVSS scored CVEs can be pushed higher in the patching schedule if they are identified as posing a higher risk. When the IT team sees clearly the rationale behind an emergency patching request and knows that those are kept to a documented minimum, they are far more likely to react swiftly.
- Incorporation of IT priorities and limitations in mitigation strategy – Conversely, as blue and red teams work in tandem with the IT/DevOps team and executives, they become aware of the IT/DevOps team’s pain points and of the impact of security-based decisions on the organization operations and can incorporate these data in their decision-making process from the start, preventing frictions down the line.
The secondary, though critical, effects cover:
- Ability to visualize and explain risks in business terms – the precise metrics about security posture change the nature of discussions with executives, as they are based on measurable hard data rather than on fuzzy baselines
- Ability to demonstrate the value of both cybersecurity and IT spent – the data yielded by emulated attacks clearly shows which defensive tools are efficient, which need resources to improve configuration, which can be eliminated due to overlapping capabilities, and which capabilities are missing from the defensive tools array. The number of attacks effectively stopped or mitigated clearly demonstrates the value of cybersecurity to maintain business continuity and prevent all the costs associated with a breach. The outcomes are clearly understandable to all and viewed as valuable to the business.
- Streamlined and better-focused mitigation schedule – As emulated attacks draw attention to the ability of properly configured security controls to stop or mitigate attacks targeting specific vulnerabilities, the patching schedule can be streamlined to focus on the vulnerabilities actually increasing risk exposure regardless of their CVSS score.
- Improved collaboration between teams -As a direct result of the improved understanding of each teams’ priorities and pain points, collaboration replaces previously antagonistic siloed teams.
- Shifting further left of the security as it is incorporated into IT and DevOps processes – the combination of more accurate data, better prioritization, and goal convergence results in easing the early incorporation of security in the development process, which improves security and accelerates the overall development process.
IT & DevOps
As they are included from the beginning in the security posture solidification process, and as the red and blue teams’ collaboration translates into streamlined mitigation with a demonstrated effect, IT & DevOps teams:
- View cybersecurity as a business enabler
- Can leverage purple team data to prove the value of IT spend
- Benefit from prescriptive, accurate feedback
Business/Executives
With the cybersecurity and the IT department working hand in hand with tools that provide a comprehensive, quantified, and up-to-date overview of all security posture aspects, business decision-makers and executives can.
- Visualize and understand the risk implications
- Make informed decisions
- Ensure compliance
- Securely accelerate IT as a competitive differentiator
This gives a better understanding of the constitutive elements that enable achieving the Purple Teaming ultimate goal defined at the top of this document’s first part as creating “the ability to visualize, understand and analyze all elements of your security posture from both defensive and offensive perspectives, providing overarching confidence in making decisions about the optimal actions to take to solidify that security posture and prevent security drift, while allowing for business operation optimization.”
The next question, of course, is what is required to reach such a goal. If your curiosity has been piqued and, more importantly, your appetite for purple teaming has been wetted, come back next week to learn more about what is required to set up a purple teaming framework and reap maximum benefits.
—–
Learn more about Pro-Active Purple Teaming. Get a free trial to see our open attack framework that allows you to craft and automate red and purple team exercises to leverage and scale adversarial expertise.