How Purple Teams optimize security effectiveness

Today’s columnists Brian Contos and Evan Pena of Mandiant say that, in the same way Henry Ford’s assembly line drove mass production, automation through Purple Teaming will improve security and threat intelligence.

Throughout history, industrialization has transformed how we live and the way we build products by enabling mass production and cost-effectiveness. Examples of how industrialization has impacted the world include Joseph Jacquard’s automated loom, invented in 1804, which used a precursor to computer punch cards to automate pattern weaving, and Henry Ford’s assembly line, which, once successfully deployed in 1913, reduced automobile production time from 12 hours to just over half an hour per vehicle.

Today, we are witnessing the industrialization of cybersecurity as companies combat the onslaught of cybercrime – which itself has undergone industrialization in the form of specialized and scalable capabilities for malware development, bot herding, ransomware for hire, victim shaming, and money laundering. The industrialization of cybersecurity has become critical in an area that’s now a leadership imperative across organizations, where decisions on where to invest impact operations, risk, and shareholder value. This applies to how security teams measure and assess security controls, optimize performance, continuously improve, and report to business leadership with empirical evidence on security effectiveness. In other words, industrialization of the capabilities performed by Red and Blue Teams has become an important business requirement.

Industrialization and Purple Teams

Red Teams test security effectiveness to gain an understanding of where an organization’s weaknesses lie. Traditionally, this has been performed with penetration testing and attacker simulation solutions, which can miss a significant portion of security events and don’t always deliver accurate results. Blue Teams take the data provided by Red Teams and remediate where needed to optimize security effectiveness. However, when only a fraction of attacks are detected, Blue Teams can’t properly tune controls or discover gaps and vulnerabilities. Additionally, given that Red and Blue Teams have typically performed their functions in a siloed, manual fashion, the extra time and resources required have made the entire process inefficient and lengthy.

Now, with next-generation security validation platforms that automate many of the capabilities of both teams, Red and Blue Teams can work in a more symbiotic fashion, called Purple Teaming. They can handle more strategic security initiatives that minimize risk and strengthen operational competency. Much like how Henry Ford’s assembly line optimized automobile production and made Ford an automotive giant, validation platforms optimize testing within the company’s environment by automating validation tests and integrating detailed threat intelligence. This lets Red Teamers function in a more meaningful way, testing controls to gain a real-world understanding of how the security stack performs against the threats most likely to target the company. For Blue Teams, automation delivers prescriptive analytics that determine what steps to take to optimize effectiveness.

Companies can realize the benefits of Purple Teaming by ensuring that five critical areas are automated and performed on a continuous basis:

  • Leverage threat intelligence to prioritize the most relevant threats.

Prioritizing how and what to test requires intelligence about which threats are most relevant to the company. Security teams should treat threat intelligence not as retrospective analysis but as data that informs what attackers will likely do next, whom they will target and what methods they will use. As the first step in the validation process, threat intelligence reveals the threats security teams should focus on most and the behaviors against which the platform should be testing.

  • Measure effectiveness of controls against known adversaries.

Assessing how the security stack performs against those most relevant attacks requires testing across the full lifecycle of the attack kill chain. Real attacks executed safely in the environment are necessary to measure the true effectiveness of security controls. This includes evaluating how people, processes, and technologies work together against both adversary techniques and technical attacks.

  • Improve effectiveness through optimization.

Treat the optimization of controls, based on the gaps and shortcomings revealed in the measurement stage, as an ongoing process. Once controls are optimized, continuous testing will maintain a good baseline and deliver quantitative results that demonstrate the value of security to the company’s operations and risk posture.

  • Rationalize security investments to demonstrate value.

By rationalizing security investments, security teams can demonstrate with proof how the addition or removal of controls will impact performance and the company’s risk profile. Once controls are optimized, security leaders can use testing data to demonstrate an improvement in value over time. Equally important, companies can pinpoint where overlaps exist and find ways to cut costs without impacting risk.

  • Continuously monitor for environmental drift.

Changes naturally occur in the IT environment, and those changes may affect security performance. To ensure cyber defenses are not weakened, it’s critical to continually monitor and measure effectiveness. The completion of steps one through four gives security teams a baseline against which to conduct ongoing testing, so that effectiveness stays optimal as these changes occur.
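As an added illustration, not code from the column or from Mandiant, the following Python scorer shows how the outcomes of the five steps above can be computed over the results of one validation run: priority-weighted prevention and detection rates per kill-chain stage (steps one and two), the high-priority gaps to optimize first (step three), techniques stopped by more than one control as candidates for rationalization (step four), and regressions between a baseline run and a later run (step five). The kill-chain stage names, control names, test outcomes and priorities are all constructed sample data, and the weighting scheme is an assumption of this example.

```python
"""Added example (not the column's or Mandiant's code): a minimal scorer for
continuous security-validation runs. Every result below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class TestResult:
    technique: str                   # emulated adversary behaviour (constructed name)
    stage: str                       # kill-chain stage the test exercises
    priority: int                    # 1 (most relevant) .. 3, from threat intelligence
    prevented: bool                  # a control blocked the action
    detected: bool                   # an alert was raised
    controls: Tuple[str, ...] = ()   # controls that fired


def weight(r: TestResult) -> int:
    """Assumed weighting: priority 1 counts 3x, priority 2 counts 2x, priority 3 counts 1x."""
    return 4 - r.priority


def effectiveness(results: List[TestResult]) -> Dict[str, Dict[str, float]]:
    """Priority-weighted prevention and detection rate per stage, plus an overall figure."""
    buckets: Dict[str, List[TestResult]] = {}
    for r in results:
        buckets.setdefault(r.stage, []).append(r)
    buckets["overall"] = list(results)
    scores: Dict[str, Dict[str, float]] = {}
    for stage, rs in buckets.items():
        total = sum(weight(r) for r in rs)
        scores[stage] = {
            "prevented": round(sum(weight(r) for r in rs if r.prevented) / total, 3),
            "detected": round(sum(weight(r) for r in rs if r.detected) / total, 3),
        }
    return scores


def gaps(results: List[TestResult], max_priority: int = 1) -> List[str]:
    """Tests at or above the given priority that were neither prevented nor detected."""
    return sorted(r.technique for r in results
                  if r.priority <= max_priority and not (r.prevented or r.detected))


def overlaps(results: List[TestResult]) -> Dict[str, Tuple[str, ...]]:
    """Techniques blocked by more than one control: candidates for rationalization."""
    return {r.technique: r.controls for r in results if r.prevented and len(r.controls) > 1}


def drift(baseline: List[TestResult], current: List[TestResult]) -> List[str]:
    """Techniques whose outcome regressed between two runs (environmental drift)."""
    before = {r.technique: r for r in baseline}
    regressions = []
    for r in current:
        b = before.get(r.technique)
        if b is None:
            continue  # new test, nothing to compare against
        if (b.prevented and not r.prevented) or (b.detected and not r.detected):
            regressions.append(r.technique)
    return sorted(regressions)


# Constructed baseline run (step two) and a later run after a policy change.
BASELINE = [
    TestResult("phishing attachment", "delivery", 1, True, True, ("mail-gateway", "endpoint-av")),
    TestResult("macro execution", "exploitation", 1, True, True, ("endpoint-edr",)),
    TestResult("credential dumping", "actions-on-objectives", 1, False, True, ("endpoint-edr",)),
    TestResult("dns tunnelling", "command-and-control", 2, False, False, ()),
    TestResult("port scan", "reconnaissance", 3, False, True, ("ids",)),
]
LATER_RUN = [
    TestResult("phishing attachment", "delivery", 1, True, True, ("mail-gateway", "endpoint-av")),
    TestResult("macro execution", "exploitation", 1, False, True, ("endpoint-edr",)),  # regressed
    TestResult("credential dumping", "actions-on-objectives", 1, False, True, ("endpoint-edr",)),
    TestResult("dns tunnelling", "command-and-control", 2, False, True, ("dns-monitor",)),  # improved
    TestResult("port scan", "reconnaissance", 3, False, True, ("ids",)),
]

if __name__ == "__main__":
    print("baseline:", effectiveness(BASELINE)["overall"])
    print("gaps (priority <= 2):", gaps(BASELINE, 2))
    print("overlapping controls:", overlaps(BASELINE))
    print("regressions in later run:", drift(BASELINE, LATER_RUN))
```

The overall score is only a summary; the per-stage breakdown is what tells a Blue Team where in the kill chain a control gap sits, and the drift list is the signal that a baseline established in steps one through four has been invalidated by a change in the environment.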

Industrialization has improved our lives and how businesses operate for centuries. As we in the cybersecurity industry continue to work together to make the world safer and more secure, industrialization of various functions and capabilities through automation, specialized tools, and process improvements is critical. Security validation and the collaborative work of Red and Blue Teams is one area where industrialization, culminating in Purple Teams, delivers tremendous value.

Brian Contos, vice president and CISO, Mandiant; Evan Pena, director, Global Red Team, Mandiant

Brian Contos and Evan Pena

With two IPOs and eight acquisitions, Brian has helped build some of the most successful security companies in the world. He has over 25 years in the security industry as a security company entrepreneur, board advisor, investor, and author. After getting his start with the Defense Information Systems Agency (DISA) and later Bell Labs, Brian began building security startups and taking multiple companies through successful IPOs and acquisitions, including Riptech, ArcSight, Imperva, McAfee, Solera Networks, Cylance, JASK, Verodin, and Mandiant.

Brian has worked in over 50 countries across six continents. He authored the book Enemy at the Water Cooler, and he co-authored Physical & Logical Security Convergence with former NSA Deputy Director William Crowell. He was featured in the cyberwar documentary 5 Eyes alongside General Michael Hayden, former NSA and CIA Director. Brian has written for and been interviewed by the security and business press and regularly presents at conferences worldwide such as Black Hat, RSA, GITEX Global and BSides.
