Purple Team: Where Red and Blue Teams Meet

by Maya Schirmann, VP Marketing, XM Cyber

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

― Sun Tzu, The Art of War

For millennia, military strategists around the world have recognized that thinking like the enemy is one of the best ways to anticipate what the enemy will do, and so to defeat them. With the number of attacks rising year over year, traditional lines of defense are no longer good enough. Breaches appear everywhere and attackers steadily advance, so no organization should neglect approaches that look at its defenses from the attacker’s viewpoint.

Proactive security strategies

A growing number of organizations recognize that a proactive security strategy is one of the best defenses. You need to see where threats are coming from, how an attacker could move within your network and where the gaps in your defenses are, and then close those gaps before attackers take advantage of them.

To become proactive on the security front, you need to identify in advance the attack vectors that will be used and remediate security issues as they arise, before they are exploited. That calls for a continuously running campaign of tests against your current defenses, with simulations in your real environment: this is where breach and attack simulation comes in. Generally, an organization does not learn exactly where its defenses were vulnerable until the attack comes, by which time it is too late to fix them. If you test your security continually, you can uncover the attack paths and remedy those failings before attackers discover them. That is the difference between proactive and reactive.

Modern militaries have long fielded opposing forces in defense and offense exercises to raise a unit’s success rate. The U.S. Air Force, for instance, maintains dedicated “aggressor” fighter squadrons, the red team, that emulate the Tactics, Techniques, and Procedures (TTPs) of an attacking force.

Cybersecurity, for many firms, has started to resemble a military drill. It really is a war zone out there, and only the latest proactive practices and processes will keep you from defeat. Militaries keep their soldiers on their toes by continuously running wargames; cybersecurity teams should do the same by running simulated cyber-attacks.

Entering the automated purple team era

By mimicking enemy tactics, the red teams make the blue teams better at defense. At least, that was the idea. The red/blue approach fits well with a structured, episodic win/lose paradigm of defense—like an air battle. One side attacks. The other defends. Then, it’s over and there’s a discussion of what worked and what didn’t. The blue team gets busy improving their defenses for next time.

A newer approach, known as “purple teaming”, has emerged as a middle ground. A purple team blends the activities of the red and blue teams, letting attack and defense exchange ideas, observations and insights more productively than the “us vs. them” ethos of a red/blue battle allows.

An automated purple team amplifies the advantage of this approach: it can continuously simulate attacks, including the multi-step campaigns of Advanced Persistent Threats (APTs), validate the results and produce a remediation plan that cuts the attacker’s path(s) to critical assets. It never stops running the red/blue cycle and augments the team’s tool kit. That matters because user activity, network infrastructure, network settings and patch levels change constantly in real-world IT.

Vulnerabilities open and close around the clock, and they are best detected and addressed promptly. Doing that manually is not humanly possible, but correctly built software can and should perform these tasks to aid in the fight against APTs.

With an automated purple team running continuously, organizations can finally follow prioritized remediation guidelines and know as soon as an issue has been resolved. Automation gives them an inside view of new back doors and blind spots as soon as they appear, so they can move to remediate them immediately.
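The attack-path discovery described in the breach and attack simulation paragraph above, and the prioritized remediation described here, can be illustrated with a small graph model. The following Python is an added example, not XM Cyber’s code or part of the original article; the environment, host names and technique labels are constructed for illustration. Hosts and identities are nodes, each edge is a relationship an attacker could exploit (labelled with the technique that enables it), and every candidate fix is scored by how many entry-point-to-critical-asset paths it eliminates.

```python
from collections import defaultdict

# Constructed sample environment (an assumption for this example, not data
# from the article). A directed edge (src, dst, technique) means an attacker
# who controls src can reach dst by using the named technique.
SAMPLE_EDGES = [
    ("phish-workstation", "file-server", "smb-reuse-local-admin"),
    ("phish-workstation", "jump-host", "rdp-cached-creds"),
    ("file-server", "jump-host", "rdp-cached-creds"),
    ("jump-host", "domain-controller", "kerberoast-svc-account"),
    ("jump-host", "crm-db", "db-weak-password"),
    ("file-server", "crm-db", "db-weak-password"),
    ("vendor-vpn", "jump-host", "rdp-cached-creds"),
    ("vendor-vpn", "unrelated-host", "cve-unpatched"),
]
ENTRY_POINTS = {"phish-workstation", "vendor-vpn"}      # where a breach starts
CRITICAL_ASSETS = {"domain-controller", "crm-db"}      # what must be protected


def build_graph(edges):
    """Adjacency list: node -> list of (next_node, technique)."""
    graph = defaultdict(list)
    for src, dst, technique in edges:
        graph[src].append((dst, technique))
    return graph


def find_attack_paths(edges, entry_points, critical_assets, max_depth=8):
    """Enumerate simple paths from any entry point to any critical asset.

    Depth-first search with the current path as the visited set, so no node
    repeats within a path. The walk stops as soon as a critical asset is
    reached, so each path ends at exactly one asset. max_depth bounds the
    search on large graphs.
    """
    graph = build_graph(edges)
    paths = []

    def walk(node, path):
        if node in critical_assets:
            paths.append(list(path))
            return
        if len(path) > max_depth:
            return
        for nxt, _technique in graph[node]:
            if nxt in path:
                continue
            path.append(nxt)
            walk(nxt, path)
            path.pop()

    for entry in sorted(entry_points):
        walk(entry, [entry])
    return paths


def prioritize_remediations(edges, entry_points, critical_assets):
    """Rank fixes by how many attack paths each one removes.

    Two kinds of fix are simulated: eliminating one technique everywhere
    (e.g. clearing cached RDP credentials on every host) and hardening one
    intermediate host (removing the node and all its edges). Returns a list
    of (kind, name, paths_removed) sorted from most to least effective.
    """
    baseline = len(find_attack_paths(edges, entry_points, critical_assets))
    results = []
    for technique in sorted({t for _, _, t in edges}):
        remaining = [e for e in edges if e[2] != technique]
        left = len(find_attack_paths(remaining, entry_points, critical_assets))
        results.append(("technique", technique, baseline - left))
    intermediates = {n for e in edges for n in e[:2]} - entry_points - critical_assets
    for node in sorted(intermediates):
        remaining = [e for e in edges if node not in e[:2]]
        left = len(find_attack_paths(remaining, entry_points, critical_assets))
        results.append(("host", node, baseline - left))
    results.sort(key=lambda r: (-r[2], r[0], r[1]))
    return results


if __name__ == "__main__":
    for path in find_attack_paths(SAMPLE_EDGES, ENTRY_POINTS, CRITICAL_ASSETS):
        print(" -> ".join(path))
    print()
    for kind, name, removed in prioritize_remediations(
        SAMPLE_EDGES, ENTRY_POINTS, CRITICAL_ASSETS
    ):
        print(f"{kind:9} {name:24} removes {removed} path(s)")
```

On the constructed sample the scoring surfaces a choke point: hardening jump-host, or clearing cached RDP credentials everywhere, removes six of the seven paths to critical assets, while patching the unrelated host removes none, even though a severity-only vulnerability list might rank that CVE first. Re-running the two functions every time the inventory of hosts, credentials or patch levels changes is the continuous loop the text describes; a real platform additionally validates each edge by actually attempting the technique rather than trusting the model.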

Combining the best of all worlds, an effective automated purple team can improve the security of all critical assets through 24×7 real-time exposure assessment, and automatically deliver prioritized, actionable remediation without disrupting networks or users’ day-to-day activity. By addressing real user behavior, security vulnerabilities and shadow IT, it delivers a big lift in digital hygiene. In doing so, the automated purple team enables organizations to bolt the windows as well as put a lock on the cyber door.

About the Author

Maya Schirmann is the VP Marketing of XM Cyber. With over 15 years of extensive experience as a marketing, strategy, and sales executive, Maya Schirmann has a proven track record in creating markets and guiding technology corporations to market leadership positions. Prior to XM Cyber, Ms. Schirmann served as CMO of the cybersecurity company Deep Instinct. She also held various senior strategic marketing and sales positions with Amdocs and Comverse, where she led the launch of innovative products and services and oversaw large complex deals with global telecom operators. Ms. Schirmann originally hails from France, where she worked for telecom operator SFR, leading the successful launches of numerous innovative services including the first mobile email, MMS, and Vodafone Live. She holds an M.Sc. in Mathematics from Jussieu Paris 7 University. Maya can be reached online at maya.schirmann@xmcyber.com and at our company website https://xmcyber.com/