What will it take to close the gap between the red team & blue team?

And why it’s time to harness the power of purple team automation

Modern militaries have been known to galvanize opposing forces during defense-offense exercises to increase a unit’s success rate. The U.S. Air Force, for instance, works with fighter squadrons that act as the red team and use the Tactics, Techniques and Procedures (TTPs) of an attack force.

In a world where winning and losing are the two ends of the spectrum, these exercises create a classic offense-defense paradigm. In theory, this is supposed to help the defending blue team improve its defense in the face of an enemy. In practice, well, that’s another story.

Red team – blue team exercises gaining popularity in the enterprise world
In the enterprise world, simulated red team – blue team cyber exercises are commonplace and have been growing in popularity for over a decade. Similar to militaries, they harness opposing forces to dramatically increase an organization’s cybersecurity posture. A hired red team, in theory, is supposed to create training exercises for the blue team for continuous improvement. They are supposed to improve the blue team’s competence and strengthen the security stack.

Red team – blue team dissonance
In reality, red teamers are usually more ‘hard core’ and find it hard to collaborate with their blue partners. Secondly, although they can boast success at exposing some threats, they often fall short of delivering an ongoing offensive-defensive strategy for defusing threats, due to a problematic time gap between completed tests. Even organizations strapped with budgets for internal teams find it hard to administer the right TTPs.

Enter the purple team era
To defuse the tension and round out the polarized points between the red and blue teams, a middle ground was created. The Purple Team emerged to make it possible for ideas, observations and insights to be traded between the teams. Purple teams are ideally groups that aim to maximize the effectiveness of red teams and blue teams. They offer a framework for collaboration, along with support and guidance to the blue team during offense-defense exercises, based on red team recommendations.

Beyond a nice idea, purple teams are becoming a necessity. They’re needed for protecting critical assets against threat attacks that can work around security control systems, in particular APTs (Advanced Persistent Threats). To get them to work synergistically, a purple team can focus both the red team’s and the blue team’s efforts into one fluid process that runs in a continuous loop. But for a purple team to do its job correctly, it is not enough just to combine the efforts of both teams. To create the optimal security flow, it needs a 360-degree view of its environment, in real time, 24×7.

The only option is an automated purple team working constantly 24×7, beyond the guiding hand of a human mediator.

A case for automated purple teaming
For a purple team to do its job correctly, it is not enough just to combine the efforts of both red and blue teams; it needs a 360-degree view of its environment, in real time. The only option is an automated purple team that runs constantly 24×7, beyond the guiding hand of a human resource.

With an automated purple team running continuously, organizations will finally be able to follow prioritized remediation guidelines and know as soon as an issue has been resolved. The move to automation gives organizations a worm’s eye view into new back doors and blind spots as soon as they appear, so they can remediate them without delay.

Combining the best of all worlds, an effective automated purple team can improve the security of all critical assets through 24×7 real-time exposure, and automatically deliver prioritized and actionable remediation without disrupting networks and users’ day-to-day activity. Addressing real user behavior and exploits, it can deliver a big lift in digital hygiene. By doing so, the automated purple team will enable organizations to bolt the windows, as well as insert a lock on the cyber door.