Red, blue, purple – what is it all about? We’re not talking about color theory here, but about the cybersecurity approach needed to withstand and protect an organization from increasingly sophisticated threats.
The “color palette”
Depending on how mature a company is in terms of security, the “color palette” can vary. Companies that have security somewhere on their agenda typically have a blue team. Those that take security and cyber threats seriously also have a red team. And companies that view security as an integral part of their processes and mentality have these two teams working together. This collaboration is so essential that one could almost consider them a single team. It is this “purple” team that makes an organization more protected and resilient to cyber threats.
Understanding red and blue teams
For those not familiar with the terminology, the blue team is a technical security team responsible for taking measures to protect an organization from cyber threats. This includes segmentation, segregation, detection, monitoring, responding to security incidents, and essentially everything that helps build a defense against cyber threats.
In contrast, the red team is tasked with simulating attacks to identify vulnerabilities and weaknesses in an organization’s defenses. Think of it as an in-house hacking team that helps identify risks before they can be exploited by criminals. Red team activities can include phishing simulations, penetration testing, and other exercises designed to uncover weak spots in an organization’s infrastructure.
Purple teaming for proactive cybersecurity
In fact, both teams are critical to an organization’s security strategy. While blue teams are more common, red teams are often deployed from an external company to conduct annual security testing. Although third-party assessments are beneficial, having a red team embedded within the organization provides much deeper insights on a continuous basis. This also means a company can simulate a scenario of a persistent attack when hackers try for weeks or months to break through security defenses.
Integrating both teams into the organization’s security strategy is a good first step. However, many companies view these teams as working towards opposite goals. When this happens, the teams work completely separately and only report to each other as necessary. It’s a common mistake that doesn’t harness the full potential of these teams to develop a robust defense system.
In reality, their goals are the same. Blue teams aim to bolster security, and red teams work to break down those defenses, but both exist to ensure the organization can withstand the constantly evolving landscape of cyber threats. As such, the ideal approach is one that closely aligns blue and red teams around one common goal – what is known as a purple team.
Getting to a “purple” team
For many companies, getting these teams to work together is easier said than done. At Levi9, however, we have made it work, and any company can achieve this by following certain steps:
- Unified goal: It should be clear to both teams that their goal is the same—protecting the organization from cyber threats and making it more resilient. This goal can only be achieved through collaboration.
- Transparent communication: Clear communication and feedback are essential. Whatever the red team discovers should be shared with the blue team, and any changes implemented by the blue team should be communicated to the red team. Establishing a shared communication channel, conducting regular meetings, or using another effective method is crucial.
- Joint involvement: Both teams should be involved in key security-related activities, such as external and internal penetration tests, red teaming exercises, setting yearly security objectives, security events, and competitions. Engaging both teams will help them see themselves as part of one larger team.
- Shared processes: Both teams should have a role in crucial security processes, like incident response and tabletop exercises. Input and actions from both teams will enhance incident response capabilities and help prevent or minimize damage.
- Mutual challenge and learning: Both teams should embrace a mentality of challenging and learning from each other. Continuous improvement is vital for keeping up with new types of threats, as criminals are also constantly learning, evolving, and innovating.
- Shared pride: Both teams should take pride in their achievements, not just as separate entities but as a joint security team. This sense of joint accomplishment will make collaboration more attractive and demonstrate that they can achieve more together.
The benefits of collaboration
Companies that successfully transition from separate red and blue teams to a unified “purple” team gain numerous benefits. Here are just a few:
- Enhanced cyber resilience.
- Reduced time to detect and respond to incidents.
- Better understanding and readiness for different attack vectors.
- Continuous improvement of organizational defenses.
- Higher motivation for both teams.
- Accelerated learning for both teams.
The downsides of teams working together
What about the downsides? External penetration tests might become too routine with fewer findings, and the adrenaline rush from real incidents would be a rare experience. However, these are trade-offs one can likely accept.
Conclusion
So, start with “blue,” add “red,” and aim for “purple.” It requires effort and passion, but in return, you get a highly motivated, continuously growing professional team and a better-protected, more resilient company.