Purple teams confuse me.

To be more precise, small cyber teams thinking that they need some separate purple capability is what actually confuses me.
Purple teams seem to be necessary because cyber teams and their leaders have forgotten that blue teams and red teams are actually the same team with the same objectives. Not sharing the same goals would seem to indicate a deeper issue within the cyber team’s leadership.
In my own experience, I’ve often seen in-house red teams more focused on outwitting the blue team, with “gotcha” being the end goal, rather than translating successful exploitation into not only a list of vulnerabilities but also a series of artifacts and indicators that the blue team can use to better tune their defenses.

“Gotcha” doesn’t push cyber programs forward.
Ultimately, leaders own how blue team and red team activities fold into the cyber program and how those activities push the cyber program forward. Imagine how the cyber skillset and hiring landscape would change if blue teams assumed much of the critical thinking and threat modeling for their controls instead of needing a purple team.
At some point, a purple capability makes sense once a team grows over a certain size (maybe 20?). Prior to that, it only dilutes what should be a growing blue/red value-add as cyber maturity improves.
While purple may have some cool factor, effective leadership makes it unnecessary for most organizations.

Let’s leave coordination of blue and red teams on small teams as a cyber leadership function.

Like what you've read enough to follow me on Twitter? @Opinionatedsec1.