The industrialization of red and blue teaming is a concept I will be discussing at Black Hat Las Vegas 2018 on Thursday, August 9th. Our Black Hat presentation is titled “The Industrialization of Red and Blue Teaming.”
Thur, Aug 9 | 12:10 pm - 1:00 pm | Oceanside E
When we think of industrialization and the industrial revolution, images of smokestacks, purpose-built machinery, and automation come to mind. One example is the Jacquard machine, a loom attachment introduced in the early 1800s that controlled the weaving pattern with a chain of punched cards. It simplified textile manufacturing and is widely cited as a precursor of the punched cards and punch tape later used to program early computers.
About a century later, in the early 1900s, came Henry Ford’s moving assembly line. It made automobile manufacturing much faster and more consistent: assembly time for a single car fell from roughly 12 hours to about 90 minutes, and about a decade later Ford’s plants were collectively turning out a Model T every 24 seconds.
In cybersecurity, and especially in red teaming and blue teaming, specialized tools and some degree of automation are already commonplace. From vulnerability scanners and exploitation frameworks to firewalls and SIEMs, we invest vast amounts of money, time, and staff in solutions we assume will secure our environments. Then, once in a while, we attack our environments (or hire someone else to attack them) to find the holes our security tools have left for adversaries to exploit.
However, despite our red and blue teaming cybersecurity tools and processes, we still base our security effectiveness on assumptions. We assume our preventative controls for network, endpoint, email, and cloud, for example, are stopping bad things. We assume that nefarious activity will be detected by our intrusion detection solutions and we assume that alerts and logs will make it to the right place for correlation and analysis. We further assume that our people and processes are taking full advantage of the assumed-to-be-functioning security tools. That’s a lot to be guessing about.
What we lack is evidence and quantitative data about our security effectiveness. We lack a purpose-built solution that leverages automation to help determine what’s working, what’s not, and how to fix it.
We need a prescriptive solution, beyond patching, that actually measures and improves the efficacy of the security tools protecting our assets. Most critically, we need an automated platform that alerts us to environmental drift: a security tool moving from a known-good state (successfully blocking, detecting, correlating, alerting, and so on) to a degraded state. This happens constantly, everywhere, and for countless reasons: a rule or policy change, a signature or agent update, a log forwarder that quietly stops shipping events, an expired license, or a new asset that was never enrolled. Unless something periodically re-exercises each control and checks the result against the baseline, the drift goes unnoticed until an attacker finds it.
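To make the drift idea concrete, here is an added example (not code from the original post or from any vendor’s platform) of the comparison step such an automated platform has to perform: take the results of a known-good baseline run, take the results of the latest run of the same attack behaviors, and flag every test whose outcome got worse. The test names, control names, and both result sets are constructed sample data; the four-level outcome scale is an assumption of this example.

```python
"""Drift detection over security-instrumentation results (added example).

A security instrumentation platform executes known attack behaviours and
records what each control did about them. This script models only the
comparison step: a known-good baseline run versus the latest run, flagging
every test whose outcome degraded. All names and results below are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List


class Outcome(Enum):
    """What the control under test did with the attack behaviour (assumed scale)."""
    BLOCKED = "blocked"   # preventive control stopped it
    ALERTED = "alerted"   # not stopped, but an alert reached the SIEM
    LOGGED = "logged"     # evidence exists, but no alert was correlated
    MISSED = "missed"     # no block, no alert, no log


# Rank outcomes so that a move to a lower rank is a degradation.
RANK = {Outcome.BLOCKED: 3, Outcome.ALERTED: 2, Outcome.LOGGED: 1, Outcome.MISSED: 0}


@dataclass(frozen=True)
class Result:
    test_id: str   # the attack behaviour executed (constructed names below)
    control: str   # the control expected to handle it
    outcome: Outcome


@dataclass
class DriftReport:
    degraded: List[Result]   # latest outcome ranks below the baseline outcome
    improved: List[Result]   # latest outcome ranks above the baseline outcome
    missing: List[str]       # tests in the baseline that did not run this time
    unchanged: int


def index(results: Iterable[Result]) -> Dict[str, Result]:
    return {r.test_id: r for r in results}


def detect_drift(baseline: Iterable[Result], latest: Iterable[Result]) -> DriftReport:
    """Compare two runs test by test; only results with the same test_id are paired."""
    base, cur = index(baseline), index(latest)
    report = DriftReport([], [], [], 0)
    for test_id, b in base.items():
        c = cur.get(test_id)
        if c is None:
            # A test that never executed is itself a signal: the platform, an
            # actor, or the network path between them may be the thing that drifted.
            report.missing.append(test_id)
            continue
        if RANK[c.outcome] < RANK[b.outcome]:
            report.degraded.append(c)
        elif RANK[c.outcome] > RANK[b.outcome]:
            report.improved.append(c)
        else:
            report.unchanged += 1
    return report


def effectiveness(results: Iterable[Result], floor: Outcome = Outcome.ALERTED) -> float:
    """Share of executed tests whose outcome is at least `floor` (default: alerted or blocked)."""
    rs = list(results)
    if not rs:
        return 0.0
    return sum(RANK[r.outcome] >= RANK[floor] for r in rs) / len(rs)


# Constructed sample runs: a known-good baseline, and a later run in which the
# email gateway stopped blocking, the EDR alert no longer reached the SIEM,
# the cloud policy check got better, and one test never executed at all.
BASELINE = [
    Result("macro-attachment-delivery", "email-gateway", Outcome.BLOCKED),
    Result("lsass-memory-read", "edr", Outcome.ALERTED),
    Result("outbound-dns-tunnel", "dns-firewall", Outcome.BLOCKED),
    Result("lateral-smb-admin-share", "network-ids", Outcome.ALERTED),
    Result("cloud-bucket-public-acl", "cloud-policy", Outcome.LOGGED),
]
LATEST = [
    Result("macro-attachment-delivery", "email-gateway", Outcome.ALERTED),   # degraded
    Result("lsass-memory-read", "edr", Outcome.LOGGED),                      # degraded
    Result("outbound-dns-tunnel", "dns-firewall", Outcome.BLOCKED),          # unchanged
    Result("cloud-bucket-public-acl", "cloud-policy", Outcome.ALERTED),      # improved
    # "lateral-smb-admin-share" is absent: it did not run this time
]


def summarize(baseline=BASELINE, latest=LATEST) -> dict:
    """The numbers a red, blue or purple team (or a CISO) actually wants to see."""
    rep = detect_drift(baseline, latest)
    return {
        "degraded": sorted(r.test_id for r in rep.degraded),
        "improved": sorted(r.test_id for r in rep.improved),
        "missing": rep.missing,
        "unchanged": rep.unchanged,
        "baseline_effectiveness": round(effectiveness(baseline), 2),
        "latest_effectiveness": round(effectiveness(latest), 2),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Two design points matter here. First, drift is reported per test, not as a single score: the aggregate effectiveness only slips from 0.8 to 0.75 in the sample data, which hides that two different controls degraded while a third improved. Second, a test that did not execute is listed separately rather than silently dropping out of the denominator; otherwise a broken test actor can make the percentage look better, which is exactly the kind of blind spot the platform exists to remove.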
Cybersecurity needs to be industrialized to be effective. With evidence-based results, red and blue teams benefit almost immediately from a closer, mutually reinforcing relationship: purple teams. At the vanguard of the industrialization of red and blue teaming is a new and different approach to measuring, managing, improving, and communicating security effectiveness: Security Instrumentation Platforms, or SIPs.
SIPs aren’t yet another security tool. SIPs are business platforms for security. Because they exercise controls with known attack behaviors and record what each control actually did, their evidence-based model produces no false positives about your security effectiveness: a reported gap is a behavior that really went unblocked or undetected. That makes them equally valuable for red, blue, and purple teams, as well as for CISOs, CIOs, CFOs, CEOs, and even boards.
By leveraging a SIP, the industrialization of red and blue teaming can be realized, saving time, money, and resources and letting security teams align more closely with business imperatives. Be sure to check out our “Industrialization of Red and Blue Teaming” talk at Black Hat Las Vegas 2018 on Thursday, August 9th.