Purple teaming — can anyone recommend best practices for getting your org started?

2.7k views4 Comments

Director of Network Transformation, Self-employed
New term for me.  Interested in everyone's comments.  Let's discuss!  
Director of Cybersecurity Data and App Protection in Healthcare and Biotech, 10,001+ employees
I managed our purple team here for about 2 years. The first step is understanding the threat actors and their tactics, techniques, and procedures (TTPs). We then started to apply our red team members to build out some tests that measured our ability to detect and prevent those attacks with a partnership from the blue team. When the red team was successful, we developed action plans to improve our defenses and then re-tested things. The overall outcome you want is to continuously improve your defensive posture by enhancing your people, processes, and technologies.
VP Information Security Assurance, 10,001+ employees
Here's my take
In the spectrum of color based identification for cyber teams, the blue is on the defensive/monitoring/respond side, While red (a universal indicator of danger or harm) is on the attack/penetrate/exploit side. Both are for organizational benefit, and are working towards the purpose of enhancing the maturity of the security program

Somewhere in the middle is the purple (try mixing red and blue pastel/oil  colors at home ). What this means is that the cyber team works as a team to be better prepared from each other's perspective. Here transparency and willingness to proactively share- being symbiotic is KEY.

A defender needs to do better at gaining understanding of the "attackers mind", the technique and tricks used and those nuances that attackers may be using that the defender may not be aware. Likewise an attacker is usually focused more and more on "attacking", some of the defenses or its weakness may not be fully aware. A crucial piece of info s/he can leverage for crafting more intuitive attacks. 

So together they foster a mechanism of continual loop of feedback and improvements, helping the team and the company's objective

for me here are the next steps:
> if the capability, like that of Red team doesn't exist get a strong partner under NDA
> ensure the team understands what blue/red/purple mean and why we wish to go for the purple mode

> use team alignment models to clarify goals/share responsibilities and drive to goals
(like in defensive forces, irrespective of the discipline of army, navy or airforce, the mission objective is under a unified objective and sometimes a command. (hierarchy is not important)
> make the team and objective formal and well aligned. i see the purple team as an added benefit for 
_ cyber talent rotation/upskilling/cross skilling
_ possibility for future state - all-hands-on-deck situation
_ expanding on the perspectives may uncover additional security controls to be implemented
Chief Information Security Officer in Healthcare and Biotech, 1,001 - 5,000 employees
plz have look the doc. May help you


Content you might like

CTO in Software, 201 - 500 employees
Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.
Read More Comments
41.1k views131 Upvotes319 Comments