It takes an entire team to keep a business’s infrastructure safe. Most businesses today have security teams protecting their systems against attack, whether they outsource it to the cloud or handle it all in house in their SOC. That team is most effective when it is comprised of multiple people, each holding a very specific role in securing the organization’s data and assets.
Chris Tillett, Exabeam senior security engineer, spoke at Spotlight 19, where he described the separate, but vital, duties of red teams and blue teams. In his talk, “Train Harder Than You Fight: How Exabeam Helps Blue Teams Counter Red Team Attacks”, he explains the separated but connected roles these teams play. Although red teams test security systems and blue teams focus on defense, he demonstrated how vital it is that both teams work in collaboration.
What are red teams?
With more than a decade of experience in IT security, Chris has developed a respect for red teamers. They go beyond penetration testing to testing a network’s security on an ongoing basis. These are full-time employees who have made a career out of showing organizations exactly where they need to invest their security resources.
“It prompts the leadership to ask, ‘Where do we need to shore things up and to justify budget?’” Chris says. “We all know that the hardest thing to justify in any organization is our budget. It’s really hard. By being able to show [value] via the red team by saying, ‘Hey look, here’s this exercise we performed and here’s where we’re weak,’ businesses can more effectively direct spending.”
What are blue teams?
Chris considers himself a blue teamer. He doesn’t know how to code or hack into security systems, but he can put the work in to ensure that vulnerabilities are repaired before they become problems. Feedback is an essential part of identifying those vulnerabilities, though. In order to act on issues, blue teams must first know that they exist.
The challenge that blue teams face is that people are still using processes from years ago, a situation he sees often. For example, an expert is hired to build a certain process and the team follows the process without truly understanding the principles behind what they are told to do. When the expert leaves, the process still goes on for years while the tactics and technology the adversary uses change.
Blue and red work together
Ideally, blue and red teams will work together. Unfortunately, in some environments, blue teams feel defensive when the red team points out weaknesses in the security they’ve established. These teams are doing themselves an injustice, though, he says because blue teams can learn from red teams. Over time, they’ll begin to identify behaviors that are sure signs of a breach based in part on what red team members have discovered.
“I remember dropping in on a tabletop exercise and this organization has a permanent red teamer,” Chris recalls. “He has no login on the network, no email address. You know how he gets in? Usually over phishing links or on LinkedIn to the systems administrators. He gets their credentials and then he’s able to pivot around the network. The great part about it is we’ve learned his behavior. We’ve seen his behavior and now he lights up like a Christmas tree when he’s in the network.”
The value of communication
As the industry evolves security professionals know their technical skills will change. One thing that never changes, though, are those soft skills that are essential to success in the field. Communication is among the most important of those, especially when it comes to keeping your network secure.
“You need soft skills just as much as technical skills,” Chris says. “The technical skills are going to change. The tools, tactics, and procedures are going to change.” For example, the MITRE ATT&CK framework is public so adversaries are going to modify their activities to circumvent the defenses.
The purple team misconception
Many security organizations identify a third type of team, called the purple team. Whether they’re consultants or employees, purple teams do both testing and security, allowing them to handle the duties of both red and blue teams. But Chris believes that purple teams should serve as a function, not a job role. Security groups that have set aside a purple team likely have a serious breakdown in collaboration.
“If you have a separate purple team, that means politics has destroyed your security team, right?” he says. The analogy he uses for the purple team is that of a mediator, it’s a functional use. It solves the issue in the short term but is not sustainable.
How Exabeam helps
Exabeam provides support for organizations using three different types of behavioral data models, each having its own unique purpose for keeping systems safe:
- Behaviors across the organization. Exabeam’s technology monitors what’s going on within your organization to identify any anomalies.
- Reviewing your peer group. In order to build a comprehensive data model, Exabeam monitors an organization’s peer group. This ensures the data model hasn’t learned bad behavior.
- Once Exabeam has taken a thorough inventory of an organization’s systems, a data model is built that will begin working hard to keep things secure.
“Peer group modeling is often how we catch systems administrators,” Chris says of tracking unusual activity. “Because they’re always moving around, they’re typically the noisiest. They may not touch the data center for three months and next thing you know they’re going to do a whole rebuild in there.”
Exabeam’s solutions bring the power of machine learning to user and entity behavior analytics. The more information Exabeam has to work with in the form of data logs, the more robust its findings will be, so it’s important to include as many log sources as possible when configuring the platform for your business. Exabeam can help your teams better prevent and manage threats.
With Exabeam teams will be more equipped to detect threats. But as Chris points out, it’s essential that team members work together to locate vulnerabilities and repair them before outsiders find them. Watch his full talk here.