Red vs Blue – the security response war room

From the 2013 AISA conference

It’s no longer enough to operate your information security model solely in breach prevention mode. Recent penetrations of large companies like Google, RSA, Adobe and others highlights that even with all the best resources and people at your disposal, your business can be attacked and compromised by well-resourced and skilled technicians.

John Walton, the Microsoft Office 365 Principal Security Manager, says that it’s time to move from an operating mode of preventing breaches to assuming that you have been breached and to change your operations accordingly. This mindset shift is critical in a constantly changing threat landscape.

Attackers are very well resourced now, with toolkits for exploiting system weaknesses readily available.

Walton’s approach is to pit two teams against each other designated as the red and blue teams. The red team is tasked with penetrating production systems - test systems aren’t used as they rarely reflect or mirror production systems accurately and “attackers target production sites” according to Walton. The blue team acts as the threat response team, trying to detect and remedy the damage caused by the attack.

Tasking a group of experts with breaking into corporate systems is not a task to be taken lightly. Walton’s team usually ends up with access to data considered to be sensitive.

“There are risks that come with this. Make sure that the people are trustworthy as they are going to be exploiting your systems - they’re going to break in. This means background checks and audits,” said Walton.

In the red corner

The red team’s focus is on using multiple techniques to break through a business’s protective layers and to extract and leverage data. The success of the red team’s work is measured by Mean Time to Compromise (MTTC) and Mean Time to Pwnage (MTTP). These highlight deficiencies in security monitoring, recovery and where there are gaps.

The aim is prove the need for the organisation to assume an “assume breach” posture with its security and to enumerate business risks so that resources can be invested appropriately.

In the blue corner

The blue team is tasked with detecting the attack and penetration, and to respond appropriately. These are measured as the Mean Time to Detection and Mean Time to Respond. It also gives the business an opportunity to practice its incident response so that when a real-life breach occurs, everyone understands their roles and responsibilities and the business isn’t scrambling to work out how to react.

These activities allow the business to establish baseline measures of how they might perform should a real breach occur. It allows the business to understand how long it will take to detect, contain, fix and recover from a security incident. They can also develop a framework for assessing damage and develop appropriate response plans.

The takeaway

In Walton’s view it’s critical that companies resist anchoring their security strategy on an assumption of static attack scenarios or assuming that the enemy will only come from one fixed position.

He says that they should utilise defense-in-depth layers of complimentary security controls with effects that are cumulative. The number and distribution of security controls is more important than the individual efficiency of each one.

The aim is find and detect breaches as quickly as possible so that you can respond rather than prevent an attack. In his view, you will suffer a security incident - the real test is how you respond.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Join the CSO newsletter!

Error: Please check your email address.

Tags 2013 AISA conference

More about Adobe SystemsCSOGoogleMicrosoftRSA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Anthony Caruana

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts