Red vs Blue – the security response war room

From the 2013 AISA conference

It’s no longer enough to operate your information security model solely in breach-prevention mode. Recent penetrations of large companies such as Google, RSA and Adobe highlight that even with the best resources and people at your disposal, your business can be attacked and compromised by well-resourced and skilled adversaries.

John Walton, the Microsoft Office 365 Principal Security Manager, says that it’s time to move from an operating mode of preventing breaches to assuming that you have been breached and to change your operations accordingly. This mindset shift is critical in a constantly changing threat landscape.

Attackers are now very well resourced, with toolkits for exploiting system weaknesses readily available.

Walton’s approach is to pit two teams against each other, designated the red and blue teams. The red team is tasked with penetrating production systems; test systems aren’t used, as they rarely mirror production accurately and “attackers target production sites”, according to Walton. The blue team acts as the threat response team, trying to detect the intrusion and remedy the damage caused by the attack.

Tasking a group of experts with breaking into corporate systems is not something to be taken lightly: Walton’s red team usually ends up with access to data considered sensitive.

“There are risks that come with this. Make sure that the people are trustworthy as they are going to be exploiting your systems - they’re going to break in. This means background checks and audits,” said Walton.

In the red corner

The red team’s focus is on using multiple techniques to break through a business’s protective layers and to extract and leverage data. Its success is measured by Mean Time to Compromise (MTTC) and Mean Time to Pwnage (MTTP). Short times highlight deficiencies in security monitoring and recovery, and show where the gaps are.

The aim is to prove the need for the organisation to adopt an “assume breach” posture and to enumerate business risks so that resources can be invested appropriately.

In the blue corner

The blue team is tasked with detecting the attack and penetration, and with responding appropriately. Its performance is measured as Mean Time to Detection (MTTD) and Mean Time to Respond (MTTR). The exercise also gives the business an opportunity to practise its incident response, so that when a real breach occurs everyone understands their roles and responsibilities and the business isn’t scrambling to work out how to react.

These exercises let the business establish baseline measures of how it would perform in a real breach: how long it takes to detect, contain, fix and recover from a security incident. The business can also develop a framework for assessing damage and appropriate response plans.
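Walton’s four measures (MTTC and MTTP for the red team, MTTD and MTTR for the blue team) only serve as a baseline if they are recorded the same way across exercises. The following is an added example, not code from Walton’s talk or from Microsoft: it computes the four means from constructed exercise records and treats an exercise the blue team never detected as a detection failure rather than quietly dropping it. The record layout, the choice to measure MTTD from first compromise, and the sample data are this example’s own assumptions.

```python
"""Baseline red/blue exercise metrics: MTTC, MTTP, MTTD and MTTR.

Added example, not code from Walton's talk or from Microsoft. The record
layout, the decision to measure detection time from first compromise, and
the exercise records in SAMPLE are this example's own assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Exercise:
    """Timeline of one red-vs-blue exercise against production."""
    name: str
    start: datetime                       # red team begins the engagement
    compromise: datetime                  # first foothold on a production system
    pwnage: datetime                      # red team reaches its objective (e.g. sensitive data)
    detected: Optional[datetime] = None   # blue team's first detection, None if never detected
    contained: Optional[datetime] = None  # attacker contained/evicted, None if never contained


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def red_team_metrics(exercises: list[Exercise]) -> dict:
    """MTTC and MTTP in hours, measured from the start of each exercise.

    The red team always produces a result, so every exercise contributes.
    """
    return {
        "mttc_hours": mean(_hours(e.compromise - e.start) for e in exercises),
        "mttp_hours": mean(_hours(e.pwnage - e.start) for e in exercises),
    }


def blue_team_metrics(exercises: list[Exercise]) -> dict:
    """Detection rate, MTTD and MTTR in hours.

    MTTD runs from first compromise to first detection (attacker dwell time),
    MTTR from detection to containment. Exercises the blue team never
    detected cannot contribute a detection time; averaging a placeholder in
    would distort the mean and dropping them silently would flatter the blue
    team, so they are counted and named separately.
    """
    detected = [e for e in exercises if e.detected is not None]
    contained = [e for e in detected if e.contained is not None]
    undetected = [e.name for e in exercises if e.detected is None]
    # Exercises where red reached its objective before blue noticed,
    # including those blue never noticed at all.
    pwned_first = sum(1 for e in detected if e.pwnage < e.detected) + len(undetected)
    return {
        "exercises": len(exercises),
        "detected": len(detected),
        "undetected": undetected,
        "detection_rate": len(detected) / len(exercises) if exercises else 0.0,
        "mttd_hours": mean(_hours(e.detected - e.compromise) for e in detected) if detected else None,
        "mttr_hours": mean(_hours(e.contained - e.detected) for e in contained) if contained else None,
        "pwned_before_detection": pwned_first,
    }


# Constructed sample records for three exercises (not real engagements).
T0 = datetime(2013, 10, 7, 9, 0)
H = timedelta(hours=1)
SAMPLE = [
    # Detected four hours before red reached its objective, but contained only afterwards.
    Exercise("ex-1", T0, T0 + 2 * H, T0 + 30 * H, detected=T0 + 26 * H, contained=T0 + 38 * H),
    # Caught quickly and contained before the objective was reached.
    Exercise("ex-2", T0, T0 + 6 * H, T0 + 12 * H, detected=T0 + 8 * H, contained=T0 + 11 * H),
    # Never detected: the blue team's real gap in this baseline.
    Exercise("ex-3", T0, T0 + 1 * H, T0 + 20 * H),
]

if __name__ == "__main__":
    print(red_team_metrics(SAMPLE))
    print(blue_team_metrics(SAMPLE))
```

Run it as a script to print both dictionaries for the sample. The point of keeping `undetected` and `pwned_before_detection` alongside the means is that a respectable MTTD can hide the exercises where the blue team never saw anything, which is exactly the gap the baseline is meant to expose.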

The takeaway

In Walton’s view it’s critical that companies resist anchoring their security strategy on static attack scenarios, or on the assumption that the enemy will only come from one fixed position.

He says they should use defence in depth: layers of complementary security controls whose effects are cumulative. The number and distribution of controls matter more than the individual effectiveness of any one of them.

The aim is to detect breaches as quickly as possible so that you can respond, rather than relying on prevention alone. In his view you will suffer a security incident; the real test is how you respond.
