Cyber Purple Teaming

As someone whose eyes cannot distinguish properly between colors, I always shudder at the thought of mixing up red and blue teams during a cyber exercise. And now, with the advent of purple teaming in the enterprise, I surrender all hope that my cones can keep up. That said, I heartily endorse this new purple strategy of evaluating cyber control effectiveness to detect intrusions, bot activity, malware actions, lateral movement, and data exfiltration.

I recently spent time with the XM Cyber team to better understand purple team exercises and how they can improve the cyber posture of an enterprise organization. XM Cyber is part of a new category of security companies offering improved, continuous evaluation and validation of controls. I am 100% in favor of this new capability, and I hope every security professional reading these words has a plan to implement such functionality immediately.

XM Cyber supports automated purple team objectives with a platform that provides continual simulation, validation, and remediation of breaches across the enterprise. This is done by executing realistic attack scenarios selected from a cloud repository of hacker techniques. Security teams obtain a clear picture of their security posture and are provided with prioritized recommendations on control improvement and vulnerability mitigation.

The XM Cyber platform, called HaXM, involves sensors being strategically deployed across the enterprise, which can be either traditional on-premises infrastructure or a hybrid mix of cloud services. Placement of these sensors depends on the local team accurately identifying which organizational devices, data, and networks are considered to carry the most consequential risk. The whole idea is to develop a posture assessment for those assets that truly matter.

Once sensors are in place, the HaXM server begins the ongoing simulation, in which the suite of attacks is executed automatically, including many advanced persistent threat (APT) scenarios. Care is taken to ensure that attack simulation is done safely, without producing any consequence to live assets. This is an important consideration, because security teams must be able to trust the simulations in critical production environments.

An important component in the attack simulation lifecycle involves support for remediation of discovered vulnerabilities and other weaknesses. An automated report is created, based on the simulation runs, to help security teams identify key findings and assign priorities to recommended mitigation actions. Without such back-end focus, closing the loop on identified posture weaknesses might not be done properly.

Despite the obvious advantages of continuous breach simulation, this method of control validation is not uniformly applied in every enterprise context. This gap is easily explained by the relatively recent introduction of this risk management method. But modern cyber security strategies must move quickly to keep up with advanced threats, so the grace period for consideration of breach simulation has expired.

From TAG Cyber's perspective, it is highly recommended that enterprise teams of all sizes create a roadmap to review, assess, and deploy a breach simulation system. Such actions are obviously more urgent in higher risk environments such as critical national infrastructure. XM Cyber provides one of many excellent choices in this regard, given their flexible deployment options and vast assortment of hacker simulation methods.

Finding budget for breach simulation might be a challenge, simply because so many allocations follow a year-over-year mapping based on existing line items. If this is your funding situation, then consider focusing your internal budget pitch on how simulation optimizes existing investments, thus precluding the need for new control deployments, which can save money. I hope that works.

Regardless of your strategy, please make this a priority for the remainder of 2019. There are many wonderful commercial vendor options available to you today, so you have no excuses. I suspect you'll be glad you moved on this one.