Arguably the biggest barrier to cybersecurity is cost. Many companies, regardless of size and age, find themselves priced out of cyber defence tools and services. Implementing tools and support services often comes at the expense of investment in security team training, and the constant requirement to justify every penny spent on security forces InfoSec managers to burn through political capital. These things, coupled with a vendor market that focuses on revenue rather than protection, leave the holders of security budgets fighting an uphill battle with senior business leaders to justify such a ‘high spend’.
When your department is seen as a money drain, and success is measured in terms of attacks that haven’t happened, how do you negotiate your budget? How do you optimise the budget you already have without compromising on your defensive security? Good questions…
Let’s take, for instance, a successful national retail company; let’s call them ‘BigShop’, hit arguably disproportionately compared to other market sectors by COVID-19. BigShop finds itself in the unfortunate position of needing to downscale, following a message passed down from the CEO to the executive leadership team.
The CTO, let’s call her Eve (I don’t know why, but it’s a really lovely name), is a diligent CTO with a number of technical teams, including CyberSecurity, carefully placed in the hands of the CISO, Dave (everyone knows a Dave). Eve tasks Dave with cutting his budget by 20% ASAP, without weakening any security controls.
Rather than see this as an unwinnable challenge, Dave has an opportunity here to test and improve his defences while tactfully uncovering not only weaknesses in his security, but also weaknesses in his people, processes and technology. Poorly performing team members are the right team members to let go of; manual processes that can be automated should be automated; technologies that aren’t serving you need to be abandoned.
Rather than a single-phase penetration test, PurpleTeaming involves a number of highly valuable and interlinked phases. You’ll note in the image below a red square in the ‘Round 1’ box; this symbolises the sheer scale of PurpleTeaming in comparison to isolated penetration testing, which makes up just a small piece of one subset of the overall engagement.
Where penetration testing involves agreeing a scope, testing the scoped environment and reporting on findings, PurpleTeaming involves 6 key areas:
1. Threat Intelligence & Information Gathering
Relevance is key to saving money. Is there a part of your business which serves as critical national infrastructure (CNI)? Do you supply to CNI? What could someone do to bring your company or customers to their knees and why would they want to?
PurpleTeaming enables budget optimisation by being specific to you. Don’t waste time, money and resources on threats that just aren’t applicable. If you’re an arts and crafts reseller in the north of Canada, maybe don’t worry so much about insecure medical devices in Egypt. Work like the attackers work: if your most likely adversary targets food distribution chains in the western world, they aren’t going to waste resources on you if you manufacture picture frames in China. Relevance is key to keeping those costs down.
2. PurpleTeam Scenario Build and Playbook Creation
The beauty of PurpleTeaming is that it’s entirely an open book. There is little point in testing something without preparation. Ensuring that the tests are adequately explained and understood is key.
All of those adversaries you identified in the previous step have their own ways of working, their own tactics, techniques and procedures (TTPs). By using open-source documentation from previous studies of various threat actors, we can determine likely methodologies an attacker would use if they were to compromise your environment based on their past behaviours.
Attacker TTPs, target systems, accounts and motives are all woven into a scenario based on the environment. Every step serves a purpose, and the point here is to test that defences are adequately prepared, trained and tuned to detect, respond to and eradicate threats.
3. PurpleTeam Exercise, Round 1
This is the first round of active testing. During this phase the defence team(s) must be engaged, as they have the most vital role to play. Picture the penetration tester and the blue team/SOC in the same room (or virtual room), for once working on the same team. Each has access to the playbook and each keeps track of exactly which section of which stage the testing is on.
In the below example we’ve identified that visibility is good, but endpoint protection and incident response capabilities have some fundamental flaws.
PurpleTeam lead: “Bob just ran this PowerShell script on the Active Directory server, Alice, can you see that?”
Alice: “Yes, it hit a rule, which triggered an alert, I saw that in the SIEM… but I can’t actually do anything about it”
4. Remediation
Arguably the most valuable part of a PurpleTeam engagement is the remediation phase. This does what it says on the tin: it is a period of time spent addressing the issues found in the previous phase.
It’s important to get change control, or the change approval board (CAB), onside from the get-go so as not to slow down the overall process. If your explanations are thorough and business impact has been effectively communicated, CAB usually isn’t as big a problem as many may assume. Not every single issue is going to be rectified in this time period, but in a standard PurpleTeam activity you can use this as an opportunity to kick off security improvement projects.
5. PurpleTeam Exercise, Round 2
By this point you’ve tested your environment against your most likely adversaries, pinpointed vulnerabilities and mitigated risks. It’s now time to re-test, following the same plan you used in round 1, to make sure the hard work of remediation and mitigation has successfully improved your organisation’s defences. It’s almost impossible to do this and not see a significant improvement in your cyber defences.
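The two rounds only prove anything if the outcome of every playbook step is recorded the same way both times. The following is an added example (not code from the original post) of a minimal tracker for that: each step is scored on the three things the Round 1 exchange above separates, whether the activity was visible, whether an alert reached an analyst, and whether the analyst could respond, and Round 2 is then compared step by step against Round 1 so that improvements, regressions and untouched gaps are listed rather than argued over. The capability names, the step descriptions and all results are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Capabilities scored for every playbook step, in the order a defence has to
# succeed: activity must be visible before a rule can fire, and an alert is
# worthless if nobody can act on it. The names are this example's own choice.
CAPABILITIES = ("visibility", "alert", "response")


@dataclass(frozen=True)
class StepResult:
    stage: str         # playbook stage the red side is on, e.g. "Execution"
    step: str          # the specific action performed in that stage
    visibility: bool   # was the activity logged somewhere the SOC can see?
    alert: bool        # did a rule fire and reach an analyst?
    response: bool     # could the analyst actually contain or eradicate it?

    def key(self) -> Tuple[str, str]:
        return (self.stage, self.step)

    def weakest_link(self) -> Optional[str]:
        """First capability that failed, or None if the step is fully covered."""
        for cap in CAPABILITIES:
            if not getattr(self, cap):
                return cap
        return None


def coverage(results: List[StepResult]) -> Dict[str, float]:
    """Share of playbook steps passing each capability, e.g. {'visibility': 0.67, ...}."""
    if not results:
        return {cap: 0.0 for cap in CAPABILITIES}
    total = len(results)
    return {cap: sum(getattr(r, cap) for r in results) / total for cap in CAPABILITIES}


def compare_rounds(round1: List[StepResult],
                   round2: List[StepResult]) -> Dict[str, List[Tuple[str, str]]]:
    """Pair each round-2 step with its round-1 counterpart and classify it.

    'improved'  - at least one capability went from failing to passing, none regressed
    'regressed' - a capability that passed in round 1 fails in round 2
    'unchanged' - identical outcome in both rounds
    """
    before = {r.key(): r for r in round1}
    report: Dict[str, List[Tuple[str, str]]] = {"improved": [], "regressed": [], "unchanged": []}
    for after in round2:
        prior = before.get(after.key())
        if prior is None:
            # Round 2 must follow the same plan as round 1; an unknown step is a playbook error.
            raise ValueError(f"round 2 step not in round 1 playbook: {after.key()}")
        gained = [c for c in CAPABILITIES if getattr(after, c) and not getattr(prior, c)]
        lost = [c for c in CAPABILITIES if getattr(prior, c) and not getattr(after, c)]
        if lost:
            report["regressed"].append(after.key())
        elif gained:
            report["improved"].append(after.key())
        else:
            report["unchanged"].append(after.key())
    return report


def remaining_gaps(results: List[StepResult]) -> Dict[Tuple[str, str], str]:
    """Map every step that is still not fully covered to the first capability that fails."""
    return {r.key(): r.weakest_link() for r in results if r.weakest_link() is not None}


# Constructed Round 1 results. The first step mirrors the exchange in the post:
# the SIEM saw the PowerShell execution and alerted, but the analyst could not act.
ROUND_1 = [
    StepResult("Execution", "PowerShell script run on AD domain controller", True, True, False),
    StepResult("Persistence", "Scheduled task created on file server", True, False, False),
    StepResult("Exfiltration", "Large outbound transfer to external host", False, False, False),
]

# Constructed Round 2 results after remediation: response now works for the
# PowerShell step and alerting was added for the scheduled task, but nothing
# was done about visibility of outbound transfers.
ROUND_2 = [
    StepResult("Execution", "PowerShell script run on AD domain controller", True, True, True),
    StepResult("Persistence", "Scheduled task created on file server", True, True, False),
    StepResult("Exfiltration", "Large outbound transfer to external host", False, False, False),
]


if __name__ == "__main__":
    print("Round 1 coverage:", coverage(ROUND_1))
    print("Round 2 coverage:", coverage(ROUND_2))
    print("Change:", compare_rounds(ROUND_1, ROUND_2))
    print("Still to fix:", remaining_gaps(ROUND_2))
```

The ordering of the capabilities is deliberate: `weakest_link` reports the first failure in the chain, so a step that was never logged is reported as a visibility gap rather than a response gap, which points the remediation budget at the cheapest fix first. The `regressed` list is what makes the re-test honest; a change that fixed one detection but broke a log source shows up immediately instead of being hidden by an improved average.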
6. Executive Presentation
Normally an executive presentation showcases the state of the environment before and after, evidencing value to the CISO. However, with budget optimisation PurpleTeaming this can be further detailed, explaining where cost savings have been made, and how they are projected to be saved over the next 12–18 month period.
The PurpleTeam Engagement in Action
A budget optimisation exercise should have a PurpleTeam leader involved in every step of the engagement. It benefits no one if the technologists have to fracture their concentration trying to weigh up cost savings, and they shouldn’t be expected to report budget optimisation opinions back to senior leaders. A PurpleTeam lead should understand the scope of work as it applies to both cyber defence and the financial impact on the business as a whole.
Your financial focus should apply to three core areas: people, process and technology. Employee hours and salary, operation times, licensing fees and support contracts should all be counted as potential areas of cost saving.
It’s in this section of PurpleTeaming that we start to identify team members who may not be strong contributors to the team. I ran a PurpleTeam engagement previously where the customer had a star employee in their SOC. The CISO sang this person’s praises highly. It soon became apparent that this person didn’t actually do much work; one mid-tier team member did approximately 80% of the work! This shocked the CISO on the final report, but had we not conducted this test, the CISO would have gotten rid of the best SOC member they had, because his work was regularly credited to someone else!
It’s not the nicest thought, but it’s a fact of life: companies make cutbacks. Isn’t it sensible to make sure those cutbacks are well informed? PurpleTeaming can uncover people problems and cultural issues which promote poor performance among teams.
A table not dissimilar to the snippet shown would be kept to track all cost-saving potential throughout the PurpleTeam exercise.
Sometimes the people are skilled and the tools are fit for purpose but there is something else that just isn’t working.
Looking at the WAY in which the business operates, the way people are expected to interact with their role, technology and each other, can highlight significant bottlenecks and roadblocks and identify quick wins. Areas of much-needed automation can be identified here too, which is a sure-fire way to streamline activities.
It came to light that this particular customer, who thought they had good visibility in terms of capturing syslog data, hadn’t created a way to view that information other than by manual searching. So, where a fancy dashboard with alerts may come to mind if I say SIEM (security incident and event management), they hadn’t configured one. Analysts were searching raw log data, using up crazy amounts of system resources and time to load the results of crude searches. That one hard worker I mentioned, who had gone under the radar, had made a dashboard filled with a number of useful alerts. This wasn’t used, though, because every dashboard panel burnt resource and the SIEM tool had not been set to scalable sizing.
In a nutshell, they had a tool they were underutilising because they felt not allocating more resources to the virtual server was saving them money, but it was actually costing them far more in analyst time and loading time, and ultimately rendering the SIEM useless. In addition, they were massively underutilising a member of their team who was able and willing to build use cases into their toolsets.
Many vendors make a habit of selling companies technologies that are not a strong fit for the buyer’s environment. We’ve all come across immature architectures with super fancy, expensive, over-the-top pieces of kit which are underutilised and will likely never be fully adopted. On the other hand, there is often an overlap of tool functionality.
Aside from the underutilised SIEM, this company had duplicated their antivirus (AV) and vulnerability scanning tools AND deployed user behavioural analytics (UBA) when they weren’t actually mature enough to benefit from it. UBA’s oversensitivity meant they’d abandoned tuning it; it was too time-consuming and costly to manage, so it sat there ignored, firing off many of the alerts that the far cheaper SIEM (which they already had) could have been producing had it only been tuned properly, all the while paying crazy money for all of it.
An evaluation of the tools they had in place brought us to the conclusion that keeping and maintaining the SIEM, and redirecting a SOC analyst to work as a SIEM engineer after a training course with the vendor, would prove significantly cheaper than keeping the UBA installation, which was approaching contract end anyway. Coupled with the projected time saved by a properly tuned SIEM, this meant an anticipated overall cost saving of approximately £250,000!
When it came to the duplication of AV, it wasn’t just a duplication of tools, it was a duplication of processes and work. The AV which performed worst when we threw malware at it was set to be abandoned, and the vulnerability scanner which picked up the most usable data became a core tool in their cyber defence strategy, with processes we helped to design.
Now I know some of you will be thinking about how AV and vulnerability scanners often pick up different things, and that if you can run multiple tools of the same kind, maybe it’s a better idea to keep them. I absolutely understand and see the value in this argument; however, realistically one of each serves the purpose. Coming at this from a security budget optimisation angle, we have to look at quick wins, and finding duplicated tools, one of which may outperform the other, can have a huge benefit on the budget; the decision can be re-evaluated in future, during more certain times. The task here is to optimise the financial distribution of a business security function without compromising security. That’s the task, that’s the scope, so that’s what needs to be prioritised.
Give it a go!
I want to finish up with some stats. In 2015 Grant Thornton LLP and the American Productivity and Quality Center (APQC) surveyed Chief Financial Officers (CFOs) and found some pretty startling results:
- A whopping 83% of CFOs think their organization’s approach to annual business budgeting needs to be optimized.
- 62% say their staff are too buried in basic financial management to improve financial planning and analysis.
- Only 37% of CFOs and finance leaders say their organization’s approach to annual budgeting is valuable, and, of those, all think it needs improvement.
Bear in mind that the majority of CIOs and CTOs have to negotiate budgetary spend with a CFO. Isn’t the sheer fact that 83% of CFOs think budgets need to be optimised pretty solid ground to give this approach a try?
To summarise, PurpleTeaming your corporate environment will uncover a multitude of cost-saving areas: whether it’s identifying problems with underperforming teams and team members to enable slimmer teams, uncovering process bottlenecks and manual tasks, or seeing what pre-existing tools you can make more of, there are going to be cost savings to be uncovered.