Mike Saurbaugh, Manager of Information Security at Corning Credit Union, and Kevin Johnson, CEO of Secure Ideas, presented "Security by Collaboration: Rethinking Red Teams versus Blue Teams" at CUISPA 2015. Mike represented the Blue Team side as the internal security lead who works with Kevin, whose firm is hired as a third-party Red Team. A Red Team focuses on adversarial probing of a company's security. The talk centered on the benefits of the Blue Team working with and collaborating with the Red Team. They emphasized that there should be no secrets between Red and Blue: the Red Team should share its findings proactively so that the Blue Team can start making improvements right away.
The worst situation Kevin finds is that he will do a Red Team engagement, then come back a year later and find that the issues identified have not been addressed. When he asks IT why, he hears "we never got the report - Security told us to look at the log files and figure it out ourselves." Kevin emphasized that this is the wrong approach. Collaboration between the Red Team and the Blue Team is how organizations get the most out of their Red Team engagements, turning findings into process improvements and better security controls.
Blue Team staff spend so much time maintaining operations and adhering to compliance requirements that keeping pace with the adversarial mindset can get left behind. With the scarcity of Blue Team talent, we need to find a way to accelerate their learning so they become more adept at defending against a relentless adversary.
Some important takeaways include:
- Allow the Blue Team to work alongside the Red Team during the assessment (don't just sign the letter of engagement and walk away until the report is delivered)
- Break it and fix it together
- Validate that the Blue Team can identify what the Red Team is doing
- Tie the exercise to business goals so that the company's competitive advantage stays at the forefront of the effort
- Let's not forget about our end users. They need to be part of the process, too. Being more overt than covert helps keep education at the forefront, so the exercise is not seen by employees as an attempt to trick them.
- Incident response is crucial, and it's important to ensure the helpdesk is receptive and accommodating to the incidents reported. If there is resistance from the helpdesk, employees may take matters into their own hands and not report. We need this reported data for the sake of better incident response and for linking it back to the business and the success of the program.
With a large audience of credit union security professionals, ranging from InfoSec managers to security engineers to CIOs, there was great interest in this talk.
AlienVault exhibited at CUISPA 2015
The complete deck can be found below.
It was kind of sad that Austin's weather didn't cooperate with the CUISPA event – it was freezing cold. Hopefully this will not prevent participants from enjoying 6th Street and the rest of Austin, however.
Here are Mike and Kevin's Twitter handles: