Which is more important in #infosec ?
— Kate BlockChain Curious Brew (@securitybrew) December 10, 2017
However, it was a trick question! Both are necessary, as pointed out in this reply.
A false question. Fire fighters vs. fire safety inspectors. Both are essential. If the inspector were completely successful then the fire fighter would get bored. Fortunately, complete success is impossible for either. Keeps us all employed.
— C J Czelling (@CJCzelling) December 10, 2017
I gave the third option for those unwilling to choose sides. However, given the choice of only one, the majority of people chose Blue Team. It does make sense: if you only have one or the other, you had better have the defenders rather than more challengers on top of the bad guys already attacking your company on a regular basis. If you're a small company, you might have only one person, or one person part-time, in the role of InfoSec, so when constrained, Blue Team is where you'll invest. Marcus Carey, a noted Blue Teamer, summed it up nicely.
Blue team all the way. Add a dash of red to make it purple.
— Marcus (@marcusjcarey) December 10, 2017
The fact that both are necessary was a consistent theme in the replies. There were several very specific comments around Purple teaming. It made me go back and re-read Haydn Johnson's blog on Purple Teaming from early 2017. Haydn makes the excellent point that Red Teamers benefit greatly by using some Blue Team tricks. Blue Teamers tend to know what really works, and the Red Team benefits from learning the Blue Team's Defense - Security Controls / Applications / Response.
Here's a sampling of the Purple Team themed responses:
Teamwork
— Nathan (@NathOnSecurity) December 10, 2017
Purple obviously
— Travis (@pinedtree) December 10, 2017
While I voted Blue Team, I have to say that I honestly feel as though a mixture of Blue and Red (Purple) is the best for #inforsec. Red team only has to be right once.
— Nicholas Houston (@Nich0lasH0ust0n) December 11, 2017
PURPLE! pic.twitter.com/LC0WCcuA4b
— itgrrl ✨ (@itgrrl) December 10, 2017
Holiday Cheer!
Since the poll was right before the holidays, I even got a little holiday cheer in one of the replies.
Jingle bells, infosec smells, blue team all the way! (offence wins games, defence wins championships)
— Matt Hawkins (@hawko2600) December 10, 2017
The Existential Approach
Unfortunately, here is the answer no one wants to hear. There is no red team without the blue team. Red team cannot find holes in a non-existent network.
— Bryant Mitchell (@Bryant_Mitchell) December 10, 2017
So, there are some strong feelings in the InfoSec community on the Red Team / Blue Team / Purple Team issue. It was a fun poll, provoking all kinds of thoughts in great replies. Twitter didn't let me vote in the poll. If it had, I would have voted Blue Team. Red Team is tempting - far sexier, and Red Teamers always have great stories and interesting fodder for talks. However, Blue Team works so hard and under pressure every day, often with little praise. So I would have voted Blue Team.
If you have any other ideas for neat polls, please let me know on Twitter!