Blog

Why You Should Purple Team Your SOC Analysts

Purple teaming typically focuses on measuring the performance of a SOC’s cybersecurity technology and processes. But that leaves a gaping hole: Are your SOC analysts, your frontline defenders, fully trained and prepared to take on adversary activity? Do you know where the gaps are? Are you addressing them?

Watch the video below for an inside look at the full benefits of purple teaming by finally getting validation and insight into analyst performance as they face current threats. You’ll have hard data on how your people, processes, and technology are working in concert, or not, when under attack.

Learn More:

Cyber Attack Risk Assessment

Cyber Attack Risk Analysis Module

Video Transcript

Timestamps
0:00 Intro
1:00 Purple Teaming Your SOC Analysts
1:29 Purple Team Engagement
2:01 SightGain Readiness Platform
2:45 Benefit’s of the Purple Team Approach for SOC Analysts

Before Top Gun, we would send pilots straight from pilot training over to Vietnam. So the first time they experienced adversary tactics would be in real combat, and the results were not encouraging.

So in order for pilots to do a better job, the United States created Top Gun so pilots could practice against adversary tactics in a safe way before they had to experience them in real combat. In so doing, we saw dramatic improvements in overall combat effectiveness and survival rates through the Top Gun program. We continue to use this in our military today, and we think it’s time to bring that same approach to cyber.

When we focus on personnel performance, Sightgain can increase the speed and accuracy of soc analysts up to nine times, dramatically improving the ROI of your cybersecurity spend on the personnel.

1:00 Purple Teaming Your SOC Analysts

Typically, when there’s a purple team, they evaluate the technology performance. Sometimes they evaluate the processes between different technologies from firewalls and endpoints up to the scene. However, we typically don’t go beyond that into how is the processes leading to automated responses and hardly ever do we touch on how well are the personnel responding in their role to those adversary activities that the red team is generating.

1:29 Purple Team Engagement

So for the first time, we’re able to incorporate personnel into the purple team, and really understand how the overall system, not just the technology, but the overall system from technology, to process, to people are responding to those red team activities.

And then take a purple team approach to make improvements across the whole system and generate better performance across the technology, the process, and at the end of the day, the personnel that are responsible for responding to these adversary activities.

2:01 SightGain Readiness Platform

So how do we do this using the SightGain readiness platform? Well, we start with the threat. We know a lot about what the adversary tactics are doing, and we’ll pick and choose from a number of tactics across the MITRE attack framework, just like any purple team is doing today. We’ll test our actual production systems against the performance of those actual techniques. And then we gather telemetry from the technology, get data from the processes, and then look at the actual personnel response to understand how everything is working against the threats across the MITRE attack framework, and then be able to make improvements just like a purple team would on the technology side and apply that to the personnel.

2:45 Benefit’s of the Purple Team Approach

So using these inputs by executing techniques across technology we can understand what technology is preventing activity, what processes are integrated or not, and what the actual analysts are doing in their response, right? It’s the system that serves those analysts, providing them the information that they need to make a good decision. And is it a training issue, or is it a technology or process issue that’s holding them back?

And in so doing, just like in any normal purple team response, we can make improvements where those improvements are required. We now for the first time have the hard data and telemetry to really unpack. Is it a technology issue and solve that technology issue? Or is it a process issue that needs to be better ironed out and tuned in order to serve those personnel and the analysts at the end of that whip in a better way?

In addition, we’ll provide supplemental training and reference materials that analysts and engineers can make updates to their systems to give them better information and enable them to make better and more accurate responses to the adversary threats that they face.

So we’re excited about how SightGain, for the first time, can enable purple teams to dig into not only technology performance, but the process. And finally for the first time, personnel performance and evaluate the overall system to make the improvements that are necessary to be successful against today’s threat environment.

If you like the content in this video, click the link to check out our others. Or subscribe to our YouTube channel to get automatic updates whenever we make our innovations available to the public.