Go Beyond Technology and Systems: Why You Need to Purple Team SOC Analyst Performance  

Purple teaming in cybersecurity is an important way to measure how prepared your security operation center (SOC) is to prevent, detect, and respond to cyber-attacks. However, when most people take advantage of purple teaming’s benefits, they typically focus on measuring the performance of a SOC’s technology and processes. That leaves a gaping hole: Are your SOC analysts, your frontline defenders, fully trained and prepared to take on adversary activity?

Before Top Gun, we would send pilots straight from pilot training over to Vietnam. So, the first time they experienced adversary tactics would be in real combat, and the results were not encouraging.

For pilots to do a better job, the United States created the Top Gun program so pilots could safely practice against adversary tactics before they had to experience them in real combat. In so doing, we saw dramatic improvements in overall combat effectiveness and survival. We continue to use this in our military today, and we think it’s time to bring that same approach to cyber.

Typically, when there’s a purple team, the focus is on evaluating technology performance. Sometimes they evaluate the processes between different technologies, from firewalls and endpoints up to the SIEM. However, we typically don’t go beyond that into the processes leading to automated responses. Hardly ever do we touch on how well personnel respond to the adversary activities that the red team is generating.

Purple Team Engagement

Taking a purple team approach to make improvements across the whole system generates better performance across technology, process, and people. This is especially important for the team members who are responsible for responding to adversary activities.

Benefits of the Purple Team Approach

Just like in any normal purple team exercise, we can identify areas that need improvement using hard data and telemetry.

Benefits of purple teaming include:

  • Strengthening overall cybersecurity
  • Improving the ability to detect attacks
  • Providing continuous feedback loops between red and blue teams
  • Improving collaboration, coordination, and innovation

The benefits are many, but zeroing in on the underlying reason for shortfalls can be complex. Is it a technology issue, a process issue that needs to be better tuned to serve analysts, or analyst performance?

By purple teaming your SOC analysts, you can help close the loop and identify shortfalls anywhere in your cyber defense strategy.

The Atomic Foundation

Your use of atomic threat emulation testing (or breach and attack simulation) lays a strong foundation for purple team exercises. It gives your red team the capability to safely execute relevant attacks across the production environment. It also helps the blue team, since they will be responding to these test scenarios using the exact same technology stack that they use for real-life threats.

The latest threat intelligence also helps the blue team become more familiar with preventing and detecting the recent attacks against which they need to fortify their defenses. Since threat intelligence tracks the threat landscape as it changes, your purple team exercises can evolve with it.

The foundation of atomic testing puts the technical and threat intelligence parts of a successful purple team program into place. However, executing relevant tests is only part of the picture.

This is where SightGain comes in.

The SightGain Threat Exposure Management Platform

The SightGain exposure management platform starts with threats. We know a lot about what adversaries are doing, and we pick and choose from several tactics and techniques across the MITRE ATT&CK® framework.

We test actual production systems against those actual techniques. Then, we gather telemetry from the technology, collect data from the processes, and look at the personnel response. This helps you understand how everything is working against the threats across the MITRE ATT&CK framework and identify areas for improvement, just like a purple team would on the technology side, but applying the lessons learned to personnel as well.
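One way to turn the three telemetry streams above (technology, process, personnel) into the answer to the earlier question of whether a shortfall is a technology, process, or analyst issue. This is an added illustration, not SightGain's code; the record layout, the 15-minute acknowledgement SLA, and the sample runs are constructed assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

ACK_SLA_MINUTES = 15.0  # assumed triage SLA for the exercise


@dataclass
class RunResult:
    # Constructed layout: one emulated ATT&CK technique run and what happened to it.
    technique: str                # ATT&CK id the red team emulated, used here only as a label
    analyst: str                  # who owned the resulting alert, if any
    prevented: bool               # a control blocked the action outright
    logged: bool                  # a sensor produced telemetry for it
    alerted: bool                 # detection logic / automation raised an alert
    ack_minutes: Optional[float]  # minutes until the analyst acknowledged the alert
    verdict: Optional[str]        # analyst classification: "true_positive" / "false_positive"


def attribute_shortfall(r: RunResult) -> str:
    """Name the layer that fell short on one run: 'technology', 'process', 'analyst' or 'ok'."""
    if r.prevented:
        return "ok"
    if not r.logged:
        return "technology"  # no telemetry: nothing downstream could have worked
    if not r.alerted:
        return "process"     # telemetry existed but detection/automation never surfaced it
    if r.ack_minutes is None or r.ack_minutes > ACK_SLA_MINUTES:
        return "analyst"     # alert raised but not picked up within SLA
    if r.verdict != "true_positive":
        return "analyst"     # picked up, then triaged away as noise
    return "ok"


def score_exercise(runs):
    """Roll up shortfall counts per layer and triage accuracy per analyst."""
    by_layer = Counter(attribute_shortfall(r) for r in runs)
    seen = defaultdict(lambda: [0, 0])  # analyst -> [alerts handled, handled correctly]
    for r in runs:
        if r.alerted and not r.prevented:
            seen[r.analyst][0] += 1
            seen[r.analyst][1] += attribute_shortfall(r) == "ok"
    accuracy = {a: correct / total for a, (total, correct) in seen.items()}
    return dict(by_layer), accuracy


# Constructed sample of six runs; in a real exercise these come from emulation and SIEM telemetry.
SAMPLE_RUNS = [
    RunResult("T1059.001", "alice", False, True, True, 4.0, "true_positive"),
    RunResult("T1003.001", "alice", True, True, False, None, None),
    RunResult("T1547.001", "bob", False, False, False, None, None),
    RunResult("T1021.002", "bob", False, True, False, None, None),
    RunResult("T1071.001", "bob", False, True, True, 42.0, "true_positive"),
    RunResult("T1053.005", "alice", False, True, True, 7.0, "false_positive"),
]
```

On the sample, two runs are attributed to analyst handling (one missed SLA, one triaged away as a false positive), one to missing telemetry, and one to detection logic, which is the split the purple team needs before deciding whether to tune tooling or assign training.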

Often, the biggest challenge we’ve had to overcome in deploying the SightGain readiness platform is reluctance to test on the production system.

Using the production system is critical to understanding and evaluating how your overall ecosystem will respond to real-world threats. Unless you’re testing your personnel, you’re assuming that their classroom training or range training will work when needed.

With SightGain, you can put your team to the test as if they’re experiencing it in the wild to evaluate performance and improve their skills. The SightGain readiness platform helps teams prepare proactively and comprehensively now for when an adversary attacks.

Optimize Your Purple Teaming With Real-time Threat Exposure Data

SightGain works with several threat emulation providers to make your purple team assessments more effective than ever. With live-fire training exercises, detailed analyst data, and individualized training capabilities, this is a new frontier in training focused on increasing your cyber preparedness.

By pressure-testing your operating procedures, tech, policies, and team performance, you can pinpoint weaknesses and potential exposure. You can validate solutions that are optimally tuned and configured while measuring the effectiveness of detection and response across your entire cyber defense strategy.

SightGain enables you to:

  • Quantify Business Risk Exposure with Hard Data
  • Conduct Live-Fire Tests in Your Real Environment
  • Measure Efficacy Against Threats
  • Evaluate Technology, Processes, and Team Performance
  • Understand Investments and Divestments Based on Proven Performance

SightGain provides empirical data about the function and efficiency of your teams, quantifies risk exposure and gaps, and delivers a roadmap to improve performance. Live-fire training puts analysts to the test and then assigns individualized training exercises based on their results. Interactive training modules are designed to address analyst skill gaps with training scenarios tailored to your mission and team. Rather than confining training to a lab, you can train where you fight. SightGain safely runs these attack sequences so analysts can see how they appear on your systems, using real-world threats and real payloads in a secure environment.

See for yourself how SightGain can help you strengthen your information security through effective and practical purple team exercises with unparalleled analyst visibility. Schedule a demo today!