Respondents list threat detection, incident response and flexibility in changing work environments as the top areas blue teams must work on
Exabeam, the Smarter SIEM™ company, today released new research, revealing that 62 percent of blue teams have difficulty stopping red teams during adversary simulation exercises. Respondents named threat detection, incident response and flexibility/openness to change while working remotely as the top three areas that blue teams must improve upon. This indicates an increase in technical and adaptability challenges since the same study was performed in 2019, where the focus fell heavily on teamwork and communication.
While 37 percent of blue teams always or often catch these ‘bad actors,’ more than half (55 percent) say they only succeed sometimes, and 7 percent rarely or never achieve this feat. On a positive note, these numbers indicate a trend in the right direction compared to last year’s study, which showed one-third rarely or never catching red teams.
However, the fact that less than half of blue teams are stopping bad actors a majority of the time demonstrates the priority organisations must place on constantly evaluating and adjusting their security investments to keep up with today’s digital adversaries.
The study indicates that many companies are consciously taking these steps, with 50 percent increasing security investment and 30 percent adding to their security infrastructure as a result of these exercises. Seventeen percent have done both, and just 2 percent have not adjusted their security tools or budget in response.
Interestingly, the frequency and approach to red team/blue team tests vary widely. On average, organisations conduct red team exercises every five months — breaking down to just over a quarter (26 percent) once a month, another quarter every 2-6 months, nearly a third (32 percent) every 7-11 months and 8 percent once a year. Just 7 percent don’t utilise red teams at all. Blue team exercise frequency understandably reflected similar percentages and averaged out to every six months.
This year, Exabeam found that many companies use the ‘purple team’ approach, in which the red and blue teams come from their own staff and work together to determine security preparedness. One-third run these simulations every 2-6 months, while 50 percent perform them every 7-11 months, and 12 percent report yearly tests. Again, only 7 percent do not have purple teams in place.
Also new to 2020’s report, 92 percent of respondents tap external red teams that have no prior knowledge of their internal security systems to help their teams prepare for real-life cyberattacks. However, 54 percent found internal and external red teams equally effective, with a slightly higher percentage (24 percent) citing internal red teams as more effective than external (19 percent).
“An additional study recently reported that more than 80 percent of businesses have experienced a successful cyberattack since the start of the pandemic. Paired with the fact that just over a third of respondents are frequently stopping simulated attacks, these trends illuminate the security fallout caused by the remote work shift, tighter budgets and increasingly sophisticated attack techniques,” said Steve Moore, chief security strategist, Exabeam. “These red team/blue team exercises can be valuable proof points when presenting budgetary and technological needs to the C-suite and board to help keep up with these changes. While there is always room for teams and security postures to mature, it is extremely encouraging that so many companies are regularly performing these tests to identify their weak spots and shore up their defenses.”
In addition to threat detection, incident response and flexibility, communication and teamwork (41 percent), knowledge of threats/tactics (38 percent) and persistence (20 percent) were also listed as valuable skills blue teams should focus on.
To learn more, visit https://www.exabeam.com/security-operations-center/2020-red-and-blue-team-survey/.
*This study is the result of a survey of 307 cybersecurity practitioners, conducted by Censuswide