
More than 60% of security 'blue teams' struggle to stop the 'red'

19 Aug 2020

Red teams and blue teams are a common way of running cyber adversary simulation exercises, but it seems that the red teams may still end up on top.

New research from Exabeam found that 62% of blue teams (defenders) have trouble stopping their red team (attacker) counterparts, while only 37% are successful in catching the red team. Further, 7% say they never catch the red team at all.

According to the 307 respondents, there are three key reasons for this lack of defence: threat detection, incident response and flexibility/openness to change while working remotely.

On average, organisations run red team simulation exercises every five months. Some 26% of organisations conduct exercises once a month, another quarter conduct exercises every 2-6 months, 32% conduct exercises every 7-11 months and 8% conduct exercises once a year. Seven percent don’t utilise red teams at all. Blue team exercises reflected similar percentages and averaged out to every six months.

This year, Exabeam found that many companies use the ‘purple team’ approach, in which the red and blue teams come from their own staff and work together to determine security preparedness. One-third run these simulations every 2-6 months, while 50% perform them every 7-11 months, and 12% report yearly tests. Only 7% do not have purple teams in place.

But are red and blue teams effective? According to the report, 92% of organisations leverage external red teams without prior knowledge of their internal security systems. This is to help their teams prepare for genuine attacks. Despite external contracting, 54% of respondents found internal and external red teams equally effective.

Organisations should take heed of warnings that they should constantly evaluate and adjust their security investments, particularly as today’s digital adversaries evolve at a rapid pace.

“These red team/blue team exercises can be valuable proof points when presenting budgetary and technological needs to the C-suite and board to help keep up with these changes. While there is always room for teams and security postures to mature, it is extremely encouraging that so many companies are regularly performing these tests to identify their weak spots and shore up their defences,” comments Exabeam chief security strategist Steve Moore.

Only 50% of polled organisations say they are increasing security investment and 30% are adding to their security infrastructure as a result of these exercises. Further, 17% are undertaking both measures, and only 2% say they have not changed their security tools or budget in response. 
