Why so Blue? (hint: it could be your mindset)

It's Fall and much of the country is wrapped up in #collegefootball season. Living and dying by their team's results. Planning weekend trips to their alma maters to catch up with old friends and see their team play in person. There's nothing quite like that on campus game day experience.

Visiting favorite restaurants from the college days, being sad to find some have closed and glad to try new ones. Overeating at tailgates is all part of the fun and a key requirement. Meanwhile, all of this is in preparation to watch a violent set of events set to occur when the two teams clash on the playing field. The time is set. It won't be long now.

Starting with the opening kick, teams quickly find out if their week of preparation was adequate in the face of their #adversary . Offenses test defenses, defenses attempt to stymie offenses, and one thing happens every single game, every single Saturday...one team finds out that they were not prepared well enough, or were simply outmanned, and they lose.

The question of "Why so Blue?" occurs to me often when dealing with businesses from the smallest on up to enterprise levels. You see, one thing that I KNOW FOR CERTAIN about these college football teams is that as they practice week in and week out they do so with BOTH the offense and the defense on the practice field.

In defensive preparation, coaches go so far as to try to find players on their roster who can mimic the traits of the best offensive players that they know they will face on the upcoming Saturday. That may be finding a mobile quarterback to go against their defense in practice in a attempt to have their guys prepared to defend against an attack. Other times it means second teamers have to learn an entirely different offense to give the defense a chance to face it (think Georgia Tech and the triple option under Paul Johnson) and prepare.

One thing is CERTAIN. Not a single college football team that is serious about seeing their defense be successful during the upcoming game is practicing WITHOUT involving an opposing offense to measure their readiness and preparedness.

However, when it comes to business and cybersecurity, all to often I see businesses who are consistently adding defensive tools and playbooks, but NEVER testing them. They are completely focused on #blueteam activities and never engage in any #redteam testing to understand how they truly stack up against potential adversaries.

This issue is prevalent in the small and medium business space, however, even in large enterprises, the percentage of their attack surface that gets tested regularly can be incredibly small. This begs the question why?

My experience is that often businesses see testing as an "extra" thing to do, not an imperative. In reality, you are only as secure as your last test. If you are testing less frequently than annually, you are setting yourself up for a blowout when your offensive adversary takes the field. The most unfortunate thing about this game is that you don't know the game time until your adversary decides to start it, and even then you are subject to the efficacy of your #detection and #response tools and your ability to use their features. For all the defensive precautions you can take, you don't know if they are effective until you test!

Often this problem starts with a faulty mindset. Let's take a look at a few of the common reasons that people don't do #redteam activities:

• Spending fatigue: We've bought so many security things that we just can't justify spending any more. Reality: Your whole security spend should not be on Blue activities. A good security program has a healthy amount of Blue and Red team tools and activities.
• Misplaced trust in defensive tools/overconfidence: I assembled the best set of tools I could afford, I trust my vendors, and if that isn't good enough then I don't know what else to do. Reality: You can have the perfect defensive toolset for your organization but that doesn't ensure that they are properly configured, consistently applied and that they really DO all the things the vendor promised. I've worked many breaches where a tool failed to perform as expected due to misconfiguration, misunderstanding of capabilities, or simply not being installed throughout the organization.
• Failure to implement a framework based #cybersecurity risk management program: Risk assessment is just something that you do if someone makes you (regulators, etc.). We don't have time for all of that. Reality: If you don't understand your organizational risk, there is a very good chance that you have vulnerabilities that you have no idea about, that are targets for threats you've never considered. Building a risk based cybersecurity program puts you in the driver's seat. There is no substitute for having a risk register that feeds a plan of action and milestones. By measure of ANY framework, lack of #redteam testing would find its way into the risk register and be properly addressed by the POA&M.

Hopefully, if you are one of those businesses that heretofore considered #redteam testing to be an extra rather than an integral part of your security program, this article will help you see things in a different light. As with all your #cybersecurity needs, Pileum Corporation 's Security Risk and Compliance team is here to help you. We make #cybersecurity achievable, understandable, and #affordable .