The CISO’s Guide to Purple Teaming

March 10, 2021

Executive Summary

Moving Toward the Color Purple

In art, mixing mellow blue with aggressive red yields a vibrant purple. What happens, though, when the same palette is combined in the realm of cybersecurity?

Blue and red security teams typically live in separate organizational silos. This is partially a matter of organizational structure and partially a reflection of each group’s intent. Blue teams are the guardians of the corporate network; they are focused on defending key terrain, meeting regulatory requirements, and ensuring cybersecurity effectiveness. By contrast, red teams are, essentially, tasked with conflict. Their purpose is to lay the groundwork for a threat-informed defense, which entails developing a deep understanding of attackers’ “tradecraft and technology.” Red teams must get into the mind of the enemy in order to test the company’s carefully planned controls in the same ways that an actual attack would.

Because of the stark differences in attitudes and tactics, it is understandable that many organizations’ blue and red teams keep their distance from one another. Still, an emerging security best practice involves bringing them closer. “Purple teaming” is a relatively new security team structure in which members of blue and red teams work together collaboratively. They align processes, cycles, and information flows — and, as a result, they overcome the competitive or even adversarial dynamic of the traditional siloed security approach.

What Even Is a Purple Team?

Although the name implies elimination of blue and red teams as distinct entities, purple teaming does not typically involve integrating those groups on the organizational chart. Instead, the red and blue teams continue to operate independently. For companies that have their own security team (vs. an external managed security service provider), the blue team is in-house, while the red team is in many cases external. Large, well-resourced organizations — like global banks or the U.S. military — are more likely to have internal red teams. Either way, a shift to purple teaming means that the still-distinct red and blue teams develop highly communicative, supportive, and cooperative relationships across the functional boundary.

Such a structure is ideal, because each group has gaps in capabilities that the other can fill. Purple teaming simultaneously optimizes the skillsets and minimizes the limitations of both red and blue, paving the way for a threat-informed defense.

Download the full whitepaper to find out more.


Price: FREE

About the Provider

AttackIQ, the leading independent vendor of breach and attack simulation solutions, built the industry’s first Security Optimization Platform for continuous security control validation and improving security program effectiveness and efficiency. AttackIQ is trusted by leading organizations worldwide to identify security improvements and verify that cyberdefenses work as expected, aligned with the MITRE ATT&CK framework. The Company is committed to giving back to the cybersecurity community through its free AttackIQ Academy, open Preactive Security Exchange, and partnership with MITRE Engenuity’s Center for Threat Informed Defense.
