New Exabeam research shows that 62 percent of blue teams have difficulty stopping red teams during adversary simulation exercises.
Respondents named threat detection, incident response and flexibility/openness to change while working remotely as the top three areas that blue teams must improve upon. This indicates an increase in technical and adaptability challenges since the same study was performed in 2019, where the focus fell heavily on teamwork and communication.
While 37 percent of blue teams always or often catch these ‘bad actors,’ 55 percent say they only succeed sometimes, and 7 percent rarely or never achieve this feat. On a positive note, these numbers indicate a trend in the right direction compared to last year’s study, which showed one-third rarely or never catching red teams.
Companies increasing security investment
The fact that less than half of blue teams are stopping bad actors a majority of the time demonstrates the priority organizations must place on constantly evaluating and adjusting their security investments to keep up with today’s digital adversaries.
The study indicates that many companies are consciously taking these steps, with 50 percent increasing security investment and 30 percent adding to their security infrastructure as a result of these exercises. Seventeen percent have done both, and just 2 percent have not adjusted their security tools or budget in response.
Interestingly, the frequency and approach to red team/blue team tests vary widely. On average, organizations conduct red team exercises every five months – breaking down to 26 percent once a month, another quarter every 2-6 months, 32 percent every 7-11 months and 8 percent once a year.
Just 7 percent don’t utilize red teams at all. Blue team exercise frequency understandably reflected similar percentages and averaged out to every six months.
Many companies use the ‘purple team’ approach, in which the red and blue teams come from their own staff and work together to determine security preparedness. One-third run these simulations every 2-6 months, while 50 percent perform them every 7-11 months, and 12 percent report yearly tests. Again, only 7 percent do not have purple teams in place.
Internal and external red teams equally effective
Also new to 2020’s report, 92 percent of respondents tap external red teams without prior knowledge of their internal security systems to help their teams prepare for real-life cyberattacks. However, 54 percent found internal and external red teams equally effective, with a slightly higher percentage (24 percent) citing internal red teams as more effective than external (19 percent).
“An additional study recently reported that more than 80 percent of businesses have experienced a successful cyberattack since the start of the pandemic. Paired with the fact that just over a third of respondents are frequently stopping simulated attacks, these trends illuminate the security fallout caused by the remote work shift, tighter budgets and increasingly sophisticated attack techniques,” said Steve Moore, chief security strategist, Exabeam.
“These red team/blue team exercises can be valuable proof points when presenting budgetary and technological needs to the C-suite and board to help keep up with these changes. While there is always room for teams and security postures to mature, it is extremely encouraging that so many companies are regularly performing these tests to identify their weak spots and shore up their defenses.”
In addition to threat detection, incident response and flexibility, communication and teamwork (41 percent), knowledge of threats/tactics (38 percent) and persistence (20 percent) were also listed as valuable skills blue teams should focus on.