Purple > Red + Blue - Sans Hackfest Hollywood, October 2024

Presentation at the Sans Hackfest Hollywood, October 2024.

More about the conference at https://www.sans.org/blog/a-visual-summary-of-sans-hackfest-summit-2024/.

Mark Hillick

February 11, 2025

Transcript

  1. Sans Hackfest: 2024-10-28. whoami: timeline (purple/red/blue)

     • XXXX: I was born in Derry, Ireland. First computer was an Amstrad CPC 464, favourite game was Shinobi, but I preferred sports over computers, and still would today.
     • 2000: Graduated from college and started working on an Internet Infrastructure team, learning about firewalls, DNS, anti-virus etc.
     • 2008: Final requirement for GSE: proctored GSEC, and met Steve Sims for the first time :)
     • 2013: Took on my first security leadership role @ Riot Games, building a team and program from scratch, making every mistake in the book.
     • 2016: Moved to the US. Owned all "player security", including "anti-cheat", where we built my first "purple" team.
     • 2021: Joined Brex. Led all of Security, now the CISO. Integrated purple into how we operate.
     • 2024: Sans Hackfest Los Angeles.
  2. Why get into Cybersecurity?

     • Constant learning & challenge
     • Lucrative salaries
     • Diverse career paths
     • High demand & job security
     • Stopping bad guys
  3. This is not a technical talk, it's about something more difficult…

     Well… people, building & serving the business.
  4. Assumption

     I'm realistically assuming that you're not working at a 3-letter agency or government with nation state attackers on a daily basis.
  5. Disclaimer

     I leveraged ChatGPT/DALL-E for all of my diagrams/images. Thank you AI <3
  6. What?

     • 01: So what is a red team?
     • 02: What about a blue team?
     • 03: A purple team?
  7. What?

     • 01 Blue Team: The defensive team that analyzes attacks and develops ways to prevent and mitigate them. Blue Team members monitor systems, detect suspicious activity, and respond to incidents.
     • 02 Red Team: The offensive team that simulates cyberattacks to identify vulnerabilities and test incident response. Red Team members are experts in offensive security, such as ethical hackers and penetration testers.
     • 03 Purple Team: Facilitates communication and collaboration between Red and Blue teams to improve an organization's security posture. Huh???
  8. Not really purple - why?

     • SOC -> Blue team
     • Recruited from the industry: referrals & official job ads
     • Evolution to include a "red" team
     • Created sub-teams :ugh:
  9. Disconnects

     • Goal of making your colleagues look bad
     • Sending the report to the boss rather than the blue team
     • Simply disconnecting / removing accounts
     • Not sharing TTPs or IOCs
     • Different roadmaps
  10. Purple Anti-Cheat

     • Everyone building
     • Hired from the community
     • Breakers defending
     • Same North Star
     • Everyone together: builders, breakers etc.
  11. Wins

     • Increased player numbers & enjoyment
     • Vanguard
     • High game integrity
     • Packman
     • More revenue
  12. Remember

     It's ok to operate as an attacker, but the end goal is to:
     • secure your company
     • improve the security of the company
     not "hack" your employer.
  13. Why do Security teams exist?

     • Serve the business
     • Ensure products are shipped securely
     • Reduce security risk to the business and the customers
     • Make the secure way the "easy" way, i.e. the default behaviour
     • Enable the company to pass the various security compliance standards, and continue to operate
  14. Integration @ Riot

     • SPL
     • Transparent, public RCAs
     • Integrate red teaming into security review & launch process
     • RFCs
     • Iterate, iterate, iterate
  15. Integration @ Brex

     • Same team, i.e. same reporting structure below the CISO
     • Integrate red teaming into the security review process
     • Same rituals together (demos, stand-ups)
     • Encourage red and blue teamers to have 1-1s
     • Share: reports, code, alerting configuration, tooling etc.
  16. SPL @ Brex

     • We go to where our engineers are
     • Pen Test
     • Design docs, Slack channels, same tooling
     • Secure code reviews
     • Vuln Mgmt Process: Red Team & GRC own
  17. What?

     • 01: So what is a blue team?
     • 02: What about a red team?
     • 03: A purple team?
  18. Wrapping Up

     • Security is here to serve the business
     • Build into rituals & default
     • Audience focused
     • Share & iterate, share & iterate
     • Don't be an a**hole