Understanding the Real Cost of Pen Testing, Red Teaming and Blue Teaming

The void in the cybersecurity workforce is compounding the level of risk faced by enterprises. The global shortage of skilled security workers could reach 1.8 million in the next five years according to the Center for Cyber Safety and Education. Contrast this with plans to boost security teams hiring by at least 15 percent in the same time frame - the numbers don’t add up. This is exacerbated by the increasing volume, variety and veracity of widespread cyberattacks like WannaCry, NotPetya, Locky, and other blockbuster ransomware.

As a result, the lack of readily available cybersecurity personnel has forced companies to turn to security services outsourcing, penetration testing for hire and vulnerability assessment via red teams (attackers) and blue teams (defenders). However, these services are generally limited in scope, not always reflective of real world threats and environments, difficult to scale, and costly.

There is the perpetual challenge of translating between nerd and business speak. IT comfortably speaking in their native tech which does not help the business understand the requirement, risk, or impact. So when faced with the decision to hire a relatively expensive penetration testing service, it’s not uncommon for internal security operators to be hit by budgetary restraints by their executives.

Penetration testing can cost $10k - hundreds of thousands, while the average cost of a data breach exceeds $3.5 million, according to the Ponemon Institute. Enterprises also need to balance the cost of cybersecurity with the the cost/risks of IP Theft, even cyber insurance. While its difficult to pinpoint the exact cost of IP theft to a specific enterprise, some industry groups, such as Jon Huntman’s Commission on the Theft of American Intellectual Property, put the global cost to US businesses in excess of $300 billion each year.

There are even more factors that need to be accounted for to determine the real costs of outsourcing security testing and vulnerability assessment vs. hiring additional internal staff to perform such functions. For example, an organization will only get the true value out of a red team engagement if there is a full time blue team for them to test against - you have to have someone on the other end of the penetration test to find the vulnerabilities being uncovered. An organization will need more than log aggregation & firewall automation capabilities - operators need to analyze this data in order to make it meaningful and actionable. That, again, is a difficult and costly task when the volume of log data in a 1,000 seat enterprise can reach upwards of 200 GB of data per day.1

Empowerment is another critical factor. In order to succeed, security operators must have the authority and empowerment to to make changes to an IT environment as vulnerabilities are found. Otherwise, systems go unpatched, hygiene wanes and breaches of Equifax proportions become more likely to occur. The vulnerability that attackers exploited to access Equifax’s system was in the Apache Struts web-application software, a widely used enterprise platform. A patch to correct this vulnerability had been issued roughly two months before Equifax was infiltrated.

An un-empowered red team is practically DOA. While most red teams will catch low hanging enterprise vulnerabilities, remediation capabilities will always be limited if the team does not have the administrative authority to triage threats as needed. It’s also a recipe for financial disaster. Outsourced quality red teams cost roughly $250 an hour and most engagements require testing on consistent, scheduled intervals over a period of time in order to be successful. This requires a large number of “hands on deck” and long term engagements which quickly escalate the cost of such penetration testing exercises.

Most enterprises, at this point, will turn to their existing security operations team to develop vulnerability assessment capabilities internally. This creates additional pitfalls. Training is expensive and time consuming. Plus, adding additional roles and responsibilities on top of an already tapped IT team creates an even greater propensity for catastrophic breach. Splitting the job descriptions of your IT operators take away from their core competencies.

This is not to say that organizations should forego security testing and ongoing vulnerability assessment. At its core, vulnerability assessment should be a critical function of any mature cyber operation and the red team/blue team methodology can bring immense security value to organizations that have the necessary resources to follow it. However, it’s not realistic for most enterprises and IT teams, which has left a major gap in the capabilities of security operators.

The answer to this conundrum lies partially in automation to create regularity and consistency in testing efforts. The other piece is finding the right tool to supplement the technical expertise of a seasoned penetration testing team. CROSSBOW, SCYTHE’s flagship security assessment platform, was developed with the direct input of a Fortune 50 company to solve this exact problem. It provides security operations teams with a force multiplier that allow them to validate their organization’s defenses without the need for costly training or complex setup that is required in most red team/blue team assessments.

CROSSBOW offers the ability to setup, customize, and run adversarial campaigns in a matter of minutes and receive granular reporting about an organization’s production environment and degree of compromise quickly and effectively. On top of its powerful, out of the box capabilities, the platform can be custom developed for advanced penetration testing teams. CROSSBOW is the most advanced solution that delivers the power to continuously assess the security posture of an entire organization to detect and mitigate risks before they inflict damage. To learn more about how CROSSBOW can help your organization or request a demo, contact us for more information.

  1. http://content.solarwinds.com/creative/pdf/Whitepapers/estimating_log_generation_white_paper.pdf [return]