Purple teams with wings: measuring detection efficacy in the cloud

Alfie Champion, Detection Lead, and Nick Jones, Cloud Security Lead
October 2021

In the cloud, a collaborative approach to attack detection capability development pays even greater dividends than on-premises. With cloud environments evolving just as rapidly as the TTPs being used against them, and analysts monitoring and developing detections for unfamiliar technologies, an iterative, adaptive, and continuous approach is necessary for detection to remain effective.

We’ve been delivering on-premise purple teaming since 2015. And our first cloud purple team was delivered in early 2020. Since then, clients in 5 countries have used the process, and the thinking behind it has been shared publicly at conferences, globally. This eBook describes our learnings and approach to measuring and developing attack detection efficacy in the cloud, and presents the approach in 5 phases for you to adopt in your own organization.

Get the paper

What you’ll learn:

  • The benefits of a highly collaborative purple teaming approach (in contrast to traditional, objective-led exercises)
  • The differences between detection on-premise and in the cloud
  • The 5-phase purple teaming approach we use to measure and drive further cloud detection efficacy
  • The background of this approach

Related resources

WithSecure_people_meeting

Cloud security: striking the balance between risk, speed, and cost

Your organization’s risk profile will impact how you approach cloud migration. Learn how to balance your security needs with speed and cost efficiency.

Find out more

The Microsoft Azure Security Framework

Inspired by Scott Piper’s roadmap for building cloud security in AWS, our MS Azure security framework provides the building blocks required to harden your Azure platform from the ground up.

Download now
WithSecure-office-working

How the cloud has changed detection

The cloud may have moved the goalposts for cyber detection, but the rules of engagement can still be understood and mastered by those moving from on-premise security.

Find out more