April 29, 2026

The Blue Team is a Losing Man’s Game

Robert "RSnake" Hansen


Some things live forever in your head rent-free. For me, one of those things is a comment that one of my security researcher friends said after coming off a stint at a big company, as he was joining a red team organization. He said to me, "The Blue Team is a losing man's game." That phrase has rattled around in my brain for almost two decades. I think he's right, and I think he's wrong.

Before I start, let’s define what I think he meant. I think what he was saying is that the defenders are at a severe disadvantage. Defenders are not at all playing with the same hand, or even the same rules, as the adversary, and he believes that the adversary can win any time they want. So, in an attempt to muddle through it, here is what I think made him right at the time, before I discuss why I believe he could be wrong going forward.

The Blue Team has to juggle the business’s need for uptime and continuity with the demands of security. They are rarely able to take actions that put the business at risk, even when that leaves them at odds with security’s ideal. They have to QA patches, wait for patches, or hold off entirely on patching in favor of business needs. For example, during the blackout season before and after Thanksgiving, most retail companies won’t push code, because the risk is millions of dollars. That means patching will likely never be a panacea no matter how much work we put into it.

Regulations pile on each year, turning compliance into a maze that consumes resources without necessarily improving security. Also, don’t forget the increasing number of new local regulations, sanctions, and general Balkanization that is stifling companies. For instance, even though it might be safer to host in one location, Balkanization means a European organization has to host in Europe because it cannot host in the United States. Worse for security, better for compliance. Budgets are stretched increasingly thin as teams are forced to pay for compliance-driven tools rather than those that would meaningfully reduce risk.

As companies grow and acquire others, the surface area explodes, bringing heterogeneous systems and code that must be defended with effectively the same finite resources. Do more with the same people.

The burden of vulnerability reports from security vendors floods Blue Teams daily and lacks meaningful prioritization. Even when a report includes prioritization beyond CVSS, it almost always still erroneously tells the teams to fix issues that don’t matter at all to the adversary. Meanwhile, the cost of scanning goes up because the number of assets increases with normal company growth and acquisitions.

Without any ability to show return on security investment, security leaders are relegated to the kids’ table when they present to the board, overshadowed by other revenue-producing priorities.

There is also a lot of turnover, through firing, attrition, and so on, which chips away at the continuity and expertise needed to keep up with evolving threats, because institutional knowledge disappears. It also means that there is less and less true understanding of how the systems work.

So my friend wasn’t wrong. But I know that not all of these issues are set in stone. Some will get worse (compliance/regulations) while others can get a lot better (prioritization and cost of scanning). Meanwhile, the adversaries have issues of their own to deal with. For example, the cost to exploit machines might be going down conceptually, but in practice, the existing security apparatus used by the average company only increases in fidelity over time, which raises the cost of evading it. People are getting busted, and they flip, or they hand over evidence for bounties. They can never make any mistakes with OPSEC, because that’s all it takes to get busted, and those busts happen frequently! That adds cost and danger.

This is an economic game. We need to depress the cost of security significantly and increase the costs to the adversary if we want to be effective. My friend might be right, but I see a path through, and it all begins with finding and fighting bad incentives, increasing the utility of our tooling, and fighting a battle of economics. With the right weaponry and tactics, economics is the tool by which we can win the war.
