A Purple Teamer’s Insights on Collaboration, Relationship Building, and Vetting Tools | Maril Vernon
Purple, red, orange, green, blue teams - there's this whole security color wheel.
We need to realize that we all play a part in the same cycle and we could all work together a lot more effectively than if we work against each other.
So when everyone's collaborating, talking and understanding their part - all the colors combine.
This is one big, beautiful security utopia called white teaming.
Brutally honest insights from Maril Vernon aka SheWhoHacks, COO of Teach Kids Tech and Co-founder/Co-host of The Cyber Queens Podcast.
In this episode of Audience 1st, Dani Woolf had a conversation with Maril about her challenges as an offensive security engineer and purple teamer, her goals, what vendors do that piss her off, and the alternatives.
Guest at a Glance
💡 Name: Maril Vernon
💡 What she does: Maril is currently the Senior Application Security Architect at Aquia, COO at Teach Kids Tech and Co-founder/Co-host of The Cyber Queens Podcast
💡 Where to find Maril: LinkedIn
How did Maril get into the cybersecurity industry?
Almost four years ago, Maril embarked on an exciting journey into the cybersecurity industry.
She found her niche as an offensive security engineer and, more uniquely, as a 'purple teamer'.
Ethical hackers often operate as part of red teams, and Maril was no exception to this. But as she ventured deeper, she discovered an evolving role called purple teaming - a dynamic blend of both offensive (red) and defensive (blue) security measures.
This niche role resonated with Maril's passion for ethical hacking and she found her true calling.
But, why the shift into security?
Maril was working as a social media manager for a hospitality brand when she felt the need for a new challenge. She craved something that would push her intellectual boundaries and put her creative thinking and problem-solving skills to the test.
Her professional transformation didn't happen overnight. It was a phased progression, a journey of self-discovery and learning.
Maril first dipped her toes into the tech industry by engaging in penetration testing (pen testing) - a crucial stepping stone from her marketing role to cybersecurity.
She then transitioned into red teaming, immersing herself in proactive cybersecurity measures. And, almost immediately afterwards, Maril found herself smoothly transitioning into purple teaming, thus paving the way to her current role and newfound passion.
Is having a creative background (or even a business background) helpful working in the tech industry?
In today's digital age, we see an impressive array of individuals from creative backgrounds - be it artists, painters, graphic designers, or musicians - making their mark in the tech world. And it's nothing short of phenomenal.
But how does a creative background facilitate the journey towards technical careers?
The answer lies in the way creative individuals think.
Creative thinkers vs linear thinkers
Creatives are, by nature, abstract thinkers. They tend to approach problems from various, often unconventional, angles. This unique problem-solving ability makes them particularly valuable in tech roles, where innovation and out-of-the-box thinking are prized.
It's important to note that this doesn't undermine the importance or utility of linear thinking. In fact, linear thinking has its own advantages, especially in technical careers.
Individuals who lean towards technical careers often possess a strong inclination for linear thinking. They usually grasp concepts faster, making sense of complex information quickly and efficiently. They dive headfirst into the field, applying their understanding and building on what they know.
In essence, both creative and linear thinking have their places in the tech industry, offering different perspectives and problem-solving approaches.
So, whether you come from an artistic background or a business background, there's room for you in tech. Your unique skill set and thinking style can be a valuable asset.
Why is providing diversity so important in the tech industry?
Diversity in the tech industry is not just a trend, but an essential component for the cybersecurity industry’s growth and development.
It goes beyond gender or ethnicity; it includes people from different professional backgrounds and areas of expertise as well.
This principle is exemplified by professionals like Maril, who entered the tech industry from a creative background. Creative thinkers morph into a different breed of technical professionals, harnessing their existing skills and passions to offer innovative solutions.
Maril, an advocate for diversity in cybersecurity, highlights this perspective on the 'Cyber Queens Podcast', which she co-hosts with Amber DeVilbiss and Erika Eakins.
Maril emphasizes the power of diversity in thought and background, crediting these aspects as the driving forces behind some of the most successful cyber professionals.
Many of these professionals, particularly women, have embraced cybersecurity as their second career, bringing with them rich experiences from fields as varied as law, marketing, business, teaching, and even the arts.
In Maril's words, “diversity is not just a goal but their collective mission.”
Expanding on this mission, the Cyber Queens Podcast is designed to draw more women and LGBTQ minorities into the cyber domain.
The objective goes beyond creating an inclusive community - Maril, Amber and Erika aim to inspire and attract more young women into the field.
By offering insights into the various career paths, the day-to-day work environment, required skills, and potential for career progression, they hope to entice more individuals to join the ranks.
In their quest for diversity, they're on a mission to 'suck them in', creating a more diverse and enriched tech industry.
“We love our friends, but we also want to inspire more young women to want to join us here in these ranks,” says Maril.
What does Maril hate most about the cybersecurity industry?
The industry's propensity to hastily jump onto trends without a thorough understanding or plan.
As with any other field, cybersecurity is not immune to the allure of buzzwords. The moment a new term emerges, it tends to create a frenzy.
Maril states, “we're like in any other industry, a buzzword comes out, we all freak out. ‘We're behind the curve!’ And we seek to implement the new buzzword or the new tool or the new solution too quickly.”
Concerns of being "behind the curve" lead to a hurried implementation of the latest tool or solution, often without due diligence.
But, as Maril points out, this approach comes with its own pitfalls:
- The hasty implementation of new tools is often not done effectively.
- The adoption isn't always comprehensive, often failing to consider all the necessary facets.
- The industry sometimes forgets to evaluate the real need that these new tools are supposed to address.
This reactive approach can lead to an overwhelming tool overload and an overshoot of the budget.
Consequently, the budgets are scaled back, leading to resource constraints and teams that are both understaffed and overworked.
Maril wishes for the industry to recognize the immense value that security departments bring.
She advocates for empowering these teams to carry out their tasks effectively. She believes that security departments should be given more credibility within organizations and allowed to work in the manner they know best, rather than following the business's perception of what is optimal.
“I just wish that most people realize that security departments can provide so much value, but you have to empower us to do it. And I wish that we were given a little bit more credence in the org to do so and to do it our way, the way that we know how and not the way the business thinks is best.”
Maril’s bleeding neck challenge as an offensive security engineer and a purple teamer:
One of the primary challenges Maril faces as an Offensive Security Engineer and a purple teamer is the lack of understanding about defense in depth.
Many organizations tend to gravitate towards flashy, heavily marketed solutions, seduced by their attractive promises.
However, Maril strongly emphasizes the need to start with the basics. She advocates for the importance of building a solid foundation before adding layers of complexity.
In her words, "We need to baseline. We need to know our gaps. We need to know how the defenses are actually working and not just how we hope they're working."
According to Maril, it's crucial for organizations to have a thorough understanding of their security infrastructure, to be aware of their vulnerabilities, and to know how their defensive measures are genuinely functioning.
Maril also identifies resistance towards remediation management and vulnerability management as a significant challenge. The lack of acceptance and implementation of these value-added strategies is concerning.
Additionally, another hurdle that Maril grapples with is the pervasive "us versus them" mentality.
She highlights that everyone within an organization is on the same team and shares the same end goals.
“We all work for the same company. If we go under because of a breach, I'm screwed out of a job too. I want to help you. So, I have to help people see me as an ally and not as an adversary.”
This change in perception is a challenge she actively works to overcome in her role.
What's Maril’s ultimate goal as an offensive security engineer?
Maril's overarching goal as an Offensive Security Engineer is to proactively test defenses so she knows realistically where she and her team stand and how well they might stand up to an adversary.
In her view, an organization's cyber resilience cannot be truly understood until it has been put to the test through offensive measures.
Her objectives aren't solely focused on testing. Maril also aims to address the issue of internal silos within the tech environment.
“As a purple teamer though it is my goal to collaborate, to break down silos. It's my goal to make myself a person and a coworker and an ally and someone you can come to.”
How does Maril vet solutions as an offensive security engineer?
Maril's process for vetting solutions is comprehensive and methodical. It starts with the understanding that marketing personnel and technical experts often operate on different wavelengths.
Therefore, when engaging with a vendor or tool, she goes into every conversation with a predefined objective. She already has an idea of the information she hopes to extract or a preconceived notion based on preliminary research.
Maril gives vendors the chance to sway her initial impressions or provide the information she requires to make an informed decision.
She asks probing questions to evaluate the tool thoroughly. If the vendor responds honestly, she appreciates that, and even if their product isn't the right fit for her company, she doesn't hesitate to recommend them to others for whom the product might be suitable.
For Maril, the vendor's ability to answer her technical queries is of paramount importance. She places significant emphasis on their knowledge, honesty, and willingness to provide valuable insights.
Triggers to evaluate a new solution:
When Maril was asked to evaluate a new tool for testing defenses, her company was considering implementing a new Endpoint Detection and Response (EDR) solution.
The decision was triggered by the tool's popularity and apparent efficacy.
The Chief Information Security Officer (CISO) assigned Maril the task of assessing whether the tool would indeed add value.
Maril acknowledges the crucial role of engineers in such processes.
Often, CISOs don't have the time to dig into the details of each tool, so the engineers undertake the investigation and vetting process. Maril firmly believes in baselining and conducting gap analyses.
For her, talking to someone technically proficient who can engage in a meaningful tech stack discussion is vital.
“Let me do my own vetting.”
Maril also stresses that she doesn't just take marketing promises at face value. She needed to understand which actual security gaps the tool was addressing.
She asked pointed questions about various technical aspects of the solution and its functionality. Upon evaluating the responses and the tool's offerings, Maril concluded that, while the tool was popular and appeared effective, it didn't meet her company's specific needs.
“Unless you're getting something you need from these vendors, from these tech support people features-wise, I don't recommend moving to a new solution; or if you think there's value add in migrating.”
Questions an offensive security engineer may ask in their buying decision-making process:
- What practices do you have in place to maintain routine security hygiene?
- How do you ensure that outdated or unnecessary data is properly disposed of?
- What kind of user access controls do you have in place, and how are they managed?
- What types of data do you collect, and for what purposes?
- How is the data stored, and what measures are in place to protect it?
- Who has access to the data, and under what circumstances?
- What is your policy for data retention and disposal?
- How do you handle security incidents?
- Do you conduct regular security audits or penetration tests?
- What compliance certifications do you hold?
- How do you handle patch management and vulnerability remediation?
- What kind of data do you collect, and how is it stored and transmitted?
- How are user roles and permissions managed?
- What third-party services or components are integrated into your product?
- Can you provide a clear data deletion process once the contract is terminated?
- Do you have any form of security breach notification protocol in place?
- Can you share examples or case studies where your system was tested against cyber threats?
- Is your product or service compatible with our existing security infrastructure?
What kind of tools could you pitch to a purple teamer? What kinds of things do they look for to make their job easier?
- Adversarial Emulation Tools: These tools mimic the behaviors of threat actors in order to test the effectiveness of both your attack and defense measures.
- Automated Reporting Tools: Reporting is a critical component of purple team exercises. Automated reporting tools can help teams track and document tests, generate actionable reports, and communicate results effectively.
- Threat Intelligence Platforms: These platforms provide information about the latest threats and help teams stay up to date. They can integrate with other security tools to provide contextual information about threats.
- Security Information and Event Management (SIEM) Systems: SIEM systems collect and analyze log and event data in real-time, offering an essential view of an organization's security posture.
- Intrusion Detection and Prevention Systems (IDS/IPS): These systems monitor network traffic for malicious activities and can often take action to block threats.
- Vulnerability Scanning and Management Tools: These tools help identify and manage vulnerabilities in a system or network.
- Penetration Testing Tools: While the red team generally uses these, purple teamers may use them to understand the attacks better.
- Security Orchestration, Automation, and Response (SOAR) Tools: These tools can help automate responses to certain types of threats, which can be helpful in managing the vast array of alerts that can be generated during a purple team exercise.
- Endpoint Detection and Response (EDR) Tools: These tools provide continuous monitoring and response to advanced threats.
- Cloud Security Tools: With the increasing adoption of cloud computing, cloud security tools are also crucial. These tools can help manage and monitor the security of cloud-based systems.
Remember, the value of a tool is not just in its features, but also in how well it integrates into your existing systems and processes, and the knowledge and expertise your team has in using it. Training and support are also critical considerations when choosing new tools.
Where does Maril usually look for and find the necessary tools?
When Maril needs to find a new tool, her first step is typically to consult her professional network.
This group includes other purple teamers and red teamers with whom she regularly meets to exchange information.
She values their insights and experiences and often seeks their opinions on tools they've used.
If she is considering a particular product, she makes a point of connecting with others who've used that solution before. After all, satisfied users are a clear indication of a tool's effectiveness and reliability.
Maril doesn't typically resort to booking a cold demo. She views this step as a last resort, only to be used if all other avenues have been exhausted.
“If I don't see anything else, I'll book a demo probably out of desperation, as a last resort.”
This approach reflects a shift in the buyer journey, emphasizing the importance of peer reviews and word-of-mouth recommendations over traditional sales tactics.
Cardinal rules that security vendors, marketers, sales, and everyone above, below, and in between are breaking:
Don't cold message to get a call
“We can't say it enough. Cold pitching is dead. It pisses us off. It makes us hate you and it's going to kill your brand,” Maril asserts.
The cold pitching approach is outdated and more likely to harm your brand than promote it. Rather than sending unsolicited messages in hopes of landing a call, start treating your direct messages like real conversations.
It's important to consider the existing network of the person you're reaching out to. Connect with people they trust and take the time to nurture these relationships. Sales is a tough game, but cold messaging is not the way to play it.
Maril values genuine relationships and is open to connecting with recruiters and sales vendors, as long as they don't bombard her with sales pitches as soon as she accepts their connection request.
“By the way, I will build a relationship, a genuine friendship with any recruiter and or any sales vendor as long as you don't cold pitch me the second I accept your connection request.”
Be honest and realistic
If implementing your solution is going to demand a significant amount of work from the team, you need to be upfront about it.
Are you going to offer help in making your solution work? If something goes wrong, how swiftly can you get someone to address it?
As a vendor, you must be transparent about the level of support a client can expect when onboarding your solution.
Making up information is a no-go, especially when dealing with an engineer who can quickly discern the truth.
“Don't make up information. I'm an engineer and I can see right through it.”
“Don't just drop me like a hot rock”
Don’t abandon your clients once the sale is made.
Maril recalls instances where she had to offboard a solution just 30 days after buying it due to poor customer service.
“I literally have bought a solution and 30 days later we have offboarded it because the customer success has been crap.”
High-quality customer success is paramount and should be maintained throughout the client relationship.
Don't just drop your clients the moment you've made a sale. After all, ongoing support is a significant part of their investment in your solution.
What's the worst thing Maril's experienced from a vendor?
One of Maril's worst experiences with a vendor occurred when they insinuated that she was not competent in her job.
This happened during a tool evaluation process, when Maril was asking in-depth questions to better understand the product.
Rather than responding helpfully, the vendor took her questioning as a sign of inexperience.
Maril's intention was not to corner the vendor or make them look inept, but to seek necessary clarifications.
She found it unacceptable and unprofessional for the vendor to belittle her expertise, especially given her extensive knowledge and experience in the cybersecurity industry.
“When I ask these questions, I ask it from a reasonable place of knowledge. I'm not asking it to put you on the spot, I'm not asking it to make you look stupid. I'm asking because I have genuine questions I need answers to.”
“Don't start telling me that I just am so inexperienced with multiple environments and you are, just because you're a vendor who sees multiple environments all the time.”
What's one thing a vendor has done that made Maril feel good?
“One time I came out of a demo call and I asked a bunch of my hard questions. We call them ‘Maril questions’.”
The depth of the discussion impressed the vendor so much that they assumed Maril had been working in the industry for five to seven years, even though she had only been in the field for a year and a half.
They commended Maril on her expertise and proficiency, leaving her feeling extremely good about herself.
This instance underscored the significance of genuine praise and positive reinforcement in business interactions.
After all, people tend to remember not what you say or do, but how you made them feel, and such experiences can greatly impact their perception of you and your brand.
Differences or anomalies in the market right now that vendors can take advantage of
Not very many people in cyber sell based on relationships.
They all try to sell based on features, and engineers are inherently distrustful of those. They don't just want to hear it; they want to see it.
“You can say whatever you want to my CISO, but until I come on with your sales engineer, the guy who actually can answer my questions, this isn't going to go much farther.”
Adding a human aspect
The element of human connection is crucial here. Vendors who strive to build strong relationships and deeply understand their clients' needs can significantly set themselves apart in the market.
When the interaction feels like a targeted cold outreach quota being filled, it lacks the warmth and authenticity that foster trust.
Therefore, adding a personalized touch to every outreach effort is essential to stand out in the crowded cybersecurity marketplace.
“When you're just coming at me to try and fill a cold outreach quota, I don't like that. So, I think that the anomaly in cyber is selling based on relationships and having relationships with us first.”
Are you adding that human aspect into it? Are you even taking the time to customize your DM? Or are you just bot-scripting a bunch of people without even knowing who it's going to land on?
Create champions in the organization
The concept of creating champions is vital in the security field. Just as security professionals need champions on the business side to promote their initiatives and encourage secure behaviors, vendors too can benefit from having champions within the organizations they target.
If a vendor can win over one security professional who becomes a champion on their behalf, the value derived from that relationship is exponentially higher than from numerous sales that might or might not renew the following year.
While building such relationships and creating champions should ideally be the norm, it remains an anomaly in the current market, making it a unique opportunity for vendors to leverage.
“If we can all just understand where each other are coming from and break those silos and get out of our own mindsets and start collaborating and having casual chats and getting to know each other's people, we will all be a lot better off,” says Maril.
It's crucial to understand that everyone is part of the same ecosystem, working towards a common goal. Embracing this mindset can lead to a more effective and efficient system where everyone works together rather than against each other.
Power of White Teaming
“A lot of people think purple teaming is the only collaborative security function that there is and it's not true. Purple, red, orange, blue, green teams - there's this whole security color wheel.
But when all those things are working together and everyone's collaborating, talking and understanding their part, who their internal customers are and we information share - all the colors combine. One big, beautiful security utopia, that's called white teaming,” says Maril.