Cybersecurity, Events, Gartner Summit 2015

Navy Red-Team Testing Moves to Business
Beyond Pen Testing: Gauging Operational Readiness
A retired Navy aviator evangelizes red-team security testing.

As a U.S. Navy aviator, Mike Walls dropped bombs for a living for 26 years. He then took that experience to the Fleet Cyber Command, where he led so-called "red teams" that tested not only the information systems on warships but also the impact that degraded systems had on warfighting capabilities.

Now, as managing director of security operations and analysis at the IT security company EdgeWave, the retired Navy captain is evangelizing those Navy red-team testing capabilities to the private sector.

"Penetration testers are trying to stay up with adversary tactics, the latest hack," Walls says in an interview with Information Security Media Group. "The difference is the operational contest. The red teamer is not just trying to get into the network to prove he can. He's going two or three steps beyond to create effects with a very definitive purpose. A pen test is very encapsulated. A red team has a very broad operational view of what [it's] doing and what the impact is going to be."

In the interview, conducted at the Gartner Security and Risk Management Summit outside Washington, Walls:

  • Describes how red-team testing in the Navy prepares a warship commander to continue to engage in a battle with degraded IT systems;
  • Provides an example of how a business could benefit from red-team testing;
  • Explains why warfighting experience in the Navy or business know-how in the private sector are key attributes for red-team members and their leaders.

An Annapolis graduate, Walls joined EdgeWave shortly after retiring from the Navy last July. In the Navy, Walls directed forces conducting cyber operations across the global Navy cyber domain, including all Navy unclassified networks and websites. He also oversaw development and implementation of the Navy's first website vulnerability assessment capability and directed a cadre of sophisticated cybersecurity trainers and assessors conducting cooperative (blue team) and non-cooperative (red team) cyber-readiness assessments. He also provided penetration testing support to the Navy's operational test and evaluation force.



