by Ray Espinoza
Director of Security, Cobalt.io
What is a Blue Team… and Why Should You Care?
It’s even harder to build and scale a defensive cyber capability that can ‘keep up’
with the needs of a rapidly growing organization. Security tools and processes
that work well for a one or two-person team often don’t hold up when that same
team grows to 10, 50, or even 100 people.
Coping with ‘hypergrowth’ can be done, though — with careful planning and
execution.
In this guide, we’ll explain how to build defensive cyber capabilities (otherwise
known as blue teams) that are up to the task of protecting a rapidly growing
organization. But first, a definition:
— Wikipedia
The term blue team originates from the military, as does its opposite, the red
team. The blue team/red team approach was historically used for physical
security, but as with many military concepts, it translates well to cybersecurity.
When blue teams and red teams are brought together, you get… a purple team.
Purple Team
A purple team is an exercise that involves both teams working closely together to
maximize each other’s strengths and capabilities to drive improvement. It’s a
constant feedback loop. Knowledge transfer makes both teams better and more
efficient. But that’s a subject for another time.
First, you need a blue team that can safeguard your organization — both now and
in the future.
Figure: the foundations of a scalable blue team: Ticketing System, Preventative Security, Vulnerability Management, Incident Response, Operational Visibility, Security Monitoring, Playbooks.
Building a blue team that has the potential to scale requires planning and a solid
foundation to build from.
But building a foundation is something many small security teams outright avoid.
They believe formal structure and processes will slow them down and limit their
effectiveness.
If you want to remain functional as your organization grows, you must curb this
instinct. While ‘winging it’ might work now, it definitely won’t when your team and
its responsibilities start to grow.
Figure: the five foundations, numbered 1 to 5: 1. Ticketing System, 2. Preventative Security, 3. Vulnerability Management, 4. Incident Response, 5. Operational Visibility (ticketing tool logos shown: Jira, Github).
Many small teams work without a formal ticketing system. This is a big mistake. It
leaves them with no way to track or evidence workload, and makes it hard to
identify and learn from mistakes.
Log and track all incoming work. This is critical for resource management
and planning.
Track the origin and content of requests, so you know where the workload
is coming from.
As this information is recorded and tracked, it can also be used to make decisions
about future actions.
Figure: preventative security controls: Email Threat Detection, Multi-Factor Authentication (MFA), Endpoint Protection.
Preventative security is important for any blue team. For smaller teams that don’t
have the capacity to chase down every threat, it’s crucial.
When faced with a shiny new tool, the question to ask is: “Does this address a
genuine threat that our organization faces?”
Email Threat Detection — Phishing is still the #1 data breach and network
intrusion threat across all industries. For a small team that can’t respond to
every malicious email that hits a user inbox, filtering is vital.
Endpoint Protection — You know the drill. There are dozens of antivirus,
firewalls, and EDR technologies on the market. Identify a combination that
meets the specific needs of your organization… and doesn’t break the
bank.
Remember, you must consider which threats are native to your industry, vertical,
and physical location. While some threats are universal, others aren’t — and you
must be prepared for the threats you’re most likely to face.
When investing in a new tool, make sure you’re fully operationalizing it before
moving on. Equally, take the time to track and report on the ROI of your
investment. Do this consistently and each time you expand your preventative
security capabilities, you’ll maximize the benefit gained.
One final note: Avoid the pitfall of security through tool purchase. It’s difficult for
small teams to handle lots of tools, and they can easily become a burden. Be
specific and methodical about investing resources.
Figure: the three functions of Vulnerability Management: Asset Scanning, Vulnerability Scanning, Pentesting.
In Cobalt’s State of Pentesting 2019 report, we analyzed data from over 1,400
pentests. For the third year in a row, misconfiguration of systems and services
remained the top vulnerability class.
Bonus
Of course, everybody knows they need these three functions. What people
tend to forget is that VM programs need one more critical component:
Security incidents are inevitable. It’s not about IF they happen. It’s about WHEN
they happen, and HOW you respond and communicate.
Getting incident response right as a growing blue team boils down to four things:
Never let a security incident go to waste. Whether your response effort was
successful or not, learn from every incident and work to identify and address the
root cause. Don’t rely on ‘band-aid’ solutions that only address the immediate
problem.
Even the best processes fall apart if communication is lacking. To combat this,
have a formal procedure for communication and notifying stakeholders of
predetermined events. Your procedure should leave no room for interpretation —
if a stakeholder needs to know something, they should be notified immediately.
Scaling incident response is mainly about adding automation to the triage and
response activities. Responding to many incidents will initially require a lot of
manual, repetitive work, and replacing this process with automation frees up
resources and drives maturity within the security function.
The best way to ensure operational visibility is to work backward. You can do this
by:
Turning data into action takes more than an understanding of your environment
— it requires a centralized solution to collect and analyze data. For most
organizations, this is a Security Information and Event Management (SIEM) tool.
A SIEM is a critical tool for blue team scaling because it’s the only realistic way to
aggregate and learn from the huge volume of security data being produced. To
get maximum value from your investment, take the time to study and understand
the data you’re collecting and what you can do with it.
Every security team has piles of data and alerts. That’s not enough. What you
need is a consistent approach and response to it.
Data and queries used — which dataset will be used, and which specific
query will be run?
What needs to be done — What actions will ensure the desired result every
time?
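As an added illustration of the two playbook fields above (the dataset and query to run, and the actions that must follow every time), and of the earlier point that scaling incident response means automating repetitive triage, here is a small playbook runner. It is example code written for this page, not Cobalt’s tooling or any product’s API; the playbook name, the query threshold, and the action list are assumptions, and the authentication log lines are constructed sample data, not a real dataset.

```python
"""Minimal alert playbook runner (added example, not from the original guide).

A playbook is encoded as: which dataset it runs against, which query it runs,
and which actions follow. Running it over a dataset yields one ticket per
finding, with the same actions attached every time, so triage is consistent and
the work is tracked.
"""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample data: an authentication log, one JSON record per line.
SAMPLE_AUTH_LOG = """\
{"ts": "2024-05-01T09:00:01Z", "user": "alice", "src_ip": "203.0.113.7", "result": "fail"}
{"ts": "2024-05-01T09:00:04Z", "user": "alice", "src_ip": "203.0.113.7", "result": "fail"}
{"ts": "2024-05-01T09:00:09Z", "user": "alice", "src_ip": "203.0.113.7", "result": "fail"}
{"ts": "2024-05-01T09:00:15Z", "user": "alice", "src_ip": "203.0.113.7", "result": "fail"}
{"ts": "2024-05-01T09:00:20Z", "user": "alice", "src_ip": "203.0.113.7", "result": "fail"}
{"ts": "2024-05-01T09:00:25Z", "user": "alice", "src_ip": "203.0.113.7", "result": "success"}
{"ts": "2024-05-01T09:01:00Z", "user": "bob", "src_ip": "198.51.100.2", "result": "fail"}
{"ts": "2024-05-01T09:01:30Z", "user": "bob", "src_ip": "198.51.100.2", "result": "success"}
"""

Event = Dict[str, str]


def load_events(raw: str) -> List[Event]:
    """Parse newline-delimited JSON records into a list of events."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def failed_logins_then_success(events: List[Event], threshold: int = 5) -> List[Dict]:
    """Query: `threshold` or more failures from one (user, src_ip) pair that are
    immediately followed by a success from the same pair. The threshold of 5 is
    an assumed tuning value for this example."""
    fails: Dict[tuple, int] = {}
    findings = []
    for ev in events:
        key = (ev["user"], ev["src_ip"])
        if ev["result"] == "fail":
            fails[key] = fails.get(key, 0) + 1
        elif ev["result"] == "success":
            if fails.get(key, 0) >= threshold:
                findings.append({
                    "user": ev["user"],
                    "src_ip": ev["src_ip"],
                    "failures_before_success": fails[key],
                    "at": ev["ts"],
                })
            fails[key] = 0  # a success resets the streak for that pair
    return findings


@dataclass
class Playbook:
    name: str                                      # hypothetical playbook name
    dataset: str                                   # which dataset will be used
    query: Callable[[List[Event]], List[Dict]]     # which specific query will run
    actions: List[str]                             # what needs to be done, every time

    def run(self, datasets: Dict[str, List[Event]]) -> List[Dict]:
        """Run the query on its dataset and open one ticket per finding."""
        tickets = []
        for finding in self.query(datasets[self.dataset]):
            tickets.append({
                "playbook": self.name,
                "dataset": self.dataset,
                "finding": finding,
                "actions": list(self.actions),  # identical actions for every run
                "status": "open",
            })
        return tickets


# Assumed action list for this example; a real playbook's steps depend on the
# organization's own procedures.
SUSPICIOUS_LOGIN = Playbook(
    name="failed-logins-then-success",
    dataset="auth_log",
    query=failed_logins_then_success,
    actions=[
        "record the evidence in the ticketing system",
        "confirm the login with the account owner",
        "if not confirmed, invalidate the session and require a credential reset",
    ],
)


def triage_sample() -> List[Dict]:
    """Run the playbook over the constructed sample log and return the tickets."""
    datasets = {"auth_log": load_events(SAMPLE_AUTH_LOG)}
    return SUSPICIOUS_LOGIN.run(datasets)


if __name__ == "__main__":
    for ticket in triage_sample():
        print(json.dumps(ticket, indent=2))
```

Running the block opens a single ticket: alice’s five failures followed by a success match the query, while bob’s single failure does not. Each ticket carries the dataset, the query name, the evidence, and the fixed action list, which is the record a growing team needs to review its own response later.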
If you lack resources, find an MSSP to temporarily hold down the fort while you
get your house in order.
Bonus
For more on developing playbooks, read Crafting the InfoSec Playbook by
Bollinger, Enright & Valites.
Compliance is often a driver (although generally not the driver) for blue team
development. For example, a customer might insist that your organization get
SOC2 or ISO 27001 certified before they’ll work with you.
Beyond this, there are two things you need to realize about compliance:
Choosing and adhering to a major framework is essential, and not just for
legal reasons; and,
Once you’re compliant with a major framework, you’ve proven you can conform to
a set of rules and you have some basic controls in place. Once you’ve hit this
stage, you’ll need to take things up a level before you can really consider your
organization secure.
As the leader of a blue team, you must know where your organization is most
vulnerable. Start by identifying the critical information and systems you need to
protect and work backward from there.
Bonus
For more on threat modeling, read Threat Modeling: Designing for Security by Adam
Shostack.
Blue teams don’t exist in isolation. They need support to get things done, and that
requires buy-in from stakeholders. After all, those vulnerabilities you found aren’t
going to fix themselves.
The more you can turn stakeholder relationships into mutually supportive
arrangements, the more chance your team will have of achieving its objectives.
Other tips for building and maintaining strong stakeholder relationships include:
Be clear about what’s needed and when. Don’t leave room for
interpretation, and ask stakeholders to be very clear about what they need
from your team.
So long as they have stakeholder buy-in, small, flat security teams work well early
on. As the organization and team grow, you should consider splitting up teams to
maintain focus and effectiveness.
And physical structure isn’t the only consideration. Here are four more things to
keep in mind:
One or two underperforming members can damage the success of a blue
team. Holding people to account might seem unpleasant — and it can be — but
it’s critical to the success of the team that you identify and address shortcomings
before they can undermine your operations.
In the beginning, evidencing improvements in a blue team is easy. It’s all about
net-new capabilities — you implement a new system or process, and you get a
drastically improved outcome.
Sadly, this type of exponential improvement doesn’t last very long. Once your
team starts to scale, improvements become gradual. They require activities such
as:
While less dramatic than the wins you celebrated early on, these activities
demonstrate to leadership that you have a mature security function. And as you
track the performance of your blue team, you’ll keep identifying areas for
improvement.
If you don’t have time to read the entire guide (or you need a quick refresher) here
are the main learning points:
To find out more about how Cobalt’s Pentest as a Service helps blue teams
identify and address security threats, visit our website.