Tribe of Hackers Blue Team - Tribal Knowledge from the Best in Defensive Cybersecurity

by: Marcus J. Carey, Jennifer Jin

Wiley, 2020

ISBN: 9781119643425, 368 pages

Format: ePUB

Copy protection: DRM

Mac OS X, Windows PC, all DRM-capable eReaders, Apple iPad, Android tablet PCs, Apple iPod touch, iPhone and Android smartphones

Price: 16.99 EUR

1
Marcus J. Carey


“At a micro level, the blue team consists of the individuals directly responsible for monitoring, defending, and responding to incidents.”

Twitter: @marcusjcarey
Website: www.linkedin.com/in/marcuscarey

Marcus J. Carey is a cybersecurity community advocate and startup founder with more than 25 years of protecting sensitive government and commercial data. He started his cybersecurity career in U.S. Navy cryptology with further service in the National Security Agency (NSA).

How do you define a blue team?

At a macro level, the blue team is the entire organization, including the end users and customers. I say that because your end users and customers will be the first to notice when something goes wrong from a security perspective.

I know it's extremely awkward to have a customer let you know there is a security issue, but time and time again they end up saving us. Everyone is part of the team.

At a micro level, the blue team consists of the individuals directly responsible for monitoring, defending, and responding to incidents.

What are two core capabilities that a blue team should have?

I believe network visibility and log management are the two core capabilities every blue team should strive to master. In traditional infrastructures, network visibility allows organizations to understand what is happening on their network such as authentication, domain resolution, and all sorts of chatty protocols.

Network visibility goes hand in hand in the sense that not only do you have to ensure you can see what's going on on the network, but you also need to make sure that information sources are logging events. They also need to ensure that the data is captured and can be analyzed (some in real time) for breaches.

This usually requires a log management system that requires enough storage to be useful for troubleshooting and forensic investigations.

TLDR: You have to make sure you are logging all the right stuff and that stuff can be retrieved for troubleshooting and incident response. Without those, you are probably playing security theater.

What are some of the key strengths of an incident response program?

I'm going to use the age-old concept of building a home-court advantage. You need to have a competent staff, which means you should invest in training and in hiring personnel hungry to learn and grow.

Solid incident response programs are built on top of knowing as much as possible about your system, software, and network infrastructure. You have to be able to ignore all normal activity as much as possible and zero in on the bad stuff.

Getting to zero is impossible because software will behave in weird ways, systems vary from organization to organization, and users are going to do unexpected things. The key is to keep pushing, improving, and automating as much as possible.

How can blue teamers learn, practice, and grow?

I'm a big fan of the 80/20 model when it comes to learning and practicing your craft. Blue teamers should be able to spend 20 percent of their time on ongoing education and practicing new skills. It's a cycle in the sense that you learn first and then put those skills into practice, and the growth part is learning what works and what doesn't.

There are tons of free information sources that blue teamers can learn from. One of the traits of good blue teamers is their ability to self-study to solve problems. If you are hiring blue teamers, you should look for instances where they picked up new skills on their own.

If you are currently looking to get into a cybersecurity job, the most important trait that many hiring managers look for is your ability to self-study and learn new skills. You should “learn how to learn” and apply new skills. You'll drastically increase your value on the job market.

How do you reward good blue teaming work?

Compensate them properly and don't have them doing unnecessary security theater-type work. I personally make a promise to anyone who works with me that I'm going to ensure they are able to level up in their career. At some point in the future when they leave, their career will be on a higher plane. I sometimes see organizations stunt growth in order to retain personnel, which is wrong and always backfires.

What are some core metrics that a blue team can use to build, measure, and maintain a successful information security program?

When it comes down to it, blue teams will be measured ultimately in the mean time to detect breaches and mitigate the threats. To achieve this, the blue team is going to need to have the right people, processes, and technology to make it happen. The people need to be skilled, the processes have to be sharp, and the technology must be fully leveraged. Along the way, you have to continuously measure the mean time to detect in order to improve and maintain those capabilities.

Where would you start if you were the only information security staff member at a small to medium-sized business with a primitive security infrastructure?

There are a ton of free resources from the National Institute of Standards and Technology (NIST). In particular, NIST's Cybersecurity Framework (CSF) is an amazing resource that any organization can pick up and start implementing.

In addition to the NIST CSF, there are several special publications (SPs) that they provide that I highly recommend for self-assessments, including these two:

  • NIST SP 800-115: Technical Guide to Information Security Testing and Assessment
  • NIST SP 800-37: Risk Management Framework for Information Systems and Organizations

What is the most bang-for-your-buck security control?

Limiting administrative privileges is the biggest bang-for-your-buck security control. Just by limiting these privileges you are going to reduce the number of intrusions on your network. It will keep people from installing unauthorized, bootlegged, or cracked software.

Attackers typically inherit the level of the user or service that they compromise. This means that they will not initially have privileges to do whatever they want on the system if they aren't administrators. If the attacker has to escalate privileges, it's another opportunity to catch them in their tracks.

Has your organization implemented any deception technologies?

No.

Where should an organization use cryptography?

The most effective places to use encryption are virtual private networks, web page logins, and full-disk encryption.

VPNs typically use encryption to keep the data private from end to end. Web page logins need to be encrypted so usernames, passwords, and all the other authentication data remain secret. Full-disk encryption is important in case a computer or laptop is stolen and the data on the disk is protected.

How do you approach data governance and other methods of reducing your data footprint?

I learned in the military that you always want to keep as little data as you can. Keep only what you are required to by law or compliance. Don't keep unnecessary customer or employee data. Time and time again we see crazy stories of how organizations kept all their customer data around unencrypted on premises and in the cloud. The best way to avoid this is to not have the data in the first place.

What is your opinion on compliance?

I'm okay with compliance because it does set a bar and create a minimal threshold that organizations should adhere to. I hope that by now people realize that compliance is the absolute bare minimum and doesn't mean that they are secure by any means.

In addition, security leaders need to ensure they are communicating honestly.

Is there a framework that aligns the activities or functions performed by the blue team with regulatory compliance requirements?

I'm a huge fan of the NIST Cybersecurity Framework because it recommends continuous testing and evaluation of the security program at a higher level than most generic compliance standards.

How do you engage all the different units of an organization to maximize defense?

You have to work together to include all the different units of the organization as members of the blue team. Even if separated into different units, roles such as system administrators, network engineers, software developers, etc., need to be part of an internal cybersecurity review board that communicates and reduces risk across the organization. That same team would be great in incident response when that eventual intrusion happens. When an incident happens, it shouldn't be the first time everyone is in a room together.

What strategies do you use to communicate the threats you encounter to nontechnical decision-makers?

I think security professionals need to speak more in terms of business risk and become educators to nontechnical decision-makers. The business should drive all security decisions. So, the security leaders need to be able to break down how security decisions impact the business in business lingo. Also, the blue team needs to help all members of the organization understand security concepts and how user decisions can impact the organization.

What recommendations do you have for managing nontechnical executives' expectations during a significant ongoing incident?

I recommend doing tabletop exercises with executives at least quarterly and going through the most likely...