1 Marcus J. Carey



Twitter: @marcusjcarey
Website: www.linkedin.com/in/marcuscarey

Marcus J. Carey is a cybersecurity community advocate and startup founder with more than 25 years of protecting sensitive government and commercial data. He started his cybersecurity career in U.S. Navy cryptology with further service in the National Security Agency (NSA).

How do you define a blue team?

At a macro level, the blue team is the entire organization, including the end users and customers. I say that because your end users and customers will be the first to notice when something goes wrong from a security perspective.

I know it's extremely awkward to have a customer let you know there is a security issue, but time and time again they end up saving us. Everyone is part of the team.

At a micro level, the blue team consists of the individuals directly responsible for monitoring, defending, and responding to incidents.

What are two core capabilities that a blue team should have?

I believe network visibility and log management are the two core capabilities every blue team should strive to master. In traditional infrastructures, network visibility allows organizations to understand what is happening on their network, such as authentication, domain resolution, ...
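To make the two capabilities above concrete, here is a small added example (not from the book or from Marcus J. Carey) of the kind of log management a blue team builds on top of network visibility. It parses constructed authentication and DNS-resolution log lines (the line format, hostnames and addresses are all assumptions made for this example), then summarizes failed logins per source address and which domains each host resolved, so that an analyst can spot repeated failures or unusual lookups.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not real data); a mix of authentication and
# DNS resolution events as a simple visibility feed might record them.
SAMPLE_LOGS = [
    "2024-05-01T08:00:01Z auth host=web01 user=alice src=10.0.0.5 result=success",
    "2024-05-01T08:00:07Z auth host=web01 user=admin src=203.0.113.9 result=failure",
    "2024-05-01T08:00:08Z auth host=web01 user=admin src=203.0.113.9 result=failure",
    "2024-05-01T08:00:09Z auth host=web01 user=admin src=203.0.113.9 result=failure",
    "2024-05-01T08:00:10Z auth host=web01 user=admin src=203.0.113.9 result=failure",
    "2024-05-01T08:00:15Z dns host=ws17 query=updates.example.com type=A",
    "2024-05-01T08:00:16Z dns host=ws17 query=x9f2k1.example.net type=TXT",
    "2024-05-01T08:00:17Z dns host=ws17 query=a8b7c6.example.net type=TXT",
    "2024-05-01T08:00:20Z auth host=db01 user=bob src=10.0.0.8 result=success",
]

# Assumed line layout: "<timestamp> <kind> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>auth|dns) (?P<rest>.*)$")


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": m.group("ts"), "kind": m.group("kind")}
    for field in m.group("rest").split():
        key, _, value = field.partition("=")
        event[key] = value
    return event


def failed_auth_by_source(lines):
    """Count authentication failures per source IP address."""
    counts = Counter()
    for ev in map(parse_line, lines):
        if ev and ev["kind"] == "auth" and ev.get("result") == "failure":
            counts[ev["src"]] += 1
    return dict(counts)


def dns_queries_by_host(lines):
    """Map each host to the sorted list of domains it resolved."""
    seen = defaultdict(set)
    for ev in map(parse_line, lines):
        if ev and ev["kind"] == "dns":
            seen[ev["host"]].add(ev["query"])
    return {host: sorted(queries) for host, queries in seen.items()}


def flag_repeated_failures(lines, threshold=3):
    """Return source addresses whose failure count reaches the threshold."""
    return sorted(src for src, n in failed_auth_by_source(lines).items() if n >= threshold)


if __name__ == "__main__":
    print(failed_auth_by_source(SAMPLE_LOGS))
    print(dns_queries_by_host(SAMPLE_LOGS))
    print(flag_repeated_failures(SAMPLE_LOGS))
```

The point of the example is the pairing Carey describes: visibility supplies the raw authentication and DNS events, and log management turns them into per-source and per-host views that an analyst can review. The threshold in `flag_repeated_failures` is an arbitrary illustration value, not a recommended setting.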
