8 Lee Brotherston
“I would classify blue team as anyone whose primary focus is defensive practices.”
Twitter: @synackpse • Website: linkedin.com/in/leebrotherston and squarelemon.com
Lee has spent the majority of his career in blue team roles including engineer, incident response, consultant, forensics, and leadership positions. These roles have spanned many industries such as telecommunications, finance, hospitality, transport, and IoT. He is the co-author of The Defensive Security Handbook (O'Reilly), and he regularly speaks at conferences on a number of information security–related topics.
How do you define a blue team?
This definition is actually harder than I thought. Every time I start with something like “improving the security posture of an organization,” the definition falls apart because a red team also attempts to do this via other means. So, in the broadest sense, I would classify blue team as anyone whose primary focus is defensive practices.
What are two core capabilities that a blue team should have?
Communication is a core capability. If a blue team cannot speak to people in other areas of the business effectively, then their ability to effect change will be severely impacted. This is true in the cases of both strategic initiatives and operational tactical decisions. Ultimately the security team probably doesn't wield ultimate power and so will rely on the support ...