45 Chris Sistrunk


“Often, the blue team is responsible for identifying risks, vulnerabilities, and threats, and for leading incident response or risk mitigation activities.”

Twitter: @chrissistrunk
Website: www.linkedin.com/in/chrissistrunk

Chris Sistrunk is the technical manager on the Mandiant ICS/OT security consulting team at FireEye, focusing on protecting critical infrastructure. Before FireEye, Sistrunk was a senior engineer at Entergy, where he was a subject-matter expert for transmission and distribution SCADA systems.

Sistrunk was awarded Energy Sector Security Professional of the Year in 2014. He is a senior member of the IEEE and is a registered professional engineer in Louisiana. He founded BSidesJackson, cofounded the BEER-ISAC, and helped organize the ICS Village at DEF CON 22. He holds a BS in electrical engineering and an MS in engineering and technology management from Louisiana Tech University.

How do you define a blue team?

A blue team, simply put, is a group of people tasked with proactively defending/protecting a system or network from threats. Often, the blue team is responsible for identifying risks, vulnerabilities, and threats, and for leading incident response or risk mitigation activities.

What are two core capabilities that a blue team should have?

People and tools.

The people must have that curious mindset that seeks to find the unexpected. Also, ...
