46 Jayson E. Street
“Every employee has defensive responsibilities as part of their role, no matter what their main role might be. This means from the CEO to the mail room.”
Twitter: @jaysonstreet • Website: JaysonEStreet.com
Jayson E. Street* is an author of the Dissecting the Hack series, the DEF CON Groups Global Ambassador, and the VP of InfoSec for SphereNY. He has also spoken at DEF CON, DerbyCon, GRRCon, and several other “CONs” and colleges on a variety of InfoSec subjects.
How do you define a blue team?
Blue team, I believe, means anyone working for the company in a position that involves specific defensive functions. I designate it that way because every employee has defensive responsibilities as part of their role, no matter what their main role might be. This means from the CEO to the mail room. However, blue team designates those in information security such as the SOC, network security, DFIR, etc.
What are two core capabilities that a blue team should have?
A comprehensive incident response skillset and established procedure for reacting to a breach.
While blue teams should have creating a defensive perimeter to prevent compromise as a top priority, in this day and age they should also be prepared just as equally if, and most likely when, a breach occurs. To think fortifications are what ultimately is going to protect you is not just outdated but foolhardy! We need ...