Jake Williams
“The blue team is not responsible for actually implementing secure configuration controls (that's the job of systems admins), but they do make the recommendations for configuration changes that systems admins may have missed.”
Twitter: @MalwareJake • Website: www.renditioninfosec.com
Jake Williams is an accomplished InfoSec professional with almost two decades of industry experience. After spending more than a decade in the U.S. intelligence community performing various missions in offensive and defensive cyber, Jake founded Rendition Infosec where he leads a team of professionals performing adversary emulation, incident response, malware reverse engineering, forensics, and exploit development.
How do you define a blue team?
A blue team is the core of an organization's defensive cybersecurity mission. The blue team is not responsible for actually implementing secure configuration controls (that's the job of systems admins), but they do make the recommendations for configuration changes that systems admins may have missed.
Additionally, the blue team helps inform strategy for the SOC on the specific threats they'll need to detect. While the SOC is generally in charge of writing their own correlation rules, the blue team ensures that the proper log sources are available for the correlations.
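The point above, that the blue team's job includes making sure the log sources a SOC correlation rule depends on are actually arriving, lends itself to a simple automated check. The following is an added illustration, not code from the interview or from Rendition Infosec: each hypothetical rule declares the log sources it needs, a constructed inventory records when the SIEM last saw each source, and the check reports rules that cannot fire because a source is missing or has gone stale.

```python
from datetime import datetime, timedelta

# Hypothetical correlation rules and the log sources each one depends on.
# Names are illustrative, not taken from any real SOC rule set.
RULE_SOURCES = {
    "lateral_movement_psexec": {"windows_security_4624", "windows_system_7045", "sysmon_1"},
    "brute_force_logon": {"windows_security_4625"},
    "suspicious_powershell": {"powershell_4104", "sysmon_1"},
}

# Constructed inventory of log sources: source name, timestamp of the last event
# the SIEM received from it. Note that windows_system_7045 is absent entirely and
# sysmon_1 last reported more than a day ago.
INVENTORY = """
windows_security_4624,2024-01-15T09:58:00
windows_security_4625,2024-01-15T09:59:00
sysmon_1,2024-01-14T02:00:00
powershell_4104,2024-01-15T09:50:00
"""


def parse_inventory(text):
    """Parse 'source,iso-timestamp' lines into {source: datetime}."""
    seen = {}
    for line in text.strip().splitlines():
        source, ts = line.split(",", 1)
        seen[source.strip()] = datetime.fromisoformat(ts.strip())
    return seen


def live_sources(seen, now, max_age):
    """A source only counts as available if it has reported within max_age."""
    return {src for src, ts in seen.items() if now - ts <= max_age}


def find_coverage_gaps(rules, live):
    """Return {rule: [missing sources]} for every rule that cannot fire."""
    gaps = {}
    for rule, needed in rules.items():
        missing = needed - live
        if missing:
            gaps[rule] = sorted(missing)
    return gaps


def coverage_report(inventory_text=INVENTORY,
                    now=datetime(2024, 1, 15, 10, 0, 0),
                    max_age=timedelta(hours=6)):
    """Tie the steps together; 'now' defaults to a fixed value so the example is reproducible."""
    seen = parse_inventory(inventory_text)
    live = live_sources(seen, now, max_age)
    return find_coverage_gaps(RULE_SOURCES, live)


if __name__ == "__main__":
    for rule, missing in coverage_report().items():
        print(f"{rule}: cannot fire, missing {', '.join(missing)}")
```

Distinguishing "never collected" from "collected but stale" matters in practice: a forwarder that silently stopped two days ago leaves a rule looking configured while producing no detections, which is exactly the sort of gap the blue team is positioned to catch and hand to the systems administrators.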
What are two core capabilities that a blue team should have?
It's hard ...