
All right, good morning everybody. I will assume that you can hear me, because I'm quite a loud person on the best of days. My name is Peter Jones, also known as the Cyber Badger. Why do I call myself the Cyber Badger? Because I'm not going to tell you who I work for; it's quite simple. It's good to be back. I am from the motherland; I don't live here anymore, so it's nice when I get an excuse to come up home. These days I tend to have a nice walk towards the beach, so you've got something to do some source investigation on. I commute to the office one day a week, because that's another 200 miles away, so 300 miles to get here. Calculate 200 miles from this conversation, and if you can work out who I work for, give me a CV. Auditor by trade. I've been a consultant, I've been an author, I wrote a number of books, I've also been on TV and radio, which probably explains why I'm so bloody loud. I made a career in digital forensics; that's where I started, breaking into mobile phones, and when I say mobile phones, if you're a bit too young for this I apologise, but breaking into that first Apple phone, the first Windows phones, and when I say the first Windows phones I mean the ones in 2003, not the ones in 2011.

I'm a university lecturer; I have taught at a number of universities on the M62 corridor. More recently I'm one of the chairs of the Chartered Institute; I cover the South West, another clue as to where I am based. I'm also the co-founder of the South West Cyber Security Cluster, yes, you're getting there, and I'm also a mentor for these lovely ladies at the bottom.

So what's this talk about? We're on a blue team track, aren't we. I've been a CISO, so you're all automatically thinking, is that a pretentious prick, or he doesn't know what he's on about, we're all super technical and he's probably not. Well, I've just told you about my background, so hopefully that gives you an idea of the track I've taken to get where I am. I deal with incident response on a regular basis, false positives, cyber defence, GRC; I've got a SOC to deal with on a regular basis, the old supply chain management, and I deal with pen testers. And yes, like Holly said downstairs, I do ask you how you're doing every couple of hours, do you want a brew, because I'm actually quite a nice guy like that. I don't send other people to make brews; working down south, I make a wicked cup of tea, so if you're a pen tester in my environment, you'll be all right.

I'm talking about practical blue teaming, and the reason I wanted to do this talk is because I get people who assume my environment; they assume they know what they're coming to face. Well, my day to day, bearing in mind thinking about incidents and all that stuff: I'm always looking for the latest attacks, the latest threats against the business. I am looking at threat intelligence; I'm not paying somebody else to do it, I'm looking for it. What might be the same for you is not the same for me. I'm also looking for issues to exploit; I am that guy with the head-above-the-parapet mentality, I want to look for problems. And CISO meetings, I have bloody loads of them, and I will do my damnedest to get out of them, or I'll go in: what do I need to know? Well, we've got an agenda. No, no, what do I need to know? Well, we need to sign off this. Luckily I get to attend most of them virtually, so I'll just turn off the camera, turn off my microphone and carry on with what's come into my inbox. I'll deal with those little security worries myself. I can't hear a single violin going on right now.

What this isn't about, and this is the most important bit: this is not about me bashing consultancies for the next 30 minutes, well, 25. It's perspective. It's also not me on a rant about tools you can buy in the market; there are lots of fantastic tools. And it's not... oh, I'm going to throw that out, forget about it. There's a lot of perspective. A lot of people try to be general about blue team: buy our... buy our product, it will solve your problems. Well, actually there's a lot of stuff I have to deal with all the time, and I've got to sort of work out what my day to day is about, otherwise I will be working 24/7 and never get to sleep.

So what's my noise? My noise is alerts, listening to business priorities, because I tell you now, my business priorities are not the same as the actual business's, because they want to go off and do their thing; they want to do the thing that earns millions for the business. The noisiest threats are actually ambulance chasers. I hate ambulance chasers; it frustrates the hell out of me, because it's all about perspective. What do I mean by that? Well, I'll tell you what, let's just rewind a bit. Log4j was probably, for me, one of the biggest grenades I got thrown, and it was pretty genuine. I think we all went, what the hell is this Apache vulnerability, and then we all lost our Christmas. I actually lost my Christmas, and that cost me dearly with the wife; I think it's still cost me daily ever since, and we still find Log4j issues now. OK, fine, that was a critical; that was something we all had to jump on and get resolved. But then I'm hearing the same war sounds and seeing the noise about MOVEit. Well, I don't know about you, I'd never bloody heard of it, never heard of this transfer tool. I was panicking, and we're going on conference calls, and I go on conference calls with all the CISOs in the industry I work with, which is about usual; nonetheless, nobody else had heard of it. Right, we'll need to check our supply chain. Nay, never heard of it. It is actually a big problem, just not for us. What's my inbox say? Patch, patch, patch, everybody buy. Ah, come on, context.

There's a lot of reality, though, that I've got faced with: not everything I do is going to align to the business objectives. Also, you're all going to be pretty techy in this room; actually, from a CISO's perspective, I'm sitting down with financial officers, CEOs, managing directors for multiple countries for the same company. My American friends will have a different priority to my UK friends, but there's only one of me who's got to cover all of them. So when they turn around and say align your security strategy to your business objectives, good luck with that; I can't do that. So this is where blue team as a principle is really, really important. I just see it on LinkedIn; LinkedIn is the new Twitter, I would probably say. There's a lot of noise, the same old blah blah blah: CISOs need to sit on the board. No, no, don't. I'll actually have no benefit to the company sat on the board, zero benefit. However, I need executive comms; that's what I need. I need to be able to talk to the various companies, or parts of the company; that'll actually make my job a lot easier, to get the message across. But we've not even got to the point of the people I work with, the people who sit with me and behind me: perspective and the budget needs. More and more I'm still hearing the line of oh, it's really difficult to get security budget. Well, actually, if I speak to CISOs, security budgets tend to be ring-fenced these days, so the message isn't always lining up. And just remember, execs don't know what you're doing; you are witchcraft, you are black arts. I had an interesting conversation with our CFO recently, and he turned around and said, I just thought you were a technical nerd who likes to sit in the corner and do your thing. I wish I could do more of it. What is going on?

So that's the first thing from a blue team perspective. And I've purposely stolen CrowdStrike's threat landscape report. I have no affiliation with CrowdStrike, nor do I really give a toss what they sell; I just want to make a point about reading the threat landscape report. It's really, really important. My threat landscape will have something different to their threat landscape; yours will be different to their threat landscape. But there are key pieces of information. Actually, breakout time, OK, I'm listening, because what we're here to do is defend. And I'm seeing the industries of what's being affected, and I'm going, oh yeah, all right, OK, we're quite popular. We're quite popular. No, no, I see diagrams like this: noise, absolutely noise. And I'm sure it's really interesting for selling their products. And I stole this from one of our keynotes today, and I don't disagree with this, by the way: any security tool badly managed will not enhance your cyber security posture. Stop buying the tools and start applying sense to cyber defence. Well, I've got 20 minutes to convince you that's absolutely right, because, let's hold up a second, what you're telling me is there are no silver bullets in the industry. Well, yeah; hopefully, if you've not got that message by the first 10 minutes of this talk, I'm failing at what I'm trying to get across. And particularly because I have these sorts of people knocking on my door: can I take you for a coffee, can I take you for lunch, pay the account? Because I don't care for myself, I'm still a tight Yorkshireman, but it's stuff I've heard all before. And I emphasise as well, I am pretty technical, I actually say that, but for those CISOs who aren't, and for those who have got there via other means, and they'll be played by this because he's recording me, everything else... I'll say it off camera. They won't have the same technical expertise. There we go.

So what is "just enough"? Well, this is the sort of tidal wave I still have to battle, regardless; I'm quite confident in what I do as a professional. Policies and procedures being reviewed annually and underutilised, and that drives me insane. I actually do it in my own time, to go, OK, what about this? Yeah, what do I do? I'm not going to SMS, yeah, but what am I looking at? So what I've started doing is, when it comes to audits, I don't go to audits anymore; you go. So when they turn around and go, well, they couldn't find this policy or procedure, no problem, that's obviously an opportunity for improvement. Training: I find ways of utilising it. One-off annual training: it's a bit of work, but you're just not going to get that message across. It's very similar to what Holly was saying downstairs: one-off pen testing, great, a snapshot in time. Treating audits as tick boxes. And actually my favourite story, and this happens with one of my first cohorts: they learn about audits for the first time and they're dreading the audit. Well, speaking as an auditor, I was like, what? Audits are your best friend. Why? Because somebody else is finding my gaps, my opportunities to make my life easier. So what's wrong with an audit? And I actually recently had a conversation with a colleague, because I can't accept that. Why? It's because of what's going to go to the board. Wow, why am I bothered? Because it gives me the opportunity to say, actually, we're doing something about it; we're growing as a business, and financially we'll do better at this point. The two latter points are unfortunately still a big thing: buying antivirus products and thinking you're protected. People still think that; we've still got compliance standards where having antivirus is a tick box. Right, let's have a firewall and put allow-all, and nothing is broken, so why fix it? These are "just enough", and the reality is this happens.

So let's get some value out of this talk, because people have suffered it for 15 minutes. Let's get back to the basics of blue team. Blue team is not all about being sat behind the keyboard. We buy tools like CrowdStrike, Darktrace or whatever; what is the risk? That's the problem, this word risk. And actually the people who care about the R word do not care about the tool; they just want to make sure they can continue doing their business operation. So when they're coming to sell that product, you're not going, so it covers identity protection and anti-virus and sometimes it can make me a cup of coffee. If you don't know what risk you're trying to protect against, you've lost the first rule of blue teaming. And also, not every tool solves every threat, and that's your ambulance chasers: buy our tool because it'll protect you from MOVEit. Well, let's touch on it: it's a patch, like everything else; I'll patch it. You do a process, that policy and process or procedure, that GRC component that actually says no, I don't need to spend thirty thousand dollars, I can continue what I'm doing, because that's part of the blue teaming cycle. And most importantly, that tool is exactly what it is: a spanner, a screwdriver in your toolbox. It's just a tool.

And I like this; I got this from LinkedIn as well. This is the reality of what's going on: we've got a lot of noise from the tool vendors. From a security point of view, security teams are always overstretched and exhausted. My security team internally is tiny compared to the whole business; we must take up 0.1% of the business. We work 24/7, all hours God sends; even this morning there were security alerts. We have too many competing priorities, and weirdly my team just gets left to it a lot. I have a reporting line, but because people are more bothered by their Excel crashing or the coffee machine not working, while we're doing our thing we fall off the radar. Such an odd thing: we're doing it, we're doing a good job, but we could do with some help. Yeah, but people need coffee. Yeah, all right, OK. And we lack resources for security awareness and behaviour; you know that, and that's been a really interesting thing for a long time. And I'll put this on the table, because obviously we're in the Tweed room, the only northerner in the village: I feel like I am the tick box exercise in the office. Andrew has been to one of our CISO meetings and could vouch for that very, very quickly. What I do for culture, because I'm going to guess you're fairly to the point like I am, doesn't always work with colleagues inside the M25, not in the same way. So that's great.

What's not here: blue team is not about looking for failure, nor should consultants be assuming you're failing. Good, and we've had a couple of good talks this morning; we just want to improve things, don't we? We want to make sure we're actually defending the business. And I actually had an auditor, well, I brought a consultant in to do an internal audit, and if he's watching this on YouTube later, I'm talking about you, who says, right, we're going to do an internal audit, I want to see why you're failing. I stopped him dead. It's hard enough for me, who's a qualified auditor, to bring somebody else in, because it gives proof of independence, and he wanted to see why my systems are failing. Well, I said, if that's the case, you're not coming in. He didn't reply to my emails after that; I had to ring up his bosses and ask why he's gone. He was a bit upset with your response. Who's paying for this service here?

So all right, I've griped a bit; I've ranted a little bit. And we're talking about that far column: I think it's important to know the other streams, and as Holly said upstairs, your pen testers think they're the best thing since sliced bread. All right, they know a bit, but those of us in blue team as well, I like to think we've got quite a good knowledge base. Blue team is said to be a well-oiled machine, and that's what we want to achieve. We're not just there to keep the lights on. And I kind of always think about The IT Crowd; I forget the character's name, Noel Fielding plays it, and he comes out and goes, I just watch the lights. I think sometimes that's what people think blue teams do, so therefore we get pigeonholed, because we're not sexy and exciting, and actually I think we do a better job than they do. Yeah, fine, there are some basic gaps that pen testers find fairly easily, like getting to domain admin. And also the other issue about blue team: it's very difficult to go up a promotional ladder; there's nowhere really to go, so why would you want to be in a blue team? The skills a blue team needs, I think, are poorly measured. Pen testers have a lot of goals, but this is blue team; I'm going to have a go at this. Pen testers measure what they're doing really well by how they progress through the attack chain, and they can sort of pat themselves on the back: I did a good job because I got a certain amount of movement in the network. Well, actually, on blue team I would argue we've got to know a lot more. However, nowhere on this slide does it tell you you have to be an expert.

So, casting me back to my university days: there's a big difference between information and knowledge. It's about having experience, familiarity, being able to use your experience to defend the business as best you can and not be generic, like some of the vulnerability announcements we've had previously. So if you are thinking about coming into blue team, all right, whilst it's not massively measurable, there's not a lot of work to do, quite frankly. The practical bit is about understanding what you're trying to protect in the first place. Let's go back a couple of slides: risk, information, data, or what I tell my business is, why am I trying to protect you? You're not losing your jobs. You said, I've got nothing to do with security. Yeah, but if I get a 40 million pound ransomware, that's your bonus gone. Do you want to stay? Oh, well, what do you mean my bonus is gone? We've got another snippet: somebody in the industry I work in had to pay 40 million recently, in the last two years, and it was in dollars as well.

Just taking another, slightly more sceptical approach: what works? The message about scoping that pen testers do: are we looking to protect PII? Maybe. PCI information? Maybe. Are we looking to protect customer information? Maybe. Am I looking to protect the print server? Possibly, maybe; depends on where it is in the infrastructure. But be prepared to do your research; don't wait for people to come to you. And that's a big thing about blue teaming: you can be proactive, you don't have to be reactive because you're still watching the lights flickering in the server room. And don't fall into the traps; probably the geekiest slide I'll put in my deck today. Thinking nothing's ever changed: speak to IT, nothing's changed. The patch? Oh yeah, we've patched. Did you change the configuration? Well, you have to change the configuration. Has anything changed? No. People change, processes change as well, and what's even worse is when people or processes change and you don't know about it. But it's not practical to know about it, because you might be a one thousand, two thousand, fifty thousand people business and the security team is still five. And also thinking that your tools are already protecting you.

So one of the things I talk about, beyond what we've had so far, is verification and validation. If you go into incident response or forensics you kind of get forced down this line, but I think it's useful to be aware of it. You've got ISO 17020, which is for incident response, and 17025, which is for forensics; I think they're really useful, and you're less likely to be compliant against them in the private sector because you don't have a requirement. It's in there: it talks about verifying the tool is doing its job, validating the process. Point: did you check your antivirus is doing its job? I ran it, I downloaded EICAR. OK, how did you validate that was actually a thing? I'm actually going back to my friends at CrowdStrike; that's why they had such a problem with Cyber Essentials for such a long time, because of how their program works, it ignored the EICAR. Look at what you're doing, look at your infrastructure, look at how your tool is working. I will quite happily say I'm an advocate for Darktrace. Darktrace has such a bad rep because of LinkedIn, but actually if you spend time and effort tuning it, working with it, validating its results, it's actually a really beautiful tool. But of course I got it in, this is