
Hi everyone, welcome to Improvise, Adapt and Overcome: Leveling Up Your Blue Team. I am Mark Orlando, and over the next 50 or so minutes we're going to talk about ways that you can level up your blue team. I'll talk about some of my experiences, both positive and not so positive, and we'll talk through a variety of different things within blue team. For the purposes of this discussion, whatever blue team means to you, however you define that, I'm going to use the phrases blue team, security operations and cyber defense somewhat interchangeably.

Digging into a little bit more detail, over the next several minutes we're going to talk about some common challenges that we all face, that I've seen many, many times working with various blue teams, and what we can do to address and overcome those challenges. We'll talk about some of the fundamentals: basic things that if you're not doing, or not doing right or well, you're really going to have a tough time leveling up and making the kinds of improvements and having the kind of impact that you want to have. We'll talk about measurement: you can't manage, you can't improve, what you can't measure, and we'll talk about ways that we can do that so that we know how and when we're improving. We'll cover some of the pitfalls in making those improvements and trying to get where you want to be, and then my favorite part of the talk, which is dumb things that I've done: mistakes that I will share with you that hopefully you can learn from, and I'll share a little bit about what I learned from those as well. We'll close out by talking about things that you can do today, and things that you can do in the coming weeks and months and beyond, to make specific, measurable improvements in your security operations and in your blue team. So let's dive in. Why me? Why am I the person giving this talk today?

Blue team is a passion of mine. It's where I've spent all of my career in security, for the most part, going back about 19 years that I've been working in security operations. Today I'm the co-founder and the CEO of Bionic, which is a blue team focused cyber security company. Before that I built, led and worked in security teams at the White House and the Department of Energy, I was the CTO for Raytheon's cyber business, and I spent many years on the managed security service provider and MDR side of things as well, working with a variety of different customers. I'm also an instructor at the SANS Institute; I teach SEC450, which is Blue Team Fundamentals: Security Operations and Analysis.

Now, why am I giving this talk? It's a very good question. In my experience, especially in recent years, I've seen a lot of investment going into security operations and into blue team. Of course we can always do more and do better, but by and large organizations are spending a lot of money on their cyber defense these days, and in doing that we tend to focus a lot on the technical: buy this, buy that, add this technology, you have to have that technology. But we often miss some of the other stuff, some of the really important stuff that makes those technologies effective and enables us to have a real, meaningful impact in driving risk down and defending the enterprises for which we're responsible. Unfortunately, again by and large, in the aggregate, we're still failing. Sure, we're having some success, we're moving the needle in some senses, but breaches are still happening, we're still getting compromised, we're hearing about this stuff all the time, and we're not driving up attacker cost as much as we should be for the amount of money and resources that we're spending on this problem. So in order to really start driving things in the direction that we need to drive them, we need to make a mind shift, and in doing that, the reality is that we can do a lot without a huge investment. We can do a lot without the most expensive next-gen advanced technology that's on the market, and we can also do it without building up a huge, unsustainable security team. So for the rest of our time together I'm going to focus on the non-technical parts of blue team: how the teams are run, what are the things we need to focus on. There are other really great presentations and resources out there that address the technical end of defense and blue team, but we're going to focus primarily, not 100 percent but primarily, on some of those other areas where we need to focus.

Just to set the stage for the rest of our discussion, what are the challenges that I've seen in my experience working in this part of the security field? These are some of the major ones. First off is lack of business alignment. This is probably not news to anyone on the receiving end of this presentation, but what I see is that security teams often operate in a vacuum, or maybe according to some generic set of best practices, not so much aligned to the enterprise that they're defending. We often forget, or lose sight of the fact, that businesses don't exist to be secure. We're there to support the users, to enable the business or the agency or the organization to do what it does and to generate the value that it generates, in a secure way. We won't always be able to do that; sometimes we have to take a back seat to that mission or that business. Either way, I still see many teams that are just not fully aligned to the enterprise they're defending, the business they're defending.

When we talk about mind shifts, I also see what I call the alert watcher mentality. I think many security teams have started to grow beyond just "log in, watch for alerts, escalate them when you see them," but I still see that mentality creeping into daily operations in a lot of places that I come into. That might not always look like "something flashes red, open a ticket, route it." Maybe we're a little past that, but even if we are, I still see tools and events and vendors driving workflow much more than I see security teams devising their own workflow to meet the needs of the business, aligning with the business or the organization, and then making the tools support that workflow. It's a really important distinction, and one that I see not being made nearly as often as I'd like.

We have the sustainment mentality in security, and security operations is primarily where I see this: we have a build-out phase and then we have ongoing operations, and once we've built everything out, once we've deployed all those nice fancy tools, it really just comes down to keeping those things going. Sustainment, ongoing operations. This is a really dangerous mindset. It can lead to burnout, it can lead to a lackadaisical approach to security, and it can prevent us from growing and evolving the way that we need to.

Then finally, data and tools. This is the currency of blue team and security operations: the data that I have, and the technology that I'm using to manipulate, analyze and take action based on that data. Either we have too much of that (in a lot of organizations I see far too much data, and maybe it's not the right kind of data in a lot of cases: too much noise, not enough signal), or too many tools, or not enough tools, or not the right tools. While it's not all about technology, we do need a good balance of the right kind of visibility, the right kind of actionable data and the right technology to help us scale our human expertise, be creative, and do what we need to do from an investigative and escalation standpoint.

So those are some of the big challenges that I see that we need to overcome if we really want to level up and improve. Before we start talking about ways that we can do that, really getting to the meat of it, I want you all to consider these things, because in my opinion many of the pitfalls, and many of the ways that we need to overcome some of the challenges and improve security and improve what we're doing on the blue team, come down to one of these things. The mission: either we're not as fully aware of it as we should be, we're not supporting it the way that we should be, or we're not aware of what our own role in that larger mission is within the business or the organization. How we're leading our teams, and how those teams are motivated, or in some cases not so motivated, is going to make a huge difference. And then the culture we're building within the blue team. I'm going to dive into all of these things in much more detail in the next few minutes, but again, by and large, most of the challenges and issues I see in the blue teams that I work with come down to one of these things. So when I talk about fundamentals,
what am I really talking about? We have to get back to the basics, and in order to do that we can start with studying the business or the mission. Now, you may be well aware of what your enterprise exists to do, what your company, your agency, your organization does on the face of it, but are you really aware of market forces, competitors, the strategic plans of that business? What are all the different kinds of services that your agency or organization offers? How does it create value, not only today but in the next six months, the next year, the next five years? How is it going to create value, how is it going to change, and what are the other external forces that are going to impact or influence that: competitors, other parties that might be very interested in hijacking or reducing that value? Then you can start thinking about what the real risks are and where you should be prioritizing your time and attention.

We need to be ready to experiment and iterate. Does that mean just throwing anything at the wall and seeing what sticks? No, not necessarily. But remember I talked about that sustainment mentality, just sitting there standing a watch. We need to do everything we can to break out of that as often as we can, and be ready to grow and improve our capabilities: add new capabilities, swap out things that aren't working well, and iterate over time to make sure we're continuously improving. Incredibly important.

I often talk, especially with leadership and executives, about servant leadership. When it comes down to tactical leadership, day-to-day security operations, we need to be ready to share our knowledge, to empower others, to lift others up and help our teams improve. Many times what I see, not only in security but in tech in general, is that we tend to hoard our expertise and hoard our knowledge like it's some kind of currency that, once we spend it, we're never going to get back. The reality is we need to be able to lift others up and adopt that mentality of servant leadership, and I think that's true whether you're a manager or lead, or just one member of a larger team that needs to help your teammates do what they do better and enable them.

We need to be prepared to show results, and I'm talking about metrics; I'll talk more about metrics in a few minutes. Add transparency. Again, businesses do not exist to be secure, so everything that we do that is important to us on a day-to-day basis might not be something that resonates with folks outside of the blue team. We need to acknowledge that and provide them with meaningful information, meaningful data, about what we're doing and how well we're doing it. And finally, we always need to have a plan. Wherever you're going, whatever your strategy, whatever your mission is as a blue team: where are you going to be in six months? Where are you going to be in a year? What kind of improvements are you going to make between now and then? Very important to do.

I've said "mission" probably about a dozen times now, so let's talk about that for a minute. What is your mission, really, in the blue team? The answer is not "to manage my SIEM," "to monitor these events," "to watch this email inbox," "to handle user requests." Your mission as a blue team should be defined in a document, some kind of written statement somewhere. We often call this a charter: blue team charter, security operations charter, whatever it is. It's something that defines the mission, your constituency (the folks and the business units that you're serving), and your capabilities: what are you there to do? Every member of the team should be able to describe this charter with relatively little variance from team member to team member. If you went to your team right now, today, and asked "what's our mission?", you might be surprised at some of the differences in the answers that you would get. Everyone needs to be on the same page about that.

Many times it's helpful to have a steering committee, which is a cross-functional group of leadership from all over the business or the organization that's responsible for setting direction for the security team, managing all the requirements of the organization, and ensuring that different divisions, business functions and stakeholders are represented in the blue team, or in the security operations center if you have one. That's a really good way to maintain the kind of organizational alignment that I talked about. The steering committee can also help answer the question others in the organization ask: "what are they doing? I never know what they're doing." We never want to be asked that question; we want everybody to understand the value of what we do, and that cross-functional steering committee can be very handy in doing that.

Now let's talk about team for a minute. I often describe security teams as falling into one of two buckets from a staffing perspective, and people, whether you realize it or not, are by far the most important part of any security team. I look at it as a spectrum, maybe not necessarily buckets but a spectrum. On one end we have talent-centric teams. These are teams that I've been a part of, or that I've seen, where everyone rallies around one specific individual, or maybe a few key individuals, that really set the tone for the group. They set operational priorities, they set focus: "here's what we're working on today, here's what you do if you see this event firing, here's why we need this technology." These are teams where you've got one or a few key individuals that are really driving the whole operation, and on which the whole operation is very reliant. On the other end of the spectrum we have a mission-centric team. This is where the blue team might be governed by some larger governing body within the organization, or maybe a contract. I see this a lot in government contracts, where you have very specifically laid out the things that the team must do, and there's no room for experimentation or deviation from that scope.

There's no right or wrong way to staff the team. A talent-centric team might be a great way to get a lot of capability really fast if you need to get spun up quickly, and get a lot of wins right out of the gate, but your capacity might be limited if you're so reliant on one or a few key individuals; there's only so much that that person or those people can do. Bias in terms of what you're focused on, or how the team works, and turnover might be bigger problems, because again you're heavily reliant on one or just a few key individuals as opposed to leading and driving things by consensus. Conversely, a mission-centric team can be really great for organizational alignment, making sure you're meeting all the needs of the business or that management has set out. Sometimes that brings less flexibility, and it can cause you to miss the forest for the trees: sure, you might be doing everything that's in that contract, but are you really measurably reducing risk and reliably identifying and responding to intrusions, compromises, things like that? So as you look at this, I want you all to think about your blue team: are you more on the talent-centric end of the spectrum, or more on the mission-centric end?

I would be remiss in talking about staffing if I didn't also talk about what kinds of people we really want on the team. While many of you might not have staffing decision-making ability, it's helpful to understand that when we run into collaboration challenges or effectiveness challenges, a lot of times it comes down to interpersonal issues. To try to navigate and hopefully avoid those, we want to make sure we're attracting the right kinds of folks, and that means attracting aptitude, the ability to learn and grow one's skill set; the right attitude, which is the willingness to learn and grow one's skill set and to work as part of a team to make sure the team is successful; a desire to do the work, motivation; and above all else, diversity. I mean that in every sense of the word. Your team is not going to be as effective as it should be without diverse backgrounds, diverse ways of thinking, diverse types of education, formal and informal. Diversity is key; diversity of thought is key. We want to avoid over-reliance on credentials. Again, I'm an instructor for SANS, and I'm a huge fan of formal in-class training and of certifications. Those are great. Where they stop being so great is where we are over-reliant on them as a measure of someone's ability. It is a good, useful data point; we don't want to rely on it too much in all circumstances. We want to watch out for egos, putting oneself above the team or the mission, and misrepresentation: folks who maybe aren't quite as genuine as they should be when it comes to their skills, abilities, background and experience. So, things to watch out for.

Now, I said that this talk is mostly not about the technical portions of cyber defense, but I do want to touch on the things that your team absolutely has to have. In any discussion of leveling up and doing advanced things, if you're not doing these things right, you're not going to be successful. Visibility is absolutely critical. I think most of us know that at this point: if you're a blue teamer by trade, or if you've done any kind of defensive work, you can't defend what you can't see. So we need access to things like core services (web, email, DNS), endpoint-to-endpoint communications, and network and endpoint data so we can see the full picture of everything that's going on in our environment, plus cloud data where that's relevant. Then, again from a technical perspective, we need to ask what our team is empowered to do. In SEC450 we spend a lot of time talking about this virtuous cycle, or this human capital management model, where you have to empower technical folks, and if they're empowered then they're more likely to be creative and more likely to be effective. Are we empowered to respond to things that we see? Are we empowered to make changes to and improve our telemetry and tune our tools? Without that empowerment the team is really going to be hamstrung in terms of things that it can do, things that it's willing to do, and being able to level up.

We also want to measure our success. Remember, we need to be able to tell our story to
individuals outside of the blue team, where the technicalities of our work might not resonate or motivate them. But telling the right story, with the right supporting data, is very motivating, whether you're in security or not, to the right business leaders and the right stakeholders. Most of you are probably familiar with the phrase KPI, or key performance indicator. These are measurements of, in our case, our security operations on a day-to-day basis: things like what is our coverage, what's our visibility for our security monitoring and response, how fast are we identifying and responding to security incidents. Those are KPIs. What is the distribution of criticality of those incidents, things like that.

What you may be less familiar with are OKRs, which are objectives and key results. I believe this originally came out of Intel several years ago under Andy Grove, who I think pioneered the concept of OKRs, if I'm not mistaken. These are measures that are a little bit higher level; they tie operations to strategy. Remember I talked about making sure your blue team is aligned to the business: this is a great way to do that. Think about what the priorities of your business or your organization are. Maybe it's "we're getting lit up by social engineering attacks," so one strategic objective that we have for the blue team is to reduce those, or reduce their impact. You can use OKRs to bring KPIs into the desired range. Thinking again about our example of reducing social engineering attacks, there are several key results that we have to see in order to drive successful social engineering attacks down. Maybe it's faster, better identification of phishing attacks. Maybe it's more advanced notification when someone is trying to enumerate our users or do active reconnaissance of our environment. Whatever it is, we've got KPIs that help us identify those key results, and we need to bring those into an acceptable range. For social engineering attacks maybe it's zero, which is highly unlikely, but maybe that's our acceptable range. So we can use OKRs to group these KPIs together and drive them to where we want them to be over time. This adds a little bit more of a narrative to your day-to-day KPIs and helps you tell a better story. I always tell my clients: if you've got your KPIs nailed down pretty well and you want to start raising the bar slowly, take a look at adding OKRs, defining those, and using them to drive your KPIs to where you want them to be.

So again, the difference between KPIs and OKRs. KPIs are discrete measures of your operation. There's going to be a threshold or a target value that you want each measure to be at, there are going to be specific data sources that you're going to use to get those KPIs, and there will be a sampling frequency: maybe your visibility and coverage KPI is only measured on a monthly or quarterly basis, but your incident response KPIs are going to be daily, and your monitoring KPIs might be daily or hourly, what have you. OKRs are more about key initiatives. They're going to be finite in nature; there's a desired endpoint where you want to get to for that key objective, and there are going to be results that you need to see along the way to tell you whether or not you're getting to those OKRs.
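As an added illustration of the KPI/OKR distinction just described, here is a small worked example. It is example code written for this edit, not code from the talk, from the speaker, or from any project he mentions. The ticket fields, the sample incidents, the target thresholds, the data source and frequency labels, and the phishing-scoped OKR are all constructed assumptions. Each KPI carries a target, a data source and a sampling frequency; the OKR groups two tighter-target KPIs over a narrower scope, which is how the talk describes using OKRs to drive KPIs into range.

```python
"""Evaluate day-to-day KPIs and one OKR over constructed incident tickets.

Added example for the talk's KPI/OKR discussion; not the speaker's code.
Ticket fields, sample data, targets, data sources and the OKR are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Callable, Dict, List, Tuple


@dataclass
class Incident:
    """One closed ticket from an (assumed) case-management export."""
    ticket_id: str
    category: str              # e.g. "phishing", "malware"
    severity: str              # "low" | "medium" | "high"
    first_evidence: datetime   # earliest attacker activity found in evidence
    detected: datetime         # when the blue team opened the case
    contained: datetime        # when containment was complete


# Constructed sample tickets (not real data); T0 is an arbitrary reference time.
T0 = datetime(2024, 3, 1, 8, 0)
H = timedelta(hours=1)
INCIDENTS: List[Incident] = [
    Incident("INC-1", "phishing", "medium", T0, T0 + 2 * H, T0 + 6 * H),
    Incident("INC-2", "phishing", "high", T0 + 24 * H, T0 + 25 * H, T0 + 27 * H),
    Incident("INC-3", "malware", "low", T0 + 48 * H, T0 + 68 * H, T0 + 72 * H),
    Incident("INC-4", "phishing", "medium", T0 + 120 * H, T0 + 150 * H, T0 + 192 * H),
]


def hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def median_time_to_detect(incidents: List[Incident]) -> float:
    """Median hours from first evidence to detection (a dwell-time style KPI)."""
    return median(hours(i.detected - i.first_evidence) for i in incidents)


def median_time_to_contain(incidents: List[Incident]) -> float:
    """Median hours from detection to containment (a response-speed KPI)."""
    return median(hours(i.contained - i.detected) for i in incidents)


def severity_distribution(incidents: List[Incident]) -> Dict[str, int]:
    """Distribution of incident criticality, another KPI the talk mentions."""
    counts: Dict[str, int] = {}
    for i in incidents:
        counts[i.severity] = counts.get(i.severity, 0) + 1
    return counts


@dataclass
class KPI:
    """A discrete measure with a target, a data source and a sampling frequency."""
    name: str
    target: float                                   # value must be <= target
    sample: Callable[[List[Incident]], float]
    source: str = "ticketing system export"         # assumed data source
    frequency: str = "daily"                        # assumed sampling frequency

    def evaluate(self, incidents: List[Incident]) -> Tuple[float, bool]:
        value = round(self.sample(incidents), 2)
        return value, value <= self.target


@dataclass
class OKR:
    """A finite objective whose key results are KPIs over a narrower scope."""
    objective: str
    key_results: List[KPI]
    scope: Callable[[Incident], bool]

    def evaluate(self, incidents: List[Incident]) -> Dict[str, Tuple[float, bool]]:
        in_scope = [i for i in incidents if self.scope(i)]
        return {kr.name: kr.evaluate(in_scope) for kr in self.key_results}


# Operation-wide KPIs (targets are assumptions for the example, not recommendations).
KPIS = [
    KPI("median_time_to_detect_h", target=4.0, sample=median_time_to_detect),
    KPI("median_time_to_contain_h", target=8.0, sample=median_time_to_contain),
]

# The talk's social-engineering example as an OKR: tighter targets, phishing-only scope.
PHISHING_OKR = OKR(
    objective="Reduce the impact of social engineering attacks",
    key_results=[
        KPI("phishing_median_time_to_detect_h", target=1.0, sample=median_time_to_detect),
        KPI("phishing_median_time_to_contain_h", target=4.0, sample=median_time_to_contain),
    ],
    scope=lambda i: i.category == "phishing",
)


def kpi_report(incidents: List[Incident]) -> Dict[str, Tuple[float, bool]]:
    """Day-to-day KPI scorecard: name -> (value, within target?)."""
    return {k.name: k.evaluate(incidents) for k in KPIS}


if __name__ == "__main__":
    for name, (value, ok) in kpi_report(INCIDENTS).items():
        print(f"KPI {name}: {value} ({'in range' if ok else 'out of range'})")
    print("OKR:", PHISHING_OKR.objective)
    for name, (value, ok) in PHISHING_OKR.evaluate(INCIDENTS).items():
        print(f"  KR {name}: {value} ({'met' if ok else 'not met'})")
```

With the constructed tickets, the operation-wide median time to detect (11 hours) misses its target while median time to contain (4 hours) is in range; within the phishing scope the detection key result is still unmet and the containment key result is met, so the OKR shows which KPI the initiative still has to move. The point of the structure is that the same measurement functions serve both the daily scorecard and the finite objective; only the scope and the targets differ.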
to tell you whether or not you're getting to those okrs so when we talk about leveling up you know this is a big part of making sure you're leveling up uh in a measurable way right in a transparent way and not just saying yeah yeah we're doing a lot better we're we're blocking a lot more you know attacks we're responding to things faster right this makes it a little bit more scientific and adds a bit more transparency another part of improving is taking an honest look at how well you're doing what you're doing in the form of structured self-assessments for the blue team for the security operations team and there are lots of different types of
self assessments that you can do uh there have been some really great uh research and writing done about this chris sanders has done a lot about you know metacognition and assessing your work and kind of looking at what you're doing but i kind of group them into three buckets starting with the assessments that you do prior to the work that work might be an instant response it might be monitoring it might be a project um i call these pre-mortems right primor mortem as you may guess is similar to postmortem except you do it before the activity so before a response right before a tabletop exercise whatever it is you want to do a run-through of
that scenario right how you anticipate the process working and you want to identify inefficiencies right ineffective tasks within that process you know groups or individuals that aren't involved that maybe should be things like that that helps you identify issues proactively that you want to address either during the process or after during the task again whether it's an ir or you know other activity you want to be doing qc all along the way quality control right and this could be anything from having that kind of two sets of eyes rule right i want someone supervising what i'm doing to you know having a lead or somebody supervise specific tasks like evidence collection escalation right and doing
investigations closing out cases things like that quality and control is critically important i can't tell you how many times i've gone into a soccer blue team to do an assessment you ask for access to their ticking system and you see so many hours spent on tasks and investigations that have gone off the rails didn't reach the right conclusions maybe it didn't go well and no one bothered to look at them along the way no one bothered to follow the process and do that qc during and it's not until you know much later that we're able to identify those issues so during the process qc very very important and then you've got postmortems these are structured reviews of you know
things that have occurred let's take a look at this uh incident let's take a look at this investigation these changes we made um this is very very important to take an honest look at what we're doing this is a great exercise doing a postmortem to do as part of a brown bag or a team meeting you know pick out a case pick it apart right there are lots of different types of postmortems you can do you can do an a b test kind of thing where maybe you take all the evidence give it to another person or another team have them go off see if they come to the same conclusions or follow the same path that the other team
that worked that case did for example you can do more of a red teaming type exercise where you just have folks kind of pick apart uh what was done this is not only a great way to kind of build team cohesion and identify opportunities uh for improvement it's a great way to create this atmosphere of learning right and kind of normalize mistakes normalize failure and acceptance of those things as constructive you know opportunities for improvement so always recommend doing those postmortems okay watch out for these things so we've got a i think a basic understanding of some of the things that we can do to improve the efficacy of the blue team start focusing on some of the right
things above and beyond doing that technical work but again we want to watch out for that sustainment mentality that is a blue team killer and it is a productivity killer okay how many of you listening to this talk show up for your shift on the sock or the blue team you know you kind of go through your your playbook go through your processes you go home at the end of the day and you're really just not sure what kind of measurable impact you've had other than you know shoving some tickets around right closing out some alerts that is not the way defense should be we're stuck in that sustainment mentality we have to break out of that okay having
that steering committee that includes folks that are not a part of the blue team uh can help us stay out of that making sure that we're we're moving and growing and evolving along with the organization lack of trust this is a huge one now there is a really great study that was done not too long ago by the department of homeland security in cooperation with a lot of other organizations george mason university dartmouth several other research groups where researchers studied um the impacts of social maturity in instant response teams and looked at a lot of these kind of layer issues like communications and collaboration and sharing knowledge lack of trust you know that is a big
issue that is another blue team killer if you don't trust your teammates to be able to share knowledge with them to provide them constructive feedback and input right to help them and arm them with information they need to be successful uh your team is not going to be successful in any case where we've got people working together you're going to have conflicts you're going to have disagreements these can be fine they can even be really helpful as long as they're constructed and we work through them constructively lack of empowerment i already talked about that a little bit right empowerment leads to creativity you know how can we do this better right maybe i should go look for this threat
that i haven't seen in my tools but i know is likely to be in my environment right we want our humans to be creative because that's what humans do best but they can't do that unless they're empowered to do that they have time resources management support right to be creative to try different things if they can do that guess what they're gonna make improvements in how effective the blue team is so creativity leads to impacts positives you know uh efficacy and uh you know it's just kind of this ongoing cycle right more empowerment leads to uh better impact the inverse is also true right that we all can turn the other way as well if you're restricted and you may have
experienced this in the past or maybe you're experiencing it right now if you're not empowered to do things you're probably going to be less motivated to try to be creative and make improvements and the performance of the blue team is going to suffer for that and then finally role oriented bias now listen i know no one in this talk has ever done this right but maybe other people that are not on this talk you know definitely are out there where you know hey i am a forensic analyst right and i'm very focused on that and that's great challenges come in where if i'm a forensic analyst and suddenly everything i do every ir i see every
investigation right one of my first stops is well gotta get a disc image gotta dump the memory right sometimes that is the right place sometimes it may not be my point is not that you know forensics shouldn't be a focus my point is that uh sometimes you know when all you have is a hammer everything uh suddenly looks like a nail and we want to try to keep you know our focus somewhat broad it's great to specialize and in fact i always tell you know my students that you want to specialize in one or a few areas but we have to keep our outlook broad and understand that maybe our specific focus or skill set
may not always be the right fit for whatever problem set i'm currently working so task shifting right doing some of that post-mortem activity where we talk about kind of our different perspectives our different roles in an investigation things that we might have done differently this kind of communication and again kind of rotating folks through different roles different tasks can kind of help us keep that broader focus that broader awareness and understand that know while we may specialize in various things within the blue team you know sometimes our skill sets may not be the right skill set for the job or maybe we need to engage other teammates you know kind of help us uh solve a problem you know or address
something that we're trying to do. Stay out of that role-oriented bias.

And now, again, I'm going to take a few minutes and talk about things that I personally have failed at. One of my favorite business books is The Hard Thing About Hard Things by Ben Horowitz. This book is more of an executive book; it's about his experiences as a manager and a CEO and a leader in various internet startups, so it's definitely management- and executive-focused, it's not security-focused. But the reason this book is one of my favorite business books is that Ben talks almost exclusively about things that he has tried, things that he encountered that maybe did not go great, and what he learned from that. I found the book to be very refreshing in that sense, and so I thought I'd take a page from that and share some of the lessons that I've learned in my 19 years of experience building and leading blue teams. So here we go, and by the way, this is just a very, very short excerpt from a much larger list.

Taking action when someone talented drags down team morale is a big one. So again, I know no one here, none of us, we're all pretty locked on, we're all very easy and pleasant and wonderful to work with. But sometimes, imagine this if you will, in the security field you might have someone who's very talented, very smart, technically very capable, that does not really work well as part of a larger team, or maybe there's something off in the interpersonal dynamic. And when this goes badly, that can really damage the team. It can bring down morale; it can cause all sorts of other problems that have nothing to do with whether or not this particular individual has the skills or expertise needed for the job. Now I myself, on more than one occasion in fact, have failed to take appropriate action when this is happening. Things go sideways real quick when morale starts to go downhill, and I've had these situations before where it's a lack of coaching, a lack of direct and frank feedback to that individual, and also understanding that there are some times where you need to have one set of rules for the team and maybe make allowances if someone just has a different way of working or they have different needs as a team member. That's okay. Where that stops being okay is where it starts damaging the team, degrading the team's ability to do its job. And the one takeaway from this that I would have is not that there is one right thing to do in every situation, they're all going to be different, but you have to take action and you have to take action swiftly. It's very, very important.

The second mistake that I have made, and this is something that actually, in that book The Hard Thing About Hard Things, Ben coins the phrase "putting two in the box." In his example he talks about putting two people in an executive role that was meant for one, but I personally have done this and seen it done in operations teams, where you might have a lead or a manager, or even the lead for a specific task or project, and you don't want to alienate anyone on the team. You might have more than one person who is right for that role or right for that task, but in order to not alienate people, in order to try to keep everyone happy, you try to put more than one person in that set of responsibilities or in that role. I have found that that very rarely works. It causes confusion about who people should go to, especially if it's a lead, for example, or a manager on the security team. It causes confusion about who sets the tone, who makes the decision, who is ultimately responsible. And again, whether you're a manager, whether you're a lead or not, it helps to be able to identify this issue, and whatever your org chart looks like within the team, or within the blue team or the larger security organization, you have to have those individuals that drive things, set the tone, that have ultimate say in the technical task area or in what the team is doing.

The third one is big for me. Again, I know, definitely not an issue that any of you have had, right? Sometimes in security, and in tech in general, we make the mistake of thinking that because we have X experience or X technical knowledge, we're smarter than our customer. When I say customer, that might be your
internal customer, might be your external customer if you're at an MSSP or a consultant. Whoever it is, whoever you're working for, never make the mistake of thinking that because you might be an SME, because you might be a technical expert, you know better than they do what they need. So a lot of this comes back to just being a good listener: listening to your internal users, your stakeholders, your management, your users. Your job is to enable them to do what they do securely. So while there may be a fair amount of bellyaching and complaining about security, because we have to strike that balance, we can't let everything go, we have to listen. We have to understand that the problems we're trying to solve, the things that we're focused on, are not necessarily the things that someone else might be focused on, and we have to be open to that.

Shoving a technical solution down someone's throat: as a lead, as a manager, I have definitely done this. How many of you, and this is a rhetorical question, have a pet project, a favorite tool, something that you really, really like? You don't have to be a manager; maybe you just have a preferred thing and you want everybody to use that thing because it's so great, and have you seen this feature, and it does this, and I just love when I'm in an investigation and I can just click, click, click and it does that. Whatever it is, blue team is a team sport. If more than one person is using a technical solution, it has to be something that works for everyone. And again, whether you're a manager or not, keep in mind that your favorite thing, your favorite focus area, your favorite tool might not work for everyone, and we need to be cognizant of that. I certainly do.

Providing feedback on a consistent basis. Okay, so again, this is not just for blue teamers who are managers or leads. We have to be able to provide frank, honest, constructive feedback to other folks on the team on a consistent basis. If we're not doing that, if we're not having that conversation, we're not going to be as comfortable with failure, we're not going to be able to improve, we might not even know how we need to improve. So providing that constant feedback is really important. You can't just assume, because someone maybe is really good at their job or things are just humming along like they should be, that that feedback is no longer needed. That has certainly been my mistake in the past. No matter how things are going, you have to have that open communication, you have to have that feedback.
Okay, this concludes the section on things that I have failed at. Let's move on to things that you can do today, when you leave this virtual conference, when you leave this talk, next week when you're back in your virtual office.

Go schedule one-on-ones. If you're on a team, schedule one-on-ones with your manager if you don't already have them scheduled. If you're a lead or a manager, schedule one-on-ones with your team members. This is a super basic thing, a super basic management thing, that a lot of technical teams still do not do. Having something on the calendar forces you to have that feedback, forces you to have that conversation. It's a good idea no matter what.

Poll your team. Ask them to discuss the SOC charter and what exactly they are protecting. You can have a lot of fun with this, doing a Slack poll or things like that. Get the discussion going, see what the answers are, make sure everyone is on the same page.

Look for ways to remove barriers to communication and teamwork. Okay, listen, this is a big one, a really, really big one. So if you've been playing the new Avengers video game on the side, or watching Netflix, or checking your phone while I'm talking, I want you all to stop now and listen to this, because this is a big one. Now that we're on, what, going on day 200-some-odd of quarantine, a lot of us are remote, a lot of us are distributed, whereas maybe we weren't before. Increasingly, blue teams are distributed anyway, so we need to work that much harder to remove barriers to communication, a big one being isolation and separation from each other, and look for ways to work together as a team. A lot of us have collaboration tools, a lot of us are doing meetings over Zoom, and you might be feeling a lot of Zoom fatigue at this point, but use some of those tools to build social connections. That doesn't just mean, hey, you have to go share a bunch of personal information about yourself with people; maybe that's not your thing. But look for ways that you can have conversations about non-tactical, day-to-day topics. Set up some Slack channels for non-work-related things that are of interest to large parts of the group. It really takes a proactive effort to continuously break down those barriers to foster teamwork. I find that trying to put people together in social situations, even if that's just, hey, let's just get together and have a chat at the end of the day about whatever you all want, even if it's that, can really help improve cohesion and help make you more effective as a team.

Go out next week and set up a pre-briefing, pre-mortem or post-mortem. Following on to my last point, if you're at a loss for what you can talk about in your next virtual Zoom meeting, you've done all of the virtual exercises and happy hours and crazy hat days that you can think of, go pick out an investigation, pick out an IR, and pull it apart. Do a post-mortem: what worked, what didn't work, what was everyone's experience going through that, opportunities for improvement. It's a great team building activity.

And then, pop quiz, also rhetorical because of course this is pre-recorded, but I'm happy to hear your responses and discussion in the Slack, I'm sorry, in the Discord channel, oops. Pop quiz: is your team talent-centric or is it mission-centric? What part of the spectrum do you fall on? Is that the right end of the spectrum? Thoughts about shifting that a little bit? Do you need to shift it, or is it the right fit for your blue team? Definitely something to think about.

What you can do tomorrow. So I'm sure all of you are going to go out in the next 48 hours, you're going to do all these things, you're going to be like, Mark, I'm good to go, I'm officially leveled up, thanks. Moving on, right? What do you do after that? Again, look for ways to foster interaction and social connections on an ongoing basis. That's one thing that can die on the vine really fast if you're not caring for it. So, especially these days, think of ways that you can foster social interactions and social connections within your team; it can really make a huge impact. Set some clear goals, roles and standards for how the team operates and how people are going to progress in their careers. You don't have to be a manager or a lead to do that. If you're an individual contributor or part of a larger team, you should have a clear role description, you should have clear goals,
and you should know the standards against which your performance is going to be measured and judged. If you don't have that, guess what we can do to talk about it? That's right, one-on-ones. We talk, we communicate, schedule those meetings.

Exemplify communication norms. That is a fancy way of saying be the change you want to see. If all this sounds good to you, if having a more collaborative environment of learning and continuous improvement sounds good, guess what? The change starts with you. Exemplify that, whether it's just in how you communicate in the team chat, how you work and document that investigation. Be the example that you want to see. We want to create a safe space for failure and learning. That doesn't mean we want to be failing all the time; what we do is high stakes, so failure is not the ideal, but it's going to happen sometimes, and it has to be something that we can look at honestly, understanding that everybody can fail. The question is how are we going to learn from it, how are we going to improve as a result.

And then, pushing the team out of their comfort zone. In that DHS/George Mason study that I mentioned, this was a big one as far as how we can keep teams learning, keep them on the cutting edge, and many studies have shown that keeping people on the edge of their knowledge, of their comfort zone, of what they're used to doing is a great way to keep people learning and to keep people motivated. Now, we don't want to push people too far, we don't want to toss them in the deep end on a daily basis, make them feel overwhelmed and burnt out, and we don't want to do it all the time. Okay? But think about ways that either you, as a part of a team, or, if you're a leader or manager, how you can push the team to the edge of their comfort zone on a regular basis. That's where we're going to learn the most and we're going to be able to improve the most, whether that's, hey, we're going to extend our capabilities a little bit, we're going to maybe work with some new technology, we're going to branch out into another part of the organization or the business that we're not especially familiar with, we're going to start working with another team that we haven't worked with before. Those are all good ways to push the team a little bit further than they might be used to.

Some other resources that I'll leave you with today. Of course, I would be remiss if I didn't
plug some of the classes that I work on with SANS. SEC450: I didn't write this class, John Hubbard is the course author. John is a great blue team expert, and the reason that I agreed to come on board with SANS and start teaching this class is that it really resonated with me. There's a big focus on what the technical priorities of a blue team are, how all those work; blue team should not be just a way station on your way to some other discipline. It's a great class, highly recommend it if you have the means and the opportunity to take it.

There's also SANS Management 551, which is Building and Leading Security Operations Centers. This is a two-day class, it's currently in beta, also written by John Hubbard. In fact, I am working with John right now to extend it into a longer format, but it's another great class with what I think is the right mentality about SOC and blue team today.

I always plug anything written by Chris Sanders or Chris Crowley. These are just two individuals that write and share a lot about what they think works in a blue team, in a SOC, doing the work of an analyst, and I tend to wholeheartedly agree with everything they say. So highly recommend anything that's out there by Chris or Chris.

SANS has a really extensive SOC Summit presentation archive. All the talks given at all of the SANS summits are posted out there; the Cyber Defense Summit presentations are here at this link. Definitely recommend checking those out, it's a great resource.

And I always recommend MITRE's Ten Strategies of a World-Class Cybersecurity Operations Center. This is a free text, a free publication, that's been out there now for a couple of years, but it's still, I think, valid. It makes a lot of great points about things you should be looking at and thinking about on a blue team, and ways that you can do that, so it's always a good go-to.

With that, I want to thank you all very much for attending. I hope you got something out of it. If you have any questions or just want to talk and nerd out on blue team, you can hit me up in the chat at the time of this presentation. I also want to thank the organizers of BSides Charlotte. I know it takes a lot of work to put these events together, so thank you very much.