Blueprint: Build the Best in Cyber Defense

Click here to send us your ideas and feedback on Blueprint!As the saying goes, "If you don't know where you're going, any road will take you there!" - an approach that is disastrous to a SOC. In order to succeed, the SOC must have a clear understanding of where they are going, how they're going to get there, and why. In this episode of our "11 Strategies" season we discuss chapter 1 of the book - "Know What You're Protecting and Why". Understanding your organization and the environment the SOC must perform in forms the foundation of all security team activity. In this episode the authors discuss the critical aspects of knowing what you're protecting. This includes consider your organization's mission, the legal, regulatory, and compliance environment, the technical capabilities you may or may not have, and the users that will inhabit the network and the actions they're going to be performing. Understanding these factors ensures your team starts off on the right path and keeps a common goal in view.This special season of the Blueprint Podcast is taking a deep dive into MITRE’s 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book’s authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman."Visit this Mitre page to find more information.-----------Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.Check out the details at sansurl.com/450 Hope to see you in class!Follow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedInCheck out John's SOC Training Courses for SOC Analysts and Leaders: SEC450: Blue Team Fundamentals - Security Operations and Analysis LDR551: Building and Leader Security Operations Centers Follow and Connect with John: LinkedIn

Click here to send us your ideas and feedback on Blueprint!Welcome to a brand new season of Blueprint! In this intro episode we discuss "Fundamentals" chapter of the "11 Strategies of a World Class Cybersecurity Operations Center" with the authors. We get into the motivation behind updating the book and why its lessons are more important than ever in 2023. This chapter includes discussion of the functions of a SOC, basics of workflow, CTI and contextual data sources, and why ops tempo and speed is a critical factor in SOC success.This special season of the Blueprint Podcast is taking a deep dive into MITRE’s 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book’s authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman.Visit this Mitre page to find more information.-----------Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.Check out the details at sansurl.com/450 Hope to see you in class!Follow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedInCheck out John's SOC Training Courses for SOC Analysts and Leaders: SEC450: Blue Team Fundamentals - Security Operations and Analysis LDR551: Building and Leader Security Operations Centers Follow and Connect with John: LinkedIn

Click here to send us your ideas and feedback on Blueprint!Hello Blueprint listeners! We’re excited to announce that the release of season 4 of Blueprint is just around the corner, and we’ve got something very special cooked up for you. We’ve teamed up with the authors of MITRE’s “11 Strategies of a World-Class Cybersecurity Operations Center” and over the next few months, we’ll be releasing episodes walking through each chapter with all 3 authors! We’ll be deep diving into what makes a SOC successful, get a first-hand account of why each strategy was chosen, and practical advice on each how to implement each strategy along the way. Join Blueprint host John Hubbard with authors Kat Knerler, Ingrid Parker, and Carson Zimmerman for this exciting new season, coming to your podcast aggregator on May 8th!You can find the video of each podcast at:https://www.youtube.com/@SANSCyberDefense The first two episodes will be released on Monday, May 8. Following that there will be a new episode out every Monday. Check out John's SOC Training Courses for SOC Analysts and Leaders: SEC450: Blue Team Fundamentals - Security Operations and Analysis LDR551: Building and Leader Security Operations Centers Follow and Connect with John: LinkedIn

Click here to send us your ideas and feedback on Blueprint!Ever wonder how a cloud and application security expert views risks of cloud workloads? Well, wonder no more because on this episode we have Brandon Evans - SANS Certified Instructor and lead author of SEC510: Public Cloud Security. We cover the why and how of moving their applications to the cloud, the key considerations for a successful cloud security posture, and how building your infrastructure with a cloud-native mindset can and should lead to an improved security posture. BONUS: Be sure to stay tuned to the end of the episode for a very special announcement from Brandon on the new SANS Cloud Ace podcast. Coming to all podcast directories on September 28. Our Guest - Brandon EvansBrandon works for Zoom Video Communications, in which he leads their internal Application Security training. As an application developer for most of his professional career, he moved into security full-time largely because of his many formal trainings through SANS. He’s a contributor to the OWASP Serverless Top 10 Project and a co-leader for the Nashville OWASP chapter. Brandon is lead author for SEC510: Public Cloud Security: AWS, Azure, and GCP and a contributor and instructor for SEC540: Cloud Security and DevSecOps Automation. Resources:sans.org/cloud - SANS Cloud Resourceshttps://brandone.github.io/pixel-puzzles/ - Brandon’s Pixel Puzzle gameSponsor's Note:Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.Check out the details at sansurl.com/450  Hope to see you in class!Follow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedInCheck out John's SOC Training Courses for SOC Analysts and Leaders: SEC450: Blue Team Fundamentals - Security Operations and Analysis LDR551: Building and Leader Security Operations Centers Follow and Connect with John: LinkedIn

Click here to send us your ideas and feedback on Blueprint!In this episode we speak with Joe Lykowski - Cyber Defense Lead at a major manufacturing company on what it takes to build a mature, transparent, and effective SOC. Joe brings years of experience to the table in running a large organization’s security team and in this interview he draws out some of his favorite tips, strategies and more on metrics, building the right team, and what to prioritize as you build up a SOC for an org of any size.  Our Guest - Joe LykowskiA graduate of Western Michigan University, Joe has 19 years of professional IT experience ranging from academia, industrial control systems and manufacturing IT, mobile device service management, telepresence services, endpoint protection, and cyber security operations. His current role focused on leading a global team of cyber defenders with the core goal of protecting Dow from the growing cybersecurity threats.Follow Joe on Twitter: @JosephLykowskiSponsor's Note:Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.Check out the details at sansurl.com/450  Hope to see you in class!Follow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedInCheck out John's SOC Training Courses for SOC Analysts and Leaders: SEC450: Blue Team Fundamentals - Security Operations and Analysis LDR551: Building and Leader Security Operations Centers Follow and Connect with John: LinkedIn

Click here to send us your ideas and feedback on Blueprint!Many of us are either looking to start a cyber security career, improve our knowledge and skills to further our career, or hire a team that has the most skilled and promising candidates. In this special episode with Rob Lee, Chief Curriculum Director of the SANS Institute, we discuss strategies for building, improving, and testing your cyber security group’s skill levels, and working to keep our knowledge as current as possible - a critical skill for anyone in the fast moving world of cyber security.Rob LeeRob Lee is the Chief Curriculum Director and Faculty Lead at SANS Institute and runs his own consulting business specializing in information security, incident response, threat hunting, and digital forensics. With more than 20 years of experience in digital forensics, vulnerability and exploit discovery, intrusion detection/prevention, and incident response, he is known as “The Godfather of DFIR”. Rob co-authored the book Know Your Enemy, 2nd Edition, and is course co-author of FOR500: Windows Forensic Analysis and FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics.Sponsor's Note:Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.Check out the details at sansurl.com/450  Hope to see you in class!Follow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedInCheck out John's SOC Training Courses for SOC Analysts and Leaders: SEC450: Blue Team Fundamentals - Security Operations and Analysis LDR551: Building and Leader Security Operations Centers Follow and Connect with John: LinkedIn

Click here to send us your ideas and feedback on Blueprint!In this episode of the Blueprint Podcast, we cover monitoring and securing macOS in an enterprise environment at scale with Jaron Bradley, Threat Detection lead at Jamf. We discuss the ups and downs of Apple's approach to macOS data collection over the years, the data sources and types that are accessible to defenders, what 3rd party agents bring to the table for security monitoring, and much more. Plus, Jaron gives us some great bonus tips for finding persistence mechanisms and malicious processes in enterprise macOS devices.Our Guest - Jaron BradleyJaron has a background in Incident Response, threat hunting, and detections development. After focusing on large scale APT attacks he developed an interest in the more niche spaces of lesser explored operating systems. He has experience as both a SOC analyst as well as detections engineering at the endpoint level.Jaron currently works as the macOS Detections Lead at Jamf Threat Labs and manages his own security tools and content for security researchers atthemittenmac.com. He is also the author of OS X Incident Response Scripting and Analysis. A book he claims is slightly outdated but still relevant to a lot of macOS analysis today.Resources mentioned in this episodeWebsiteshttps://www.themittenmac.com (my website)objective-see.com (great mac security website)Major Blogs Referenced by Jamf Threat Labshttps://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/https://www.jamf.com/blog/jamf-threat-labs-safari-vuln-gatekeeper-bypass/https://www.jamf.com/threat-labs/ (threat labs home)ConferencesJamf Nation User Conference -> https://www.jamf.com/events/jamf-nation-user-conference/2022/Objective by the sea 5.0 -> Check out John's SOC Training Courses for SOC Analysts and Leaders: SEC450: Blue Team Fundamentals - Security Operations and Analysis LDR551: Building and Leader Security Operations Centers Follow and Connect with John: LinkedIn

Click here to send us your ideas and feedback on Blueprint!One of the best frameworks that showed up within the last 5 or so years is undoubtedly the MITRE ATT&CK® framework. Many of us may know about it in passing and even reference from time to time, but very few people seem to know the true depth of knowledge contained - everything from analytics to threat groups, specific mitigation and detection opportunities, and with the newest versions, even specific data sources. In this episode we talk to the Defensive Lead of ATT&CK from MITRE, Lex Crumpton, about what every blue team member needs to know about this framework, and more!Alexia CrumptonAlexia Crumpton is a Defensive Cyber Operations Researcher with over seven years of experience in software development, SOCs, and Malware Reverse Engineering. Her passion lies in heuristic behavior analysis in regards to adversary TTPs and countermeasures used to defend against them. Follow AlexiaLinkedIn: https://www.linkedin.com/in/alexia-crumpton-99930659/Resources mentioned in this episode:CAR - The MITRE Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the MITRE ATT&CK adversary model.Top ATT&CK Techniques – Medium Blog, Github, Calculator Sponsor's Note:Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need tCheck out John's SOC Training Courses for SOC Analysts and Leaders: SEC450: Blue Team Fundamentals - Security Operations and Analysis LDR551: Building and Leader Security Operations Centers Follow and Connect with John: LinkedIn

Click here to send us your ideas and feedback on Blueprint!Ever wonder why there’s so little information regarding macOS and Linux-oriented attacks? In this episode, we get the answer from  the multi-talented Cat Self - an Adversary Emulation Engineer at MITRE, Cyber Threat Intelligence Team Leader on ATT&CK Evaluations and macOS/ Lead on MITRE ATT&CK Enterprise. We discuss defense tools,  attacker TTPs, and what to consider when approaching defense for a macOS and Linux environment, and what trends we can expect in the future for these operating systems. Check out the resources below for links mentioned during this enlightening conversation!Our Guest: Cat SelfCat Self is the CTI Lead for MITRE ATT&CK® Evaluations, macOS/Linux Lead for ATT&CK® and serves as a leader of people at MITRE. Cat started her cyber security career at Target and has worked as a developer, internal red team operator, and Threat Hunter. Cat is a former military intelligence veteran and pays it forward through mentorship, technical macOS hunting workshops, and public speaking. Outside of work, she is often planning an epic adventure or climbing mountains in foreign lands. Follow Cat on Social MediaTwitter: @coolestcatiknowLinkedIn: Cat SelfResources mentioned in this episode:A highlight of new security changes in macOS Ventura:https://www.sentinelone.com/blog/apples-macos-ventura-7-new-security-changes-to-be-aware-of/ For securing a macOS device, I highly recommend installing Patrick Wardle’s endpoint tools. https://objective-see.org/tools.html My favorites are BlockBlock, KnockKnock, Lulu, & Netiquette.  Cat's “GoTo” blogsPatrick Wardle Objective-SeeJaron Bradley The Mitten MacHoward Oakley The Eclectic Light CompanyCody Thomas MediumSarah Edwards mac4n6Leo Pitt MediumChristopher Ross MediumCsaba Fitzl THEEVILBIT Blog Open Source ProjectsPlaybooks with Datasets to practice OTRFCode snippets aligned to MITRE ATT&CK Atomic Red TeamJupyter notebook environment setup by Anna PastushkoVirtual environment setup Hold My BeerSponsor's Note:Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host aCheck out John's SOC Training Courses for SOC Analysts and Leaders: SEC450: Blue Team Fundamentals - Security Operations and Analysis LDR551: Building and Leader Security Operations Centers Follow and Connect with John: LinkedIn

Click here to send us your ideas and feedback on Blueprint!Nearly every organization is using Microsoft Azure AD services in some respect, but monitoring Azure AD for threats is a significantly different skill that traditional Windows logging. In this episode we have 2 experts from Microsoft, Corissa Koopmans, and 3rd time returning guest Mark Morowczynski, to tell us about the important work that’s been done to help organizations understand their data and detect Azure AD attacks. We cover log sources, the new Microsoft security operations guide, standardized dashboards and visualizations you can leverage to jump right in with best practice, and much more. You don’t want to miss this one!Corissa Koopmans and Mark MorowczynskiCorissa Koopmans (@Corissalea) is part of the "Get to Production" team in the Microsoft Identity and Network Access Division, focusing on incorporating customer feedback to improve our products. She is very active in driving community contribution to AzureMonitor Log Analytics and increasing awareness of the power of log data by presenting at industry events including BSides, The Experts Conference (TEC), SPARK, & Microsoft MVP Summits.Mark Morowczynski (@markmorow) is a Principal Program Manager on the customer success team in the Microsoft Identity division. He spends most of his time working with customers on their deployments of Azure Active Directory. Previously he was Premier Field Engineer supporting Active Directory, Active Directory Federation Services and Windows Client performance. He's spoken at various industry events such as Black Hat, Defcon Blue TeamVillage, Blue Team Con, GrayHat, several BSides, and more. He can be frequently found on Twitter as @markmorow arguing about baseball and making sometimes funny gifs.Azure AD SecOps - aka.ms/azureadsecopsAzure Monitor Log Analytics and KQL resources: aka.ms/KQLBlueTeamFor community contribution, please follow these prerequisites (these steps are also available at aka.ms/KQLBlueTeaml):1.      Have a GitHub account2.      Belong to the Microsoft Organization in GitHuba.      If you do not yet belong, click on this link: https://repos.opensource.microsoft.com/ and then select “Microsoft” to join their organization3.      Be a member of the @azure-ad-workbooks team in GitHuba.      if you are not yet a member, go to the Check out John's SOC Training Courses for SOC Analysts and Leaders: SEC450: Blue Team Fundamentals - Security Operations and Analysis LDR551: Building and Leader Security Operations Centers Follow and Connect with John: LinkedIn