Blueprint: Build the Best in Cyber Defense

Latest episodes

May 18, 2021 • 50min

Jamie Williams: Adversary Emulation

There are numerous ways to test your SOC's detection and prevention capabilities, but not all are created equal. Each has its own strengths and weaknesses, and each can be done on a different time scale. This week, we focus on arguably one of the most important - adversary emulation. In this episode we speak with Jamie Williams from the MITRE ATT&CK team about why adversary emulation is important, how it works, how you can get started regardless of the size of your team, and how to track and run an adversary emulation test.

Our guest: Jamie Williams

Jamie Williams is a Principal Adversary Emulation Engineer for the MITRE Corporation, where he works on various exciting efforts involving security operations and research, specializing in adversary emulation and behavior-based detections. He also leads teams that help shape and deliver the "adversary-touch" within ATT&CK® and ATT&CK Evaluations.

Follow Jamie Williams on Twitter (@jamieantisocial) and LinkedIn (/in/jamie-williams-108369190).

Sponsor's Note

Support for the Blueprint podcast comes from the SANS Institute. Since the debut of SEC450, we've always had students interested in a matching course covering the management and leadership aspects of running a SOC. If you like the topics in this podcast and would like to learn more about Blue Team leadership and management, check out the new MGT551: Building and Leading Security Operations Centers. This new course is designed for security team leaders looking to build, grow and operate a security operations center with peak efficiency. It's a hands-on technical leadership course that takes you through everything from scoping threat groups to use case creation, threat hunting, planning, SOC maturity and detection assessment, and much more.

Check out the course syllabus, labs and a free demo at sansurl.com/551

Follow SANS Cyber Defense: Twitter | LinkedIn | YouTube
Follow John Hubbard: Twitter | LinkedIn
Check out John's SOC Training Courses for SOC Analysts and Leaders: SEC450: Blue Team Fundamentals - Security Operations and Analysis; LDR551: Building and Leading Security Operations Centers
Follow and Connect with John: LinkedIn
May 11, 2021 • 50min

Josh Johnson: PowerShell and Defensive Automation for the Blue Team

PowerShell may seem intimidating, but it can be one of the most amazing and useful tools at your disposal... if you know how to use it. In this episode, we have Josh Johnson, author of the new SANS course "SEC586: Blue Team Operations - Defensive PowerShell", giving you a masterful crash course in:

- The importance of PowerShell
- How PowerShell works, and how to set yourself up to use it
- Blue team use cases for log analysis, incident response and more
- How to stop attackers from leveraging PowerShell
- Some of the amazing automation and playbook opportunities you may be missing out on

Lots of actionable content for defenders here, don't miss this episode!

Our Guest: Josh Johnson

Josh Johnson is a SANS Certified Instructor and course author of SEC586: Blue Team Operations: Defensive PowerShell. He has been working in the Information Security industry for over 10 years in varying roles, with responsibilities ranging from penetration testing to incident response. Josh was Purple Teaming since before it had a name and used his offensive security skill set to find and pursue his true passion - Blue Team. Since then, he has been helping organizations of all sizes, and in varying industries from healthcare to retail to finance, improve their cyber defense capabilities.

More About Josh

Follow Josh: Twitter | LinkedIn

Sponsor's Note:

Support for the Blueprint podcast comes from the SANS Institute. If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals. This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running. With 15 labs that get you hands-on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.

Check out the details at sansurl.com/450! Hope to see you in class!
May 4, 2021 • 41min

Chris Baker: Get A Handle On Your Vulnerabilities

This episode is all about vulnerability management - both the technical and human aspects. Looking to start up a new vulnerability management team? Drowning in vulnerabilities to fix and don't know where to start? Struggling to get system owners to take action? Trying to find ways to communicate the importance and status of your patching efforts? Check out this episode with vulnerability management expert Chris Baker for answers to these questions and much more!

Our Guest: Chris Baker

Chris Baker is an Information Security Leader with a deep background in information security, including strategy development and operational excellence, who has created highly efficient teams and delivered large impacts to the business value chain. He is a skilled risk management and information security professional with the versatility to lead large and diverse matrix teams and deep-dive into complex technical problems. He has a proven track record of collaborating effectively at all business levels while directing changes on a global, enterprise-wide scale.

Follow Chris Baker: @bakerc | LinkedIn

Sponsor Note

Support for the Blueprint podcast comes from the SANS Institute. Are you looking for the best in-depth training for your cyber defense team? Look no further than SANS blue team curriculum courses! Whether you focus on network or host data, Windows or Linux, or even specialize in open source intel, SIEM, SOC, or defensive architecture, the SANS Blue Team curriculum has the course for you. From long-time classics like SEC503 Network Intrusion Detection to the newer SEC530 Defensible Security Architecture and Engineering and SEC487 Open Source Intelligence Gathering - we've got you covered, no matter what your specialty. With an extensive archive of free webcasts on the SANS site, and free online demos available for most courses, you can easily check out the SANS blue team catalog and see which course is the best fit for you and your team.

Check out the constantly growing list of available courses at sansurl.com/blueteamops
Apr 27, 2021 • 47min

Mick Douglas & Flynn Weeks: Simplifying your Logging Strategy with the What2Log Project

A common question from many defenders is "Which logs are the most important?" In this episode, Mick Douglas and Flynn Weeks join us to describe their What2Log project, which aims to simplify this problem for all of us!

Our Guests: Mick Douglas & Flynn Weeks

Mick Douglas is the Managing Partner of InfoSec Innovations. He is a SANS certified instructor and is a member of the IANS faculty. In his spare time, he tries in vain to improve his photography skills and goes hiking looking for the perfect shot.

Flynn is a senior Cybersecurity student and intern at InfoSec Innovations. Forensics, and in turn logging, are passions of hers. In her spare time, she enjoys time spent with pets and hiking.

Follow Mick and Flynn on Twitter: Mick @bettersafetynet and Flynn @soundsofthetime
Apr 20, 2021 • 48min

Anton Chuvakin: The Current State and Future of Security Operations

In today's episode, John is joined by Anton Chuvakin to discuss current and future security operations technology, which tools are the most important and which are becoming less important over time, the rules of automation in the SOC, and how Anton would set up a modern Security Operations Center for a cloud-native organization.

Today's Guest: Anton Chuvakin

Dr. Anton Chuvakin is a recognized security expert in the field of log management, SIEM and PCI DSS compliance. He is now involved with security solution strategy at Google Cloud, where he arrived via the Chronicle Security (an Alphabet company) acquisition in July 2019. He is an author of the books "Security Warrior", "Logging and Log Management: The Authoritative Guide to Understanding the Concepts Surrounding Logging and Log Management" and "PCI Compliance, Third Edition: Understand and Implement Effective PCI Data Security Standard Compliance" (book website), and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and other books. Anton has published dozens of papers on log management, SIEM, correlation, security data analysis, PCI DSS and security management. His blog "Security Warrior" was one of the most popular in the industry. In addition, Anton teaches classes and presents at many security conferences across the world; he has addressed audiences in the United States, UK, Australia, Singapore, Spain, Russia and other countries. He works on emerging security standards and serves on advisory boards of several security start-ups.

Follow Anton
Twitter: @anton_chuvakin
LinkedIn: /in/chuvakin

Check out the constantly growing list of available courses at sansurl.com/blueteamops
Apr 13, 2021 • 50min

Rob van Os: Maturing your Cyber Defense

Are you a manager looking to build or improve your SOC? Are you trying to understand how to measure your SOC's maturity, your use cases, or your threat hunting efforts? If so, today's episode with Rob van Os is for you. In this episode, we discuss the SOC-CMM for SOC maturity measurement, the MaGMa use case framework for building and tracking SOC use cases, and the TaHiTI threat hunting methodology for showing ROI on threat hunting.

Our Guest is Rob van Os

Rob van Os, MSc., CISSP, ISSAP is a senior security advisor working for CZ group. Until recently, Rob was the Product Owner of the Cyber Defense Center of a Dutch bank and as such responsible for cyber security operations. Rob obtained a Bachelor's degree in Computer Science in 2009 and a Master's degree in Information Security in 2016. Rob is the author of the SOC-CMM and lead author of the MaGMa UCF and the TaHiTI methodology.

Follow Rob:
LinkedIn: /in/cyberdefensespecialist
Website: https://www.soc-cmm.com/

Sponsor's Note:

Support for the Blueprint podcast comes from the SANS Institute. Check out the constantly growing list of available courses at sansurl.com/blueteamops
Apr 6, 2021 • 45min

AppSec, DevOps and DevSecOps

What are AppSec, DevOps and DevSecOps? In this episode we discuss why defenders should know more about these terms and what the consequences are of ignoring these new and critical fields.

Tanya Janca, also known as SheHacksPurple, is the best-selling author of 'Alice and Bob Learn Application Security'. She is also the founder of We Hack Purple, an online learning academy, community and podcast that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty years, has won countless awards, and has been everywhere from startups to public service to tech giants (Microsoft, Adobe, & Nokia). She has worn many hats: startup founder, pentester, CISO, AppSec Engineer, and software developer. She is an award-winning public speaker, active blogger & streamer, and has delivered hundreds of talks and trainings on 6 continents. She values diversity, inclusion and kindness, which shines through in her countless initiatives.

Advisor: Nord VPN, Cloud Defense, NeuraLegion, ICTC PAC, WoSEC
Founder: We Hack Purple, WoSEC International (Women of Security), OWASP DevSlop, #CyberMentoringMonday

Support for the Blueprint podcast comes from the SANS Institute. Check out the constantly growing list of available courses at sansurl.com/blueteamops
Mar 30, 2021 • 34min

Playbook for Security Onion

Driving consistency and maintaining a high standard for alert response is a problem all SOCs must face, but how? In this episode, Josh Brower describes his efforts to combine automated detection signature deployment and use case database management into a single, easy-to-use app for Security Onion. Whether you use Security Onion or not, this episode dives into the design principles and workflow Josh used when designing the new open-source Playbook app, and there's something to learn from it for everyone on the Blue Team.

Our Guest - Josh Brower

Josh Brower has been crashing computers since his teens, and now feels fortunate to be doing it professionally. He has spent the last 12 years focusing on InfoSec, particularly network and endpoint detection. He also enjoys teaching around InfoSec issues, especially to non-technical learners - helping them to understand how their actions in the digital world have real-world consequences, as well as how to proactively reduce the risk.

Follow Josh
Twitter: @DefensiveDepth
LinkedIn: /in/joshbrower
Web: https://defensivedepth.com

Support for the Blueprint podcast comes from the SANS Institute. Check out the constantly growing list of available courses at sansurl.com/blueteamops
Mar 30, 2021 • 1h 8min

The Blue Teamer's Blueprint for Malware Triage

Even if you're not a malware analyst, any blue teamer should be able to do some initial basic malware sample triage. The good news is that this is quite easy to do using freely available tools once you know what is available. Join John in this conversation with Ryan Chapman as they discuss how to reverse engineer malware and why you might want to do so.

Our Guest - Ryan Chapman

Ryan Chapman works as a Principal Incident Response analyst. He also teaches SANS FOR610: Reverse Engineering Malware and is the lead organizer for CactusCon, Arizona's hacker conference. Ryan has worked in Security Operations Center and Computer Incident Response Team roles that handled incidents from inception all the way through remediation. Reviewing log traffic; researching domains and IPs; hunting through log aggregation utilities; sifting through packet captures; analyzing malware; and performing host and network forensics are all things that Ryan loves to do. With Ryan, it's all about the blue team!

Follow Ryan
Twitter: @rj_chap
LinkedIn: /in/ryanjchapman
Web: https://incidentresponse.training

Sponsor's Note:

Support for the Blueprint podcast comes from the SANS Institute. Check out the details at sansurl.com/450. Hope to see you in class!
Mar 30, 2021 • 50min

SOC Metrics: Measuring Success and Preventing Burnout

Looking for a new way to approach the difficult problem of measuring and improving your SOC? Check out this episode to hear how to use methods pioneered in the manufacturing and reliability industries to help wrap your head around, and solve, this complex issue. You don't want to miss this episode with Jon Hencinski, Director of Operations at Expel, who covers all of this and more.

Our guest - Jon Hencinski

Jon Hencinski is the Director of Global Operations at Expel. In this role, he's responsible for the day-to-day operations of Expel's security operations center (SOC) and detection and response engineering. He oversees how Expel recruits, trains, and develops security analysts. Jon has over a decade of experience in the areas of SOC operations, threat detection, and incident response. Prior to Expel, Jon worked at FireEye, BAE Systems, and was an adjunct professor at The George Washington University.

Follow Jon
Twitter: @jhencinski
LinkedIn: /in/jonathanhencinski
Web: https://hencinski.medium.com

Support for the Blueprint podcast comes from the SANS Institute. Check out the course syllabus, labs and a free demo at sansurl.com/551
