WEBVTT 1 00:00:00.000 --> 00:00:02.640 All right, everyone, welcome in. Today we're going deep into 2 00:00:02.640 --> 00:00:07.719 the world of cybersecurity, specifically the Blue Team, the defenders, 3 00:00:07.960 --> 00:00:11.199 the defenders exactly, and we've got a great resource for 4 00:00:11.320 --> 00:00:15.320 this deep dive excerpts from Tribe of Hackers Bleed Team 5 00:00:15.400 --> 00:00:18.960 Tribal knowledge from the best in defensive cybersecurity. 6 00:00:19.120 --> 00:00:22.320 Over fifty cybersecurity experts sharing their wisdom. 7 00:00:22.399 --> 00:00:25.359 It's amazing, right, So our mission today is to really 8 00:00:25.480 --> 00:00:29.359 unpack what these experts are saying, what really makes a 9 00:00:29.359 --> 00:00:30.160 Blue Team tick. 10 00:00:30.399 --> 00:00:32.399 It's like getting a backstage pass to the world of 11 00:00:32.439 --> 00:00:34.840 cyber defense exactly. You know, one of the things that 12 00:00:34.840 --> 00:00:36.960 struck me right away is how this book kind of 13 00:00:37.000 --> 00:00:39.679 shatters that whole Hollywood hacker stereotype. 14 00:00:39.840 --> 00:00:42.320 You mean, like the lone wolf genius in a dark room. 15 00:00:42.479 --> 00:00:45.679 Yeah, exactly. Instead, it paints this picture of a global tribe, 16 00:00:45.759 --> 00:00:49.439 a community of experts constantly collaborating and sharing knowledge. 17 00:00:49.600 --> 00:00:52.039 So more like a digital Justice League than a lone wolf. 18 00:00:52.119 --> 00:00:53.399 Yeah, that's a great way to put it. 19 00:00:53.560 --> 00:00:57.240 Okay, so no secret handshakes, but a global network of 20 00:00:57.280 --> 00:01:01.600 experts working together. Yeah, that's actual way cooler. But I 21 00:01:01.640 --> 00:01:04.159 got to ask, when these experts talk about the Blue 22 00:01:04.159 --> 00:01:06.920 Team are they all in the same page, Like, is 23 00:01:06.959 --> 00:01:09.840 there a universal definition of what a blue team is? 24 00:01:10.040 --> 00:01:11.799 Well, one thing that jumps out is how many different 25 00:01:11.879 --> 00:01:15.560 roles and responsibilities fall under the blue team umbrella. You know, 26 00:01:15.640 --> 00:01:17.799 there's not just one way to be a defender. 27 00:01:18.079 --> 00:01:20.760 So it's more about a mindset than a specific job title. 28 00:01:20.959 --> 00:01:23.319 I think that's a big part of it. O'Shea Bowenes 29 00:01:23.319 --> 00:01:26.599 talks about two main buckets in the book buckets. Yeah, 30 00:01:26.640 --> 00:01:27.680 she calls them buckets. 31 00:01:27.879 --> 00:01:28.840 Okay, I'm intrigued. 32 00:01:28.920 --> 00:01:33.159 So one bucket is all about industry collaboration, sharing information, 33 00:01:33.400 --> 00:01:36.280 threat intelligence best practices, that kind of thing excts. 34 00:01:36.280 --> 00:01:38.239 You're stronger together, right exactly. 35 00:01:38.719 --> 00:01:41.599 And the other bucket is about having both offensive andy 36 00:01:41.719 --> 00:01:42.799 defensive skills. 37 00:01:43.079 --> 00:01:45.480 So it's not just about building walls, it's about understanding 38 00:01:45.480 --> 00:01:49.200 how attackers think so you can anticipate their moves precisely. 39 00:01:49.439 --> 00:01:52.840 Fascinating and Bones also makes a really interesting point about 40 00:01:53.040 --> 00:01:55.519 cyber threats being a global problem. 41 00:01:55.239 --> 00:01:58.760 Right, no single company or country can solve this alone. 42 00:01:59.120 --> 00:02:02.400 It really unders scores the need for that global collaboration. 43 00:02:03.040 --> 00:02:03.640 Absolutely. 44 00:02:03.640 --> 00:02:05.879 This is already blowing my mind. Okay, so we've got 45 00:02:05.920 --> 00:02:10.520 a global team constantly learning, sharing intel it's like a 46 00:02:10.560 --> 00:02:11.560 digital Justice League. 47 00:02:11.639 --> 00:02:12.599 I like that analogy. 48 00:02:12.759 --> 00:02:15.879 But what are their superpowers? What really makes a Blue 49 00:02:15.919 --> 00:02:19.039 Team effective? What are the skills and strategies that set 50 00:02:19.080 --> 00:02:19.599 them apart? 51 00:02:19.879 --> 00:02:23.599 Well, Marcus J. Carey highlights two fundamental capabilities that pop 52 00:02:23.680 --> 00:02:27.439 up again and again, network visibility and log management. 53 00:02:27.719 --> 00:02:30.800 So it's like having eyes and ears everywhere, knowing exactly 54 00:02:30.879 --> 00:02:32.000 what's happening in your systems. 55 00:02:32.080 --> 00:02:33.479 Yeah, you've got to be able to see what's going 56 00:02:33.479 --> 00:02:36.560 on in your network, who's accessing, what's normal, what's not. 57 00:02:36.800 --> 00:02:39.199 But isn't that a ton of information to sift through? 58 00:02:39.680 --> 00:02:41.400 I mean, how do they even know where to start? 59 00:02:41.560 --> 00:02:44.719 That's where things get really interesting. Carrie stresses the importance 60 00:02:44.759 --> 00:02:47.120 of self study for anyone on the Blue Team. 61 00:02:47.240 --> 00:02:49.240 So you're saying it's not enough to just have the 62 00:02:49.319 --> 00:02:52.879 latest firewall or antivirus software. You need to know how 63 00:02:52.919 --> 00:02:54.639 to u ease it effectively exactly. 64 00:02:54.800 --> 00:02:56.919 The bad guys are always coming up with new tricks, 65 00:02:57.039 --> 00:02:59.520 so defenders need to be constantly learning. 66 00:02:59.240 --> 00:03:01.879 To like a never ending game of cat and mouse. 67 00:03:02.080 --> 00:03:04.520 That's a great way to put it, Okay, So adaptability 68 00:03:04.560 --> 00:03:07.759 is key absolutely, and o'she Bowens hits the nail on 69 00:03:07.800 --> 00:03:10.439 the head when she talks about the need for flexibility 70 00:03:10.479 --> 00:03:15.240 in Blue Team strategies. The threat landscape is constantly shifting, 71 00:03:15.319 --> 00:03:17.439 so you've got to be able to adjust your defenses 72 00:03:17.439 --> 00:03:17.879 on the fly. 73 00:03:18.199 --> 00:03:21.080 So it's not just about technical skills. It's about mindset too. 74 00:03:21.240 --> 00:03:25.439 Absolutely, it's about being able to analyze information from multiple angles, 75 00:03:25.840 --> 00:03:28.520 think critically, and solve problems creatively. 76 00:03:28.919 --> 00:03:31.400 Okay, I'm starting to see that the Blue Team is 77 00:03:31.520 --> 00:03:34.400 less about specific tools and more about a way of thinking. 78 00:03:34.719 --> 00:03:37.080 It's a combination of both. Really, you need the right 79 00:03:37.159 --> 00:03:40.560 tools and the right mindset to be truly effective. 80 00:03:40.719 --> 00:03:43.120 All right, So let's get practical. What are some of 81 00:03:43.120 --> 00:03:47.360 the security controls these experts actually recommend. What moves really 82 00:03:47.360 --> 00:03:48.000 make a difference. 83 00:03:48.120 --> 00:03:52.319 One surprisingly simple but effective control is locking down admin access. 84 00:03:52.439 --> 00:03:54.759 You mean, like making sure not everyone has the keys. 85 00:03:54.520 --> 00:03:57.439 To the kingdom exactly. Marcus J. Carey is a big 86 00:03:57.479 --> 00:04:00.000 advocate for this. He says it dramatically reduces the damage 87 00:04:00.159 --> 00:04:02.000 even a successful hacker can cause. 88 00:04:02.280 --> 00:04:04.919 Makes sense. If you limit the number of people with 89 00:04:05.039 --> 00:04:08.639 admin privileges, you reduce your attack surface exactly. 90 00:04:09.159 --> 00:04:12.159 And it's a relatively easy control to implement, so. 91 00:04:12.199 --> 00:04:15.319 Low effort, high impact. I like it, But how do 92 00:04:15.360 --> 00:04:19.199 you even begin to monitor a whole network for suspicious activity? 93 00:04:20.000 --> 00:04:21.439 That sounds like a daunting task. 94 00:04:21.560 --> 00:04:24.959 Ricky Bandis is a big believer in network visibility. He 95 00:04:25.079 --> 00:04:28.120 says tools like NetFlow can be incredibly effective for giving 96 00:04:28.160 --> 00:04:30.519 the blue team a clear picture of what's happening on 97 00:04:30.560 --> 00:04:31.120 the network. 98 00:04:31.800 --> 00:04:35.439 NetFlow so it's like security cameras for your data traffic. 99 00:04:35.560 --> 00:04:36.680 Yeah, that's a great analogy. 100 00:04:36.759 --> 00:04:38.920 You can see where the data is going, who's accessing what, 101 00:04:39.120 --> 00:04:41.160 and spot any red flags immediately. 102 00:04:41.319 --> 00:04:45.000 Right. It's about being proactive and catching those subtle signs 103 00:04:45.040 --> 00:04:46.040 that something might be off. 104 00:04:46.199 --> 00:04:49.240 Okay, so limiting access and having eyes on your network. Yeah, 105 00:04:49.240 --> 00:04:52.560 it's a good start, But doesn't it get incredibly complicated 106 00:04:52.600 --> 00:04:54.720 when you're talking about an entire organization? 107 00:04:55.040 --> 00:04:55.839 It definitely can. 108 00:04:56.120 --> 00:04:57.879 How do you make sure everyone's following the rules? 109 00:04:57.920 --> 00:05:00.720 Well, Amanda Berlin brings up a powerful too for this 110 00:05:00.839 --> 00:05:02.399 Windows group policy. 111 00:05:02.480 --> 00:05:06.360 Group policy. Isn't that something it admins use to manage computers? 112 00:05:06.720 --> 00:05:09.480 It is, and it can also be a powerful security 113 00:05:09.519 --> 00:05:13.399 tool house. Well, it's a centralized way to manage and 114 00:05:13.480 --> 00:05:18.279 automate those don't click on suspicious links type of rules 115 00:05:18.279 --> 00:05:19.519 across the entire company. 116 00:05:19.600 --> 00:05:22.120 So instead of relying on everyone remembering a million different 117 00:05:22.120 --> 00:05:25.959 security best practices, you can enforce them automatically through group policy. 118 00:05:26.040 --> 00:05:29.959 Exactly. It's about making security as seamless and user friendly 119 00:05:29.959 --> 00:05:32.560 as possible while still being effective. 120 00:05:33.040 --> 00:05:35.519 Okay, that makes sense. So you're taking the human element 121 00:05:35.560 --> 00:05:37.560 out of the equation as much as possible. 122 00:05:37.160 --> 00:05:40.319 We certain extent, Yes, but you still need to educate 123 00:05:40.439 --> 00:05:44.120 users about security best practices. Of course, group policy is 124 00:05:44.160 --> 00:05:45.399 just one layer of defense. 125 00:05:45.560 --> 00:05:48.319 Makes sense. Now, another expert, Sammy Loijo, has a pretty 126 00:05:48.360 --> 00:05:50.279 interesting approach. He talks about whitelisting. 127 00:05:50.680 --> 00:05:55.000 Ah, yes, whitelisting. It's a very proactive way to enhance security. 128 00:05:55.079 --> 00:05:56.439 But it also seems pretty bold. 129 00:05:56.519 --> 00:05:56.680 Yeah. 130 00:05:56.720 --> 00:05:58.839 I mean you're essentially saying nothing can run on the 131 00:05:58.879 --> 00:06:00.720 system unless we explicit allow us. 132 00:06:00.759 --> 00:06:03.759 Exactly. It flips the script on attackers. Instead of trying 133 00:06:03.800 --> 00:06:06.959 to block every bad thing, which is impossible, you only 134 00:06:06.959 --> 00:06:08.720 allow approved applications to run. 135 00:06:08.920 --> 00:06:11.560 So it's like creating a very exclusive guest list for 136 00:06:11.600 --> 00:06:12.160 your computer. 137 00:06:12.399 --> 00:06:14.079 Yeah, that's a good way to think about it. It's 138 00:06:14.079 --> 00:06:17.199 about minimizing your attack surface by reducing the number of 139 00:06:17.240 --> 00:06:18.399 potential entry points. 140 00:06:18.480 --> 00:06:21.120 Okay, I can see the logic there. But doesn't that 141 00:06:21.120 --> 00:06:23.639 create a lot of work for the blue team. I 142 00:06:23.639 --> 00:06:26.240 mean they have to constantly update the white list as 143 00:06:26.319 --> 00:06:27.600 new applications are needed. 144 00:06:27.839 --> 00:06:30.120 It can be a bit of work, but it's worth it. 145 00:06:30.199 --> 00:06:32.079 The security benefits are significant. 146 00:06:32.120 --> 00:06:36.439 Okay, so whitelisting limits what can run on a system, right, 147 00:06:36.639 --> 00:06:39.279 but what about controlling who can access those systems in 148 00:06:39.279 --> 00:06:39.920 the first place? 149 00:06:40.000 --> 00:06:43.360 Ah? Yes, access control. That's another crucial piece of the puzzle. 150 00:06:43.560 --> 00:06:47.319 And Aiman Elsaua emphasizes the power of single sign on 151 00:06:47.439 --> 00:06:52.519 with multi factor authentications plus MFA as it's often called. 152 00:06:52.600 --> 00:06:54.600 I've heard those terms, but to be honest, I'm still 153 00:06:54.639 --> 00:06:55.959 a little fuzzy on what they actually mean. 154 00:06:56.079 --> 00:06:59.519 Sure, no problem. So single sign on lets users access 155 00:06:59.600 --> 00:07:02.199 multiple systems with just one set of credentials. 156 00:07:02.279 --> 00:07:04.360 Okay, so it's about convenience exactly. 157 00:07:04.600 --> 00:07:07.160 It makes life easier for users. But then multi factor 158 00:07:07.199 --> 00:07:10.040 authentication adds an extra layer of security on top of that. 159 00:07:10.519 --> 00:07:13.680 So even if someone steals your password, they can't get 160 00:07:13.680 --> 00:07:16.560 in without that second factor like a code from your 161 00:07:16.560 --> 00:07:19.519 phone or a fingerprint scan precisely, so it's like double 162 00:07:19.519 --> 00:07:20.839 locking your digital front door. 163 00:07:21.040 --> 00:07:23.680 Yeah, that's a great analogy. And what's interesting is that 164 00:07:23.759 --> 00:07:28.240 Elsaala emphasizes that it's not just about making things more secure, 165 00:07:28.480 --> 00:07:31.079 it's about improving the user experience too. 166 00:07:31.360 --> 00:07:34.759 Because nobody wants to remember a million different passwords exactly. 167 00:07:34.800 --> 00:07:35.800 I know I struggle with that. 168 00:07:36.000 --> 00:07:39.759 It's a common problem and multi factor authentication can help 169 00:07:39.879 --> 00:07:41.920 solve that while also making things more secure. 170 00:07:42.040 --> 00:07:43.439 That's a win win in my book. 171 00:07:43.560 --> 00:07:44.199 Absolutely. 172 00:07:44.560 --> 00:07:49.920 So we've covered limiting access, monitoring the network, whitelisting, and 173 00:07:50.000 --> 00:07:53.000 beefing up log insecurity. It's like we're building a digital 174 00:07:53.040 --> 00:07:54.360 fortress brick by brick. 175 00:07:54.560 --> 00:07:56.720 It's all about layering your defenses, right. 176 00:07:56.839 --> 00:07:59.399 Yeah, what about all the data companies collect these days? 177 00:07:59.600 --> 00:08:02.079 It seems like data breaches are constantly in the news. 178 00:08:02.399 --> 00:08:05.160 You're right, data security is a huge concern, and that's 179 00:08:05.160 --> 00:08:08.759 where data governance comes In. Data governance, yeah, Terrence Jackson 180 00:08:08.759 --> 00:08:11.560 talks about the importance of knowing exactly what data you have, 181 00:08:11.639 --> 00:08:13.680 where it lives, and who has access to it. 182 00:08:14.040 --> 00:08:16.519 So it's not just about protecting the perimeter, it's about 183 00:08:16.879 --> 00:08:21.600 understanding what's valuable inside and securing it accordingly. Exactly makes sense. 184 00:08:22.000 --> 00:08:24.240 But where do you even begin with something like that? 185 00:08:24.560 --> 00:08:29.040 Jackson recommends starting with data mapping and classification. Exercises. You 186 00:08:29.120 --> 00:08:32.440 need to know what's sensitive, what needs extra protection, and 187 00:08:32.440 --> 00:08:34.559 what can be safely discarded. 188 00:08:34.360 --> 00:08:36.559 Because if you don't know what you have, you can't 189 00:08:36.559 --> 00:08:39.840 protect it properly, precisely. Okay, that makes sense. And once 190 00:08:39.840 --> 00:08:41.840 you've mapped and classified your data. 191 00:08:42.080 --> 00:08:47.360 What's next, Well, Jackson recommends implementing appropriate IAM controls Identity 192 00:08:47.440 --> 00:08:50.039 and Access management IAM. 193 00:08:50.279 --> 00:08:52.360 So it's like having a digital bouncer at the club, 194 00:08:52.440 --> 00:08:54.919 checking IDs and making sure only the right people get in. 195 00:08:55.039 --> 00:08:56.559 Yeah, that's a good way to think about it. It's 196 00:08:56.559 --> 00:08:59.120 about controlling who has access to what data and making 197 00:08:59.159 --> 00:09:00.679 sure those permissions are appropriate. 198 00:09:00.720 --> 00:09:05.120 Okay, so i AM controls access, But what about preventing 199 00:09:05.320 --> 00:09:08.279 sensitive data from leaving the organization in the first place. 200 00:09:08.360 --> 00:09:11.600 That's where DLP comes in data loss prevention. Think of 201 00:09:11.679 --> 00:09:14.600 it as a security guard for your data, preventing leaks 202 00:09:14.639 --> 00:09:15.519 before they happen. 203 00:09:15.720 --> 00:09:18.519 So we've got IM controls as the bouncer, and DLP 204 00:09:18.759 --> 00:09:21.159 is a security guard. Now that's a team I want 205 00:09:21.240 --> 00:09:22.360 on my side me too. 206 00:09:22.960 --> 00:09:26.559 They're essential for any comprehensive data governance strategy. 207 00:09:26.720 --> 00:09:29.519 Okay, so we've got access control and leak prevention, but 208 00:09:29.600 --> 00:09:33.320 what about retention policies? How long should companies hold on 209 00:09:33.360 --> 00:09:35.399 to data? Is there like a best practice for that. 210 00:09:35.399 --> 00:09:37.879 That's a great question, and there's no one size fits 211 00:09:37.879 --> 00:09:41.440 all answer, But the general consensus among these experts is 212 00:09:41.480 --> 00:09:44.440 to keep data only as long as you absolutely need it. 213 00:09:44.519 --> 00:09:47.360 So the less data you store, the less you have 214 00:09:47.399 --> 00:09:48.519 to worry about protecting. 215 00:09:48.919 --> 00:09:50.240 Exactly makes sense. 216 00:09:50.519 --> 00:09:52.279 It's like decluttering your digital life. 217 00:09:52.519 --> 00:09:54.159 Yeah, that's a good way to think about it. 218 00:09:54.200 --> 00:09:56.360 This is all giving me a whole new appreciation for 219 00:09:56.480 --> 00:09:59.879 the complexity of cybersecurity. Yeah, it's not just about fire 220 00:10:00.080 --> 00:10:03.639 walls and antivirus software. It's about data, processes and people too. 221 00:10:03.799 --> 00:10:07.360 Absolutely, it's a multi layered system where every piece matters. 222 00:10:07.840 --> 00:10:11.480 Speaking of interesting pieces, this next section on deception technologies 223 00:10:11.519 --> 00:10:15.159 caught my eye. What's the deal with tricking hackers? Is 224 00:10:15.159 --> 00:10:16.080 that even ethical? 225 00:10:16.399 --> 00:10:19.759 Well, deception technologies are about creating a minefield for attackers. 226 00:10:20.039 --> 00:10:22.919 Instead of just defending your real systems, you set up 227 00:10:22.960 --> 00:10:26.440 decoys like honeypots to lure them in and study their moods. 228 00:10:26.600 --> 00:10:28.639 So it's like setting a trap and watching to see 229 00:10:28.639 --> 00:10:32.120 who falls into it. Yeah, kind that's pretty clever, But 230 00:10:32.240 --> 00:10:35.720 wouldn't attackers eventually figure out that these are fake systems. 231 00:10:35.879 --> 00:10:39.080 They might, but even then you've gained valuable intel about 232 00:10:39.120 --> 00:10:42.279 their tactics and objectives. You've turned the tables and used 233 00:10:42.279 --> 00:10:43.639 their curiosity against them. 234 00:10:43.679 --> 00:10:46.120 Okay, so it's a way to gather intelligence and disrupt 235 00:10:46.159 --> 00:10:50.480 attacks exactly. Doesn't the word deception itself raise some ethical 236 00:10:50.519 --> 00:10:53.720 concerns like are we tricking people into doing something they 237 00:10:53.720 --> 00:10:54.759 wouldn't otherwise do. 238 00:10:55.080 --> 00:10:57.279 It's a valid concern, and one that comes up in 239 00:10:57.279 --> 00:10:59.960 the book is mao Velenzuela talks about how the term 240 00:11:00.159 --> 00:11:04.759 deception can be a bit tricky, especially for legal NHR departments. 241 00:11:05.120 --> 00:11:06.200 So how do you get around that? 242 00:11:06.399 --> 00:11:09.480 Well, Valenzuela has a great tactic. He suggests rebranding these 243 00:11:09.519 --> 00:11:12.200 technologies as early warning systems. 244 00:11:12.519 --> 00:11:16.639 Early warning systems. I like that It sounds much less 245 00:11:16.679 --> 00:11:18.679 like we're trying to trick people and more like we're 246 00:11:18.720 --> 00:11:20.039 just being extra vigilant. 247 00:11:20.240 --> 00:11:22.559 Exactly. It's a subtle shift in language, but it can 248 00:11:22.600 --> 00:11:24.600 make a big difference in getting everyone on board. 249 00:11:24.720 --> 00:11:27.759 Okay, so we've got our digital fortress, our data guardians, 250 00:11:28.360 --> 00:11:29.919 and now our early warning system. 251 00:11:30.039 --> 00:11:31.960 I'm liking these analogies me too. 252 00:11:32.320 --> 00:11:34.919 It helps to paint a picture we haven't even touched on. 253 00:11:35.000 --> 00:11:38.039 Compliance and frameworks. Yet where do those fit into the 254 00:11:38.039 --> 00:11:38.639 big picture. 255 00:11:39.000 --> 00:11:42.399 That's a great question, and it's interesting to see how 256 00:11:42.440 --> 00:11:46.759 these experts navigate that tricky world. They all acknowledge that 257 00:11:46.840 --> 00:11:51.600 compliance is necessary, right, but they also emphasize its limitations. 258 00:11:51.720 --> 00:11:53.919 So you're saying just checking boxes isn't enough to be 259 00:11:53.960 --> 00:11:55.440 truly secure exactly. 260 00:11:55.720 --> 00:11:58.960 Compliance can provide a baseline, a framework for building a 261 00:11:59.080 --> 00:12:02.799 solid security program, okay, but it should never be the 262 00:12:02.919 --> 00:12:03.360 end goal. 263 00:12:03.559 --> 00:12:06.679 It's like having a building code. It assures a minimum 264 00:12:06.759 --> 00:12:09.159 level of safety, but you can still build a really 265 00:12:09.200 --> 00:12:11.480 shoddy structure if you just follow the bare minimum. 266 00:12:11.519 --> 00:12:14.120 That's a perfect analogy. Thanks, So the real goal is 267 00:12:14.159 --> 00:12:16.480 to build a secure system, not just a compliant one. 268 00:12:16.720 --> 00:12:19.159 Right, So what frameworks do these experts recommend? 269 00:12:19.440 --> 00:12:23.480 Terrence Jackson and Donald McFarlane both mention the NIST Cybersecurity 270 00:12:23.519 --> 00:12:27.279 Framework and ISO twenty seven zero one as solid starting points. 271 00:12:27.399 --> 00:12:30.000 NIST and ISO, I've definitely heard those names before, but 272 00:12:30.039 --> 00:12:31.679 could you give us a quick rundown of what they're 273 00:12:31.679 --> 00:12:32.159 all about? 274 00:12:32.360 --> 00:12:36.559 Sure? So, the NIST Cybersecurity Framework is all about managing risk. 275 00:12:36.759 --> 00:12:39.679 It gives organizations a set of best practices to follow 276 00:12:39.720 --> 00:12:45.039 for identifying protecting, detecting, responding to, and recovering from cyber attacks. 277 00:12:45.200 --> 00:12:47.759 Okay, and what about ISO twenty seven thousan zero one. 278 00:12:47.919 --> 00:12:51.159 ISO twenty seven thousandero one is an international standard for 279 00:12:51.200 --> 00:12:56.240 setting up an information security management system or isms and isms. Yeah, 280 00:12:56.279 --> 00:12:59.639 it's a framework for managing information security risks and ensuring 281 00:12:59.679 --> 00:13:01.600 complaing alliance with relevant regulations. 282 00:13:01.840 --> 00:13:04.519 So they're both frameworks are building a secure organization, but 283 00:13:04.559 --> 00:13:08.000 with slightly different approaches exactly. Okay, that makes sense. But 284 00:13:08.080 --> 00:13:10.360 the key takeaway here, and one that William Benkson really 285 00:13:10.480 --> 00:13:13.159 drives home, is that compliance should be a side benefit 286 00:13:13.240 --> 00:13:16.879 of good security practices, not the goal itself. You shouldn't 287 00:13:16.879 --> 00:13:19.639 be doing security just to check boxes. You should be 288 00:13:19.639 --> 00:13:21.759 doing it to genuinely protect your organization. 289 00:13:22.080 --> 00:13:23.080 I couldn't agree more. 290 00:13:23.480 --> 00:13:26.600 This is making me rethink my whole view of compliance. 291 00:13:27.320 --> 00:13:29.919 It's not about jumping through hoops. It's about building a 292 00:13:29.960 --> 00:13:31.039 culture of security. 293 00:13:31.600 --> 00:13:35.600 Absolutely. It's about shifting the mindset from we have to 294 00:13:35.639 --> 00:13:38.279 do this to we want to do this because it's 295 00:13:38.279 --> 00:13:39.120 the right thing to do. 296 00:13:40.279 --> 00:13:43.120 That's a powerful shift. It is now speaking of doing 297 00:13:43.200 --> 00:13:46.080 the right thing. It seems like a lot of security 298 00:13:46.120 --> 00:13:48.039 breaches happen because of human error. 299 00:13:48.200 --> 00:13:48.879 That's true. 300 00:13:49.200 --> 00:13:52.840 So how do you get everyone in an organization on 301 00:13:52.919 --> 00:13:56.080 board with security? It can't just be the blue team's responsibility. 302 00:13:56.120 --> 00:13:58.919 You're absolutely right. Cybersecurity is a team sport, and that's 303 00:13:58.960 --> 00:14:02.519 where engaging every unit within the organization becomes so important. 304 00:14:02.720 --> 00:14:05.080 Okay, so we're talking about breaking down those silos and 305 00:14:05.080 --> 00:14:08.399 getting everyone working together, but how do you even begin 306 00:14:08.519 --> 00:14:10.360 to do that? I mean, it's one thing to say 307 00:14:10.399 --> 00:14:13.000 everyone needs to care about security, but it's another thing 308 00:14:13.039 --> 00:14:14.200 to actually make it happen. 309 00:14:14.759 --> 00:14:17.399 It's a challenge, for sure, but it's not impossible. 310 00:14:17.879 --> 00:14:20.360 So what are some strategies that actually work well? 311 00:14:20.360 --> 00:14:23.159 Oshae. Bowen's and Maggie Moore Ganty are big fans of 312 00:14:23.279 --> 00:14:24.480 tabletop exercises. 313 00:14:24.480 --> 00:14:27.639 Tabletop exercises like wargames. 314 00:14:27.320 --> 00:14:29.799 Yeah, kind of. It's where you bring people from different 315 00:14:29.799 --> 00:14:32.200 departments together and simulate a cyber attack. 316 00:14:32.639 --> 00:14:35.200 So it's like a fire drill, but for cyber threats exactly. 317 00:14:35.600 --> 00:14:38.919 It helps people understand the roles in a crisis, exposes 318 00:14:38.960 --> 00:14:42.600 weaknesses in your processes, and gets everyone thinking about security 319 00:14:42.879 --> 00:14:44.159 in a more tangible way. 320 00:14:44.480 --> 00:14:46.679 That's a great idea, But how do you get people 321 00:14:46.759 --> 00:14:48.840 to care about security? On a day to day basis, 322 00:14:49.360 --> 00:14:52.159 it's easy to tune out those don't click on suspicious 323 00:14:52.200 --> 00:14:53.279 links emails. 324 00:14:53.480 --> 00:14:57.279 That's where clear communication and education come in. Amanda Berlin 325 00:14:57.320 --> 00:14:59.639 and am And also both talk about ditching the tech 326 00:14:59.720 --> 00:15:02.200 jarg and making security relatable. 327 00:15:02.360 --> 00:15:06.039 So instead of lecturing people about firewalls and malware, you 328 00:15:06.080 --> 00:15:08.000 tell them a story about a hacker trying to break 329 00:15:08.039 --> 00:15:08.559 into their. 330 00:15:08.399 --> 00:15:12.000 House exactly, use analogies, keep it brief and to the point, 331 00:15:12.200 --> 00:15:16.200 and most importantly, focus on the why behind security policies. 332 00:15:15.919 --> 00:15:18.399 Because if people don't understand the why, they're less likely 333 00:15:18.440 --> 00:15:20.320 to follow the rules right precisely. 334 00:15:20.399 --> 00:15:22.919 It's human nature, and it's not just about employees. It's 335 00:15:22.960 --> 00:15:27.399 about communicating threats effectively to non technical decision makers too. 336 00:15:27.679 --> 00:15:30.399 Okay, so how do you explain a complex cyber attech 337 00:15:30.480 --> 00:15:33.679 to someone who doesn't speak tech. I can imagine that 338 00:15:33.720 --> 00:15:35.399 getting pretty complicated pretty quickly. 339 00:15:35.480 --> 00:15:40.159 Elsour suggests using relatable analogies, empathy, and keeping things concise. 340 00:15:40.519 --> 00:15:43.000 You need to understand their perspective and what they care about. 341 00:15:43.240 --> 00:15:46.320 So meet them where they are, not expect them to 342 00:15:46.440 --> 00:15:49.440 suddenly become cybersecurity experts exactly. 343 00:15:50.159 --> 00:15:53.440 And then Mark Orlando offers a fascinating technique using the 344 00:15:53.519 --> 00:15:55.679 five wise method in reverse. 345 00:15:55.759 --> 00:15:58.919 Okay, back up a second. What's the five wise method 346 00:15:59.080 --> 00:16:00.480 and how do you use it reverse? 347 00:16:00.639 --> 00:16:03.480 So the five wise is a problem solving technique where 348 00:16:03.519 --> 00:16:06.120 you keep asking why to get to the root cause 349 00:16:06.120 --> 00:16:08.360 of an issue. Okay, but in this case, you start 350 00:16:08.399 --> 00:16:11.080 with the business impact of a cyber attack and work backward. 351 00:16:11.200 --> 00:16:13.679 So instead of explaining the technical details, you frame it 352 00:16:13.679 --> 00:16:16.399 in terms of how it will hurt the bottom line exactly. 353 00:16:16.480 --> 00:16:20.000 You're speaking their language, showing them the real world consequences 354 00:16:20.039 --> 00:16:23.159 of a security breach. That's clever, it can be very effective. 355 00:16:23.559 --> 00:16:27.000 This is all incredibly eye opening. Cybersecurity isn't just about 356 00:16:27.000 --> 00:16:31.840 technical skills. It's about communications, psychology, even a bit of storytelling. 357 00:16:32.159 --> 00:16:36.840 You're getting it. It's this fascinating blend of technical expertise 358 00:16:37.240 --> 00:16:39.000 and human understanding. 359 00:16:39.320 --> 00:16:42.200 We've covered a ton of ground here, but there's still 360 00:16:42.399 --> 00:16:45.559 so much to explore in the world of Blue Team wisdom. 361 00:16:45.919 --> 00:16:49.159 What other surprises are lurking in these expert insights. 362 00:16:49.279 --> 00:16:52.080 Well, one of the most important themes woven throughout is 363 00:16:52.080 --> 00:16:54.480 the idea of continuous learning and growth. 364 00:16:54.639 --> 00:16:57.600 Ah Yes, the importance of staying ahead of the curve exactly. 365 00:16:57.679 --> 00:17:01.000 It's not enough to just learn the basis. You need 366 00:17:01.039 --> 00:17:04.160 to be constantly evolving your skills and knowledge. 367 00:17:04.240 --> 00:17:06.480 So it's not just about building a digital fortress, it's 368 00:17:06.480 --> 00:17:10.119 about making sure it can withstand the next siege, the 369 00:17:10.160 --> 00:17:11.319 next wave of attacks. 370 00:17:11.359 --> 00:17:15.319 Precisely, and William Bankson highlights the value of pairing with 371 00:17:15.440 --> 00:17:18.599 Red Team and application security teams to get a different 372 00:17:18.599 --> 00:17:20.079 perspective on your defenses. 373 00:17:20.200 --> 00:17:21.920 Hold on Red Team. I thought we were talking about 374 00:17:21.920 --> 00:17:22.480 the Blue team. 375 00:17:22.839 --> 00:17:25.119 We are, but red teams act as the attackers in 376 00:17:25.160 --> 00:17:28.079 a controlled environment. They try to penetrate your defenses so 377 00:17:28.119 --> 00:17:30.359 you can learn from their tactics and improve your security. 378 00:17:30.480 --> 00:17:33.359 Oh so it's like having a scrimmage before the big game. 379 00:17:33.720 --> 00:17:36.000 You test your defenses against a skilled opponent. 380 00:17:36.240 --> 00:17:40.039 Yeah, that's a great analogy. And Bankson also mentions free 381 00:17:40.039 --> 00:17:44.720 resources like open socio, a platform for practicing security skills, 382 00:17:45.000 --> 00:17:48.160 and John Breath recommends attending local security conferences like B 383 00:17:48.319 --> 00:17:49.079 Sides B. 384 00:17:49.160 --> 00:17:52.079 Sides, I've heard of those. It's a chance to connect 385 00:17:52.079 --> 00:17:54.200 with other security pros and learn from the best in 386 00:17:54.240 --> 00:17:54.640 the field. 387 00:17:54.920 --> 00:17:55.519 Exactly. 388 00:17:55.680 --> 00:17:58.279 Okay, so it's a mix of hands on practice, networking 389 00:17:58.640 --> 00:18:01.519 and staying up to date on the late technologies right. 390 00:18:01.480 --> 00:18:04.640 And Breath also suggests taking advantage of vendor training to 391 00:18:04.759 --> 00:18:07.200 learn the ins and outs of specific security tools. 392 00:18:07.720 --> 00:18:09.440 So there are a lot of different ways to learn 393 00:18:09.480 --> 00:18:12.160 and grow in this field. Absolutely, but doesn't all this 394 00:18:12.279 --> 00:18:15.039 learning get overwhelming? Where do you even find the time? 395 00:18:15.400 --> 00:18:18.119 That's a valid concern, and that's where the final piece 396 00:18:18.160 --> 00:18:22.480 of advice comes in documentation. John Breath emphasizes the importance 397 00:18:22.480 --> 00:18:24.880 of capturing your knowledge and sharing it with others. 398 00:18:25.359 --> 00:18:27.599 So it's not just about learning for yourself, it's about 399 00:18:27.599 --> 00:18:30.440 building a knowledge base that benefits the whole team, the 400 00:18:30.480 --> 00:18:32.119 whole organization exactly. 401 00:18:32.400 --> 00:18:35.440