Chris Hughes
Contributing Writer

6 best practices for blue team success

Aug 22, 2022 · 6 mins
Networking, Penetration Testing

Every stakeholder, from the CISO to even the red team, wants the blue team to succeed against simulated cyberattacks. Sticking to this advice will help make that happen.


Cybersecurity team conversations these days can feel like a rainbow, with mentions of red, blue and even purple teams. While each team has its unique perspective and tasking, the blue team is trusted with arguably the most critical mission of all: protecting organizations from cybersecurity threats and vulnerabilities.

To do this, the blue team must be aware of the organization’s business/mission needs, relevant threats, digital footprint, and the associated vulnerabilities. From there, the team can bolster the organization’s security posture by implementing security controls and mitigations that address the most pressing threats and vulnerabilities.

As my colleague Maril Vernon, senior security engineer and purple team lead at Aquia, Inc., says regarding the role of the blue team: 

“Blue teams are made up of so much more than SOC analysts and IT operations. It’s everybody from the business information security officer [BISO] to the cyber threat intelligence [CTI] team to the enterprise risk and business continuity plan [BCP] professionals. At the end of the day, even your red team is working for the blue side.
We’re all there in the effort of proactively proving and improving security. In purple team exercises, the most crucial and important part of what we do is identifying and incorporating correct members of the various blue teams and really imparting that educational piece of adversarial goals, mindset, and tradecraft onto them. The bottom line is the blue teams make up the first, second and tertiary lines of defense at varying levels and we don’t want to gamble the capabilities of any of them. The middle of an incident is not the place to identify and remediate processes and control gaps. We don’t ever want to show up to a fair fight with an adversary and proper blue team maturity is how we give ourselves that advantage.”

What follows are six best practices blue teams can take to carry out their critical focus and mission.

1. Use a cybersecurity framework

While some might roll their eyes at the mention of a cybersecurity framework, it is difficult to lay out and implement a coherent cybersecurity program without a framework to build from. There is no shortage of cybersecurity frameworks to rally around, with NIST’s Cybersecurity Framework (CSF) and Risk Management Framework (RMF) being among the most widely cited.

NIST CSF, for example, provides guidelines for mitigating organizational cybersecurity threats. It does so across the fundamental activities of identifying, protecting, detecting, responding and recovering. Organizations will cycle through these phases many times as risks and threats materialize. What’s unique about CSF is that it also supports the use of profiles, which allow organizations to tailor the CSF to their industry and organization; several example profiles are available to choose from.

2. Have visibility into and awareness of assets to be protected

No cybersecurity program can be effective without proper visibility and awareness of the assets it must protect. This is why controls such as hardware and software asset inventory have been fundamental CIS Security Controls for years.

A fundamental truth in cybersecurity is that you cannot protect what you cannot see or don’t know exists. In today’s cloud-driven environment, traditional assets are increasingly becoming software defined and exist in a cloud service provider’s (CSP’s) environment. This can apply to endpoints as well, as the use of virtual desktops continues to grow. Visibility applies to all organizational assets, whether physical or virtual.

3. Reduce the noise

Today’s blue team professionals are dealing with myriad tools, platforms and sources to cover the environment they must monitor and secure. This equates to a dizzying array of alerts and notifications that tax their attention and cognitive capacity and can even sap their morale. One thing that must be done to maximize the value of the blue team is to minimize the number of false positives, duplicative alerts and non-value-added notifications that take their attention away from legitimate threats and risks. One way to do this is to rationalize tool portfolios to remove duplication and ensure the team is receiving and responding to high-fidelity data.
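One concrete way to cut the noise described above is to normalize alerts from several tools into a common shape, collapse alerts that describe the same activity, and tune out patterns the team has already verified as expected. The following is an added example written for this article, not code from the author or from any product mentioned; the two alert feeds, their field names and the allowlist entries are constructed for illustration.

```python
"""Collapse duplicative alerts from several tools into one high-fidelity queue.

Added example, not from the article: two constructed alert feeds are normalized
into a common shape, fingerprinted on (host, category, indicator), de-duplicated
within a time window, and filtered against a tuning allowlist of known-benign
patterns. All field names and sample alerts are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample feeds from two hypothetical tools with different schemas.
EDR_ALERTS = [
    {"ts": "2022-08-22T09:00:05", "hostname": "ws-042", "rule": "Suspicious PowerShell",
     "hash": "aaaa1111", "severity": "high"},
    {"ts": "2022-08-22T09:00:09", "hostname": "ws-042", "rule": "Suspicious PowerShell",
     "hash": "aaaa1111", "severity": "high"},       # duplicate of the alert above
    {"ts": "2022-08-22T09:20:00", "hostname": "srv-db1", "rule": "Scheduled Task Created",
     "hash": "bbbb2222", "severity": "low"},
]
SIEM_ALERTS = [
    {"@timestamp": "2022-08-22T09:00:07", "host.name": "WS-042",
     "category": "suspicious powershell", "file.hash": "AAAA1111", "level": 8},  # same event via log forwarding
    {"@timestamp": "2022-08-22T09:05:00", "host.name": "scanner-01",
     "category": "port scan", "file.hash": "", "level": 5},                     # authorised scanner, tuned out below
    {"@timestamp": "2022-08-22T09:00:14", "host.name": "ws-042",
     "category": "suspicious powershell", "file.hash": "aaaa1111", "level": 8},
]

# Tuning allowlist: (host, category) pairs the team has verified as expected activity.
ALLOWLIST = {("scanner-01", "port scan")}


@dataclass
class Alert:
    ts: datetime
    host: str
    category: str
    indicator: str
    severity: str
    sources: set = field(default_factory=set)

    @property
    def fingerprint(self):
        # Case-insensitive so the same host/indicator reported by two tools collapses together.
        return (self.host.lower(), self.category.lower(), self.indicator.lower())


def normalize_edr(raw):
    """Map the constructed EDR schema onto the common Alert shape."""
    return Alert(datetime.fromisoformat(raw["ts"]), raw["hostname"], raw["rule"],
                 raw["hash"], raw["severity"], {"edr"})


def normalize_siem(raw):
    """Map the constructed SIEM schema onto the common Alert shape, bucketing the numeric level."""
    sev = "high" if raw["level"] >= 7 else "medium" if raw["level"] >= 4 else "low"
    return Alert(datetime.fromisoformat(raw["@timestamp"]), raw["host.name"],
                 raw["category"], raw["file.hash"], sev, {"siem"})


def triage(edr, siem, window=timedelta(minutes=10)):
    """Return (queue, stats): one alert per fingerprint per window, allowlisted items dropped."""
    alerts = sorted([normalize_edr(a) for a in edr] + [normalize_siem(a) for a in siem],
                    key=lambda a: a.ts)
    queue = []
    last_seen = {}  # fingerprint -> the Alert most recently placed on the queue
    stats = {"input": len(alerts), "allowlisted": 0, "merged": 0}
    for a in alerts:
        if (a.host.lower(), a.category.lower()) in ALLOWLIST:
            stats["allowlisted"] += 1
            continue
        prev = last_seen.get(a.fingerprint)
        if prev and a.ts - prev.ts <= window:
            prev.sources |= a.sources  # record corroboration instead of opening a second ticket
            stats["merged"] += 1
            continue
        last_seen[a.fingerprint] = a
        queue.append(a)
    return queue, stats


if __name__ == "__main__":
    queue, stats = triage(EDR_ALERTS, SIEM_ALERTS)
    for a in queue:
        print(a.ts.time(), a.host, a.category, a.severity, sorted(a.sources))
    print(stats)
```

Run as written, the six constructed alerts reduce to two queue entries: the PowerShell activity on ws-042, now annotated as corroborated by both tools, and the low-severity scheduled task on srv-db1. The scanner alert is dropped by the allowlist. The merge keeps the corroborating source names rather than discarding them, so analysts lose no evidence while the ticket count falls.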

4. Select tools that the team can master and use effectively 

Cybersecurity leaders can feel the need to procure and implement myriad tools to combat relevant threats and risks, and rightfully so, as there is a lot to protect against. Yet despite the rampant growth in security tooling, studies suggest the tools aren’t having the desired impact. For example, Ponemon reports that organizations on average have over 40 security tools, with team members admitting they don’t know how well they are working. A study from Market Cube points out that teams are adding tools faster than they can effectively use them.

Ironically, the burden of tool maintenance is compromising threat response and ultimately security postures. The introduction of each tool increases the overall cognitive load placed on a team. It takes time to learn the tool, provision and configure it, and then monitor it to make actionable use of its telemetry.

Burnout and cognitive overload in cybersecurity are real problems, not just because they can drain team energy and morale, but because juggling too many tools means less time to optimize them and drive down organizational risk. As a result, tool sprawl can exacerbate threats and vulnerabilities rather than mitigate them. The tools themselves also represent a part of an organization’s attack surface, and one often with elevated privileges that malicious actors will take advantage of.

5. See things from the eyes of an adversary 

A common trope repeated in the cybersecurity industry for defensive professionals is to “think like an attacker.” This is intuitive, given that to stop malicious activities you have to understand how your enemy thinks. The best way to do that is to put yourself in their shoes.

This means there is value in blue team professionals taking some time to practice from an offensive perspective. Understanding the relevant tools, tactics and procedures used by malicious actors can go a long way in informing how blue team professionals carry out their defensive activities. Some describe this as learning to relate to attackers by getting some practical offensive security experience under your belt. This doesn’t have to involve a formal role change or a real target; it can be facilitated by lab work or by participating in capture-the-flag (CTF) exercises.

6. Fight like you train

The late U.S. General George Patton once said, “You fight like you train.” He meant that when the time to fight comes, you will perform according to how you’ve trained. Under pressure, organizations and individuals don’t just miraculously rise to the occasion; they fall to their level of training. This emphasizes why it is so critical to train regularly and rigorously, not just with tabletop exercises and paperwork drills, but with real red team exercises and experiences. This is a mature approach that forces organizations to not just speculate how prepared they are to detect incidents, protect against malicious actors and ultimately be resilient to attacks, but to actually demonstrate it. Training for the fight will better equip your teams and organizations for the real-world threats they face.

Chris Hughes currently serves as the co-founder and CISO of Aquia. Chris has nearly 20 years of IT/cybersecurity experience, ranging from active duty time with the U.S. Air Force and civil service with the U.S. Navy and General Services Administration (GSA)/FedRAMP to time as a consultant in the private sector. He is also an adjunct professor for M.S. cybersecurity programs at Capitol Technology University and University of Maryland Global Campus. Chris participates in industry working groups such as the Cloud Security Alliance’s Incident Response Working Group and serves as the membership chair for Cloud Security Alliance D.C. He also co-hosts the Resilient Cyber Podcast. He holds various industry certifications, such as the CISSP/CCSP from ISC2, as well as both the AWS and Azure security certifications. He regularly consults with IT and cybersecurity leaders from various industries to assist their organizations with their cloud migration journeys while keeping security a core component of that transformation.