It looks like I'm going to be building and teaching a Blue Teaming / Security Operations course for the Fall 2023 semester.

What do you think are the most important topics I should cover? What do you want new grads on your defensive security team to know?

Boost for reach, please!

@blueteamgoon So many new hires want to buy their way into security, fill the rack with black boxes and completely ignore the low-hanging fruit. I'm surprised at the number of Jrs who don't seem to understand how important documentation and change management are. Good luck with the course!

@blueteamgoon Emphasize that building bridges, insights, and relationships across teams outside of InfoSec group is critical to actually securing the org.

Countless times I was able to head off disaster because a friend in TechOps, Marketing, etc. wanted to double-check something with me. I was able to help them find a better solution.

@blueteamgoon seems like a good idea to me. Happy to learn.

@blueteamgoon

The OSI model. Seriously. Understanding the layers that controls affect and simply tracing a packet through the various layers is a lifelong IT/Security skill. Even if something is a "black box", understanding what layers that black box interacts with can be enlightening.

Social skills, clear communication, DevOps culture (think Phoenix Project). Very few skills in security don't build on basic IT concepts.

@natesubra I absolutely agree, especially with that last sentence. I've always said that infosec functions best as a "dual class" in the old Advanced Dungeons and Dragons parlance - practitioners who spend some time in help desk and network engineering first have so much more context to draw from when they make the move to security.

@blueteamgoon

Definitely agree! I love the "dual class" nod. Great parallel!

@blueteamgoon Learn how to build things and patch software. Learn the skills that you want your developers to have (software development, SRE, infrastructure management). Knowing what your partners in the company have to do and how they work changes the conversation from "No, don't do this" to "Have you considered this alternative that is more secure? I can help you with brainstorming/designing/building!"

+ what the others say about communication, documentation.

@blueteamgoon In addition to what's been said, teaching a solid investigative methodology that prevents bias and systematically reveals the story of an alert/incident is critical. These are habits of mind beyond technical knowledge that all too many defenders enter the field without.

@blueteamgoon I'm a Linux/cloud sysadmin but I have a very good relationship with our #infosec folks.

The reason? Ops and Security to me are two sides of the same coin.

The manager over in infosec used to be my boss in operations.

Everything Taggart said, but at least some base in how Linux, Windows, *aaS, etc. function is absolutely critical from my perspective.

@blueteamgoon I would say, among other things, that too much security kills security. Or, as I prefer to say, if you go with too many security measures, you will certainly be protected, but the business will not be able to operate. “If you kill the patient, the illness is gone, granted, but the patient too!”

@blueteamgoon

Great! Some ideas following in unprioritized order:

Identify: understand threat models, detection coverage planning, system criticality, stakeholders in IR, how to create an IR plan with a clear RACI, inclusion of MSPs in plans

(Thread)

@blueteamgoon Protect: integrity control for logs and backups, keeping the threat model updated based on threat intel, how to run exercises

Detect: vulnerability management, connecting vulnerability exposure to asset criticality, making this info available in a SIEM through lookup tables, building practical playbooks that use threat intel and context for confidence improvement, communication with system owners and end users during triage.

@blueteamgoon

Respond: follow the IR plan :), comms and management during IR, evidence collection, chain of custody, IOC extraction, YARA file creation, identification of impact zone

Recover: recovery test criteria, how to run a post mortem, how to actually use the post mortem to improve things.

Other: collaboration, the value of integrity, work-life balance, empathy.

@eselet @blueteamgoon you can't log it all. You can't detect it all. Teach how to prioritize by data and risk. They must become comfortable with the unknown.

@libr8r @eselet Look, all I want is all of the logs produced by everything on the network, perfectly parsed, and retained indefinitely on this 1TB spinny drive. Is that so much to ask for?

/s

@blueteamgoon

From the top of my head...

* Emphasis on knowing the basics of logging, and knowing how networks and networking work.

* How to read Windows events and syslog

* Touching on regex, and data manipulation

* How a SIEM works

* A sheet or something of commonly used acronyms in infosec

* Sysmon and the swiftonsecurity config XML

* How CVEs work and why they aren't the be-all and end-all

* How CVSS works

* How to write and read policy

* What anti-virus actually is and where it fails

* How to research IoC artifacts

* Why being customer service minded is very important. Also why punishing users is one of the worst things you can do

* How to train users, as in, what things to focus on and making things FAR easier than you think you need to

I probably have a ton more, but can't think of them off the top of my head

@blueteamgoon Long tail analysis, simple IOC contextual enrichment, safe handling of samples/URIs, tuning theory (AKA good alert, bad alert)...