BLUEPRINT

Click here to send us your ideas and feedback on Blueprint!In this episode, we sit down with Rich Greene, a former United States Army Special Forces Green Beret and current SANS instructor for SEC275 and SEC301. Rich shares his incredible journey spanning 20 years in the Army, including his transition from military communication roles into the realm of cybersecurity. He talks about the importance of fundamentals in cybersecurity, the power of effective communication and persuasion, and dispels common misconceptions about entering the cyber field. Rich also highlights his passion for teaching and how his military background has shaped his approach to instruction and information security. Tune in for invaluable advice that applies to anyone no matter your role!. Check out John's SOC Training Courses for SOC Analysts and Leaders: SEC450: Blue Team Fundamentals - Security Operations and Analysis LDR551: Building and Leader Security Operations Centers Follow and Connect with John: LinkedIn

Click here to send us your ideas and feedback on Blueprint!In this episode, we sit down with Ryan Thompson, a seasoned expert in building dashboards that actually detect real threats—not just look pretty. With experience at Elastic, Alert Logic, and top EDR vendors, Ryan shares deep insights into the science behind effective dashboards and how security teams can cut through the noise to find the threats on your network.We cover:Why most SOC dashboards fail to deliver real insights—and how to fix them.The right way to structure dashboards for SIEM, EDR, and threat hunting.How to visualize security data effectively to make detection faster.The balance between automation, alerts, and analyst intuition.If you're a SOC analyst, detection engineer, or security leader looking to elevate your dashboard game and sharpen your cyber threat detection skills, this is an episode you won't want to miss!Check out John's SOC Training Courses for SOC Analysts and Leaders: SEC450: Blue Team Fundamentals - Security Operations and Analysis LDR551: Building and Leader Security Operations Centers Follow and Connect with John: LinkedIn

Click here to send us your ideas and feedback on Blueprint!Surprise!! It's a mini solo episode to kick off the new year and it's on one of the most important topics there is - how to achieve your goals in 2025 and beyond!In this episode I talk about a topic I've never covered anywhere before - my personal system for productivity and how it helps me, and can likely you help you stay on track for those 2025 goals and stay aligned with what is most important in your life. Check this episode out for some useful productivity tips, inspiration, recommendations for some of my favorite books, and fuel to get fired up for 2025! HAPPY NEW YEAR! Note: The episode thumbnail is the actual picture that I took of the quote that I mention seeing in the coffee shop that day in 2018. Episode NotesSimon Sinek - Start With WhyThe 5-Fold Why TechniqueBook - The 12 Week YearBook - The ONE ThingObsidianThe Eisenhower MatrixBook - Steal Like An ArtistBook - 4000 Weeks: Time Management for Mortals

Click here to send us your ideas and feedback on Blueprint!Mark Morowczynski returns for his 4th(!) time with his Microsoft coworker and identity and authentication expert Tarek Dawoud in this incredibly insightful conversation on the what, why, and how of  phishing resistant credentials that YOU can implement right now! This conversation covers:What makes MFA phishable?What phishing resistant credentials are and how they workThe history and modern methods for phishing resistant credentialsWhat attacks will be used once we move to phishing resistant credentials, and how to prevent and detect itHow verified digital identities and corporate identification can help further reduce risk of help desk based attacksShifting the culture to adopt a passwordless loginKey logs to detect identity attacksResources for learning KQLEpisode Links:Tarek Explains Phishing Resistant Authentication: https://www.youtube.com/watch?v=3wtwUh6iyxYMicrosoft Digital Defense Report: https://www.microsoft.com/en-us/security/security-insider/intelligence-reports/microsoft-digital-defense-report-2024Nuance: https://www.nuance.com/index.htmlBook - The Definitive Guide to KQL: https://www.microsoftpressstore.com/store/definitive-guide-to-kql-using-kusto-query-language-9780138293383 KQL Github Repo: github.com/kqlmspress Kusto Detective Agency: https://detective.kusto.io/Connect with John:- LinkedIn- Take A Training Course with JohnSOC Analyst and Leadership Training Courses:- SEC450: Blue Team Fundamentals - Security Operations and Analysis- LDR551: Building and Leading Security Operations CentersSANS:- Cyber Defense Course List- Upcoming Training Events- Free tools, VMs, cheat sheets and more for cyber defenders

Click here to send us your ideas and feedback on Blueprint!In this mega-discussion with Seth Misenar on GenAI and LLM usage for security operations we cover some very interesting questions such as: - The importance of natural language processing in Sec Ops- How AI is helping us detect phishing email- Where and how AI is lowering the bar for entry-level security SOC roles- Should we worry about AI hallucinations or AI taking our jobs?- What is a reasoning model and how is it different than what we've seen so far?- The future of AI - Multimodal interaction, Larger Context Windows, RAG, and more- What is Agentic AI and why will it change the game?Episode Links:The book from Manning Seth liked as a thoughtful accessible on-ramp: https://www.manning.com/books/introduction-to-generative-aiCoursera prompt engineering course series: https://coursera.org/specializations/prompt-engineeringGandalf Online Prompt Injection Challenges from Lakera (FYI Seth finds a lot of Lakera's content to be really high-quality and useful): https://gandalf.lakera.ai/baseline“Nonsense on stilts” reference from Gary Marcus in response to the Google employee claiming LaMDA was sentient: https://garymarcus.substack.com/p/nonsense-on-stilts?utm_source=twitter&sd=pf. AI as a monster with a smiley face image: https://knowyourmeme.com/memes/shoggoth-with-smiley-face-artificial-intelligenceEthan Mollick is the Wharton professor Seth mentioned, Seth says his “One Useful Thing” Substack is a valuable and thought provoking source: https://www.oneusefulthing.org/. Also his book, Co-Intelligence: Living and Working with AI, would also be worth checking out: Learn more about SANS' SOC courses at sans.org/socConnect with John:- LinkedIn- Take A Training Course with JohnSOC Analyst and Leadership Training Courses:- SEC450: Blue Team Fundamentals - Security Operations and Analysis- LDR551: Building and Leading Security Operations CentersSANS:- Cyber Defense Course List- Upcoming Training Events- Free tools, VMs, cheat sheets and more for cyber defenders

Click here to send us your ideas and feedback on Blueprint!In this episode, we take you behind the scenes of a complex gift card fraud investigation. Join host John Hubbard and guest Mark Jeanmougin as they explore the intricate details of uncovering and combating a clever case of cyber fraud. In this episode Mark discusses how the incident was identified, investigated, contained, and what lessons were learned along the way.Episode Links:- Mark's LinkedIn Profile: https://www.linkedin.com/in/markjx/- Mark's Teaching Schedule: https://www.sans.org/profiles/mark-jeanmougin/Learn more about SANS' SOC courses at sans.org/socConnect with John:- LinkedIn- Take A Training Course with JohnSOC Analyst and Leadership Training Courses:- SEC450: Blue Team Fundamentals - Security Operations and Analysis- LDR551: Building and Leading Security Operations CentersSANS:- Cyber Defense Course List- Upcoming Training Events- Free tools, VMs, cheat sheets and more for cyber defenders

Have you ever wondered what it takes to write and publish an information security book? In this special bonus episode following season 4, John discusses with Kathryn, Ingrid, and Carson the challenges and rewards of self-publishing, and the kind of effort that goes into producing a book like "11 Strategies of a World-Class Cybersecurity Operations Center".This special season of the Blueprint Podcast is taking a deep dive into MITRE's 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book's authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman.-----------Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.Check out the details at sansurl.com/450 Hope to see you in class!

"This final chapter of the book is no simple closer! "Turn Up the Volume by Expanding SOC Functionality" covers testing that your SOC is functioning as intended through activities such as Threat Hunting, Red and Purple Teaming, Adversary Emulation, Breach and Attack Simulation, tabletop exercises and more. There's even a discussion of cyber deception types and tactics, and how it can be used to further frustrate attackers. Join John, Kathryn, Ingrid, and Carson in this final chapter episode for some not to be missed tips! This special season of the Blueprint Podcast is taking a deep dive into MITRE's 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book's authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman.Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.Check out the details at sansurl.com/450 Hope to see you in class!

"Metrics, is there any more confusing and contentious topic in cybersecurity? In this episode the authors cover their advice and approach to measuring your team so that issues can be quickly identified and performance can continuously improve!This special season of the Blueprint Podcast is taking a deep dive into MITRE's 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book's authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman.Sponsor's Note:Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.Check out the details at sansurl.com/450 Hope to see you in class!

"Research has shown that communication is one of the most important factors for success in security incident response teams. In this chapter, the authors discuss the critical types of information that must be shared within the SOC, with the constituency, and with the greater cybersecurity community. SANS Cyber Defense Discord Invite - sansurl.com/cyber-defense-discordThis special season of the Blueprint Podcast is taking a deep dive into MITRE's 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book's authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman.Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.Check out the details at sansurl.com/450 Hope to see you in class!

Tool choice can be a make-or-break decision for security analysts, driving whether getting work done is a struggle, or an efficient, stress-free experience. How can we select the right tools for the job? Which tools are most important? Answers to these questions and more are in this week's episode of Blueprint!This special season of the Blueprint Podcast is taking a deep dive into MITRE's 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book's authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman.Sponsor's Note:Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.Check out the details at sansurl.com/450 - Hope to see you in class! Learn more about SANS' SOC courses at sans.org/soc

In this special live recording from the SANS Blue Team Summit 2023, Kathryn Knerler, Ingrid Parker, and Carson Zimmerman joined John Hubbard they share their insights and expertise with attendees by answering their pressing questions. From discussing the most effective strategies for building a successful SOC to sharing tips on how to stay ahead of emerging cyber threats, our guests provide invaluable advice for those who work in a security operations center (SOC). If you're looking to take your SOC to the next level or are simply interested in the latest developments in cybersecurity, this episode is a must-listen. Tune in to hear from some of the most respected experts in the field and gain valuable insights that could make all the difference in how you approach cybersecurity.This special season of the Blueprint Podcast is taking a deep dive into MITRE's 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book's authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman.Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.Check out the details at sansurl.com/450 Hope to see you in class!

There's no denying that the average security team is completely overwhelmed with options for data to collect. With a deluge of endpoint, network, and cloud data sources to collect, how to do we identify and collect the most useful data sources? That's the topic of this episode. Join Kathryn, Ingrid, Carson, and John in this episode for a discussion on tactical data collection that will ensure your team doesn't miss the signs of an impending incident!This special season of the Blueprint Podcast is taking a deep dive into MITRE's 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book's authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman.-----------Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.Check out the details at sansurl.com/450 Hope to see you in class!Follow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedIn

Every security team has limited budget and time, how do you know where to focus? Cyber Threat Intelligence provides those answers! In this episode, Ingrid, Carson and Kathryn describe how we can use CTI to focus our defensive efforts to understand our most likely attacks and attackers and move towards prioritizing what truly matters.This special season of the Blueprint Podcast is taking a deep dive into MITRE's 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book's authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman.Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.Check out the details at sansurl.com/450 Hope to see you in class!Follow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedIn

"No security team is perfect, so in this episode, authors Carson, Ingrid, and Kathryn discuss what it takes to prepare for fast, effective incident response capability. Covering preparation, planning and execution, Strategy 5 will teach your team how to jump into action at the earliest sign of problems.This special season of the Blueprint Podcast is taking a deep dive into MITRE's 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book's authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman.Sponsor's Note-----------Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.Check out the details at sansurl.com/450 Hope to see you in class!Follow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedIn"Join us at the SANS Blue Team Summit June 12-13 Live Online! To register visit www.sans.org/blueteam-summit

"In this episode we dive deep on the "People" factor of the SOC. Who should you hire, what skills should you hire for, what backgrounds are most likely to lead to success for your team? We also get into what happens after the hire - training, growth, and supporting your team in their skill and career development. This one is a must-listen for all the managers out there. We're all trying to build the highest skilled, most supportive team with low turnover, and the tips our authors bring to this episode on chapter 4 - "Hire AND Grow Quality Staff" will be crucial in that mission.This special season of the Blueprint Podcast is taking a deep dive into MITRE's 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book's authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman.-----------Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.Check out the details at sansurl.com/450 Hope to see you in class!Follow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedIn"Join us at the SANS Blue Team Summit June 12-13 Live Online! To register visit www.sans.org/blueteam-summit

"In this episode we discuss how to decide on the right org structure and capabilities of your SOC. This includes questions like tiered vs. tierless models, which capabilities the SOC should focus on, centralized vs. distributed SOCs, outsourcing of duties and staff augmentation considerations, and also where the SOC might sit in the larger chart of your organization. Every SOC needs to be tailored to best meet the mission, and chapter 3 - "Build a SOC Structure to Match Your Organizational Needs" will help you get there.This special season of the Blueprint Podcast is taking a deep dive into MITRE's 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book's authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman.Sponsor's NoteSupport for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.Check out the details at sansurl.com/450 Hope to see you in class!Follow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedIn"Join us at the SANS Blue Team Summit June 12-13 Live Online! To register visit www.sans.org/blueteam-summit

"Though a SOC is responsible for protecting your organization's assets, it is not the owner of those systems. If the SOC is not established with a clear charter and authority to act, it may quickly become difficult to be effective. Who should the SOC report to, what should be in a SOC charter, and how can we make these tough decisions? Those are the questions covered in this episode of our special "11 Strategies" season. This episode covers chapter 2 of the book - "Give the SOC the Authority to Do Its Job".This special season of the Blueprint Podcast is taking a deep dive into MITRE's 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book's authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman.Visit Mitre's page for more information -----------Sponsor's NoteSupport for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.Check out the details at sansurl.com/450 Hope to see you in class!Follow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedIn"Join us at the SANS Blue Team Summit June 12-13 Live Online! To register visit www.sans.org/blueteam-summit

"As the saying goes, "If you don't know where you're going, any road will take you there!" - an approach that is disastrous to a SOC. In order to succeed, the SOC must have a clear understanding of where they are going, how they're going to get there, and why. In this episode of our "11 Strategies" season we discuss chapter 1 of the book - "Know What You're Protecting and Why". Understanding your organization and the environment the SOC must perform in forms the foundation of all security team activity. In this episode the authors discuss the critical aspects of knowing what you're protecting. This includes consider your organization's mission, the legal, regulatory, and compliance environment, the technical capabilities you may or may not have, and the users that will inhabit the network and the actions they're going to be performing. Understanding these factors ensures your team starts off on the right path and keeps a common goal in view.This special season of the Blueprint Podcast is taking a deep dive into MITRE's 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book's authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman."Visit this Mitre page to find more information.-----------Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.Check out the details at sansurl.com/450 Hope to see you in class!Follow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedIn

Welcome to a brand new season of Blueprint! In this intro episode we discuss "Fundamentals" chapter of the "11 Strategies of a World Class Cybersecurity Operations Center" with the authors. We get into the motivation behind updating the book and why its lessons are more important than ever in 2023. This chapter includes discussion of the functions of a SOC, basics of workflow, CTI and contextual data sources, and why ops tempo and speed is a critical factor in SOC success.This special season of the Blueprint Podcast is taking a deep dive into MITRE's 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book's authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman.Visit this Mitre page to find more information.-----------Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.Check out the details at sansurl.com/450 Hope to see you in class!Follow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedIn

Hello Blueprint listeners! We're excited to announce that the release of season 4 of Blueprint is just around the corner, and we've got something very special cooked up for you. We've teamed up with the authors of MITRE's “11 Strategies of a World-Class Cybersecurity Operations Center” and over the next few months, we'll be releasing episodes walking through each chapter with all 3 authors! We'll be deep diving into what makes a SOC successful, get a first-hand account of why each strategy was chosen, and practical advice on each how to implement each strategy along the way. Join Blueprint host John Hubbard with authors Kat Knerler, Ingrid Parker, and Carson Zimmerman for this exciting new season, coming to your podcast aggregator on May 8th!You can find the video of each podcast at:https://www.youtube.com/@SANSCyberDefense The first two episodes will be released on Monday, May 8. Following that there will be a new episode out every Monday. 

Ever wonder how a cloud and application security expert views risks of cloud workloads? Well, wonder no more because on this episode we have Brandon Evans - SANS Certified Instructor and lead author of SEC510: Public Cloud Security. We cover the why and how of moving their applications to the cloud, the key considerations for a successful cloud security posture, and how building your infrastructure with a cloud-native mindset can and should lead to an improved security posture. BONUS: Be sure to stay tuned to the end of the episode for a very special announcement from Brandon on the new SANS Cloud Ace podcast. Coming to all podcast directories on September 28. Our Guest - Brandon EvansBrandon works for Zoom Video Communications, in which he leads their internal Application Security training. As an application developer for most of his professional career, he moved into security full-time largely because of his many formal trainings through SANS. He's a contributor to the OWASP Serverless Top 10 Project and a co-leader for the Nashville OWASP chapter. Brandon is lead author for SEC510: Public Cloud Security: AWS, Azure, and GCP and a contributor and instructor for SEC540: Cloud Security and DevSecOps Automation. Resources:sans.org/cloud - SANS Cloud Resourceshttps://brandone.github.io/pixel-puzzles/ - Brandon's Pixel Puzzle gameSponsor's Note:Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.Check out the details at sansurl.com/450  Hope to see you in class!Follow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedInJoin us in Scottsdale, AZ or virtually for the 2022 SANS Institute Blue Team Summit & Training. At the SANS Blue Team Summit, enhance your current skill set and become even better at defending your organization and hear the latest ways to mitigate the most recent attacks!

In this episode we speak with Joe Lykowski - Cyber Defense Lead at a major manufacturing company on what it takes to build a mature, transparent, and effective SOC. Joe brings years of experience to the table in running a large organization's security team and in this interview he draws out some of his favorite tips, strategies and more on metrics, building the right team, and what to prioritize as you build up a SOC for an org of any size.  Our Guest - Joe LykowskiA graduate of Western Michigan University, Joe has 19 years of professional IT experience ranging from academia, industrial control systems and manufacturing IT, mobile device service management, telepresence services, endpoint protection, and cyber security operations. His current role focused on leading a global team of cyber defenders with the core goal of protecting Dow from the growing cybersecurity threats.Follow Joe on Twitter: @JosephLykowskiSponsor's Note:Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.Check out the details at sansurl.com/450  Hope to see you in class!Follow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedInJoin us in Scottsdale, AZ or virtually for the 2022 SANS Institute Blue Team Summit & Training. At the SANS Blue Team Summit, enhance your current skill set and become even better at defending your organization and hear the latest ways to mitigate the most recent attacks!

Many of us are either looking to start a cyber security career, improve our knowledge and skills to further our career, or hire a team that has the most skilled and promising candidates. In this special episode with Rob Lee, Chief Curriculum Director of the SANS Institute, we discuss strategies for building, improving, and testing your cyber security group's skill levels, and working to keep our knowledge as current as possible - a critical skill for anyone in the fast moving world of cyber security.Rob LeeRob Lee is the Chief Curriculum Director and Faculty Lead at SANS Institute and runs his own consulting business specializing in information security, incident response, threat hunting, and digital forensics. With more than 20 years of experience in digital forensics, vulnerability and exploit discovery, intrusion detection/prevention, and incident response, he is known as “The Godfather of DFIR”. Rob co-authored the book Know Your Enemy, 2nd Edition, and is course co-author of FOR500: Windows Forensic Analysis and FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics.Sponsor's Note:Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.Check out the details at sansurl.com/450  Hope to see you in class!Follow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedInJoin us in Scottsdale, AZ or virtually for the 2022 SANS Institute Blue Team Summit & Training. At the SANS Blue Team Summit, enhance your current skill set and become even better at defending your organization and hear the latest ways to mitigate the most recent attacks!

In this episode of the Blueprint Podcast, we cover monitoring and securing macOS in an enterprise environment at scale with Jaron Bradley, Threat Detection lead at Jamf. We discuss the ups and downs of Apple's approach to macOS data collection over the years, the data sources and types that are accessible to defenders, what 3rd party agents bring to the table for security monitoring, and much more. Plus, Jaron gives us some great bonus tips for finding persistence mechanisms and malicious processes in enterprise macOS devices.Our Guest - Jaron BradleyJaron has a background in Incident Response, threat hunting, and detections development. After focusing on large scale APT attacks he developed an interest in the more niche spaces of lesser explored operating systems. He has experience as both a SOC analyst as well as detections engineering at the endpoint level.Jaron currently works as the macOS Detections Lead at Jamf Threat Labs and manages his own security tools and content for security researchers atthemittenmac.com. He is also the author of OS X Incident Response Scripting and Analysis. A book he claims is slightly outdated but still relevant to a lot of macOS analysis today.Resources mentioned in this episodeWebsiteshttps://www.themittenmac.com (my website)objective-see.com (great mac security website)Major Blogs Referenced by Jamf Threat Labshttps://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/https://www.jamf.com/blog/jamf-threat-labs-safari-vuln-gatekeeper-bypass/https://www.jamf.com/threat-labs/ (threat labs home)ConferencesJamf Nation User Conference -> https://www.jamf.com/events/jamf-nation-user-conference/2022/Objective by the sea 5.0 -> https://objectivebythesea.org/v5/index.htmlSupport for the Blueprint podcast comes from the SANS Institute.Follow SANS Cyber Defense: Twitter | Join us in Scottsdale, AZ or virtually for the 2022 SANS Institute Blue Team Summit & Training. At the SANS Blue Team Summit, enhance your current skill set and become even better at defending your organization and hear the latest ways to mitigate the most recent attacks!

One of the best frameworks that showed up within the last 5 or so years is undoubtedly the MITRE ATT&CK® framework. Many of us may know about it in passing and even reference from time to time, but very few people seem to know the true depth of knowledge contained - everything from analytics to threat groups, specific mitigation and detection opportunities, and with the newest versions, even specific data sources. In this episode we talk to the Defensive Lead of ATT&CK from MITRE, Lex Crumpton, about what every blue team member needs to know about this framework, and more!Alexia CrumptonAlexia Crumpton is a Defensive Cyber Operations Researcher with over seven years of experience in software development, SOCs, and Malware Reverse Engineering. Her passion lies in heuristic behavior analysis in regards to adversary TTPs and countermeasures used to defend against them. Follow AlexiaLinkedIn: https://www.linkedin.com/in/alexia-crumpton-99930659/Resources mentioned in this episode:CAR - The MITRE Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the MITRE ATT&CK adversary model.Top ATT&CK Techniques – Medium Blog, Github, Calculator Sponsor's Note:Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need tJoin us in Scottsdale, AZ or virtually for the 2022 SANS Institute Blue Team Summit & Training. At the SANS Blue Team Summit, enhance your current skill set and become even better at defending your organization and hear the latest ways to mitigate the most recent attacks!

Ever wonder why there's so little information regarding macOS and Linux-oriented attacks? In this episode, we get the answer from  the multi-talented Cat Self - an Adversary Emulation Engineer at MITRE, Cyber Threat Intelligence Team Leader on ATT&CK Evaluations and macOS/ Lead on MITRE ATT&CK Enterprise. We discuss defense tools,  attacker TTPs, and what to consider when approaching defense for a macOS and Linux environment, and what trends we can expect in the future for these operating systems. Check out the resources below for links mentioned during this enlightening conversation!Our Guest: Cat SelfCat Self is the CTI Lead for MITRE ATT&CK® Evaluations, macOS/Linux Lead for ATT&CK® and serves as a leader of people at MITRE. Cat started her cyber security career at Target and has worked as a developer, internal red team operator, and Threat Hunter. Cat is a former military intelligence veteran and pays it forward through mentorship, technical macOS hunting workshops, and public speaking. Outside of work, she is often planning an epic adventure or climbing mountains in foreign lands. Follow Cat on Social MediaTwitter: @coolestcatiknowLinkedIn: Cat SelfResources mentioned in this episode:A highlight of new security changes in macOS Ventura:https://www.sentinelone.com/blog/apples-macos-ventura-7-new-security-changes-to-be-aware-of/ For securing a macOS device, I highly recommend installing Patrick Wardle's endpoint tools. https://objective-see.org/tools.html My favorites are BlockBlock, KnockKnock, Lulu, & Netiquette.  Cat's “GoTo” blogsPatrick Wardle Objective-SeeJaron Bradley The Mitten MacHoward Oakley The Eclectic Light CompanyCody Thomas MediumSarah Edwards mac4n6Leo Pitt MediumChristopher Ross MediumCsaba Fitzl THEEVILBIT Blog Open Source ProjectsPlaybooks with Datasets to practice OTRFCode snippets aligned to MITRE ATT&CK Atomic Red TeamJupyter notebook environment setup by Anna PastushkoVirtual environment setup Hold My BeerSponsor's Note:Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team membeJoin us in Scottsdale, AZ or virtually for the 2022 SANS Institute Blue Team Summit & Training. At the SANS Blue Team Summit, enhance your current skill set and become even better at defending your organization and hear the latest ways to mitigate the most recent attacks!

Nearly every organization is using Microsoft Azure AD services in some respect, but monitoring Azure AD for threats is a significantly different skill that traditional Windows logging. In this episode we have 2 experts from Microsoft, Corissa Koopmans, and 3rd time returning guest Mark Morowczynski, to tell us about the important work that's been done to help organizations understand their data and detect Azure AD attacks. We cover log sources, the new Microsoft security operations guide, standardized dashboards and visualizations you can leverage to jump right in with best practice, and much more. You don't want to miss this one!Corissa Koopmans and Mark MorowczynskiCorissa Koopmans (@Corissalea) is part of the "Get to Production" team in the Microsoft Identity and Network Access Division, focusing on incorporating customer feedback to improve our products. She is very active in driving community contribution to AzureMonitor Log Analytics and increasing awareness of the power of log data by presenting at industry events including BSides, The Experts Conference (TEC), SPARK, & Microsoft MVP Summits.Mark Morowczynski (@markmorow) is a Principal Program Manager on the customer success team in the Microsoft Identity division. He spends most of his time working with customers on their deployments of Azure Active Directory. Previously he was Premier Field Engineer supporting Active Directory, Active Directory Federation Services and Windows Client performance. He's spoken at various industry events such as Black Hat, Defcon Blue TeamVillage, Blue Team Con, GrayHat, several BSides, and more. He can be frequently found on Twitter as @markmorow arguing about baseball and making sometimes funny gifs.Azure AD SecOps - aka.ms/azureadsecopsAzure Monitor Log Analytics and KQL resources: aka.ms/KQLBlueTeamFor community contribution, please follow these prerequisites (these steps are also available at aka.ms/KQLBlueTeaml):1.      Have a GitHub account2.      Belong to the Microsoft Organization in GitHuba.      If you do not yet belong, click on this link: https://repos.opensource.microsoft.com/ and then select “Microsoft” to join their organization3.      Be a member of the @azure-ad-workbooks team in GitHuba.      if you are not yet a member, go to the Microsoft Organization in GitHub and search for the Join us in Scottsdale, AZ or virtually for the 2022 SANS Institute Blue Team Summit & Training. At the SANS Blue Team Summit, enhance your current skill set and become even better at defending your organization and hear the latest ways to mitigate the most recent attacks!

John and Fortress Vice President of Research and Development Tony Turner share their wisdom on trends they are seeing in the cyber industry and offer advice as to how we should be looking at the Cyber Supply Chain in 2022 and beyond.Follow Tony TurnerLinkedIn: https://www.linkedin.com/in/tonyturnercissp/Web: https://www.fortressinfosec.com/team/tony-turnerSponsor's Note:Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.Check out the details at sansurl.com/450  Hope to see you in class!Follow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedInJoin us in Scottsdale, AZ or virtually for the 2022 SANS Institute Blue Team Summit & Training. At the SANS Blue Team Summit, enhance your current skill set and become even better at defending your organization and hear the latest ways to mitigate the most recent attacks!

There are many technical factors that contribute to the success of a security operations team, but you need more than just tech skills for mounting a solid defense. In this episode of Blueprint we bring back previous guest Mark Orlando to talk about his BlackHat 2022 presentation with Dr. Daniel Shore (PhD in workplace psychology) . We discuss team dynamics, how the mapping of multi-team systems can improve the flow of your incident response activities, and much more. Check out the related BlackHat talk here: https://www.youtube.com/watch?v=CtkJ84bc50gOur Guest - Mark OrlandoMark Orlando is a SANS Associate Instructor, co-author MGT551: Building and Leading Security Operations Centers, instructor for SEC450: Blue Team Fundamentals: Security Operations and Analysis, and the Co-Founder and CEO of Bionic Cyber. Prior to Bionic, Mark built, assessed, and managed security teams at the Pentagon, the White House, the Department of Energy, and numerous Fortune 500 clients. Mark has presented on security operations and assessment at DefCon's Blue Team Village, the Institute for Applied Network Security (IANS) Forum, BSidesDC, and the RSA Conference and has been quoted in the New York Times, the Washington Post, Forbes, and many other publications. He holds a Bachelor's Degree in Advanced Information Technology from George Mason University and served in the US Marine Corps as an Artillery Non-Commissioned Officer.Follow Mark OrlandoTwitter: https://twitter.com/markaorlandoLinkedIn: https://www.linkedin.com/in/marko16/Web: https://www.sans.org/profiles/mark-orlando/Sponsor's Note:Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.Check out the details at sansurl.com/450  Hope to see you in class!Follow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedInJoin us in Scottsdale, AZ or virtually for the 2022 SANS Institute Blue Team Summit & Training. At the SANS Blue Team Summit, enhance your current skill set and become even better at defending your organization and hear the latest ways to mitigate the most recent attacks!

Host John Hubbard, Blueprint host and SANS Cyber Defense Curriculum Lead, moderated a panel of cyber security experts including Heather Mahalik, Katie Nickels and Jeff McJunkin for this powerful discussion.John and guests share their wisdom on trends they are seeing in the cyber industry and offer advice as to how we should be looking at cyber defense in 2022 and beyond.Guests: Heather MahalikKatie NickelsJeff McJunkinFilmed live at SANSFIRE 2022Sponsor's Note:Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.Check out the details at sansurl.com/450  Hope to see you in class!Follow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedIn

Many of us with the typical IT and security backgrounds might not have the slightest idea what to expect when we hear the terms “this product uses advanced machine learning…”, but that claim certainly conjures up a lot of skepticism due to the opaque nature of the algorithms in many of these products. In this episode we discuss what AI and ML are best used for, and what they can, can't, and shouldn't be used for with guest Dave Hoelzer.Our Guest - Dave HoelzerDavid Hoelzer, a SANS Fellow and author of more than twenty days of SANS courseware, is an expert in a variety of information security fields, having served in most major roles in the IT and security industries over the past twenty-five years. Currently, David serves as the principal examiner and director of research for Enclave Forensics, a New York/Las Vegas based incident response and forensics company. He also serves as the chief information security officer for Cyber-Defense, an open-source security software solution provider.Follow DaveTwitter: https://twitter.com/it_audit LinkedIn: https://www.linkedin.com/in/davidhoelzer/ --Follow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedInJoin us in Scottsdale, AZ or virtually for the 2022 SANS Institute Blue Team Summit & Training. At the SANS Blue Team Summit, enhance your current skill set and become even better at defending your organization and hear the latest ways to mitigate the most recent attacks!

While malicious insiders are a threat that most of us would like to imagine we might never have to deal with, it's still one of the cyber threats you must realistically consider and plan for. But how do you identify malicious intent and potential attacks from those already inside our network that have legitimate access to our data? Check out this episode where James Rowley lays out what you need to consider when it comes to insider threat detection. Our Guest - James RowleyJames Rowley is a cybersecurity-consultant-turned-dectection-engineer building the next generation of insider threat detections. As a Detection Engineer, James is responsible for merging the world of blue team and insider threat, moving the needle on how we approach insider detections within cyberspace. James outside of the workspace is passionate about most things related to outdoors, beer, whiskey, wine, food, travel, and Minnesota sports teams. You will find James enjoying these things and more with his fiance and two dogs, Marshall (Bernese Mountain Dog) and Maya (Basset Hound).--Sponsor's Note:Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.Check out the details at http://sans.org/sec450 Hope to see you in class!--Follow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedInJoin us in Scottsdale, AZ or virtually for the 2022 SANS Institute Blue Team Summit & Training. At the SANS Blue Team Summit, enhance your current skill set and become even better at defending your organization and hear the latest ways to mitigate the most recent attacks!

With ransomware and other highly disruptive attacks on the rise, there are few systems more important to defend than our critical infrastructure and ICS equipment. How should we think about defending these systems vs our typical IT network though? In this episode, Dean Parsons is here to give us that answer. Our Guest - Dean ParsonsDean brings over 20 years of technical and management experience to the classroom. He has worked in both Information Technology and Industrial Control System (ICS) Cyber Defense in critical infrastructure sectors such as telecommunications, and electricity generation, transmission, distribution, and oil & gas refineries, storage, and distribution. Dean is an ambassador for defending industrial systems and an advocate for the safety, reliability, and cyber protection of critical infrastructure. His mission as an instructor is to empower each of his students, and he earnestly preaches that “Defense is Do-able!” Over the course of his career, Dean's accomplishments include establishing entire ICS security programs for critical infrastructure sectors, successfully containing and eradicating malware and ransomware infections in electricity generation and manufacturing control networks, performing malware analysis triage and ICS digital forensics, building converged IT/OT incident response and threat hunt teams, and conducting ICS assessments in electric substations, oil and gas refineries, manufacturing, and telecommunications networks. A SANS Certified Instructor, Dean teaches ICS515: ICS Visibility, Detection, and Response and is a co-author of the new SANS Course ICS418: ICS Security Essentials for Managers. Dean is a member of the SANS GIAC Advisory Board and holds many cybersecurity professional certifications including the GICSP, GRID, GSLC, and GCIA, as well as the CISSP®. He is a proud native of Newfoundland and holds a BS in computer science from Memorial University of Newfoundland.Follow Dean ParsonsTwitter: https://twitter.com/deancybersecLinkedIn: https://www.linkedin.com/in/dean-parsons-cybersecurity/Resources mentioned in this episodeOSINT / Site-visit Cheat Sheethttps://www.sans.org/posters/ics-site-visit-plan/ICS Cyber Kill Chain Whitepaper:https://www.sans.org/white-papers/36297/?msc=blog-ics-libraryICS specific Network Security Monitoring:https://www.sans.org/posters/industrial-network-security-monitoring/Top 5 ICS Incident Response Tabletopshttps://www.sans.org/blog/top-5-ics-incident-response-tabletops-and-how-to-run-them/My weekly ICS Defense Force LiveStreamhttps://www.youtube.com/playlist?list=PLjoUWqjR7qXhdZIcC8LgEBogrTyeoKqRTJoin us in Scottsdale, AZ or virtually for the 2022 SANS Institute Blue Team Summit & Training. At the SANS Blue Team Summit, enhance your current skill set and become even better at defending your organization and hear the latest ways to mitigate the most recent attacks!

It's a special mailbag episode from John Hubbard! After three seasons, John asked the listeners what questions they had for him.  He touched on the current XDR trend, how other teams can support SOC activities, defining security mindset, and more. 

In this solo episode to wrap up season 2, John discusses some of the key takeaways from the guests interviwed throughout this year, and has some very exciting news for all blue teamers on a brand new GIAC certification. ;)Link: (GIAC GSOC LINK HERE)John is a Security Operations Center (SOC) consultant and speaker, a Certified SANS instructor, and the course author of two SANS courses, SEC450: Blue Team Fundamentals - Security Operations and Analysis and MGT551: Building and Leading Security Operations Centers. Follow John Twitter: @SecHubb YouTube: youtube.com/user/jhub908LinkedIn: in/johnlhubbardAll Blueprint Podcast Episodes: sans.org/blueprint-podcast

We all need solid, well though-out playbooks to help standardize our respons to common threat scenarios. In this episode we speak with Thomas Detzner and Mark Morowczynski about the brand new set of Microsoft incident response playbooks that were just released. This is a brand new effort to meticulously document prerequisites, investigation steps, and remediation process for common scenarios most commonly seen by the Microsoft incident response teams, and you definitely won't want to miss it.Our Guests: Thomas Detzner and Mark MorowczynskiThomas Detzner is a Project Leader  for Microsoft, creating guidance for Azure AD IR.Mark Morowczynski (@markmorow) is a Principal Program Manager on the customer success team in the Microsoft Identity division. He spends most of his time working with customers on their deployments of Azure Active Directory. He can be frequently found on Twitter as @markmorow arguing about baseball and making sometimes funny gifs.Links:https://aka.ms/irplaybooks - Playbooks discussed in this episodehttps://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub#access-data-from-your-event-hub - Azure Event Hubhttps://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1909-and-windows-server/ba-p/1023093 - Security Baslineshttps://www.microsoft.com/en-us/download/details.aspx?id=52630 - Security Auditing and Monitoring ReferenceSponsor's Note:Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.Check out the details at sansurl.com/450! Hope to see you in class!Follow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedIn

Compliance and audit checks can be painful, and that's before you introduce additional cloud services and technology. In this episode featuring AJ Yawn we discuss some incredibly useful and actionable cloud security concepts and tools that can help your team boost visibility and reduce user permissions to help prevent breaches before they happen. In addition, we discuss what a good compliance audit should be, and how to turn audits from painful to incredibly valuable.Resources mentioned in this episode:- AWS CloudTrail: https://aws.amazon.com/cloudtrail/- AWS Well-Architected Framework:https://aws.amazon.com/architecture/well-architected/ - AWS Config: https://aws.amazon.com/config - AWS Organizations:https://aws.amazon.com/organizations/ - AWS Service Control Policies (SCP): https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html Our Guest - AJ Yawn AJ Yawn is the Co-Founder and CEO of ByteChek. He is a seasoned cloud security professional that possesses over a decade of senior information security experience with extensive experience managing a wide range of cybersecurity compliance assessments (SOC 2, ISO 27001, HIPAA, etc.) for a variety of SaaS, IaaS, and PaaS providers.AJ advises startups on cloud security and serves on the Board of Directors of the ISC2 Miami chapter as the Education Chair, he is also a Founding Board member of the National Association of Black Compliance and Risk Management professions, regularly speaks on information security podcasts, events, and he contributes blogs and articles to the information security community including publications such as CISOMag, InfosecMag, HackerNoon, and ISC2.Sponsor's Note:Support for the Blueprint podcast comes from the SANS Institute.Are you looking for the best in-depth training for your cyber defense team? Look no further than SANS blue team curriculum courses!Whether you focus on network or host data, Windows or Linux, or even specialize in open source intel, SIEM, SOC, or defensive architecture, the SANS Blue Team curriculum has the course for you. From long-time classics like SEC503 Network Intrusion Detection to the newer SEC530 Defensible Security Architecture and Engineering and SEC487 Open Source Intelligence Gathering - we've got you covered, no matter what your specialty.With an extensive archive of free webcasts on the SANS site, and free online demos available for most courses, you can easily check out the SANS blue team catalog and see which course is the best fit for you and your team.Check out the constantly growing list of available courses at sansurl.com/blueteamopsFollow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedIn

There are numerous ways to test your SOC's detection and prevention capabilities, but not all are created equal. Each has their own strengths and weaknesses, and can be done on a different time scale.This week, we focus on arguably one of the most important - adversary emulation. In this episode we speak with Jamie Williams from the MITRE ATT&CK team about why adversary emulation is important, how it works, how you can get started regardless of the size of your team, and how to track and run an adversary emulation test.Our guest: Jamie WilliamsJamie Williams is a Principal Adversary Emulation Engineer for the MITRE Corporation where he works on various exciting efforts involving security operations and research, specializing in adversary emulation and behavior-based detections. He also leads teams that help shape and deliver the “adversary-touch” within ATT&CK® and ATT&CK Evaluations.Follow Jamie Williams on Twitter (@jamieantisocial) and LinkedIn (/in/jamie-williams-108369190).Sponsor's NoteSupport for the Blueprint podcast comes from the SANS Institute.Since the debut of SEC450, we’ve always had students interested in a matching course covering the management and leadership aspects of running a SOC. If you like the topics in this podcast and would like to learn more about Blue Team leadership and management, check out the new MGT551: Building and Leading Security Operations Centers. This new course is designed for Security Team leaders looking to build, grow and operate a security operation center with peak efficiency. It’s a hands-on technical leadership course, that takes you through everything from scoping threat groups to use case creation, threat hunting, planning, SOC maturity and detection assessment and much much more.Check out the course syllabus, labs and a free demo at sansurl.com/551 Follow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedIn

PowerShell may seem intimidating, but it can be one of the most amazing and useful tools at your disposal...if you know how to use it. In this episode, we have Josh Johnson, author of the new SANS course "SEC586: Blue Team Operations - Defensive Powershell" giving you a masterful crash course in: - The importance of PowerShell- How PowerShell works, and how to set yourself up to use it- Blue team use cases for log analysis, incident response and more- How to stopping attackers from leveraging PowerShell- Some of the amazing automation and playbook opportunities you may be missing out on.Lots of actionable content for defenders here, don't miss in this episode!Our Guest: Josh JohnsonJosh Johnson is a SANS Certified Instructor and course author of SEC586: Blue Team Operations: Defensive PowerShell. He has been working in the Information Security industry for over 10 years in varying roles with responsibilities ranging from penetration testing to incident response. Josh was Purple Teaming since before it had a name and used his offensive security skill set to find and pursue his true passion - Blue Team. Since then, he has been helping organizations of all sizes, and in varying industries from healthcare to retail to finance, improve their cyber defense capabilities.More About JoshFollow Josh:  Twitter | LinkedInSponsor's Note:Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.Check out the details at sansurl.com/450! Hope to see you in class!Follow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedIn

This episode is all about vulnerability management - both the technical and human aspects. Looking to start up a new vulnerability management team? Drowning in vulnerabilities to fix and don't know where to start? Struggling to get system owners to take action? Trying to find ways to communicate the importance and status of your patching efforts? Check out this episode with vulnerability management expert Chris Baker for answer these to questions and much more!Our Guest: Chris BakerChris Baker is an Information Security Leader with a deep background in information security including strategy development and operational excellence that has created highly efficient teams and delivered large impacts to the business value chain. He is a skilled risk management and information security professional with the versatility to lead large and diverse matrix teams and deep-dive into complex technical problems. A proven track record of collaborating effectively at all business levels while directing changes on a global, enterprise-wide scale.Follow Chris Baker@bakerc | LinkedInSponsor NoteSupport for the Blueprint podcast comes from the SANS Institute.Are you looking for the best in-depth training for your cyber defense team? Look no further than SANS blue team curriculum courses!Whether you focus on network or host data, Windows or Linux, or even specialize in open source intel, SIEM, SOC, or defensive architecture, the SANS Blue Team curriculum has the course for you. From long-time classics like SEC503 Network Intrusion Detection to the newer SEC530 Defensible Security Architecture and Engineering and SEC487 Open Source Intelligence Gathering - we've got you covered, no matter what your specialty.With an extensive archive of free webcasts on the SANS site, and free online demos available for most courses, you can easily check out the SANS blue team catalog and see which course is the best fit for you and your team.Check out the constantly growing list of available courses at sansurl.com/blueteamopsFollow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedIn

A common question from many defenders is "Which logs are the most important?” In this episode, Mick Douglas and Flynn Weeks join us to describe their What2Log project, which aims to simplify this problem for all of us!Our Guests: Mick Douglas & Flynn WeeksMick Douglas is the Managing Partner of InfoSec Innovations. He is a SANS certified instructor and is a member of the IANS faculty. In his spare time, he tries in vain to improve his photography skills and goes hiking looking for the perfect shot.Flynn is a senior Cybersecurity student and intern at InfoSec Innovations. Forensics, and in turn, logging, are passions of hers. In her spare time, she enjoys her time spent with pets and hiking. Follow Mick and FlynnTwitter:  Mick @bettersafetynet and Flynn @soundsofthetime

In today’s episode, John is joined by Anton Chuvakin to discuss current and future security operations technology, which tools are the most important and which are becoming less important over time, the rules of automation in the SOC and how Anton would setup a modern Security Operations Center for a Cloud native organization.Today's Guest: Anton ChuvakinDr. Anton Chuvakin is a recognized security expert in the field of log management, SIEM and PCI DSS compliance. He is now involved with security solution strategy at Google Cloud, where he arrived via Chronicle Security (an Alphabet company) acquisition in July 2019. He is an author of books "Security Warrior", "Logging and Log Management: The Authoritative Guide to Understanding the Concepts Surrounding Logging and Log Management" and ""PCI Compliance, Third Edition: Understand and Implement Effective PCI Data Security Standard Compliance"" (book website) and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and other books. Anton has published dozens of papers on log management, SIEM, correlation, security data analysis, PCI DSS, security management. His blog "Security Warrior" was one of the most popular in the industry. In addition, Anton teaches classes and presents at many security conferences across the world; he addressed audiences in United States, UK, Australia, Singapore, Spain, Russia and other countries. He works on emerging security standards and serves on advisory boards of several security start-ups.Follow AntonTwitter:  @anton_chuvakinLinkedIn: /in/chuvakinCheck out the constantly growing list of available courses at sansurl.com/blueteamopsFollow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedIn

Are you a manager looking to build or improve your SOC? Are you trying to understand how to measure your SOCs maturity or use cases or your threat hunting efforts? If so, today’s episode with Rob van Os is for you. In this episode, we discuss the SOC CMM for SOC maturity measurement, the magma use case framework for building and tracking SOC use cases, and the Tahiti threat hunting methodology for showing ROI on threat hunting.Our Guest is Rob van OsRob van Os, MSc., CISSP, ISSAP is a senior security advisor working for CZ group. Until recently, Rob was the Product Owner of the Cyber Defense Center of a Dutch bank and as such responsible for cyber security operations. Rob obtained a Bachelor's degree in Computer Science in 2009 and a Master's degree in Information Security in 2016. Rob is the author of the SOC-CMM and lead author of the MaGMa UCF and the TaHiTI methodology. Follow Rob:Linkedin: /in/cyberdefensespecialist Website:  https://www.soc-cmm.com/  Sponsor's Note:Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.Check out the constantly growing list of available courses at sansurl.com/blueteamopsFollow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedIn

What is AppSec, DevOps and DevSecOps? In this episode we discuss why defenders should know more about these terms and what the consequences are of ignoring these new and critical fields.Tanya Janca, also known as SheHacksPurple, is the best-selling author of ‘Alice and Bob Learn Application Security’. She is also the founder of We Hack Purple, an online learning academy, community and podcast that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty years, won countless awards, and has been everywhere from startups to public service to tech giants (Microsoft, Adobe, & Nokia). She has worn many hats; startup founder, pentester, CISO, AppSec Engineer, and software developer. She is an award-winning public speaker, active blogger & streamer and has delivered hundreds of talks and trainings on 6 continents. She values diversity, inclusion and kindness, which shines through in her countless initiatives.Advisor: Nord VPN, Cloud Defense, NeuraLegion, ICTC PAC, WoSECFounder: We Hack Purple, WoSEC International (Women of Security), OWASP DevSlop, #CyberMentoringMondaySupport for the Blueprint podcast comes from the SANS Institute.Check out the constantly growing list of available courses at sansurl.com/blueteamopsFollow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedIn

Driving consistency and maintaining a high standard for alert response is a problem all SOCs must face, but how? In this episode, Josh Brower describes his efforts to combine automated detection signature deployment and use case database management into a single, easy to use app for Security Onion. Whether you use Security Onion or not, this episode dives into the design principles and workflow Josh used when designing the new open-source Playbook app and there’s something to learn from it for everyone on the Blue Team.Our Guest - Josh BrowerJosh Brower has been crashing computers since his teens, and now feels fortunate to be doing it professionally. He has spent the last 12 years focusing on InfoSec, particularly network and endpoint detection. He also enjoys teaching around InfoSec issues, especially to non-technical learners - helping them to understand how their actions in the digital world have real-world consequences, as well as how to proactively reduce the risk.Follow JoshTwitter: @DefensiveDepthLinkedIn: /in/joshbrower Web: https://defensivedepth.comSupport for the Blueprint podcast comes from the SANS InstituteAre you looking for the best in-depth training for your cyber defense team? Look no further than SANS blue team curriculum courses!Whether you focus on network or host data, Windows or Linux, or even specialize in open source intel, SIEM, SOC, or defensive architecture, the SANS Blue Team curriculum has the course for you. From long-time classics like SEC503 Network Intrusion Detection to the newer SEC530 Defensible Security Architecture and Engineering and SEC487 Open Source Intelligence Gathering - we've got you covered, no matter what your specialty.With an extensive archive of free webcasts on the SANS site, and free online demos available for most courses, you can easily check out the SANS blue team catalog and see which course is the best fit for you and your team.Check out the constantly growing list of available courses at sansurl.com/blueteamopsFollow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedIn

Even if you're not a malware analyst, any blue teamer should be able to do some initial basic malware sample triage. The good news is that this is quite easy to do using freely available tools once you know what is available. Join John in this conversation with Ryan Chapman as they discuss how to reverse engineer malware and why you might want to do so.Our Guest - Ryan ChapmanRyan Chapman works as a Principal Incident Response analyst. He also teaches SANS FOR610: Reverse Engineering Malware and is the lead organizer for CactusCon, Arizona's hcaker conference. Ryan has worked in Security Operations Center and Computer Incident Response Team roles that handled incidents from inception all the way through remediation. Reviewing log traffic; researching domains and IPs; hunting through log aggregation utilities; sifting through pack captures; analyzing malware; and performing host and network forensics are all things that Ryan loves to do. With Ryan, it's all about the blue team!Follow RyanTwitter: @rj_chapLinkedIn: /in/ryanjchapmanWeb: https://incidentresponse.trainingSponsor's Note:Support for the Blueprint podcast comes from the SANS Institute.If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.Check out the details at sansurl.com/450  Hope to see you in class!Follow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedIn

Looking for a new way to approach the difficult problem of measuring and improving your SOC? Check out this episode to hear how to use methods pioneered in the manufacturing and reliability industry to help wrap your head around, and solve this complex issue. You don’t want to miss this episode with Jon Hencinski, Director of Operations at Expel who covers all of this and more.Our guest - Jon HencinskiJon Hencinski is the Director of Global Operations at Expel. In this role, he’s responsible for the day-to-day operations of Expel’s security operations center (SOC) and detection and response engineering. He oversees how Expel recruits, trains, and develops security analysts. Jon has over a decade of experience in the areas of SOC operations, threat detection, and incident response. Prior to Expel, Jon worked at FireEye, BAE Systems, and was an adjunct professor at The George Washington University.Follow JonTwitter: @jhencinskiLinkedIn: /in/jonathanhencinskiWeb: https://hencinski.medium.comSupport for the Blueprint podcast comes from the SANS Institute.Since the debut of SEC450, we’ve always had students interested in a matching course covering the management and leadership aspects of running a SOC. If you like the topics in this podcast and would like to learn more about Blue Team leadership and management, check out the new MGT551: Building and Leading Security Operations Centers. This new course is designed for Security Team leaders looking to build, grow and operate a security operation center with peak efficiency. It’s a hands-on technical leadership course, that takes you through everything from scoping threat groups to use case creation, threat hunting, planning, SOC maturity and detection assessment and much much more.Check out the course syllabus, labs and a free demo at sansurl.com/551 Follow SANS Cyber Defense: Twitter | LinkedIn | YouTubeFollow John Hubbard: Twitter | LinkedIn

Austin Taylor discusses the promise and reality of cyber security-centric data science, and how you can use machine learning for solving practical security problems.Twitter Handles: @HuntOperator | @SecHubb | @SANSDefenseAll Blueprint Podcast Episodes: sans.org/blueprint-podcast

Roberto Rodriguez explains the awesome projects and initiatives he is working on to help blue teams perform advanced data collection, analysis, and threat hunting.Twitter Handles: @Cyb3rWard0g | @SecHubb | @SANSDefenseAll Blueprint Podcast Episodes: sans.org/blueprint-podcast

Cloud expert Kyle Dickinson discusses common cloud infrastructure attacks, and how you can detect and prevent them before they happen to your organization.Twitter Handles: @KyleHaxWhy | @SecHubb | @SANSDefenseAll Blueprint Podcast Episodes: sans.org/blueprint-podcast