Recommended
More Related Content
What's hot
What's hot (20)
Similar to Blue Team Guide for Fresh Eyes
Similar to Blue Team Guide for Fresh Eyes (20)
Recently uploaded
Recently uploaded (20)
Blue Team Guide for Fresh Eyes
- 1. Blue Team Guide for Fresh Eyes Presented by Christine Le
- 2. whoami ➔ Security & Tools Engineer ➔ Twitter: @sopooped
- 3. Agenda ➔ Challenges ➔ Tackle the Challenges ➔ Mindset to Have
- 4. Early Career Challenges Lack of experience Minimal security knowledge Little industry exposure
- 5. Challenges as a Security Engineer Priorities compete for attention Organizations have technical debt Best practices aren’t always followed
- 6. It’s okay. Protip Developing a caffeine addiction is frowned upon by those who care about about your health and/or are not addicted to caffeine.
- 7. Tackle the Challenges Plan and execute Develop baseline knowledge Stay current with technology trends
- 8. Plan ➔ “Success does not happen overnight” ➔ Plan for failure ➔ It’s more important to deliver than to bite off more than you can chew and miss deadlines Protip It is not a waste of time to put in the extra effort to make an existing solution better, nor is it with learning something new.
- 9. Develop Baseline Knowledge ➔ Figure out what is being expected ◆ Each shop and role has different requirements ➔ Determine weaknesses ◆ Understand core security principles ◆ Get familiar with needed toolset and tools’ associated lingo Protip Do not run away from something just because you are “not good” at it.
- 10. Build Upon Baseline Knowledge ➔ Consider making the current solution ◆ Cleaner ◆ Faster ◆ More robust ➔ Automate when possible ◆ Speed up manual tasks ◆ Ensure repeatable steps ➔ Expand comfort zone Protip It is not a waste of time to put in the extra effort to make an existing solution better, nor is it with learning something new.
- 11. Technology Trends ➔ What are the shiny new toys? ➔ Why is there appeal? ➔ What are the limitations / concerns?
- 12. Execute ➔ Run with it ➔ It’s better to deliver late than to never deliver at all
- 13. Keep a Positive Mindset Remain calm & be humble “It’s never no. It’s let’s find a way.” Have the appetite to learn
- 14. Keep a Positive Mindset “It’s never no. It’s let’s find a way.” ➔ Can be interpreted differently based on the context ➔ Business needs to flow, compromise is needed ➔ You need to grow, don’t give in
- 15. Keep a Positive Mindset Have the appetite to learn ➔ Be an independent learner but also reach out to those more senior than you ➔ Don’t get comfortable ➔ Stay the “dumbest” person in the room for as long as possible
- 16. ➔ Things may seem on fire ➔ It will be okay ➔ Don’t forget who helped you Keep a Positive Mindset Remain calm & be humble
- 17. End. Q & A
Editor's Notes
- I started out as an intern, automating detection processes, deploying infrastructure for the team’s tools, and learning how to write playbooks. For the most part, I was sheltered by the intern bubble. Then about a year ago, I transitioned to my current role, and my responsibilities grew. I now do even more of what I did as an intern, and I get to review and improve upon the organization’s security in the cloud. I’ve learned A LOT this year, but there were challenges everywhere along the way.
- So this talk covers the big challenges that I noticed would be common to those new to the defensive world, lessons learned, and protips to help navigate the way to success!
- There are always early career challenges, and they’re pretty similar across the board. When I first started, the “real world” security knowledge stemmed from a security 101 college course and attending Defcon and BSides. I had very little exposure to working in industry overall. And although I was willing to bang on the pipes, I didn’t know which pipes to bang on.
- There are a lot of moving parts. It gets stressful. You’re going to play catch up. There are stipulations to this statement.
- Getting familiar means doing your homework. Do not just read the description of what a tool or API call does, but actually read the documentation page. DO NOT MAKE ASSUMPTIONS. I don’t know how many times I learned this the hard way: Goes to deploy add-on to Splunk heavy forwarder. Learns that it’s controlled by the deployment master. “go get” where does the package come from? How is it validated? DID I GET IT FROM RUSSIA OR CHINA? Changes configuration on S3 bucket. Breaks entire team’s production service.
- I’m someone who doesn’t like to settle for “good enough.” And I wouldn’t recommend to anyone looking to really pursue a career that requires constant learning. After establishing the foundational knowledge, keep doing and you’ll get better. Sure, experience is key in growth, but what if you can expedite that growth? This is basically “extra credit.”
- Figuring out what needs to be worked upon and addressing those areas are big steps towards advancing your career. But how do you stay current to make sure you’re continuing to move in the right direction? By paying attention to technology trends. There are new frameworks, models, services, and tools released all the time. Staying up-to-date will help you make decisions as to which tools to bring into your security environment and how to advise non-security teams within the organization. Building on to the importance of staying up-to-date with trends, attackers follow technology trends to exploit them. You do not want to be caught off guard. For example, how many of you use docker and kubernetes? Containerizing things and controlling entire fleets has taken engineering developments to a different level. However, according to Mitre’s CVE listings, there are about 20 CVEs related to docker and almost another 20 related to kubernetes in the past year. Your security team might not use docker and kubernetes, but understanding how the mechanics of how they work and how they’re being used within your organization will help with either patching or remediation when the time comes.
- Stay the dumbest person in the room for as long as possible. Things will be on fire. Don’t get comfortable. Don’t forget who helped you-- whether it be your mentor, the person who called you out on your bullshit, or the IT staff who unlocked your account because you can’t seem to type your password correctly.
- If there’s a will, there’s a way Security assessments Defining a meaningful solution
- Whether it be your mentor, the person who called you out on your bullshit, or the IT staff who unlocked your account because you can’t seem to type your password correctly.