Blueprint: Build the Best in Cyber Defense

How GenAI is Changing Your SOC for the Better with Seth Misenar Oct 09, 2024

Click here to send us your ideas and feedback on Blueprint!

In this mega-discussion with Seth Misenar on GenAI and LLM usage for security operations we cover some very interesting questions such as:

- The importance of natural language processing in Sec Ops
- How AI is helping us detect phishing email
- Where and how AI is lowering the bar for entry-level security SOC roles
- Should we worry about AI hallucinations or AI taking our jobs?
- What is a reasoning model and how is it different than what we've seen so far?
- The future of AI - Multimodal interaction, Larger Context Windows, RAG, and more
- What is Agentic AI and why will it change the game?

Episode Links:

The book from Manning Seth liked as a thoughtful accessible on-ramp: https://www.manning.com/books/introduction-to-generative-ai
Coursera prompt engineering course series: https://coursera.org/specializations/prompt-engineering
Gandalf Online Prompt Injection Challenges from Lakera (FYI Seth finds a lot of Lakera’s content to be really high-quality and useful): https://gandalf.lakera.ai/baseline
“Nonsense on stilts” reference from Gary Marcus in response to the Google employee claiming LaMDA was sentient: https://garymarcus.substack.com/p/nonsense-on-stilts?utm_source=twitter&sd=pf.
AI as a monster with a smiley face image: https://knowyourmeme.com/memes/shoggoth-with-smiley-face-artificial-intelligence
Ethan Mollick is the Wharton professor Seth mentioned, Seth says his “One Useful Thing” Substack is a valuable and thought provoking source: https://www.oneusefulthing.org/. Also his book, Co-Intelligence: Living and Working with AI, would also be worth checking out:

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

From Clues to Containment - Unraveling A Gift Card Fraud Scheme with Mark Jeanmougin Oct 09, 2024

Click here to send us your ideas and feedback on Blueprint!

In this episode, we take you behind the scenes of a complex gift card fraud investigation. Join host John Hubbard and guest Mark Jeanmougin as they explore the intricate details of uncovering and combating a clever case of cyber fraud. In this episode Mark discusses how the incident was identified, investigated, contained, and what lessons were learned along the way.

Episode Links:
- Mark's LinkedIn Profile: https://www.linkedin.com/in/markjx/
- Mark's Teaching Schedule: https://www.sans.org/profiles/mark-jeanmougin/

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Bonus Episode: What does it take to author a cybersecurity book? Aug 03, 2023

Click here to send us your ideas and feedback on Blueprint!

Have you ever wondered what it takes to write and publish an information security book? In this special bonus episode following season 4, John discusses with Kathryn, Ingrid, and Carson the challenges and rewards of self-publishing, and the kind of effort that goes into producing a book like "11 Strategies of a World-Class Cybersecurity Operations Center".
This special season of the Blueprint Podcast is taking a deep dive into MITRE’s 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book’s authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman.
-----------
Support for the Blueprint podcast comes from the SANS Institute.
If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.
This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.
Check out the details at sansurl.com/450 Hope to see you in class!

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Strategy 11: Turn up the Volume by Expanding SOC Functionality Jul 18, 2023

Click here to send us your ideas and feedback on Blueprint!

"This final chapter of the book is no simple closer! "Turn Up the Volume by Expanding SOC Functionality" covers testing that your SOC is functioning as intended through activities such as Threat Hunting, Red and Purple Teaming, Adversary Emulation, Breach and Attack Simulation, tabletop exercises and more. There's even a discussion of cyber deception types and tactics, and how it can be used to further frustrate attackers. Join John, Kathryn, Ingrid, and Carson in this final chapter episode for some not to be missed tips!
This special season of the Blueprint Podcast is taking a deep dive into MITRE’s 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book’s authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman.
Support for the Blueprint podcast comes from the SANS Institute.
If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.
This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.
Check out the details at sansurl.com/450 Hope to see you in class!

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Strategy 10: Measure Performance to Improve Performance Jul 10, 2023

Click here to send us your ideas and feedback on Blueprint!

"Metrics, is there any more confusing and contentious topic in cybersecurity? In this episode the authors cover their advice and approach to measuring your team so that issues can be quickly identified and performance can continuously improve!
This special season of the Blueprint Podcast is taking a deep dive into MITRE’s 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book’s authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman.
Sponsor's Note:
Support for the Blueprint podcast comes from the SANS Institute.
If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.
This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.
Check out the details at sansurl.com/450 Hope to see you in class!

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Strategy 9: Communicate Clearly, Collaborate Often, Share Generously Jul 05, 2023

Click here to send us your ideas and feedback on Blueprint!

"Research has shown that communication is one of the most important factors for success in security incident response teams. In this chapter, the authors discuss the critical types of information that must be shared within the SOC, with the constituency, and with the greater cybersecurity community.
SANS Cyber Defense Discord Invite - sansurl.com/cyber-defense-discord
This special season of the Blueprint Podcast is taking a deep dive into MITRE’s 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book’s authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman.
Support for the Blueprint podcast comes from the SANS Institute.
If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.
This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.
Check out the details at sansurl.com/450 Hope to see you in class!

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Strategy 8: Leverage Tools and Support Analyst Workflow Jun 26, 2023

Click here to send us your ideas and feedback on Blueprint!

Tool choice can be a make-or-break decision for security analysts, driving whether getting work done is a struggle, or an efficient, stress-free experience. How can we select the right tools for the job? Which tools are most important? Answers to these questions and more are in this week's episode of Blueprint!
This special season of the Blueprint Podcast is taking a deep dive into MITRE’s 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book’s authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman.
Sponsor's Note:
Support for the Blueprint podcast comes from the SANS Institute.
If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.
This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.
Check out the details at sansurl.com/450 - Hope to see you in class!

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Blueprint Live at the SANS Blue Team Summit 2023 Jun 22, 2023

Click here to send us your ideas and feedback on Blueprint!

In this special live recording from the SANS Blue Team Summit 2023, Kathryn Knerler, Ingrid Parker, and Carson Zimmerman joined John Hubbard they share their insights and expertise with attendees by answering their pressing questions. From discussing the most effective strategies for building a successful SOC to sharing tips on how to stay ahead of emerging cyber threats, our guests provide invaluable advice for those who work in a security operations center (SOC). If you're looking to take your SOC to the next level or are simply interested in the latest developments in cybersecurity, this episode is a must-listen. Tune in to hear from some of the most respected experts in the field and gain valuable insights that could make all the difference in how you approach cybersecurity.
This special season of the Blueprint Podcast is taking a deep dive into MITRE’s 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book’s authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman.
Support for the Blueprint podcast comes from the SANS Institute.
If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.
This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.
Check out the details at sansurl.com/450 Hope to see you in class!

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Strategy 7: Select and Collect the Right Data Jun 19, 2023

Click here to send us your ideas and feedback on Blueprint!

There's no denying that the average security team is completely overwhelmed with options for data to collect. With a deluge of endpoint, network, and cloud data sources to collect, how to do we identify and collect the most useful data sources? That's the topic of this episode. Join Kathryn, Ingrid, Carson, and John in this episode for a discussion on tactical data collection that will ensure your team doesn't miss the signs of an impending incident!
This special season of the Blueprint Podcast is taking a deep dive into MITRE’s 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book’s authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman.
-----------
Support for the Blueprint podcast comes from the SANS Institute.
If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.
This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.
Check out the details at sansurl.com/450 Hope to see you in class!
Follow SANS Cyber Defense: Twitter | LinkedIn | YouTube
Follow John Hubbard: Twitter | LinkedIn

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Strategy 6: Illuminate Adversaries with Cyber Threat Intelligence Jun 12, 2023

Click here to send us your ideas and feedback on Blueprint!

Every security team has limited budget and time, how do you know where to focus? Cyber Threat Intelligence provides those answers! In this episode, Ingrid, Carson and Kathryn describe how we can use CTI to focus our defensive efforts to understand our most likely attacks and attackers and move towards prioritizing what truly matters.
This special season of the Blueprint Podcast is taking a deep dive into MITRE’s 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book’s authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman.
Support for the Blueprint podcast comes from the SANS Institute.
If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.
This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.
Check out the details at sansurl.com/450 Hope to see you in class!
Follow SANS Cyber Defense: Twitter | LinkedIn | YouTube
Follow John Hubbard: Twitter | LinkedIn

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Strategy 5: Prioritize Incident Response Jun 05, 2023

Click here to send us your ideas and feedback on Blueprint!

No security team is perfect, so in this episode, authors Carson, Ingrid, and Kathryn discuss what it takes to prepare for fast, effective incident response capability. Covering preparation, planning and execution, Strategy 5 will teach your team how to jump into action at the earliest sign of problems.
This special season of the Blueprint Podcast is taking a deep dive into MITRE’s 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book’s authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman.
Sponsor's Note
-----------
Support for the Blueprint podcast comes from the SANS Institute.
If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.
This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.
Check out the details at sansurl.com/450 Hope to see you in class!
Follow SANS Cyber Defense: Twitter | LinkedIn | YouTube
Follow John Hubbard: Twitter | LinkedIn

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Strategy 4: Hire AND Grow Quality Staff May 29, 2023

Click here to send us your ideas and feedback on Blueprint!

In this episode we dive deep on the "People" factor of the SOC. Who should you hire, what skills should you hire for, what backgrounds are most likely to lead to success for your team? We also get into what happens after the hire - training, growth, and supporting your team in their skill and career development. This one is a must-listen for all the managers out there. We're all trying to build the highest skilled, most supportive team with low turnover, and the tips our authors bring to this episode on chapter 4 - "Hire AND Grow Quality Staff" will be crucial in that mission.
This special season of the Blueprint Podcast is taking a deep dive into MITRE’s 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book’s authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman.
-----------
Support for the Blueprint podcast comes from the SANS Institute.
If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.
This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.
Check out the details at sansurl.com/450 Hope to see you in class!
Follow SANS Cyber Defense: Twitter | LinkedIn | YouTube
Follow John Hubbard: Twitter | LinkedIn

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Strategy 3: Build a SOC Structure to Match Your Organizational Needs May 22, 2023

Click here to send us your ideas and feedback on Blueprint!

In this episode we discuss how to decide on the right org structure and capabilities of your SOC. This includes questions like tiered vs. tierless models, which capabilities the SOC should focus on, centralized vs. distributed SOCs, outsourcing of duties and staff augmentation considerations, and also where the SOC might sit in the larger chart of your organization. Every SOC needs to be tailored to best meet the mission, and chapter 3 - "Build a SOC Structure to Match Your Organizational Needs" will help you get there.
This special season of the Blueprint Podcast is taking a deep dive into MITRE’s 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book’s authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman.
Sponsor's Note
Support for the Blueprint podcast comes from the SANS Institute.
If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.
This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.
Check out the details at sansurl.com/450 Hope to see you in class!
Follow SANS Cyber Defense: Twitter | LinkedIn | YouTube
Follow John Hubbard: Twitter | LinkedIn

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Strategy 2: Give the SOC the Authority to Do Its Job May 15, 2023

Click here to send us your ideas and feedback on Blueprint!

Though a SOC is responsible for protecting your organization's assets, it is not the owner of those systems. If the SOC is not established with a clear charter and authority to act, it may quickly become difficult to be effective. Who should the SOC report to, what should be in a SOC charter, and how can we make these tough decisions? Those are the questions covered in this episode of our special "11 Strategies" season. This episode covers chapter 2 of the book - "Give the SOC the Authority to Do Its Job".
This special season of the Blueprint Podcast is taking a deep dive into MITRE’s 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book’s authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman.
Visit Mitre's page for more information
-----------
Sponsor's Note
Support for the Blueprint podcast comes from the SANS Institute.
If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.
This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.
Check out the details at sansurl.com/450 Hope to see you in class!
Follow SANS Cyber Defense: Twitter | LinkedIn | YouTube
Follow John Hubbard: Twitter | LinkedIn

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Strategy 1: Know What You Are Protecting and Why May 08, 2023

Click here to send us your ideas and feedback on Blueprint!

As the saying goes, "If you don't know where you're going, any road will take you there!" - an approach that is disastrous to a SOC. In order to succeed, the SOC must have a clear understanding of where they are going, how they're going to get there, and why. In this episode of our "11 Strategies" season we discuss chapter 1 of the book - "Know What You're Protecting and Why". Understanding your organization and the environment the SOC must perform in forms the foundation of all security team activity. In this episode the authors discuss the critical aspects of knowing what you're protecting. This includes consider your organization's mission, the legal, regulatory, and compliance environment, the technical capabilities you may or may not have, and the users that will inhabit the network and the actions they're going to be performing. Understanding these factors ensures your team starts off on the right path and keeps a common goal in view.
This special season of the Blueprint Podcast is taking a deep dive into MITRE’s 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book’s authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman."
Visit this Mitre page to find more information.
-----------
Support for the Blueprint podcast comes from the SANS Institute.
If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.
This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.
Check out the details at sansurl.com/450 Hope to see you in class!
Follow SANS Cyber Defense: Twitter | LinkedIn | YouTube
Follow John Hubbard: Twitter | LinkedIn

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

11 Strategies of a World-Class Security Operations Center: Fundamentals May 08, 2023

Click here to send us your ideas and feedback on Blueprint!

Welcome to a brand new season of Blueprint! In this intro episode we discuss "Fundamentals" chapter of the "11 Strategies of a World Class Cybersecurity Operations Center" with the authors. We get into the motivation behind updating the book and why its lessons are more important than ever in 2023. This chapter includes discussion of the functions of a SOC, basics of workflow, CTI and contextual data sources, and why ops tempo and speed is a critical factor in SOC success.
This special season of the Blueprint Podcast is taking a deep dive into MITRE’s 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book’s authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman.
Visit this Mitre page to find more information.
-----------
Support for the Blueprint podcast comes from the SANS Institute.
If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.
This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.
Check out the details at sansurl.com/450 Hope to see you in class!
Follow SANS Cyber Defense: Twitter | LinkedIn | YouTube
Follow John Hubbard: Twitter | LinkedIn

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Get Ready, A Very Special Season 4 Is On the Way! May 01, 2023

Click here to send us your ideas and feedback on Blueprint!

Hello Blueprint listeners! We’re excited to announce that the release of season 4 of Blueprint is just around the corner, and we’ve got something very special cooked up for you. We’ve teamed up with the authors of MITRE’s “11 Strategies of a World-Class Cybersecurity Operations Center” and over the next few months, we’ll be releasing episodes walking through each chapter with all 3 authors! We’ll be deep diving into what makes a SOC successful, get a first-hand account of why each strategy was chosen, and practical advice on each how to implement each strategy along the way. Join Blueprint host John Hubbard with authors Kat Knerler, Ingrid Parker, and Carson Zimmerman for this exciting new season, coming to your podcast aggregator on May 8th!
You can find the video of each podcast at:
https://www.youtube.com/@SANSCyberDefense
The first two episodes will be released on Monday, May 8. Following that there will be a new episode out every Monday.

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Brandon Evans: Cloud Security - Threats and Opportunities Sep 13, 2022

Click here to send us your ideas and feedback on Blueprint!

Ever wonder how a cloud and application security expert views risks of cloud workloads? Well, wonder no more because on this episode we have Brandon Evans - SANS Certified Instructor and lead author of SEC510: Public Cloud Security. We cover the why and how of moving their applications to the cloud, the key considerations for a successful cloud security posture, and how building your infrastructure with a cloud-native mindset can and should lead to an improved security posture.
BONUS: Be sure to stay tuned to the end of the episode for a very special announcement from Brandon on the new SANS Cloud Ace podcast. Coming to all podcast directories on September 28.

Our Guest - Brandon Evans

Brandon works for Zoom Video Communications, in which he leads their internal Application Security training. As an application developer for most of his professional career, he moved into security full-time largely because of his many formal trainings through SANS. He’s a contributor to the OWASP Serverless Top 10 Project and a co-leader for the Nashville OWASP chapter. Brandon is lead author for SEC510: Public Cloud Security: AWS, Azure, and GCP and a contributor and instructor for SEC540: Cloud Security and DevSecOps Automation.
Resources:
sans.org/cloud - SANS Cloud Resources
https://brandone.github.io/pixel-puzzles/ - Brandon’s Pixel Puzzle game

Sponsor's Note:

Support for the Blueprint podcast comes from the SANS Institute.

If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.

This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.

Check out the details at sansurl.com/450 Hope to see you in class!

Follow SANS Cyber Defense: Twitter | LinkedIn | YouTube

Follow John Hubbard: Twitter | LinkedIn

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Joe Lykowski: Building a Transparent, Data-Driven SOC Sep 06, 2022

Click here to send us your ideas and feedback on Blueprint!

In this episode we speak with Joe Lykowski - Cyber Defense Lead at a major manufacturing company on what it takes to build a mature, transparent, and effective SOC. Joe brings years of experience to the table in running a large organization’s security team and in this interview he draws out some of his favorite tips, strategies and more on metrics, building the right team, and what to prioritize as you build up a SOC for an org of any size.
Our Guest - Joe Lykowski
A graduate of Western Michigan University, Joe has 19 years of professional IT experience ranging from academia, industrial control systems and manufacturing IT, mobile device service management, telepresence services, endpoint protection, and cyber security operations. His current role focused on leading a global team of cyber defenders with the core goal of protecting Dow from the growing cybersecurity threats.

Follow Joe on Twitter: @JosephLykowski

Sponsor's Note:

Support for the Blueprint podcast comes from the SANS Institute.

If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.

This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.

Check out the details at sansurl.com/450 Hope to see you in class!

Follow SANS Cyber Defense: Twitter | LinkedIn | YouTube

Follow John Hubbard: Twitter | LinkedIn

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Rob Lee: Training and Reskilling in Cyber Security Aug 30, 2022

Click here to send us your ideas and feedback on Blueprint!

Many of us are either looking to start a cyber security career, improve our knowledge and skills to further our career, or hire a team that has the most skilled and promising candidates. In this special episode with Rob Lee, Chief Curriculum Director of the SANS Institute, we discuss strategies for building, improving, and testing your cyber security group’s skill levels, and working to keep our knowledge as current as possible - a critical skill for anyone in the fast moving world of cyber security.
Rob Lee

Rob Lee is the Chief Curriculum Director and Faculty Lead at SANS Institute and runs his own consulting business specializing in information security, incident response, threat hunting, and digital forensics. With more than 20 years of experience in digital forensics, vulnerability and exploit discovery, intrusion detection/prevention, and incident response, he is known as “The Godfather of DFIR”. Rob co-authored the book Know Your Enemy, 2nd Edition, and is course co-author of FOR500: Windows Forensic Analysis and FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics.

Sponsor's Note:

Support for the Blueprint podcast comes from the SANS Institute.

If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.

This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.

Check out the details at sansurl.com/450 Hope to see you in class!

Follow SANS Cyber Defense: Twitter | LinkedIn | YouTube

Follow John Hubbard: Twitter | LinkedIn

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Jaron Bradley: Securing Enterprise macOS Aug 23, 2022

Click here to send us your ideas and feedback on Blueprint!

In this episode of the Blueprint Podcast, we cover monitoring and securing macOS in an enterprise environment at scale with Jaron Bradley, Threat Detection lead at Jamf. We discuss the ups and downs of Apple's approach to macOS data collection over the years, the data sources and types that are accessible to defenders, what 3rd party agents bring to the table for security monitoring, and much more. Plus, Jaron gives us some great bonus tips for finding persistence mechanisms and malicious processes in enterprise macOS devices.
Our Guest - Jaron Bradley

Jaron has a background in Incident Response, threat hunting, and detections development. After focusing on large scale APT attacks he developed an interest in the more niche spaces of lesser explored operating systems. He has experience as both a SOC analyst as well as detections engineering at the endpoint level.Jaron currently works as the macOS Detections Lead at Jamf Threat Labs and manages his own security tools and content for security researchers atthemittenmac.com. He is also the author of OS X Incident Response Scripting and Analysis. A book he claims is slightly outdated but still relevant to a lot of macOS analysis today.

Resources mentioned in this episode
Websites

https://www.themittenmac.com (my website)
objective-see.com (great mac security website)
Major Blogs Referenced by Jamf Threat Labs

Conferences

Jamf Nation User Conference ->

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Alexia Crumpton: MITRE ATT&CK for Defenders Aug 16, 2022

Click here to send us your ideas and feedback on Blueprint!

One of the best frameworks that showed up within the last 5 or so years is undoubtedly the MITRE ATT&CK® framework. Many of us may know about it in passing and even reference from time to time, but very few people seem to know the true depth of knowledge contained - everything from analytics to threat groups, specific mitigation and detection opportunities, and with the newest versions, even specific data sources. In this episode we talk to the Defensive Lead of ATT&CK from MITRE, Lex Crumpton, about what every blue team member needs to know about this framework, and more!
Alexia Crumpton

Alexia Crumpton is a Defensive Cyber Operations Researcher with over seven years of experience in software development, SOCs, and Malware Reverse Engineering. Her passion lies in heuristic behavior analysis in regards to adversary TTPs and countermeasures used to defend against them.

Follow Alexia

LinkedIn: https://www.linkedin.com/in/alexia-crumpton-99930659/

Resources mentioned in this episode:
CAR - The MITRE Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the MITRE ATT&CK adversary model.

Top ATT&CK Techniques – Medium Blog, Github, Calculator
Sponsor's Note:

Support for the Blueprint podcast comes from the SANS Institute.

If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.

This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs t

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Cat Self: macOS and Linux Security Aug 09, 2022

Click here to send us your ideas and feedback on Blueprint!

Ever wonder why there’s so little information regarding macOS and Linux-oriented attacks? In this episode, we get the answer from the multi-talented Cat Self - an Adversary Emulation Engineer at MITRE, Cyber Threat Intelligence Team Leader on ATT&CK Evaluations and macOS/ Lead on MITRE ATT&CK Enterprise. We discuss defense tools, attacker TTPs, and what to consider when approaching defense for a macOS and Linux environment, and what trends we can expect in the future for these operating systems. Check out the resources below for links mentioned during this enlightening conversation!
Our Guest: Cat Self

Cat Self is the CTI Lead for MITRE ATT&CK® Evaluations, macOS/Linux Lead for ATT&CK® and serves as a leader of people at MITRE. Cat started her cyber security career at Target and has worked as a developer, internal red team operator, and Threat Hunter. Cat is a former military intelligence veteran and pays it forward through mentorship, technical macOS hunting workshops, and public speaking. Outside of work, she is often planning an epic adventure or climbing mountains in foreign lands.

Follow Cat on Social Media

Twitter: @coolestcatiknow

LinkedIn: Cat Self

Resources mentioned in this episode:
A highlight of new security changes in macOS Ventura:

https://www.sentinelone.com/blog/apples-macos-ventura-7-new-security-changes-to-be-aware-of/

For securing a macOS device, I highly recommend installing Patrick Wardle’s endpoint tools. https://objective-see.org/tools.html My favorites are BlockBlock, KnockKnock, Lulu, & Netiquette.

Cat's “GoTo” blogs

Patrick Wardle Objective-See

Jaron Bradley The Mitten Mac

Howard Oakley The Eclectic Light Company

Cody Thomas Medium

Sarah Edwards mac4n6

Leo Pitt Medium

Christopher Ross Medium

Csaba Fitzl THEEVILBIT Blog

Open Source Projects

Playbooks with Datasets to practice OTRF

Code snippets aligned to MITRE ATT&CK Atomic Red Team

Jupyter notebook environment setup by

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Corissa Koopmans and Mark Morowczynski: Azure AD Threat Detection and Logging Aug 02, 2022

Click here to send us your ideas and feedback on Blueprint!

Nearly every organization is using Microsoft Azure AD services in some respect, but monitoring Azure AD for threats is a significantly different skill that traditional Windows logging. In this episode we have 2 experts from Microsoft, Corissa Koopmans, and 3rd time returning guest Mark Morowczynski, to tell us about the important work that’s been done to help organizations understand their data and detect Azure AD attacks. We cover log sources, the new Microsoft security operations guide, standardized dashboards and visualizations you can leverage to jump right in with best practice, and much more. You don’t want to miss this one!
Corissa Koopmans and Mark Morowczynski

Corissa Koopmans (@Corissalea) is part of the "Get to Production" team in the Microsoft Identity and Network Access Division, focusing on incorporating customer feedback to improve our products. She is very active in driving community contribution to AzureMonitor Log Analytics and increasing awareness of the power of log data by presenting at industry events including BSides, The Experts Conference (TEC), SPARK, & Microsoft MVP Summits.
Mark Morowczynski (@markmorow) is a Principal Program Manager on the customer success team in the Microsoft Identity division. He spends most of his time working with customers on their deployments of Azure Active Directory. Previously he was Premier Field Engineer supporting Active Directory, Active Directory Federation Services and Windows Client performance. He's spoken at various industry events such as Black Hat, Defcon Blue TeamVillage, Blue Team Con, GrayHat, several BSides, and more. He can be frequently found on Twitter as @markmorow arguing about baseball and making sometimes funny gifs.

Azure AD SecOps - aka.ms/azureadsecops
Azure Monitor Log Analytics and KQL resources: aka.ms/KQLBlueTeam
For community contribution, please follow these prerequisites (these steps are also available at aka.ms/KQLBlueTeaml):
1. Have a GitHub account
2. Belong to the Microsoft Organization in GitHub
a. If you do not yet belong, click on this link: https://repos.opensource.microsoft.com/ and then select “Microsoft” to join their organization
3. Be a member of the

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Tony Turner: Securing the Cyber Supply Chain Jul 26, 2022

Click here to send us your ideas and feedback on Blueprint!

John and Fortress Vice President of Research and Development Tony Turner share their wisdom on trends they are seeing in the cyber industry and offer advice as to how we should be looking at the Cyber Supply Chain in 2022 and beyond.
Follow Tony Turner

LinkedIn: https://www.linkedin.com/in/tonyturnercissp/

Web: https://www.fortressinfosec.com/team/tony-turner

Sponsor's Note:

Support for the Blueprint podcast comes from the SANS Institute.

If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.

This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.

Check out the details at sansurl.com/450 Hope to see you in class!

Follow SANS Cyber Defense: Twitter | LinkedIn | YouTube

Follow John Hubbard: Twitter | LinkedIn

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Mark Orlando: Building a Stronger Blue Team Jul 19, 2022

Click here to send us your ideas and feedback on Blueprint!

There are many technical factors that contribute to the success of a security operations team, but you need more than just tech skills for mounting a solid defense. In this episode of Blueprint we bring back previous guest Mark Orlando to talk about his BlackHat 2022 presentation with Dr. Daniel Shore (PhD in workplace psychology) . We discuss team dynamics, how the mapping of multi-team systems can improve the flow of your incident response activities, and much more.
Check out the related BlackHat talk here: https://www.youtube.com/watch?v=CtkJ84bc50g
Our Guest - Mark Orlando

Mark Orlando is a SANS Associate Instructor, co-author MGT551: Building and Leading Security Operations Centers, instructor for SEC450: Blue Team Fundamentals: Security Operations and Analysis, and the Co-Founder and CEO of Bionic Cyber. Prior to Bionic, Mark built, assessed, and managed security teams at the Pentagon, the White House, the Department of Energy, and numerous Fortune 500 clients. Mark has presented on security operations and assessment at DefCon's Blue Team Village, the Institute for Applied Network Security (IANS) Forum, BSidesDC, and the RSA Conference and has been quoted in the New York Times, the Washington Post, Forbes, and many other publications. He holds a Bachelor's Degree in Advanced Information Technology from George Mason University and served in the US Marine Corps as an Artillery Non-Commissioned Officer.

Follow Mark Orlando

Twitter: https://twitter.com/markaorlando

LinkedIn: https://www.linkedin.com/in/marko16/

Web: https://www.sans.org/profiles/mark-orlando/

Sponsor's Note:

Support for the Blueprint podcast comes from the SANS Institute.

If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.

This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.

Check out the details at sansurl.com/450 Hope to see you in class!

Follow SANS Cyber Defense: Twitter | LinkedIn |

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Blueprint Live at SANSFIRE 2022: A panel with Heather Mahalik, Katie Nickels and Jeff McJunkin Jul 14, 2022

Click here to send us your ideas and feedback on Blueprint!

Host John Hubbard, Blueprint host and SANS Cyber Defense Curriculum Lead, moderated a panel of cyber security experts including Heather Mahalik, Katie Nickels and Jeff McJunkin for this powerful discussion.
John and guests share their wisdom on trends they are seeing in the cyber industry and offer advice as to how we should be looking at cyber defense in 2022 and beyond.
Guests:
Heather Mahalik
Katie Nickels
Jeff McJunkin
Filmed live at SANSFIRE 2022

Sponsor's Note:

Support for the Blueprint podcast comes from the SANS Institute.

If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.

This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.

Check out the details at sansurl.com/450 Hope to see you in class!

Follow SANS Cyber Defense: Twitter | LinkedIn | YouTube

Follow John Hubbard: Twitter | LinkedIn

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

David Hoelzer: Threat Detection with Machine Learning and AI Jul 12, 2022

Click here to send us your ideas and feedback on Blueprint!

Many of us with the typical IT and security backgrounds might not have the slightest idea what to expect when we hear the terms “this product uses advanced machine learning…”, but that claim certainly conjures up a lot of skepticism due to the opaque nature of the algorithms in many of these products. In this episode we discuss what AI and ML are best used for, and what they can, can’t, and shouldn’t be used for with guest Dave Hoelzer.

Our Guest - Dave Hoelzer

David Hoelzer, a SANS Fellow and author of more than twenty days of SANS courseware, is an expert in a variety of information security fields, having served in most major roles in the IT and security industries over the past twenty-five years. Currently, David serves as the principal examiner and director of research for Enclave Forensics, a New York/Las Vegas based incident response and forensics company. He also serves as the chief information security officer for Cyber-Defense, an open-source security software solution provider.

Follow Dave

Twitter: https://twitter.com/it_audit

LinkedIn: https://www.linkedin.com/in/davidhoelzer/

--

Follow SANS Cyber Defense: Twitter | LinkedIn | YouTube

Follow John Hubbard: Twitter | LinkedIn

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

James Rowley: Creating and Running an Insider Threat Program Jul 12, 2022

Click here to send us your ideas and feedback on Blueprint!

While malicious insiders are a threat that most of us would like to imagine we might never have to deal with, it’s still one of the cyber threats you must realistically consider and plan for. But how do you identify malicious intent and potential attacks from those already inside our network that have legitimate access to our data? Check out this episode where James Rowley lays out what you need to consider when it comes to insider threat detection.

Our Guest - James Rowley

James Rowley is a cybersecurity-consultant-turned-dectection-engineer building the next generation of insider threat detections. As a Detection Engineer, James is responsible for merging the world of blue team and insider threat, moving the needle on how we approach insider detections within cyberspace. James outside of the workspace is passionate about most things related to outdoors, beer, whiskey, wine, food, travel, and Minnesota sports teams. You will find James enjoying these things and more with his fiance and two dogs, Marshall (Bernese Mountain Dog) and Maya (Basset Hound).

--

Sponsor's Note:

Support for the Blueprint podcast comes from the SANS Institute.

If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.

This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.

Check out the details at http://sans.org/sec450 Hope to see you in class!

--

Follow SANS Cyber Defense: Twitter | LinkedIn | YouTube

Follow John Hubbard: Twitter | LinkedIn

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Dean Parsons: Cyber Security for OT and ICS Jul 12, 2022

Click here to send us your ideas and feedback on Blueprint!

With ransomware and other highly disruptive attacks on the rise, there are few systems more important to defend than our critical infrastructure and ICS equipment. How should we think about defending these systems vs our typical IT network though? In this episode, Dean Parsons is here to give us that answer.

Our Guest - Dean Parsons

Dean brings over 20 years of technical and management experience to the classroom. He has worked in both Information Technology and Industrial Control System (ICS) Cyber Defense in critical infrastructure sectors such as telecommunications, and electricity generation, transmission, distribution, and oil & gas refineries, storage, and distribution. Dean is an ambassador for defending industrial systems and an advocate for the safety, reliability, and cyber protection of critical infrastructure. His mission as an instructor is to empower each of his students, and he earnestly preaches that “Defense is Do-able!”

Over the course of his career, Dean’s accomplishments include establishing entire ICS security programs for critical infrastructure sectors, successfully containing and eradicating malware and ransomware infections in electricity generation and manufacturing control networks, performing malware analysis triage and ICS digital forensics, building converged IT/OT incident response and threat hunt teams, and conducting ICS assessments in electric substations, oil and gas refineries, manufacturing, and telecommunications networks.

A SANS Certified Instructor, Dean teaches ICS515: ICS Visibility, Detection, and Response and is a co-author of the new SANS Course ICS418: ICS Security Essentials for Managers. Dean is a member of the SANS GIAC Advisory Board and holds many cybersecurity professional certifications including the GICSP, GRID, GSLC, and GCIA, as well as the CISSP®. He is a proud native of Newfoundland and holds a BS in computer science from Memorial University of Newfoundland.

Follow Dean Parsons

Twitter: https://twitter.com/deancybersec

LinkedIn: https://www.linkedin.com/in/dean-parsons-cybersecurity/

Resources mentioned in this episode

OSINT / Site-visit Cheat Sheet

https://www.sans.org/posters/ics-site-visit-plan/

ICS Cyber Kill Chain Whitepaper:

https://www.sans.org/white-papers/36297/?msc=blog-ics-library

ICS specific Network Security Monitoring:

https://www.sans.org/posters/industrial-network-security-monitoring/

Top 5 ICS Incident Response Tabletops

https://www.sans.org/blog/top-5-ics-incident-response-tabletops-and-how-to-run-them/

My weekly ICS Defense Force LiveStream

https://www.youtube.com/pl

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

John Hubbard: Your Top Cyber Defense Questions Answered from Seasons 1 + 2 Jul 01, 2022

Click here to send us your ideas and feedback on Blueprint!

It's a special mailbag episode from John Hubbard! After two seasons, John asked the listeners what questions they had for him. He touched on the current XDR trend, how other teams can support SOC activities, defining security mindset, and more.

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

John Hubbard: Key lessons and takeaways from Blueprint Season 2 + A Special Announcement! Jun 08, 2021

Click here to send us your ideas and feedback on Blueprint!

In this solo episode to wrap up season 2, John discusses some of the key takeaways from the guests interviwed throughout this year, and has some very exciting news for all blue teamers on a brand new GIAC certification. ;)
Link: (GIAC GSOC LINK HERE)
John is a Security Operations Center (SOC) consultant and speaker, a Certified SANS instructor, and the course author of two SANS courses, SEC450: Blue Team Fundamentals - Security Operations and Analysis and MGT551: Building and Leading Security Operations Centers.
Follow John
Twitter: @SecHubb
YouTube: youtube.com/user/jhub908
LinkedIn: in/johnlhubbard
All Blueprint Podcast Episodes: sans.org/blueprint-podcast

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Mark Morowczynski & Thomas Detzner: Microsoft Incident Response Playbooks Jun 01, 2021

Click here to send us your ideas and feedback on Blueprint!

We all need solid, well though-out playbooks to help standardize our respons to common threat scenarios. In this episode we speak with Thomas Detzner and Mark Morowczynski about the brand new set of Microsoft incident response playbooks that were just released. This is a brand new effort to meticulously document prerequisites, investigation steps, and remediation process for common scenarios most commonly seen by the Microsoft incident response teams, and you definitely won't want to miss it.
Our Guests: Thomas Detzner and Mark Morowczynski
Thomas Detzner is a Project Leader for Microsoft, creating guidance for Azure AD IR.
Mark Morowczynski (@markmorow) is a Principal Program Manager on the customer success team in the Microsoft Identity division. He spends most of his time working with customers on their deployments of Azure Active Directory. He can be frequently found on Twitter as @markmorow arguing about baseball and making sometimes funny gifs.
Links:
https://aka.ms/irplaybooks - Playbooks discussed in this episode
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub#access-data-from-your-event-hub - Azure Event Hub
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1909-and-windows-server/ba-p/1023093 - Security Baslines
https://www.microsoft.com/en-us/download/details.aspx?id=52630 - Security Auditing and Monitoring Reference
Sponsor's Note:
Support for the Blueprint podcast comes from the SANS Institute.
If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.
This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.
Check out the details at sansurl.com/450! Hope to see you in class!
Follow SANS Cyber Defense: Twitter |

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

AJ Yawn: Cloud, Compliance and Automating Security May 25, 2021

Click here to send us your ideas and feedback on Blueprint!

Compliance and audit checks can be painful, and that's before you introduce additional cloud services and technology. In this episode featuring AJ Yawn we discuss some incredibly useful and actionable cloud security concepts and tools that can help your team boost visibility and reduce user permissions to help prevent breaches before they happen. In addition, we discuss what a good compliance audit should be, and how to turn audits from painful to incredibly valuable.
Resources mentioned in this episode:
- AWS CloudTrail: https://aws.amazon.com/cloudtrail/
- AWS Well-Architected Framework:https://aws.amazon.com/architecture/well-architected/
- AWS Config: https://aws.amazon.com/config
- AWS Organizations:https://aws.amazon.com/organizations/
- AWS Service Control Policies (SCP): https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
Our Guest - AJ Yawn
AJ Yawn is the Co-Founder and CEO of ByteChek. He is a seasoned cloud security professional that possesses over a decade of senior information security experience with extensive experience managing a wide range of cybersecurity compliance assessments (SOC 2, ISO 27001, HIPAA, etc.) for a variety of SaaS, IaaS, and PaaS providers.

AJ advises startups on cloud security and serves on the Board of Directors of the ISC2 Miami chapter as the Education Chair, he is also a Founding Board member of the National Association of Black Compliance and Risk Management professions, regularly speaks on information security podcasts, events, and he contributes blogs and articles to the information security community including publications such as CISOMag, InfosecMag, HackerNoon, and ISC2.

Sponsor's Note:
Support for the Blueprint podcast comes from the SANS Institute.
Are you looking for the best in-depth training for your cyber defense team? Look no further than SANS blue team curriculum courses!
Whether you focus on network or host data, Windows or Linux, or even specialize in open source intel, SIEM, SOC, or defensive architecture, the SANS Blue Team curriculum has the course for you. From long-time classics like SEC503 Network Intrusion Detection to the newer SEC530 Defensible Security Architecture and Engineering and

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Jamie Williams: Adversary Emulation May 18, 2021

Click here to send us your ideas and feedback on Blueprint!

There are numerous ways to test your SOC's detection and prevention capabilities, but not all are created equal. Each has their own strengths and weaknesses, and can be done on a different time scale.This week, we focus on arguably one of the most important - adversary emulation. In this episode we speak with Jamie Williams from the MITRE ATT&CK team about why adversary emulation is important, how it works, how you can get started regardless of the size of your team, and how to track and run an adversary emulation test.
Our guest: Jamie Williams
Jamie Williams is a Principal Adversary Emulation Engineer for the MITRE Corporation where he works on various exciting efforts involving security operations and research, specializing in adversary emulation and behavior-based detections. He also leads teams that help shape and deliver the “adversary-touch” within ATT&CK® and ATT&CK Evaluations.

Follow Jamie Williams on Twitter (@jamieantisocial) and LinkedIn (/in/jamie-williams-108369190).
Sponsor's Note
Support for the Blueprint podcast comes from the SANS Institute.
Since the debut of SEC450, we’ve always had students interested in a matching course covering the management and leadership aspects of running a SOC. If you like the topics in this podcast and would like to learn more about Blue Team leadership and management, check out the new MGT551: Building and Leading Security Operations Centers. This new course is designed for Security Team leaders looking to build, grow and operate a security operation center with peak efficiency. It’s a hands-on technical leadership course, that takes you through everything from scoping threat groups to use case creation, threat hunting, planning, SOC maturity and detection assessment and much much more.
Check out the course syllabus, labs and a free demo at sansurl.com/551
Follow SANS Cyber Defense: Twitter | LinkedIn | YouTube
Follow John Hubbard: Twitter | LinkedIn

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Josh Johnson: PowerShell and Defensive Automation for the Blue Team May 11, 2021

Click here to send us your ideas and feedback on Blueprint!

PowerShell may seem intimidating, but it can be one of the most amazing and useful tools at your disposal...if you know how to use it. In this episode, we have Josh Johnson, author of the new SANS course "SEC586: Blue Team Operations - Defensive Powershell" giving you a masterful crash course in:
- The importance of PowerShell
- How PowerShell works, and how to set yourself up to use it
- Blue team use cases for log analysis, incident response and more
- How to stopping attackers from leveraging PowerShell
- Some of the amazing automation and playbook opportunities you may be missing out on.
Lots of actionable content for defenders here, don't miss in this episode!
Our Guest: Josh Johnson
Josh Johnson is a SANS Certified Instructor and course author of SEC586: Blue Team Operations: Defensive PowerShell. He has been working in the Information Security industry for over 10 years in varying roles with responsibilities ranging from penetration testing to incident response. Josh was Purple Teaming since before it had a name and used his offensive security skill set to find and pursue his true passion - Blue Team. Since then, he has been helping organizations of all sizes, and in varying industries from healthcare to retail to finance, improve their cyber defense capabilities.

More About Josh
Follow Josh: Twitter | LinkedIn
Sponsor's Note:
Support for the Blueprint podcast comes from the SANS Institute.
If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.
This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.
Check out the details at sansurl.com/450! Hope to see you in class!
Follow SANS Cyber Defense: Twitter | LinkedIn | YouTube
Follow John Hubbard: Twitter | LinkedIn

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Chris Baker: Get A Handle On Your Vulnerabilities May 04, 2021

Click here to send us your ideas and feedback on Blueprint!

This episode is all about vulnerability management - both the technical and human aspects. Looking to start up a new vulnerability management team? Drowning in vulnerabilities to fix and don't know where to start? Struggling to get system owners to take action? Trying to find ways to communicate the importance and status of your patching efforts?
Check out this episode with vulnerability management expert Chris Baker for answer these to questions and much more!
Our Guest: Chris Baker
Chris Baker is an Information Security Leader with a deep background in information security including strategy development and operational excellence that has created highly efficient teams and delivered large impacts to the business value chain. He is a skilled risk management and information security professional with the versatility to lead large and diverse matrix teams and deep-dive into complex technical problems. A proven track record of collaborating effectively at all business levels while directing changes on a global, enterprise-wide scale.

Follow Chris Baker
@bakerc | LinkedIn

Sponsor Note
Support for the Blueprint podcast comes from the SANS Institute.
Are you looking for the best in-depth training for your cyber defense team? Look no further than SANS blue team curriculum courses!
Whether you focus on network or host data, Windows or Linux, or even specialize in open source intel, SIEM, SOC, or defensive architecture, the SANS Blue Team curriculum has the course for you. From long-time classics like SEC503 Network Intrusion Detection to the newer SEC530 Defensible Security Architecture and Engineering and SEC487 Open Source Intelligence Gathering - we've got you covered, no matter what your specialty.
With an extensive archive of free webcasts on the SANS site, and free online demos available for most courses, you can easily check out the SANS blue team catalog and see which course is the best fit for you and your team.
Check out the constantly growing list of available courses at sansurl.com/blueteamops
Follow SANS Cyber Defense: Twitter | LinkedIn | YouTube
Follow John Hubbard: Twitter | LinkedIn

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Mick Douglas & Flynn Weeks: Simplifying your Logging Strategy with the What2Log Project Apr 27, 2021

Click here to send us your ideas and feedback on Blueprint!

A common question from many defenders is "Which logs are the most important?” In this episode, Mick Douglas and Flynn Weeks join us to describe their What2Log project, which aims to simplify this problem for all of us!
Our Guests: Mick Douglas & Flynn Weeks
Mick Douglas is the Managing Partner of InfoSec Innovations. He is a SANS certified instructor and is a member of the IANS faculty. In his spare time, he tries in vain to improve his photography skills and goes hiking looking for the perfect shot.
Flynn is a senior Cybersecurity student and intern at InfoSec Innovations. Forensics, and in turn, logging, are passions of hers. In her spare time, she enjoys her time spent with pets and hiking.
Follow Mick and Flynn
Twitter: Mick @bettersafetynet and Flynn @soundsofthetime

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Anton Chuvakin: The Current State and Future of Security Operations Apr 20, 2021

Click here to send us your ideas and feedback on Blueprint!

In today’s episode, John is joined by Anton Chuvakin to discuss current and future security operations technology, which tools are the most important and which are becoming less important over time, the rules of automation in the SOC and how Anton would setup a modern Security Operations Center for a Cloud native organization.
Today's Guest: Anton Chuvakin
Dr. Anton Chuvakin is a recognized security expert in the field of log management, SIEM and PCI DSS compliance. He is now involved with security solution strategy at Google Cloud, where he arrived via Chronicle Security (an Alphabet company) acquisition in July 2019.

He is an author of books "Security Warrior", "Logging and Log Management: The Authoritative Guide to Understanding the Concepts Surrounding Logging and Log Management" and ""PCI Compliance, Third Edition: Understand and Implement Effective PCI Data Security Standard Compliance"" (book website) and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and other books.

Anton has published dozens of papers on log management, SIEM, correlation, security data analysis, PCI DSS, security management. His blog "Security Warrior" was one of the most popular in the industry. In addition, Anton teaches classes and presents at many security conferences across the world; he addressed audiences in United States, UK, Australia, Singapore, Spain, Russia and other countries. He works on emerging security standards and serves on advisory boards of several security start-ups.

Follow Anton
Twitter: @anton_chuvakin
LinkedIn: /in/chuvakin
Check out the constantly growing list of available courses at sansurl.com/blueteamops
Follow SANS Cyber Defense: Twitter | LinkedIn | YouTube
Follow John Hubbard: Twitter | LinkedIn

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Rob van Os: Maturing your Cyber Defense Apr 13, 2021

Click here to send us your ideas and feedback on Blueprint!

Are you a manager looking to build or improve your SOC? Are you trying to understand how to measure your SOCs maturity or use cases or your threat hunting efforts? If so, today’s episode with Rob van Os is for you. In this episode, we discuss the SOC CMM for SOC maturity measurement, the magma use case framework for building and tracking SOC use cases, and the Tahiti threat hunting methodology for showing ROI on threat hunting.
Our Guest is Rob van Os
Rob van Os, MSc., CISSP, ISSAP is a senior security advisor working for CZ group. Until recently, Rob was the Product Owner of the Cyber Defense Center of a Dutch bank and as such responsible for cyber security operations. Rob obtained a Bachelor's degree in Computer Science in 2009 and a Master's degree in Information Security in 2016. Rob is the author of the SOC-CMM and lead author of the MaGMa UCF and the TaHiTI methodology.
Follow Rob:
Linkedin: /in/cyberdefensespecialist
Website: https://www.soc-cmm.com/
Sponsor's Note:
Support for the Blueprint podcast comes from the SANS Institute.
If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.
This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.
Check out the constantly growing list of available courses at sansurl.com/blueteamops
Follow SANS Cyber Defense: Twitter | LinkedIn | YouTube
Follow John Hubbard: Twitter | LinkedIn

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

AppSec, DevOps and DevSecOps Apr 06, 2021

Click here to send us your ideas and feedback on Blueprint!

What is AppSec, DevOps and DevSecOps? In this episode we discuss why defenders should know more about these terms and what the consequences are of ignoring these new and critical fields.
Tanya Janca, also known as SheHacksPurple, is the best-selling author of ‘Alice and Bob Learn Application Security’. She is also the founder of We Hack Purple, an online learning academy, community and podcast that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty years, won countless awards, and has been everywhere from startups to public service to tech giants (Microsoft, Adobe, & Nokia). She has worn many hats; startup founder, pentester, CISO, AppSec Engineer, and software developer. She is an award-winning public speaker, active blogger & streamer and has delivered hundreds of talks and trainings on 6 continents. She values diversity, inclusion and kindness, which shines through in her countless initiatives.

Advisor: Nord VPN, Cloud Defense, NeuraLegion, ICTC PAC, WoSEC

Founder: We Hack Purple, WoSEC International (Women of Security), OWASP DevSlop, #CyberMentoringMonday

Support for the Blueprint podcast comes from the SANS Institute.
Check out the constantly growing list of available courses at sansurl.com/blueteamops
Follow SANS Cyber Defense: Twitter | LinkedIn | YouTube
Follow John Hubbard: Twitter | LinkedIn

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Playbook for Security Onion Mar 30, 2021

Click here to send us your ideas and feedback on Blueprint!

Driving consistency and maintaining a high standard for alert response is a problem all SOCs must face, but how? In this episode, Josh Brower describes his efforts to combine automated detection signature deployment and use case database management into a single, easy to use app for Security Onion. Whether you use Security Onion or not, this episode dives into the design principles and workflow Josh used when designing the new open-source Playbook app and there’s something to learn from it for everyone on the Blue Team.
Our Guest - Josh Brower
Josh Brower has been crashing computers since his teens, and now feels fortunate to be doing it professionally. He has spent the last 12 years focusing on InfoSec, particularly network and endpoint detection. He also enjoys teaching around InfoSec issues, especially to non-technical learners - helping them to understand how their actions in the digital world have real-world consequences, as well as how to proactively reduce the risk.
Follow Josh
Twitter: @DefensiveDepth
LinkedIn: /in/joshbrower
Web: https://defensivedepth.com
Support for the Blueprint podcast comes from the SANS Institute
Are you looking for the best in-depth training for your cyber defense team? Look no further than SANS blue team curriculum courses!
Whether you focus on network or host data, Windows or Linux, or even specialize in open source intel, SIEM, SOC, or defensive architecture, the SANS Blue Team curriculum has the course for you. From long-time classics like SEC503 Network Intrusion Detection to the newer SEC530 Defensible Security Architecture and Engineering and SEC487 Open Source Intelligence Gathering - we've got you covered, no matter what your specialty.
With an extensive archive of free webcasts on the SANS site, and free online demos available for most courses, you can easily check out the SANS blue team catalog and see which course is the best fit for you and your team.
Check out the constantly growing list of available courses at sansurl.com/blueteamops
Follow SANS Cyber Defense: Twitter | LinkedIn | YouTube
Follow John Hubbard: Twitter | LinkedIn

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

The Blue Teamer's Blueprint for Malware Triage Mar 30, 2021

Click here to send us your ideas and feedback on Blueprint!

Even if you're not a malware analyst, any blue teamer should be able to do some initial basic malware sample triage. The good news is that this is quite easy to do using freely available tools once you know what is available. Join John in this conversation with Ryan Chapman as they discuss how to reverse engineer malware and why you might want to do so.
Our Guest - Ryan Chapman
Ryan Chapman works as a Principal Incident Response analyst. He also teaches SANS FOR610: Reverse Engineering Malware and is the lead organizer for CactusCon, Arizona's hcaker conference. Ryan has worked in Security Operations Center and Computer Incident Response Team roles that handled incidents from inception all the way through remediation. Reviewing log traffic; researching domains and IPs; hunting through log aggregation utilities; sifting through pack captures; analyzing malware; and performing host and network forensics are all things that Ryan loves to do. With Ryan, it's all about the blue team!
Follow Ryan
Twitter: @rj_chap
LinkedIn: /in/ryanjchapman
Web: https://incidentresponse.training
Sponsor's Note:
Support for the Blueprint podcast comes from the SANS Institute.
If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.
This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.
Check out the details at sansurl.com/450 Hope to see you in class!
Follow SANS Cyber Defense: Twitter | LinkedIn | YouTube
Follow John Hubbard: Twitter | LinkedIn

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

SOC Metrics: Measuring Success and Preventing Burnout Mar 30, 2021

Click here to send us your ideas and feedback on Blueprint!

Looking for a new way to approach the difficult problem of measuring and improving your SOC? Check out this episode to hear how to use methods pioneered in the manufacturing and reliability industry to help wrap your head around, and solve this complex issue. You don’t want to miss this episode with Jon Hencinski, Director of Operations at Expel who covers all of this and more.
Our guest - Jon Hencinski
Jon Hencinski is the Director of Global Operations at Expel. In this role, he’s responsible for the day-to-day operations of Expel’s security operations center (SOC) and detection and response engineering. He oversees how Expel recruits, trains, and develops security analysts. Jon has over a decade of experience in the areas of SOC operations, threat detection, and incident response. Prior to Expel, Jon worked at FireEye, BAE Systems, and was an adjunct professor at The George Washington University.
Follow Jon
Twitter: @jhencinski
LinkedIn: /in/jonathanhencinski
Web: https://hencinski.medium.com
Support for the Blueprint podcast comes from the SANS Institute.
Since the debut of SEC450, we’ve always had students interested in a matching course covering the management and leadership aspects of running a SOC. If you like the topics in this podcast and would like to learn more about Blue Team leadership and management, check out the new MGT551: Building and Leading Security Operations Centers. This new course is designed for Security Team leaders looking to build, grow and operate a security operation center with peak efficiency. It’s a hands-on technical leadership course, that takes you through everything from scoping threat groups to use case creation, threat hunting, planning, SOC maturity and detection assessment and much much more.
Check out the course syllabus, labs and a free demo at sansurl.com/551
Follow SANS Cyber Defense: Twitter | LinkedIn | YouTube
Follow John Hubbard: Twitter | LinkedIn

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

A Machine Learning Primer for the Blue Team Aug 11, 2020

Click here to send us your ideas and feedback on Blueprint!

Austin Taylor discusses the promise and reality of cyber security-centric data science, and how you can use machine learning for solving practical security problems.
Twitter Handles: @HuntOperator | @SecHubb | @SANSDefense
All Blueprint Podcast Episodes: sans.org/blueprint-podcast

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Empowering Security Researchers Around the World! Aug 04, 2020

Click here to send us your ideas and feedback on Blueprint!

Roberto Rodriguez explains the awesome projects and initiatives he is working on to help blue teams perform advanced data collection, analysis, and threat hunting.
Twitter Handles: @Cyb3rWard0g | @SecHubb | @SANSDefense
All Blueprint Podcast Episodes: sans.org/blueprint-podcast

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Locking Down and Monitoring Cloud Infrastructure Jul 28, 2020

Click here to send us your ideas and feedback on Blueprint!

Cloud expert Kyle Dickinson discusses common cloud infrastructure attacks, and how you can detect and prevent them before they happen to your organization.
Twitter Handles: @KyleHaxWhy | @SecHubb | @SANSDefense
All Blueprint Podcast Episodes: sans.org/blueprint-podcast

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Passwordless - Can it Be Done? Jul 21, 2020

Click here to send us your ideas and feedback on Blueprint!

Mark and Libby share the new technologies in use at Microsoft to dramatically decrease the need for the use of passwords in the enterprise.
Twitter Handles: @markmorow | @TruBluDevil | @SecHubb | @SANSDefense
All Blueprint Podcast Episodes: sans.org/blueprint-podcast

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Training Yourself in a Quarantined World Jul 14, 2020

Click here to send us your ideas and feedback on Blueprint!

Dave and Ryan speak with John about resources for training yourself, and the challenges of setting up a large-scale cyber lab to simulate an advanced attack for their Splunk Boss of the SOC competition.
Twitter Handles: @daveherrald | @meansec | @SecHubb | @SANSDefense
All Blueprint Podcast Episodes: sans.org/blueprint-podcast

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Understanding and Applying Threat Intelligence Jul 07, 2020

Click here to send us your ideas and feedback on Blueprint!

Katie Nickels talks about what threat intelligence is, where to get it, what you should expect from it, and how the SOC should be using it.
Twitter Handles: @likethecoins | @SecHubb | @SANSDefense
All Blueprint Podcast Episodes: sans.org/blueprint-podcast

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Privacy Laws: The Future Driver of Cyber Security Jun 30, 2020

Click here to send us your ideas and feedback on Blueprint!

Mary Chaney shares what types of laws we should be concerned about. She discusses her thoughts on privacy laws and how that will drive cyber security, and what she’s doing to get more diverse representation in the industry at all levels.
Twitter Handles: @MaryNChaney | @SecHubb | @SANSDefense
All Blueprint Podcast Episodes: sans.org/blueprint-podcast

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Creativity and Choices: Talking About Thinking Jun 23, 2020

Click here to send us your ideas and feedback on Blueprint!

Chris Sanders and Stef Rand discuss qualitative research they conducted on how to use divergent or convergent thinking for improving the quality of your analysis.
Twitter Handles: @ChrisSanders88 | @techieStef | @SecHubb | @SANSDefense
All Blueprint Podcast Episodes: sans.org/blueprint-podcast

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Shock to the System: Re-Evaluating Your Security Operations Jun 16, 2020

Click here to send us your ideas and feedback on Blueprint!

In our very first guest interview with Mark Orlando, John asks Mark questions to help us re-evaluate our security operations.
Twitter Handles: @MarkAOrlando | @SecHubb
All Blueprint Podcast Episodes: sans.org/blueprint-podcast

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

The Art of Blue Teaming Jun 16, 2020

Click here to send us your ideas and feedback on Blueprint!

Hear host John Hubbard share info on his background, his inspiration and goals for this podcast and his insights on ‘The Art of Blue Teaming”.
Twitter Handles: @SecHubb | @SANSDefense
All Blueprint Podcast Episodes: sans.org/blueprint-podcast

Learn more about SANS' SOC courses at sans.org/soc

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Introducing Blueprint Jun 09, 2020

Click here to send us your ideas and feedback on Blueprint!

Blueprint brings you the latest in cyber defense and security operations from top blue team leaders. Blueprint is brought to you by the SANS Institute and is hosted by SANS Certified Instructor John Hubbard.
Twitter Handles: @SecHubb | @SANSDefense
All Blueprint Podcast Episodes: sans.org/blueprint-podcast

Connect with John:
- LinkedIn
- Take A Training Course with John
SOC Analyst and Leadership Training Courses:
- SEC450: Blue Team Fundamentals - Security Operations and Analysis
- LDR551: Building and Leading Security Operations Centers
SANS:
- Cyber Defense Course List
- Upcoming Training Events
- Free tools, VMs, cheat sheets and more for cyber defenders

Our TOPPODCAST Picks

Follow Us

Stay Connected

Blueprint: Build the Best in Cyber Defense

Related Podcasts

Links

Stay Connected