Make Blue Great Again

I get it, I really do. Red team engagements are amazing and they’re a great way to identify problems in our environments. They’re really cool to talk about to your CEO buddies, and while you pay the bill you get to imagine a crack military-style force attacking your perimeter and attempting to breach your defences. They’re the cool thing that every security guy wants to do, because Blue’s the boring one, right?

Sure, Blue rarely gets to jump a fence and disable a camera while socially engineering the security guard into thinking it’s all approved, but they’re the ones that pushed the installer to ensure that camera’s credentials were changed from admin/123456 in the first place. They’re the ones that make sure you can read your email instead of the million spam messages that the Russian Business Network’s trying to deliver.

Red teams will use vulnerabilities in software to get around your tricky sixteen-character-password-rotated-every-7-days policy that you read about in a business magazine - or they’ll just read the password off the secretary’s post-it note. Good blue teams know about these problems and have already told management better ways to deal with them (diceware passphrases, look them up). Good blue teams are already protecting your environment from 90% of the techniques red teams use, by updating and protecting endpoints and by providing awareness training.

They’re spending days negotiating with all your business units to get a five minute window to cram in some much-needed updates that have been pending since the last time you refused to allow it. They’re pointing out (again) that if you’d just spend 10% more on staff and high availability systems, they wouldn’t spend 20% of their budget on overtime, or even need an outage when one node out of a cluster needs to restart.

They’re trying to talk the developers into including security testing in their processes by running one of the many OWASP Top Ten scanners against their web apps - or talking the Windows admins into turning on the host-based firewall and learning to configure it.
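For the host-based firewall point, here is what “turn it on and learn to configure it” looks like on a Windows box. This is an added example, not code from the original post: it records the current state, adds management-access rules scoped to a subnet before flipping inbound to Block (so you don’t lock yourself out of the server you’re hardening), enables all three profiles with dropped-packet logging, and then verifies the result. The 10.0.0.0/24 management subnet and the rule names are assumptions for illustration; replace them with your own.

```powershell
# Added example (not from the original post): enable the Windows host-based
# firewall on every profile, default-deny inbound, and log what gets dropped.
# Assumptions: run as Administrator on Windows 10 / Server 2016 or later with
# the NetSecurity module; 10.0.0.0/24 is a hypothetical management subnet.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
$ManagementSubnet = '10.0.0.0/24'   # hypothetical - replace with your real one

# 1. Record the starting state so the change can be reviewed (and reverted).
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked |
    Format-Table -AutoSize

# 2. Before flipping inbound to Block, make sure you can still get back in.
#    Scope the rules to the management subnet rather than "Any".
$mgmtRules = @(
    @{ DisplayName = 'Mgmt - RDP from management subnet';   Port = 3389 },
    @{ DisplayName = 'Mgmt - WinRM from management subnet'; Port = 5985 }
)
foreach ($r in $mgmtRules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.DisplayName -Direction Inbound -Protocol TCP `
            -LocalPort $r.Port -RemoteAddress $ManagementSubnet -Action Allow -Profile Domain,Private
    }
}

# 3. Enable all three profiles, block unsolicited inbound, and log drops so the
#    blue team can see what was knocking (and catch anything the change broke).
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767

# 4. Verify, and fail loudly if any profile is still off or still defaults to Allow.
$bad = Get-NetFirewallProfile |
    Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' }
if ($bad) { throw "Firewall not hardened on profile(s): $($bad.Name -join ', ')" }
"Host firewall enabled with default inbound Block on all profiles."
```

Two caveats a practitioner will want: run this on one non-critical host first and watch the pfirewall.log for a few days, because anything that legitimately talks to the box unsolicited will show up as a drop there; and if the machine is domain-joined, Group Policy may override what you set locally, so the same settings belong in the firewall GPO rather than only in a script.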

Time and time again Blue has to write reports showing how they’ve mitigated the latest spam/phishing campaign by filtering out a particular sender or subject. It wouldn’t be a problem if the CEO’s secretary hadn’t used ZoomInfo to populate the spammer’s database in the first place - but ZoomInfo was whitelisted because “engagement” and “productivity” are more powerful terms than “obvious scamware”.

We all know what needs to be done. Patch, check, log, teach, talk, understand. NIST, ASD, and a raft of others have lists of how to do it right, but you have to spend money and time on operations to make sure they’ve got the resources to do it.

I could go on, and I will in the future, but management, owners, leaders, anyone from the top to the bottom of every organisation, let’s re-take a phrase from our Cheeto-coloured northern overlord. Let’s…

Make Blue Great Again.