
Arm yourself with the most valuable and actionable content for advancing cyber defense skills. Hear from some truly interesting people changing the game in the blue teaming field, and ultimately learn actionable ways to take your cyber defense skills to the next level.
Nearly every organization is using Microsoft Azure AD services in some respect, but monitoring Azure AD for threats is a significantly different skill than traditional Windows logging. In this episode we have 2 experts from Microsoft, Corissa Koopmans and 3rd time returning guest Mark Morowczynski, to tell us about the important work that's been done to help organizations understand their data and detect Azure AD attacks. We cover log sources, the new Microsoft security operations guide, standardized dashboards and visualizations you can leverage to jump right in with best practice, and much more. You don't want to miss this one!
John and Tony Turner share their wisdom on trends they are seeing in the cyber industry and offer advice as to how we should be looking at cyber defense in 2022 and beyond.
There are many technical factors that contribute to the success of a security operations team, but you need more than just tech skills for mounting a solid defense. In this episode of Blueprint we bring back previous guest Mark Orlando to talk about his BlackHat 2022 presentation with Dr. Daniel Shore (PhD in workplace psychology). We discuss team dynamics, how the mapping of multi-team systems can improve the flow of your incident response activities, and much more.
John Hubbard, Blueprint host and SANS Cyber Defense Curriculum Lead, moderated a panel of cyber security experts including Heather Mahalik, Katie Nickels and Jeff McJunkin for this powerful discussion.
Many of us with the typical IT and security backgrounds might not have the slightest idea what to expect when we hear the terms “this product uses advanced machine learning…”, but that claim certainly conjures up a lot of skepticism due to the opaque nature of the algorithms in many of these products. In this episode we discuss what AI and ML are best used for, and what they can, can’t, and shouldn’t be used for with guest Dave Hoelzer.
With ransomware and other highly disruptive attacks on the rise, there are few systems more important to defend than our critical infrastructure and ICS equipment. How should we think about defending these systems vs our typical IT network though? In this episode, Dean Parsons is here to give us that answer.
Resources mentioned in this episode:
OSINT / Site-visit Cheat Sheet: https://www.sans.org/posters/i...
ICS Cyber Kill Chain Whitepaper: https://www.sans.org/white-pap...
ICS specific Network Security Monitoring: https://www.sans.org/posters/i...
Top 5 ICS Incident Response Tabletops: https://www.sans.org/blog/top-...
My weekly ICS Defense Force LiveStream: https://www.youtube.com/playli...
It's a special mailbag episode from John Hubbard! After two full seasons, John asks listeners what questions they have for him. In answering, he touches on the current XDR trend, how other teams can support SOC activities, defining security mindset, and more.
In this solo episode to wrap up season 2, John discusses some of the key takeaways from the guests interviewed throughout this year, and has some very exciting news for all blue teamers on a brand new GIAC certification: the GIAC GSOC.
We all need solid, well-thought-out playbooks to help standardize our response to common threat scenarios. In this episode we speak with Thomas Detzner and Mark Morowczynski about the brand new set of Microsoft incident response playbooks that were just released. This is a brand new effort to meticulously document prerequisites, investigation steps, and remediation process for the scenarios most commonly seen by the Microsoft incident response teams, and you definitely won't want to miss it.
Resources mentioned in this episode:
Playbooks discussed in this episode: https://aka.ms/irplaybooks
Azure Event Hub: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub#access-data-from-your-event-hub
Security Baselines: https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1909-and-windows-server/ba-p/1023093
Security Auditing and Monitoring Reference: https://www.microsoft.com/en-us/download/details.aspx?id=52630
Compliance and audit checks can be painful, and that's before you introduce additional cloud services and technology. In this episode featuring AJ Yawn we discuss some incredibly useful and actionable cloud security concepts and tools that can help your team boost visibility and reduce user permissions to help prevent breaches before they happen. In addition, we discuss what a good compliance audit should be, and how to turn audits from painful to incredibly valuable.
Resources mentioned in this episode:
AWS CloudTrail: https://aws.amazon.com/cloudtrail
AWS Well-Architected Framework: https://aws.amazon.com/architecture/well-architected
AWS Config: https://aws.amazon.com/config
AWS Organizations: https://aws.amazon.com/organizations
AWS Service Control Policies (SCP): https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
There are numerous ways to test your SOC's detection and prevention capabilities, but not all are created equal. Each has its own strengths and weaknesses, and can be done on a different time scale. This week, we focus on arguably one of the most important: adversary emulation. In this episode we speak with Jamie Williams from the MITRE ATT&CK team about why adversary emulation is important, how it works, how you can get started regardless of the size of your team, and how to track and run an adversary emulation test.
PowerShell may seem intimidating, but it can be one of the most amazing and useful tools at your disposal...if you know how to use it. In this episode, we have Josh Johnson giving you a masterful crash course in:
The importance of PowerShell
How PowerShell works, and how to set yourself up to use it
Blue team use cases for log analysis, incident response and more
How to stop attackers from leveraging PowerShell
Some of the amazing automation and playbook opportunities you may be missing out on
Lots of actionable content for defenders here, don't miss this episode!