Cybersecurity Blue Team Services
Lockard offers robust offensive and defensive cybersecurity solutions, commonly known as Red Team and Blue Team services. On this page we’re going to talk about our defensive cybersecurity services, known as the Blue Team. We’re often asked what the difference is between our cybersecurity red team and blue team services, and we’re happy to answer that question along with any others you may have. Click the Red Team link to learn more about Lockard’s Red Team Cybersecurity services, and check out what Wikipedia says. Our Cybersecurity Blue Team Services are a mix of people, processes and technology. Our folks are industry-certified experts with backgrounds in cybersecurity architecture and engineering, penetration testing, incident handling and response, malware analysis, threat intelligence and threat hunting. The technology we leverage ranges from what we recommend and use ourselves to whatever technology our customers bring. Our tactics, techniques and processes are crafted from years of experience working in Fortune 500 companies, government agencies and the military.
Lockard’s Cybersecurity Blue Team Service provides 24 x 7 x 365 coverage from our experienced, certified experts. We keep eyes on screens, hands on keyboards and ears ready to answer calls or jump on conference calls. Our team of experts monitors, alerts and responds to incidents in real time. Depending on your company’s needs, you can either leverage Lockard’s Cybersecurity Blue Team as your entire Information Security (InfoSec) department, or we can work closely with your existing InfoSec team as needed. Our team will create run books, identify gaps and make recommendations where needed.
Blue Team Tools – SIEM
For an Information Security organization to be successful requires more than just head count; it also requires tooling. The core of the Blue Team toolkit is the Security Information and Event Management (SIEM) platform. A SIEM is an extremely important tool in the arsenal, providing organizations with next-generation detection, analytics and response capabilities. SIEMs leverage advanced rule correlation paired with machine learning to alert on known-bad and suspicious patterns of behavior. SIEM architecture can get fairly complex and complicated depending on the company’s environment. For Lockard to be successful, a SIEM is required. Due to the extreme costs of buying and running a SIEM, we realize not all companies have one. That is why Lockard will include a SIEM if you don’t have one.
If you already have a SIEM, Lockard will work with it. Our experts will tune SIEM rules to improve the signal-to-noise ratio, investigate alerts and drive incident response efforts to completion. Lockard experts will provide recommendations and suggestions to improve operations, meet any compliance needs and troubleshoot issues that may arise. A SIEM is a living thing that keeps growing and changing, so we ensure all of the requirements to take full advantage of it are met: log data, NetFlow, EDR integration and more advanced features like Security Orchestration, Automation and Response (SOAR). If you don’t have a SIEM, Lockard will bring ours and integrate it into your company’s ecosystem.
Blue Team Tools – SOAR
Once the SIEM has been tuned and running smoothly for a period of time, the next logical step is to build in additional automation capabilities. Generally speaking, this is referred to as Security Orchestration, Automation and Response (SOAR). SOAR technology helps coordinate, execute and automate tasks between various people and tools, following what are typically referred to as run books.
Taking full advantage of SOAR requires a complete ecosystem of security tools that work together and support integrations with each other. Most commonly, prebuilt connectors between security tools are the easiest way to accomplish this. More advanced integrations leverage APIs and/or webhooks. Additionally, SSH and/or Remote PowerShell can be used to trigger scripts and other tasks as defined in those run books.
SOAR is typically a long-term goal for organizations. What makes it so challenging is the risk of false positives interrupting business operations. Taking down production systems can have a detrimental impact on a company’s bottom line, so it’s important to roll out SOAR capabilities slowly, starting with alerts that carry a high level of confidence. Most companies require run book validation, auditing and change tracking, along with extensive testing prior to a production deployment. SOAR also requires Security Engineers who understand code and can write and troubleshoot it; otherwise companies will not get the full benefit of the SOAR tool. This is where Lockard’s experts can help bridge that potential gap. As Lockard matures your company’s InfoSec environment, we’ll introduce more advanced capabilities and features like SOAR.
One thing our customers love about us is the value we add. You can loop us into projects, important meetings or regular ongoing weekly status meetings. Our folks will work side by side with yours to ensure things are being handled and nothing slips through the cracks. We’re also very skilled in automation and integration, which comes in handy when connecting tools and processes together. We can build out alerting pipelines that include ticket generation and parse out key data points to help speed up the mean time to acknowledgement, containment and mitigation.
Managed Detection and Response
Managed Detection and Response (MDR) is a very important security control for protecting endpoints. The days of Anti-Virus stopping malicious code are over, as traditional Anti-Virus is trivial to circumvent. Endpoint Detection and Response (EDR) is the replacement for Anti-Virus; it’s also known as Next-Generation Anti-Virus and is a prerequisite for MDR. Companies can either bring their own EDR or Lockard can bring ours. Either way, Lockard will manage the EDR: ensuring it’s running and installed on all hosts in scope, managing versioning, troubleshooting issues, and creating policies and rules to tune it for the environment it lives in. This entire service is referred to as MDR and is one of the extra features Lockard’s Cybersecurity Blue Team services offer.
To maximize the capabilities of the Blue Team, we highly recommend having a solid Endpoint Detection and Response (EDR) solution. It’s important to have deep visibility and telemetry from the endpoints, along with a way to respond to issues, such as quarantining a device, which allows an incident to be contained. Lockard is an MSSP partner of CrowdStrike, and their product is the best for a reason. Gartner ranks them as the best, and we’ll always recommend CrowdStrike to our customers for as long as there is nothing better. 15 years ago, before EDR, Lockard recommended the paid versions of AVG and Malwarebytes. Unfortunately those days are long gone, and to ensure our customers have the highest chance of winning the cyber war, Lockard will always partner with the best vendors and products out there.
Risk Management is more than just patching, but patch management is equally important when it comes to a well-rounded, defense-in-depth strategy. Lockard’s Cybersecurity Blue Team can own the risk management facet of your company. This includes vulnerability scanning of all internal and external-facing assets, a detailed assessment of the findings, and prioritization based on your company’s threat landscape, vulnerability severity and likelihood of exploitation. Armed with this knowledge, our teams can create a plan of attack to address the highest-risk items first. In the event vulnerabilities are identified that the business is unable to address (e.g. install the latest patch), we’ll work together with the company on a risk exception and acceptance process to help mitigate the risks associated with the vulnerabilities discovered. This may take the form of re-engineering and architecting a new solution and/or layering additional security controls and capabilities in front of the vulnerable system.
Ransomware is one of the biggest threats companies face, and without solid security controls in place the damage can be catastrophic. This is why our Cybersecurity Blue Team works to understand the company’s entire environment. We’ll look at the company’s data classification levels and how they are managed and enforced. We’ll also look at the identity systems and work with the IAM folks to understand how authentication, authorization and auditing take place: whether there are local accounts, break-glass accounts, federation, SAML, Single Sign-On (SSO) and/or Multi-Factor Authentication (2FA) configured, and where. We’ll review network architecture diagrams, cloud architecture diagrams, and web application and database architecture diagrams. This process typically includes meeting with key folks like architects and engineers to understand the landscape completely, inside and out, including how ingress and egress are configured and work in all of the environments. Our deep dive spans SaaS, PaaS and IaaS cloud environments, HQ, branch offices and colo data centers. Conducting such thorough research and investigation allows our team to fully understand the potential impact ransomware could have on the company.
Data retention is important in the event ransomware hits successfully; having working backups that are not infected, corrupted or encrypted by the ransomware is as important as everything else listed above. Offsite and offline backups can be the saving grace when hackers break in and encrypt mission-critical data and servers. Our Blue Team services can help identify what should be backed up, how often, and the type of backup (full vs. differential vs. incremental); audit the permissions on the backups to prevent over-privileged access; and copy backups to multiple locations while maintaining off-network / offline copies as well.
Data Loss Prevention
Data Loss Prevention (DLP) is extremely important and is something we find most companies aren’t doing, or aren’t doing correctly. DLP comes in many different forms, each with its own capabilities and limitations. It’s important that data loss prevention is taken into consideration when creating security standards, policies and guidelines. Insider threat is a real problem, and your company’s intellectual property (IP) is what makes your company unique, competitive and ultimately valuable. Industrial espionage is a risk that can put a company out of business. DLP is the main line of defense against these threats, and it requires eyes on screens and hands on keyboards around the clock, 24 x 7, to monitor and catch these attacks in real time when they happen. This is where Lockard’s Cybersecurity Blue Team comes in to help offload this burden. Our folks can bring the technology, make recommendations, test and tune, and monitor and respond to alerts 24 x 7.
Network Security is a very important part of the frontline defense posture. A company’s firewalls are one of the first lines of defense; this includes Web Application Firewalls (WAF), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), stateful next-generation firewalls, cloud firewalls, load balancers and VPN concentrators. Beyond these devices, switches and wireless access points (WAP) / Wi-Fi are also part of the attack surface that must be configured, managed and monitored 24 x 7. Our network security experts can make recommendations for your existing network infrastructure or bring our own to improve the overall security posture, raising the bar by starting at the network layer.
Our breadth of experience allows us to operate in on-prem, cloud and hybrid environments. We can review existing security standards, policies and guidelines and make suggestions and recommendations for improvement, or we can create these standards, policies and guidelines from scratch as needed. These help align controls and processes so they are repeatable and establish baselines. In most situations, these items are required for compliance frameworks like ISO and HIPAA.
In closing, Lockard’s Cybersecurity Blue Team Services are tailored to each customer’s needs, as we understand not every customer is the same or has the same requirements. Lockard prides itself on being realistic with our customers. We do not offer one size fits all, and we do not use scare tactics. We approach everything based on risk, and our conversations always include a risk-based approach backed by data and facts. These guiding principles allow our services to be flexible and fit within our customers’ budgets. Not every customer needs the kitchen sink, but when they do, we have it available!
Do I need a Cybersecurity Blue Team?
We hear this question a lot, and the short answer is yes. However, the term Cybersecurity Blue Team is a very high-level description of a Security Operations Center (SOC), aka Cyber Defense Centre (CDC). Building out a Blue Team in house can typically run a company millions of dollars a year. What makes this number so high is the required head count of Full Time Employees (FTE), along with the tools these folks need to be effective: SIEM, SOAR, EDR, firewalls, investigation and ticketing systems, etc. The tools require a Highly Available (HA) architecture, and due to the sensitivity of the data and their reach, significant engineering effort is required to ensure everything is hardened and locked down. Architecting, engineering, maintaining and troubleshooting the tools, along with monitoring, alerting, response and conducting investigations 24 x 7 x 365, is extremely expensive. Junior Security Analyst FTEs run a company anywhere from $90k – $150k a year. Mid-level Security Analysts and Security Engineers start at $110k and can go up to $200k a year. Senior Security Analysts and Engineers start at $125k and can easily go over $250k. Staff Security Analysts and Engineers start at $150k and can reach $300k. Principal Security Engineers start around $200k and can reach over $500k. That’s not to mention the managers, directors, project managers, etc. On average, staffing a well-rounded shift of tiered experts 24 x 7 x 365 requires a minimum of 7 FTEs, but we recommend 15.
This is why companies elect to outsource their Cybersecurity Blue Team requirements to a Managed Security Services Provider (MSSP) like Lockard. Our experts are standing by to hit the ground running; we can onboard and start protecting your company for a fraction of what it would cost to bring this capability fully in house. Our terms are very flexible, and we offer multi-year discounts and bundled discounts for adding capabilities on to our Blue Team services.
We look forward to discussing how Lockard can help protect your company from domestic, international and insider threats. The threat landscape is ever changing, and companies that lack the knowledge, tooling and personnel will be at risk of a successful cyber attack. This risk includes damage to the company’s reputation, loss of revenue, regulatory fines, legal fees and other unforeseen damages.
Allow Lockard to Protect Your Business | Protect Your Data | Protect Your Reputation.