The Legend Of Blue Team Pat

Opinionated Security
CISO & Cyber Leaders
9 min read · Dec 22, 2020

In the bosom of one of those spacious second-tier digitally transformed technology tax zones that dot the coast, you can find the small newly gentrified section of the city in which resides Blue Team Pat.

Blue Team Pat had always been considered an odd lot by friends — never having worked a shift in a SOC and with no desire to be a red teamer. The doctor that birthed Blue Team Pat still to this day swears that Pat mouthed the word, “syslog”, at birth.

Blue Team Pat had joined the security team out of college about 10 months ago. The team had done a good job of setting expectations with their leadership around “assume breach”, so they knew there would be little penalty when the inevitable breach did occur. Not much else needed to be done except for whatever tidbits could be gleaned from the latest compromises of other organizations that had been made popular on social media.

But while Blue Team Pat had the same few followers on social media as in real life, Pat over time became quite the legend for successfully defending networks and systems. At first, it was the people on Pat’s own security team who realized that Pat had an unusual knack for getting identified security risks under treatment plans and closed. But little else was noticed, because, well, blue teams were simply not that interesting and few (if any) talked about blue team successes on social media. Prevailing wisdom said that networks can’t be secured. The budget for the team that Blue Team Pat was a part of would never be large enough to have any chance at success. Blue teams were for the big organizations. Small teams like this one decided that purple teams were instead warranted.

When Pat’s co-workers on the purple team sufficiently marveled at the blue team’s progress and they realized that the network remained safe by something other than blind luck, they finally worked up the courage to ask Pat about the secret of defending the network.

Blue Team Pat, initially mistaking the interest for a lunch invitation, rolled back the brightly accented gaming chair, being ever so careful to stay on the clear plastic chair mat that the company provided to protect the wood flooring. Sam, being the most recent hire onto the information security team, was the only one who formed the question. Sam could feel the awkwardness in the air with everyone gathered around Pat’s desk, but took the initiative to pierce right through it by asking, “how do you do it? How can you defend the network so well?”

Blue Team Pat thought about the question for a moment, readjusted the Bluetooth headset which always seemed to move just a tad out of place when talking in real life, and at a barely audible volume responded with, “the basics.” “The basics?” asked Sam. “Yes, the basics,” reaffirmed Pat in a slightly louder tone.

Everyone else listening to Pat’s response looked at each other, nodding approvingly. Of course, none of them really knew what Blue Team Pat meant by “the basics”. They then left for their pre-agreed lunch spot in such a rush that they forgot to mention to Pat where they were going.

Once the purple team had sat down for lunch and posted their obligatory selfies onto social media, Alex was in the process of asking if the team had forgotten to invite Blue Team Pat, only to be interrupted just a few seconds later by Terry who asked, “what do you think that Blue Team Pat meant by ‘the basics’?”

A long pause followed in which everyone hoped that someone else would verbalize the answer. But, even after a few minutes of everyone silently looking at their food, no one had.

Alex, then said, “the basics must be some sort of AI enabled, machine learning software that defends any network right out of the box”. Clearly, this could be the only way that the blue team was able to keep track of the ever increasing data points needed to protect the network. Everyone loudly agreed that this must be the case, especially after Terry added that the software must be one of the latest which were known to have zero false positives.

After lunch, they all smugly returned to their cubicles around the cubicle in which Blue Team Pat sat and told stories about what had happened at lunch while holding the restaurant’s take out cups in their hands. They were smug because they had obviously reverse engineered Blue Team Pat’s secret. Blue Team Pat quickly dropped from their topics of conversations, everyone returned to posting on social media during the work day to influence others about information security, and everything was soon back to normal and forgotten.

A few weeks later, an external audit team had been contracted to conduct the annual risk assessment and the usual small pen test. After the exercise, the contractors provided an executive summary to the managers because, normally, none of the executives had any interest in the pen test results. They knew what the results would be: exactly the same as last year. The auditors mentioned how they had continually been stymied during the pen test by the inability to gain the access or privileges they needed, and that once machines were finally compromised, those same machines were immediately pulled offline. Blue Team Pat just smiled and returned to Pat’s desk.

The managers, upon hearing the news about the findings, couldn’t stop smiling. For years, the annual risk assessment and pen test had returned the exact same set of findings and, this year, none of those findings were on the new, and obviously much shorter, list.

In the midst of the excitement and back slapping among the team and managers, Alex briefly thought about making a mental note to ask Blue Team Pat how last year’s pen test findings might have been resolved. That’s when Alex realized that Blue Team Pat had already left. Pat sure seemed to like spending inordinate amounts of time talking to other IT teams and understanding their priorities and issues rather than spending the appropriate amount of quality time complaining about the users and commiserating about the lack of resourcing with the rest of the security team.

Meanwhile, the managers wanted to know how the findings had been remediated. With the usual air of confidence, Terry spoke for the entire team by saying that they had found a free demo version of new AI, machine learning enabled software that magically fixed everything. The managers listened intently and, after hearing what they had hoped for, then decided as a group that they’d need to share the news with the executives.

Alex wasn’t as confident about sharing the news with the executives. The security team barely knew anything about the software themselves. It didn’t matter though; Alex’s concerns were soon forgotten. The managers had apparently rushed out of the meeting room so fast to share the news with the executives that none of them had asked for more details.

After sharing the audit results, the managers had never seen such excitement in the executives. They were high fiving and making comments about how the Board would be so pleased. The executives insisted to know how this development had all come about. The managers couldn’t withhold their pleasure in explaining that they had approved hiring of more internal purple teamers over the past year and these purple teamers had spearheaded a proof of concept of new AI, machine learning enabled software. Since, in this particular case, causation obviously equaled correlation, the software’s proof of concept scope used by the new purple team members must have included fixing of the perennially unfixed audit findings. That was the only explanation that made sense and clearly justified the investment in the purple team.

The executives clearly liked the logic as much as they liked the AI, machine learning enabled aspect of the software. They declared that they would expand the information security team’s budget to buy all of the required licenses for this software and also open more budget next year for an additional expansion of the purple team.

Unfortunately, Blue Team Pat wouldn’t get any more help. And, no one even considered that Pat should be in the discussions with the software vendors. It wouldn’t have mattered anyway as Blue Team Pat had already left on a much needed three week vacation.

The managers didn’t want to lose any momentum. “Of course, we have exactly what you need,” vendor after vendor exclaimed early in the discovery calls. By week’s end, the managers had a stack of vendor quotes more than an inch high. One of the managers had once heard someone say on social media that “you get what you pay for in cyber security,” so it only made sense to choose the most expensive solution that was quoted. The selected vendor, having not had a single sale that entire year, pulled all of the idle professional consultants off the bench and had the solution configured by the end of the second week.

Blue Team Pat had always performed the coordination of security software deployments since being hired. This was largely because the purple team couldn’t be bothered with these details; they had more important work to do. Since Blue Team Pat was out on vacation and Terry and Alex could still sign in as domain administrators, Terry and Alex decided to own deploying the agents themselves instead of putting in a ticket, or otherwise coordinating, for the platform team to deploy the agents. Terry and Alex deployed the agents from their own list of assets, which they believed was a year old but was probably closer to two years old. There were a fair number of complaints, and the easiest fix seemed to be whitelisting the complaining users within the application on some operating system versions and rolling back the deployment on others. However, even the rollback didn’t work for some users who were having issues, so, since they were in a rush, Alex and Terry simply made those users local administrators on their machines. This seemingly fixed all of the problems, so Alex and Terry simply didn’t respond to questions and complaints from the IT platform team.

Alex and Terry also didn’t feel the need to send any messages to Blue Team Pat as they figured that, based on what the vendor told them, this was probably the software that Blue Team Pat had tested anyway. The deployment was finished by the time that Blue Team Pat was landing at the airport and heading home from vacation.

Blue Team Pat returned to work the next Monday. Something seemed strangely amiss. Pat had fresh metrics generated just that morning showing that local admin had been restored to a seemingly random set of users and that new software had been installed on some large set of machines. Pat even double-checked the date. Blue Team Pat thought, “this is just how things were when I started.”

Blue Team Pat went to speak to Alex, who was an informal leader on the security team, to express some concerns. Just as the conversation started, both of their phones blew up with alerts. There was an incident!

Blue Team Pat worked all day with the rest of the team and, when they left at 3 pm for the day, Pat continued working through the night and into the wee hours of the morning to respond to the incident. The other team members supported Pat by posting on social media about the incident until they went to sleep. The new software did not play a role in stopping the incident that night. Blue Team Pat was able to contain the incident by ensuring full coverage on assets, limiting privileges, and returning to a known baseline.
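Pat’s Monday-morning metrics (local admin handed to random users, new software on a large set of machines) and the three containment steps above are the same mechanism seen from two sides: a known-good baseline, a fresh snapshot, and a diff between them. The following is an added example, not code from the original post, showing that drift check over a constructed inventory; the host names, user names and package names are made up for illustration, and the field names are assumptions about what an asset inventory export would carry.

```python
"""Baseline drift check: coverage, privilege and software drift.

Added example, not from the original post. Compares a saved known-good
baseline against a fresh snapshot and reports exactly the three kinds of
drift the story turns on, then maps each finding to a containment action.
All inventory data below is constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    agent_installed: bool          # security agent present (asset coverage)
    local_admins: frozenset        # members of the local Administrators group
    software: frozenset            # installed package names


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str      # "coverage" | "privilege" | "software" | "unknown_host"
    subject: str   # user, package, or a short reason


# Constructed known-good baseline (assumed field names).
BASELINE = {
    "ws-001": Host("ws-001", True, frozenset({"Administrator"}), frozenset({"edr-agent", "office"})),
    "ws-002": Host("ws-002", True, frozenset({"Administrator"}), frozenset({"edr-agent"})),
    "ws-003": Host("ws-003", True, frozenset({"Administrator"}), frozenset({"edr-agent", "office"})),
}

# Constructed snapshot after an uncoordinated rollout: a user made local
# admin, an unbaselined agent installed, a rollback that removed coverage,
# a host nobody knew about, and a host that dropped out of inventory.
CURRENT = {
    "ws-001": Host("ws-001", True, frozenset({"Administrator", "jdoe"}),
                   frozenset({"edr-agent", "office", "vendor-agent"})),
    "ws-002": Host("ws-002", False, frozenset({"Administrator"}), frozenset()),
    "ws-004": Host("ws-004", False, frozenset({"Administrator", "asmith"}),
                   frozenset({"vendor-agent"})),
}


def diff_inventory(baseline: dict, current: dict) -> list:
    """Return drift findings, ordered by host so output is stable."""
    findings = []
    for name, host in sorted(current.items()):
        base = baseline.get(name)
        if base is None:
            # A host with no baseline cannot be judged; it must be enrolled first.
            findings.append(Finding(name, "unknown_host", "not in baseline"))
            continue
        if base.agent_installed and not host.agent_installed:
            findings.append(Finding(name, "coverage", "agent missing"))
        for user in sorted(host.local_admins - base.local_admins):
            findings.append(Finding(name, "privilege", user))
        for pkg in sorted(host.software - base.software):
            findings.append(Finding(name, "software", pkg))
    # Hosts that vanished from the snapshot are a coverage gap too.
    for name in sorted(set(baseline) - set(current)):
        findings.append(Finding(name, "coverage", "absent from snapshot"))
    return findings


def summarize(findings: list) -> dict:
    """Counts per drift kind; the 'metrics' a defender would watch daily."""
    return dict(Counter(f.kind for f in findings))


def containment_plan(findings: list) -> list:
    """Map each finding to one of the three containment steps in the story."""
    actions = {
        "privilege": "remove-local-admin",   # limit privileges
        "software": "uninstall",             # return to known baseline
        "coverage": "deploy-agent",          # ensure coverage on assets
        "unknown_host": "enroll-and-investigate",
    }
    return [(actions[f.kind], f.host, f.subject) for f in findings]


if __name__ == "__main__":
    found = diff_inventory(BASELINE, CURRENT)
    print(summarize(found))
    for step in containment_plan(found):
        print(step)
```

The check is deliberately set-based: anything not in the baseline is drift, regardless of which vendor’s agent or which user it is, which is what lets it catch an uncoordinated rollout from a stale asset list rather than only a known bad indicator.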

“The basics,” muttered Pat.

And on that fateful night, the legend of Blue Team Pat was born.

The next day, the other team members were thrilled that the incident had been handled by Blue Team Pat. They high fived with Pat and talked about how powerful the AI, machine learning enabled software was and how it completely stopped the incident. The managers received spot bonuses from the executives and Alex and Terry received kudos from the managers for having deployed the software that stopped the incident in the most powerfully worded kudos in the history of the company.

But Blue Team Pat became the legend. The one who’d found the software that saved the day.

Despite the new legend status and a set of lunch invitations, Blue Team Pat returned to the cubicle and went back to work.

If you are looking for a moral to the story: things will never change for security practitioners who work in a vacuum, even if they are doing all of the right things to secure their network and systems.


Tony Grey * CISO for an insurance company * grew team from 3 to 22 * led large software teams at Microsoft * blogs about cyber leadership & program development