Blurple Teaming: Open Source Continuous Security Testing in the SOC

Video: https://www.youtube.com/watch?v=AfLCNH-ndwk
Duration: 33:46

SANS Blue Team Summit 2023
Speaker: David Hunt, Co-Founder & CTO, Prelude

We'll begin this talk with a brief history of purple teaming, TTPs, and security testing, and the technical and organizational pitfalls that hinder scalability. We'll then immediately dive into an introduction of open source Verified Security Tests (VSTs) (https://github.com/preludeorg/test), a more structured, scale-ready format of the TTP. VSTs have characteristics that encourage scale and safety. In the context of this presentation, we'll focus on VSTs that are designed to test the efficacy of defensive technologies. Verified Security Tests can be mapped to classification systems such as MITRE ATT&CK, CVE, or NIST controls. Mapping tests provides a natural grouping, so you can analyze results through a lens you're already familiar with.

The second component to introduce is open source probes (https://github.com/preludeorg/libraries): temporary processes that require no special privileges and no installation to run. A probe can just be started. Probes are designed to be very lightweight, measuring between 1 and 50 KB on disk, and to run anywhere you have code. As such, probes can be deployed on devices ranging from laptops to servers to cloud environments and OT infrastructure. Combining probes and VSTs provides a foundation for continuous security testing of production endpoints.

This presentation will then dive into a brand new concept, Blurple Teaming: deploying continuous security testing at scale, integrating defensive controls, and embedding the process within the SOC to better improve defenses. By attaching an EDR control, users are able to send all missed detections to a vendor in real time: every time a VST should have been caught but wasn't, the event can be sent to the vendor for analysis. By running VSTs continuously, you can validate whether or not a fix is deployed within a reasonable time period.

After outlining the technology and process, we'll begin an interactive session where attendees can follow along with a quick start tutorial for deploying probes and running verified security tests. By the end of the session, attendees will have deployed multiple probes, created a schedule of VSTs, and begun collecting results.
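The abstract above describes three analysis steps the SOC performs on continuous test results: rolling outcomes up by a classification system (here MITRE ATT&CK), forwarding every missed detection to the EDR vendor, and checking whether a fix lands within a reasonable window. The following is an added example written for this page; it is not Prelude's code, and it does not use the real VST or probe result format. The test catalogue, the ATT&CK technique ids attached to it, the host names and the result stream are all constructed sample data, and the seven-day SLA is an assumed value.

```python
"""Constructed illustration of analysing continuous-security-test results.

Added example, not Prelude's code or its VST/probe format. Assumes a result
stream in which each probe run reports one outcome per test, and each test is
mapped to a MITRE ATT&CK technique id (the mappings below are placeholders).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed test catalogue. Technique ids are placeholders chosen for the
# example, not taken from any real test set.
TESTS = {
    "vst-001": {"name": "archive staged for exfil", "technique": "T1560"},
    "vst-002": {"name": "credential file access", "technique": "T1552"},
    "vst-003": {"name": "scheduled task persistence", "technique": "T1053"},
}

# Constructed result stream: (timestamp, host, test id, outcome).
# "protected" means the defensive control stopped or detected the test;
# "unprotected" means the test ran to completion unnoticed.
RESULTS = [
    ("2023-07-01T09:00", "laptop-01", "vst-001", "unprotected"),
    ("2023-07-01T09:00", "laptop-01", "vst-002", "protected"),
    ("2023-07-01T09:00", "laptop-01", "vst-003", "unprotected"),
    ("2023-07-03T09:00", "laptop-01", "vst-001", "protected"),
    ("2023-07-03T09:00", "laptop-01", "vst-002", "protected"),
    ("2023-07-03T09:00", "laptop-01", "vst-003", "unprotected"),
    ("2023-07-09T09:00", "laptop-01", "vst-001", "protected"),
    ("2023-07-09T09:00", "laptop-01", "vst-003", "unprotected"),
    ("2023-07-09T09:00", "server-07", "vst-003", "protected"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def coverage_by_technique(results, tests):
    """Latest outcome per (host, test), rolled up by ATT&CK technique."""
    latest = {}
    for ts, host, test_id, outcome in sorted(results):  # ISO timestamps sort lexically
        latest[(host, test_id)] = outcome
    summary = defaultdict(lambda: {"protected": 0, "unprotected": 0})
    for (host, test_id), outcome in latest.items():
        summary[tests[test_id]["technique"]][outcome] += 1
    return dict(summary)


def missed_detections(results):
    """Events the SOC would forward to the EDR vendor: every unprotected run."""
    return [(ts, host, test_id)
            for ts, host, test_id, outcome in results if outcome == "unprotected"]


def time_to_fix(results, sla=timedelta(days=7)):
    """For each (host, test) first seen unprotected, report the time until the
    first protected run, or an open finding with elapsed time if the test is
    still unprotected at the most recent run. sla is an assumed window."""
    first_miss, fixed_at, last_seen = {}, {}, {}
    for ts, host, test_id, outcome in sorted(results):
        key, t = (host, test_id), _ts(ts)
        last_seen[key] = t
        if outcome == "unprotected" and key not in first_miss:
            first_miss[key] = t
        elif outcome == "protected" and key in first_miss and key not in fixed_at:
            fixed_at[key] = t
    report = {}
    for key, started in first_miss.items():
        if key in fixed_at:
            elapsed = fixed_at[key] - started
            report[key] = {"status": "fixed", "elapsed": elapsed, "sla_met": elapsed <= sla}
        else:
            elapsed = last_seen[key] - started
            report[key] = {"status": "open", "elapsed": elapsed, "sla_met": elapsed <= sla}
    return report


if __name__ == "__main__":
    for technique, counts in coverage_by_technique(RESULTS, TESTS).items():
        print(technique, counts)
    print("missed detections to forward:", len(missed_detections(RESULTS)))
    for key, info in time_to_fix(RESULTS).items():
        print(key, info["status"], info["elapsed"].days, "days, SLA met:", info["sla_met"])
```

Two design choices matter for a SOC using this kind of rollup. Coverage is computed from the latest result per host and test, so a test that is now caught no longer counts against the technique, while the missed-detection feed keeps every unprotected run so the vendor sees the full history. The time-to-fix report keys on the host as well as the test, because the same test can be protected on one endpoint and still open on another, which is exactly the gap continuous testing on production endpoints is meant to expose.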

View upcoming Summits: http://www.sans.org/u/DuS