Blue Team

If the [red-team] is playing offense, then the blue team is on defense. Typically, this group consists of incident response consultants who provide guidance to the IT security team on where to make improvements to stop sophisticated types of cyberattacks and threats. The IT security team is then responsible for maintaining the internal network against various types of risk.

While many organizations consider prevention the gold standard of security, detection and remediation are equally important to overall defense capabilities. One key metric is the organization’s “breakout time” — the critical window between when an intruder compromises the first machine and when they can move laterally to other systems on the network.

CrowdStrike typically recommends a “1-10-60 rule,” which means that organizations should be able to detect an intrusion in under a minute, assess its risk level within 10 minutes and eject the adversary in less than one hour.
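The breakout-time and 1-10-60 ideas above are only useful to a blue team if they are measured. The following is an added example, not code from the original page or from CrowdStrike: it scores a constructed incident timeline against the 1-10-60 targets and records whether the adversary was ejected before their observed breakout (first lateral movement). The field names (`initial_compromise`, `detected`, `assessed`, `ejected`, `first_lateral_movement`) and the choice to measure every stage from the initial compromise are assumptions for the example; a real incident tracker would map its own timeline fields onto them.

```python
from datetime import datetime, timedelta

# 1-10-60 targets as stated in the text: detect in 1 minute, assess the risk
# in 10 minutes, eject the adversary in 60 minutes.
TARGETS = {
    "detect": timedelta(minutes=1),
    "assess": timedelta(minutes=10),
    "eject": timedelta(minutes=60),
}

# Stage name -> timeline field (assumed names) whose timestamp ends that stage.
STAGE_FIELDS = {"detect": "detected", "assess": "assessed", "eject": "ejected"}


def stage_durations(incident: dict) -> dict:
    """Return {stage: timedelta or None}, each measured from initial compromise.

    Assumption: every stage is measured from the first-machine compromise, the
    same reference point breakout time uses. A stage whose timestamp is missing
    (the incident is still open at that stage) yields None. Timestamps are
    ISO 8601 strings.
    """
    start = datetime.fromisoformat(incident["initial_compromise"])
    durations = {}
    for stage, field in STAGE_FIELDS.items():
        ts = incident.get(field)
        durations[stage] = None if ts is None else datetime.fromisoformat(ts) - start
    return durations


def evaluate_incident(incident: dict) -> dict:
    """Grade one incident against 1-10-60 and against the adversary's breakout.

    An open (unfinished) stage counts as a missed target. Breakout time is the
    interval from initial compromise to the first observed lateral movement;
    the adversary was stopped before breakout if they were ejected and either
    never moved laterally or were ejected before they did.
    """
    durations = stage_durations(incident)
    met = {stage: d is not None and d <= TARGETS[stage] for stage, d in durations.items()}

    start = datetime.fromisoformat(incident["initial_compromise"])
    lateral = incident.get("first_lateral_movement")
    lateral_ts = None if lateral is None else datetime.fromisoformat(lateral)
    ejected_ts = None if incident.get("ejected") is None else datetime.fromisoformat(incident["ejected"])

    breakout_time = None if lateral_ts is None else lateral_ts - start
    stopped_before_breakout = ejected_ts is not None and (lateral_ts is None or ejected_ts < lateral_ts)

    return {
        "id": incident["id"],
        "durations": durations,
        "met": met,
        "all_met": all(met.values()),
        "breakout_time": breakout_time,
        "stopped_before_breakout": stopped_before_breakout,
    }


def summarize(incidents: list) -> dict:
    """Aggregate 1-10-60 compliance over a batch of incidents."""
    reports = [evaluate_incident(i) for i in incidents]
    return {
        "total": len(reports),
        "met_by_stage": {stage: sum(r["met"][stage] for r in reports) for stage in TARGETS},
        "fully_compliant": [r["id"] for r in reports if r["all_met"]],
        "still_open": [r["id"] for r in reports if r["durations"]["eject"] is None],
    }


# Constructed sample timeline (not real incident data).
SAMPLE_INCIDENTS = [
    {   # Caught and ejected inside every target; adversary never moved laterally.
        "id": "INC-1", "initial_compromise": "2024-03-01T09:00:00",
        "detected": "2024-03-01T09:00:40", "assessed": "2024-03-01T09:08:00",
        "ejected": "2024-03-01T09:45:00", "first_lateral_movement": None,
    },
    {   # Slow detection and slow ejection; adversary broke out after 20 minutes.
        "id": "INC-2", "initial_compromise": "2024-03-01T10:00:00",
        "detected": "2024-03-01T10:03:00", "assessed": "2024-03-01T10:09:00",
        "ejected": "2024-03-01T11:30:00", "first_lateral_movement": "2024-03-01T10:20:00",
    },
    {   # Detected quickly but still open: no assessment or ejection yet.
        "id": "INC-3", "initial_compromise": "2024-03-01T12:00:00",
        "detected": "2024-03-01T12:00:30", "assessed": None,
        "ejected": None, "first_lateral_movement": None,
    },
]

if __name__ == "__main__":
    for report in (evaluate_incident(i) for i in SAMPLE_INCIDENTS):
        print(report["id"], report["met"], "breakout:", report["breakout_time"],
              "stopped before breakout:", report["stopped_before_breakout"])
    print(summarize(SAMPLE_INCIDENTS))
```

Treating an unfinished stage as a miss keeps open incidents from inflating the compliance numbers, and tracking breakout separately from the fixed 1-10-60 clocks shows whether the response was fast relative to this particular adversary, not only relative to the rule of thumb.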