BRSE terminology and objectives are incorporated into the paperwork and adopted in practice.
There is one cybersecurity team, with virtual roles covering all BRSE functions rotated among ALL personnel except the director and the manager.
The same cybersecurity team is dedicated to the same set of IT environments, with limitations on size and complexity. The IT estate is limited to the attack tree of the relevant breach types.
There is no traditional escalation; however, senior personnel are available to help, and alarms auto-escalate when acknowledgment is missed. There is also centralized management of the "major incident commander" type.
There are always two analysts on shift, available for breach response 24/7 on a rotation basis (ideally 8-hour shifts). Both receive the same alerts and coordinate with each other.
Vulnerability management, hardening, patching, and security engineering all feed into and are driven by [threat] breach modeling, with the end goal of denying and disrupting as many TTPs as possible. Always link to the TTP within the context of your IT estate.
Detection is done across all the domains of the IT estate as per [threat] breach modeling. Coverage for detection is measured against selected TTPs applicable to the IT estate.
Threat hunting is done as detection engineering, as per MITRE TTP-based Hunting.
Response is pre-authorized and tested. Manual and automatic readiness to respond is measured against the TTPs identified by [threat] breach modeling.
Practices are in place to strive for an 80/20 balance [1] of automatic vs. manual response.