Join us in-person in Scottsdale or attend the Summit Live Online for FREE

Summit: Oct 3 - 4 | Training: October 5th - 10th | Summit CPE Credits: 12 | Summit Co-Chairs: John Hubbard, Justin Henderson


Level Up Your Blue Team Skills

The blue team represents the information security professionals on the front line of defending an organization's critical assets and systems against attacks and threats from adversaries. Defending against attacks is an ongoing challenge, with new threats emerging all the time. At the SANS Blue Team Summit, enhance your current skill set, become even better at defending your organization, and hear the latest ways to mitigate the most recent attacks!

Blue team professionals are highly skilled at deploying actionable techniques for timely detection, responding to compromises, and monitoring adversary activities to maintain and improve security over time. It's an ongoing effort, day in and day out. Whether hunting for threats, designing a defensible security architecture, or analyzing log data, it's the skills and agility of blue teams that enable world-class detection and defensive capabilities.

Attend Blue Team Summit to experience:

  • Highly technical talks and panel discussions - The industry's top practitioners will share their latest cyber defense research, solutions, tools, and case studies.
  • Exclusive networking opportunities - Connect with your fellow blue teamers and the wider cyber defense community via virtual chat rooms. For in-person attendees, enjoy the exclusive evening receptions in Scottsdale to network with speakers and attendees!
  • Hands-on workshops - Available for those attending the Summit in Scottsdale, you'll choose between several practical, cyber defense focused workshops.
  • Closely aligned SANS Cyber Defense courses - Following the Summit, enhance your knowledge base with an in-depth, immersive course taught by top SANS Instructors.

Over two days, Blue Team Summit talks will deliver diverse viewpoints and actionable advice on key topics, including:

  • Detecting advanced post-exploitation
  • Modern security architecture (zero trust and micro segmentation)
  • Log analysis and anomaly detection at scale
  • Network security monitoring in an increasingly encrypted world
  • Operationalizing endpoint detection
  • Cloud security monitoring tools and techniques
  • Threat hunting techniques and tools
  • Managing, measuring, and improving security operations
  • Leveraging industry frameworks to improve and measure detection, prevention, and response (ATT&CK, etc.)
  • How to jump-start a career in blue teaming
  • Securing an increasingly remote workforce
  • Blue teams & IT leadership

Follow Us

Stay current with all things SANS Blue Team on Twitter, LinkedIn, YouTube, the Blueprint Podcast and BTO News. Follow and interact with our community using the hashtag #BlueTeamSummit.

    We're working hard to finalize the agenda, so please check back soon for the exact schedule. In the meantime, here are some of the great sessions we've got confirmed for you:

    Opening Keynote | Confidence in Chaos: Strategies for World-Class Security Operations

    • Carson Zimmerman, Microsoft
    • Ingrid Parker, The MITRE Corporation

    You've just found out the smart-lights in the cafeteria are connected to your corporate network and can be dimmed from anywhere in the world, the sales team has been spinning up unmanaged AWS accounts to do customer demos, and CISA says you need to put your Shields Up. You know you need to accelerate building your detection and response capabilities - and you can't risk making mistakes while you sort out your priorities. Today's cybersecurity operations centers (SOCs) are under more pressure than ever to adjust defense and detection techniques on-the-fly to address adversaries hiding in the corners of your IT. To help you accelerate, we've cultivated an actionable strategic roadmap for any size organization to up their security ops game. This is based on in-depth interviews with dozens of SOC teams in a broad range of environments, and decades of working in SOCs ourselves. Attendees will leave this presentation with practical, pragmatic action items to help their SOC to excel at these challenges. At the end, a link will be provided to a completely free, newly released book that discusses all of this in greater detail.

    Workshop | Implementing and Optimizing Alert Investigations with ReflexSOAR

    Brian Carroll, Holman

    SOC Analysts are typically inundated with high alert volume and repetitive manual actions that lead to alert fatigue, analyst burnout, and an overall decrease in job satisfaction. All of these lead to a gap in security posture and an impact on human capital. Yet there are open-source and commercial solutions that help solve this problem. This workshop showcases ReflexSOAR, an open-source as well as commercially supported investigation platform, and will show how SOC Analysts can leverage it to:

    • Simplify alert triage
    • Work an alert or group of alerts via Cases and alert deduplication
    • Automate away noise or routine actions using the Reflex Query Language

    Workshop Sections:

    • Installing ReflexSOAR with Docker
    • Creating Detection Rules in ReflexSOAR
    • Navigating Alert Cards and working with cases
    • Automating using Reflex Query Language

    Individuals who attend this workshop can expect to leave the session with a better understanding not only of ReflexSOAR but of how tooling and automation can help ease the burden. Hopefully individuals leave with ideas about how they can improve their own process through writing their own tools or adopting other open-source capabilities.

    A Deep Dive into AWS IAM Privilege Escalation Attacks: Defenders’ Edition 2022

    • Ashwin Patil, Microsoft
    • Roberto Rodriguez, Microsoft

    Cloud misconfiguration remains one of the top threats to cloud security, based on recent surveys and security incident trends. The majority of these misconfigurations are associated with Identity and Access Management (IAM), as identities and credentials are the crown jewels adversaries use to gain access to critical infrastructure. Understanding IAM in the cloud world can be a daunting task for Administrators, and even more so for Defenders who investigate IAM attacks without a good understanding of the adversary tradecraft. In this presentation, we will start by covering the fundamentals of IAM and the telemetry available for security researchers to understand the underlying adversary behavior and develop detections. Then, we will go over the design and deployment of a research lab that empowers security researchers to simulate adversaries abusing IAM services to escalate privileges, collect samples of data, and analyze the adversary tradecraft. Even though the simulation scenarios presented are primarily focused on publicly known IAM privilege escalation techniques, we believe they can help security researchers understand the basics of other IAM attack vectors as well. Furthermore, we will open source the lab deployment templates to automate the provisioning of several data sources, such as CloudTrail, and other built-in threat detection services, such as GuardDuty, to evaluate various detection methodologies. Finally, we will share all the data generated in our research lab through the open-source project created by the Open Threat Research community known as "SecurityDatasets", so that others can use it to validate detections and learn about the adversary behavior from a data perspective.

    Baby Steps to the Future: Evolving into the Next-Gen SOC

    Craig Bowser, Guidepoint Security

    Most SOCs are unable to keep up with the attacks of today because they are constrained by a structure built to address the op tempo of yesterday. That structure does not scale to protect the rapidly changing, distributed environments that SOCs are required to defend from attackers that have risen in both number and sophistication. To counter this, SOCs must evolve to become 'Next-Gen'. This talk will discuss what that means and present concrete steps organizations can take to evolve from today's rigid structures into a dynamic, agile entity that can quickly react to the threats of today and tomorrow. The presentation groups these steps into three phases, demonstrating clear paths to grow people, modify processes, and change technologies. Because organizations have different requirements and resources, recommendations will be given for adaptations that still provide the advanced capabilities needed to protect the enterprise in the future. Organizations can use the strategies discussed in this talk to help them develop multi-year plans that protect the enterprise today and into the future.

    Enabling Defenders to Conduct Incident Response Investigations with Open-Source Tools

    Logan Flook, GreyCastle Security

    Today's threat climate has organizations stretched thin in their budgets for security tools. While this is understandable, many defenders are left with a limited capability to adequately protect their organization. Combined with the difficulty of implementing the proprietary software that does get approved, defenders struggle to conduct in-depth investigations in their organization's environment. To improve this, this presentation will examine four stages of a cyber-attack/incident and discuss use cases for open-source tools that defenders can immediately implement to conduct initial Incident Response investigations. I will conclude by discussing how defenders can scale these investigations to a large environment. After this presentation, viewers will be able to immediately deploy incident response tactics in their organization without the need for proprietary software or licenses.

    Prioritizing Defensive Capabilities

    Benjamin Langrill, RangeForce

    How can a security team prioritize what's important to safeguard their organization? Many teams simply want "maximum coverage of MITRE ATT&CK" in their defensive controls, but this is infeasible for most organizations as the list of ATT&CK techniques continually grows. This talk introduces the Defensive Readiness Index, which prioritizes skills and controls based on threats, because not every organization needs to worry about every possible threat. It includes a framework for stratifying ATT&CK techniques by level of effort, to account for the varying skill and effort each one requires. From there, we can use the inferred relationships between ATT&CK and D3FEND techniques to create a set of focused defensive controls for different levels of attacker effort. Threat modeling with this approach becomes easier, as we can make estimates based on broad level of effort and ROI for a given organization. We will walk through several examples of recent threats to see how they map into the framework, as well as methods for continuous measurement, since threat capabilities and defensive technology change day to day.

    IR Prep and Detection Engineering When the Cloud is your Data Center

    Don Murdoch, SANS Institute

    Public clouds have changed how organizations build their data centers, moving from on-prem to the browser and API calls over the commodity Internet. Attackers are determined to find your weaknesses and mistakes. This presentation will go over major attacks, highlight lessons learned, and provide you with a road map for evaluating your public cloud usage to improve your operational posture, minimize exposure, and reduce your threat profile.

    Topics:

    • MITRE ATT&CK Cloud Matrix
    • Top Cloud Attack Kill Chains and disruption
    • Common attacker activity
    • Log configuration within Azure and AWS to detect these patterns

    Important Dates

    Refund Date: September 16, 2022
    Hotel Group Discount Deadline: September 12, 2022


    Hilton Scottsdale Resort & Villas

    6333 North Scottsdale Road
    Scottsdale, AZ 85250
    Phone: 480-948-7750

    Enjoy views of Camelback Mountain from our resort, located within three miles of Old Town Scottsdale and Spring Training at Scottsdale Stadium. Our hotel features three restaurants, a spa, and an outdoor heated pool, plus a free two-mile shuttle service for area exploring. Two-room villas offer more room to relax, with private patios and an exclusive pool.

    Hotel Special Rates and Reservations

    A special discounted rate of $199.00 S/D plus applicable taxes will be honored based on space availability.

    A limited number of Government Per Diem rooms at the prevailing rate are available with proper ID.

    These rates include Internet in your room and are only available through Monday, September 12, 2022.

    To make a regular reservation, please visit this link.

    To make a government per diem reservation, please visit this link.

    Top 3 reasons to stay at the Hilton Scottsdale Resort & Villas

    1. No need to factor in daily cab fees and the time associated with travel to alternate hotels. Everything is in one convenient location!
    2. By staying at the Hilton Scottsdale Resort & Villas, you gain the opportunity to further network with your industry peers and remain in the center of the activity surrounding the conference.
    3. SANS schedules evening events at Hilton Scottsdale Resort & Villas that you won't want to miss!

    Experience Scottsdale

    3 Quick Facts about Scottsdale

    1. Chili has been the official food since 1994.
    2. Scottsdale receives 315 days of sun a year.
    3. Firetrucks in Scottsdale aren’t red…they are chartreuse.

    Travel Arrangements and Directions

    Complimentary valet/self-parking is available for all attendees.

    From Phoenix Sky Harbor International Airport (PHX): Approximately 12.8 miles.
