We're working hard to finalize the agenda, so please check back soon for the exact schedule. In the meantime, here are some of the great sessions we've got confirmed for you:
Opening Keynote | Confidence in Chaos: Strategies for World-Class Security Operations
- Carson Zimmerman, Microsoft
- Ingrid Parker, The MITRE Corporation
You've just found out the smart lights in the cafeteria are connected to your corporate network and can be dimmed from anywhere in the world, the sales team has been spinning up unmanaged AWS accounts to do customer demos, and CISA says you need to put your Shields Up. You know you need to accelerate building your detection and response capabilities, and you can't risk making mistakes while you sort out your priorities.
Today's cybersecurity operations centers (SOCs) are under more pressure than ever to adjust defense and detection techniques on the fly to address adversaries hiding in the corners of your IT. To help you accelerate, we've cultivated an actionable strategic roadmap for an organization of any size to up its security ops game. It is based on in-depth interviews with dozens of SOC teams in a broad range of environments, and on decades of working in SOCs ourselves.
Attendees will leave this presentation with practical, pragmatic action items to help their SOC excel at these challenges. At the end, a link will be provided to a completely free, newly released book that discusses all of this in greater detail.
Workshop | Implementing and Optimizing Alert Investigations with ReflexSOAR
Brian Carroll, Holman
SOC analysts are typically inundated with high alert volume and repetitive manual actions that lead to alert fatigue, analyst burnout, and an overall decrease in job satisfaction. All of these create a gap in security posture and an impact on human capital. Yet there are open-source and commercial solutions that help solve this problem. This workshop showcases ReflexSOAR, an open-source and commercially supported investigation platform.
This workshop will show how SOC analysts can leverage the open-source tool ReflexSOAR to:
- Simplify alert triage
- Work an alert or group of alerts via Cases and alert deduplication
- Automate away noise or routine actions using the Reflex Query Language
- Install ReflexSOAR with Docker
- Create detection rules in ReflexSOAR
- Navigate alert cards and work with cases
- Automate using the Reflex Query Language
Individuals who attend this workshop can expect to leave the session with a better understanding not only of ReflexSOAR but of how tooling and automation can help ease the burden. Hopefully attendees leave with ideas about how they can improve their own process by writing their own tools or adopting other open-source capabilities.
A Deep Dive into AWS IAM Privilege Escalation Attacks: Defenders’ Edition 2022
- Ashwin Patil, Microsoft
- Roberto Rodriguez, Microsoft
Cloud misconfiguration remains one of the top threats to cloud security based on recent surveys and security incident trends. The majority of these misconfigurations are associated with Identity and Access Management (IAM), as identities and credentials are the crown jewels for adversaries seeking access to critical infrastructure. Understanding IAM in the cloud world can be a daunting task for administrators, and even more so for defenders who investigate IAM attacks without a good understanding of the adversary tradecraft.
In this presentation, we will start by covering the fundamentals of IAM and the telemetry available for security researchers to understand the underlying adversary behavior and develop detections. Then, we will go over the design and deployment of a research lab that empowers security researchers to simulate adversaries abusing IAM services to escalate privileges, collect samples of data, and analyze the adversary tradecraft. Even though the simulation scenarios presented are primarily focused on publicly known IAM privilege escalation techniques, we believe they can help security researchers understand the basics of other IAM attack vectors as well. Furthermore, we will open source the lab deployment templates to automate the provisioning of several data sources such as CloudTrail, and of built-in threat detection services such as GuardDuty, to evaluate various detection methodologies.
Finally, we will share all the data generated in our research lab through "SecurityDatasets", the open-source project created by the Open Threat Research community, so that others can use it to validate detections and learn about adversary behavior from a data perspective.
Baby Steps to the Future: Evolving into the Next-Gen SOC
Craig Bowser, Guidepoint Security
Most SOCs are unable to keep up with the attacks of today because they are constrained by a structure built to address the op tempo of yesterday. That structure does not scale to protect the rapidly changing, distributed environments that SOCs are required to defend from attackers that have risen in both number and sophistication. To counter this, SOCs must evolve to become 'Next-Gen'. This talk will discuss what that means and present concrete steps organizations can take to evolve from today's rigid structures into a dynamic, agile entity that can quickly react to the threats of today and tomorrow. The presentation groups these steps into three phases, demonstrating clear paths to grow people, modify processes, and change technologies. Because organizations have different requirements and resources, recommendations will be given for adaptations that still provide the advanced capabilities needed to protect the enterprise in the future. Organizations can use the strategies discussed in this talk to help them develop multi-year plans that protect the enterprise today and into the future.
Enabling Defenders to Conduct Incident Response Investigations with Open-Source Tools
Logan Flook, GreyCastle Security
Today's threat climate has organizations stretched thin in their budgets for security tools. While this is understandable, many defenders are left with a limited capability to adequately protect their organization. Combined with the difficulty of implementing the proprietary software that does get approved, defenders struggle to conduct in-depth investigations in their organization's environment. To improve this, this presentation will examine four stages of a cyber attack/incident and discuss use cases for open-source tools that defenders can immediately implement to conduct initial incident response investigations. I will conclude by discussing how defenders can scale these investigations to a large environment. After this presentation, viewers will be able to immediately deploy incident response tactics in their organization without the need for proprietary software or licenses.
Prioritizing Defensive Capabilities
Benjamin Langrill, RangeForce
How can a security team prioritize what's important to safeguard their organization? Many teams simply want "maximum coverage of MITRE ATT&CK" in their defensive controls, but this is infeasible for most organizations as the list of ATT&CK techniques continually grows.
This talk introduces the Defensive Readiness Index, which prioritizes skills and controls based on threats, because not every organization needs to worry about every possible threat. It includes a framework for stratifying ATT&CK techniques by level of effort, to account for the varying skill and effort each technique requires.
From here, we can use the inferred relationships between ATT&CK and D3FEND techniques to create a set of focused defensive controls for different levels of attacker effort. Threat modeling with this approach becomes easier, as we can make estimates based on broad level of effort and ROI for a given organization.
We will walk through several examples of recent threats to see how they map into the framework, as well as methods for continuous measurement, since threat capabilities and defensive technology change day to day.
IR Prep and Detection Engineering When the Cloud is your Data Center
Don Murdoch, SANS Institute
Public clouds have changed how organizations build their data centers, moving from on-prem to the browser and API calls over the commodity Internet. Attackers are determined to find your weaknesses and mistakes. This presentation will go over major attacks, highlight lessons learned, and provide you with a road map for evaluating your public cloud usage to improve your operational posture, minimize exposure, and reduce your threat profile.
- Topics: MITRE ATT&CK Cloud Matrix, top cloud attack kill chains and their disruption, common attacker activity, and log configuration within Azure and AWS to detect these patterns.