Blue Team Summit & Training 2019

Louisville, KY | Thu, Apr 11 - Thu, Apr 18, 2019

Blue Team Summit Agenda

Summit Speakers

We strive to present the most relevant, timely and valuable content. As a result, this agenda is subject to change. Please check back frequently for changes and updates. The following talks and speakers have been confirmed for the 2019 SANS Blue Team Summit:

Azure AD Security Recommendations and the Customer Stories That Prove It

Azure Active Directory has lots of features to help increase your organization’s security posture. But which ones should you prioritize deploying? This session will discuss the key security quick wins you can go back and do immediately, best practices of deployment, and what has happened to other customers when they didn’t deploy the security features they needed.

Mark Morowczynski, Principal Program Manager, Microsoft

Skill Sharpening @ the CyberRange: Developing the Next-Generation Blue Team

How do you gain defender skills? Do you know exactly how offense should inform defense? Are you learning on the job in the heat of the moment? How do you measure outcomes and ensure success? The development of blue team cyber operation skills depends on reusable, repeatable, and measurable scenarios that reflect complex networks to pit the blue team against a modern attacker. It isn’t enough to take a class and run through a lab. Attackers and red teams have dozens of options (including your network), and so does the blue team. You can practice on a cyber range, but it’s about much more than a few virtual machines. It’s about a real outcome achieved by trained operators armed with tools, techniques, and practices that enable them to get in the hunt. This presentation will introduce you to a modern range, survey best-of-breed tools and capabilities, and highlight how a range can support skill development for the blue team operator.

Don Murdoch, Author, Blue Team Handbook: Incident Response and Blue Team Handbook: SOC, SIEM, and Threat Hunting Use Cases

To Blue with ATT&CK-Flavored Love

MITRE ATT&CK was originally created by red and blue teamers working together in a giant lovefest known as the Fort Meade Experiment. Building on that history, this talk will provide a love letter rekindling that flame. The talk is more than an ATT&CK overview. The presenter will use his unique perspective from real-world red teaming experience to cover insights, lessons learned, and a general perspective of defense and the hunt in order to show how ATT&CK is a valuable tool to help red and blue teams work together to improve their defenses. Specific topics to be covered include:

  • Research Soap Boxes vs. the Mad, and Expensive, Real World – How the field of red team research is different from the real world and what that means for blue teamers.
  • Sensing and Analytics Done Right…Maybe – The sensor data blue teamers should be collecting in order to have the best chance to catch red teamers and adversaries, as well as how to write behavioral analytics to catch them.
  • What Does It Mean to Hunt and How Can Your Red Team Help? – Advice for blue teamers trying to undertake the mammoth task of threat hunting, and what that actually means.
  • How Do You Really Use ATT&CK? – ATT&CK is the new hotness. That’s great and all, but how can we use it for real to make our defenses stronger?

Jamie Williams, Cyber Adversarial Engineer, MITRE

Seriously, I Can Still See You

Last year in Deadwood, South Dakota, strangers broke into my hotel (i.e., my network) and thought no one would notice the sound of the crashing front door. And no one did. Then they broke into an empty room (i.e., a desktop) and thought no one would notice that sound either. Again, no one did. Then they started to crack the locks between adjoining rooms and moving between them, thinking no one would notice. But I did, because my room was occupied, and I can show you how easy it was to see them. Silly thieves! I was there and my lights were on! And who uses the side doors anyhow?! This year the same thing happened, and it started the same way, but the attackers were smarter. Instead of breaking into the rooms one by one, they just slid notices under each door that said: “When you're ready to check out, don't dial zero as that extension is currently out of service. Instead, dial extension 666, and confirm your payment details there. Sorry for the inconvenience, and we hope you had a nice stay! – Management.” Again, the attackers thought this would work nicely because guests wouldn’t think anything of it, and because the real hotel management wouldn't notice until it was too late. Normally that would have worked, as it almost always does. But I watched them do it because, again, I was paying attention. When the room party at extension 666 was raging, I was standing outside the door. Imagine their surprise! Abuse of the Link Local Multicast Name Resolution (LLMNR) and Web Proxy Auto Detection (WPAD) protocols is probably the easiest way for an attacker to hijack your entire fleet’s credentials and web traffic from right under your nose, LAN by LAN. Pay attention. I'll show you how easy it is to see. [Caveat venditor: no commercial tools are required!]

Jonathan Ham, Principal Systems & Security Architect, jham International Corporation

Using Statistical Analysis to Reduce Noise and Improve Efficacy

Security analysts and engineers in Security Operations Centers all around the world are treading water. They come to work and respond to alerts. But there’s a queue of alerts when they get to work, and the queue is still there when they leave. A few of the alerts may be legitimate indicators of malicious activity, but many are false positives, and still others are impossible to classify as either malicious or benign. This talk will demonstrate how to track the amount of time your blue team is spending on alerts and analyze relevant statistics to “tune” or even get rid of those alerts that are unnecessarily bogging you down. You’ll learn what to measure and how to calculate useful data points, handle outliers, and build a security scoreboard. You’ll also see when to take action, what “tuning” means for you, and how to track the impact of the decisions you end up making. Also included are specific examples in Splunk and Python and lessons learned along the way. Ultimately, this talk will empower you to optimize team resources, allowing your analysts to spend more time on fulfilling, proactive work. In other words, they can spend more time swimming and less time treading water or drowning.

Keshia Levan, Detection Engineering Lead, Red Canary

Zero-Trust Networks: The Future Is Here

The traditional perimeter-based security architecture used in sectors ranging from education to government and communications has basically failed to protect internal assets. New technologies such as the Internet of Things and mobile devices will force a new approach to network security architecture. Zero-trust networks (ZTNs) assume that the network is hostile, attackers are already inside the net, and segmentation isn't sufficient to determine trust, among other characteristics. This talk will describe zero-trust network properties and how we are integrating this architecture with existing cybersecurity defense strategies. We believe all sectors will have to adopt this strategy in the near future. In this talk, we’ll explore ZTN components and their relationships, determine what off-the-shelf software can be used to build a ZTN, and help you improve your overall security posture by integrating ZTN concepts into your existing network architecture.

Randy Marchany, CISO, Virginia Tech; Certified Instructor, SANS Institute

Cloud Security Challenges for the Blue Team

It seems like we are being bombarded by reports of exposed data due to misconfigurations in cloud services. Gartner estimates that up to 95 percent of cloud security failures will be “the customer’s fault” by 2020. There are many security benefits for the blue team, but it seems we are lacking the skills necessary to take advantage of these. This talk will focus on the security benefits provided by the cloud and the necessary skill sets that the blue team must focus on developing in order to ensure that our organizations do not become another cloud security failure.

Marc Baker, Online Training Subject-Matter Expert, SANS Institute