
Cyber Solutions Fest 2020 - Live Online

Virtual, US Eastern | Thu, Oct 8 - Fri, Oct 9, 2020

Cyber Solutions Fest Agenda

October 8 - 9 | Virtual, US Eastern

FOUR TRACK OFFERINGS

Thursday, October 8th: Cloud & Cloud Native | DevSecOps

Friday, October 9th: Threat Intelligence | Network Security


October 8th - US Eastern Cloud & Cloud Native Track Presentation Lineup

10:30 - 11:00 AM

Event Kickoff

11:00 - 11:40 AM

Opening Remarks & Cloud Keynote

Dave Shackleford, @daveshackleford, Senior Instructor, SANS Institute, @SANSInstitute

As more organizations shift to using a wide variety of cloud services, the nature of many security controls we’ve relied on is changing, and in some cases vanishing. With the new threat surface cloud brings, there’s a definitive need for new, more cloud-friendly (and cloud-native) security tools and services that can help align with SaaS, PaaS, and IaaS deployments across all business cases. The focus of the Cloud/Cloud-Native Track at the SANS Cyber Solutions Fest will be to showcase innovation and new security tools and services that help organizations adapt to cloud deployments in areas such as network security, data protection, threat intelligence, endpoint and workload security, container and serverless security, identity and access management, and many more.

11:45 AM - 12:30 PM

Cisco

How to Solve Today’s Network and Security Challenges

Kate MacLean, Head of Product & Content Marketing, Cisco Umbrella, @CiscoUmbrella

Threats, network complexity, and inefficient tools are driving the need for a new approach to network security. With more mobile devices, more cloud access, and a wide assortment of point tools, it’s hard for organizations to get a handle on threats and respond quickly. Find out why migrating your security to the cloud can help. In this presentation, we’ll discuss how the secure access service edge (SASE) framework can address complex networking and security challenges, and how cloud-delivered security can provide the flexible protection you need as your network evolves.

12:30 - 12:45 PM Break

12:45 - 1:20 PM

Qualys

Managing Your Multi-cloud Attack Surfaces

Badri Raghunathan, Director of Product Management, Qualys, @qualys

Sean Nicholson, Security Solutions Architect, Qualys, @qualys

Traditional IT, security and compliance paradigms are ill-suited to the cloud-native era. As an industry, we need to rethink these paradigms. This talk will provide a framework for measuring and managing the risks associated with the multi-cloud attack surface in a cloud-native world. Via examples and demos, we will walk through multi-cloud asset visibility, real-time security assessment and comprehensive detection & response across cloud accounts, infrastructure (Hosts, Containers, Serverless) and applications.

1:25 - 2:00 PM

CloudPassage

A Practical Guide to Securing Container, Docker Host, and Kubernetes Environments

Carson Sweet, CEO and Co-founder, CloudPassage, @cloudpassage

Bryan Jones, Senior Solutions Engineer, CloudPassage, @cloudpassage

As organizations implement serverless and microservice architectures in the cloud, the number of containers in the cloud is growing exponentially. Traditional security approaches will not work for containers due to their dynamic, distributed, and ephemeral nature. This session will detail several popular container deployment architectures and the resulting components that need to be secured, including IaaS accounts, container images, container image registries, container runtimes, and the hosts on which they run. The session will include a best-practice demonstration of shifting security left by automating container security throughout the CI/CD pipeline.

2:00 - 2:30 PM

Introducing the SANS Cloud Ace

Frank Kim, @fykim, SANS Fellow, SANS Institute, @SANSInstitute

SANS Cloud Security focuses the deep resources of SANS on the growing threats to the cloud by providing training, certification, research, and community initiatives to help security professionals build, deploy and manage secure cloud infrastructure, platforms, and applications.

The SANS Cloud Security Curriculum provides intensive, immersion training designed to help you and your staff master the practical steps necessary for defending systems and applications in the cloud against the most dangerous threats. The courses are full of important and immediately useful techniques that you can put to work as soon as you return to your office. The curriculum has been developed through a consensus process involving industry-leading engineers, architects, administrators, developers, security managers, and information security professionals, and addresses public cloud, multicloud, and hybrid-cloud scenarios for enterprises and developing organizations alike.

2:30 - 2:35 PM

Afternoon Kickoff

Dave Shackleford, @daveshackleford, Senior Instructor, SANS Institute, @SANSInstitute

2:40 - 3:15 PM

Automox

Trust The Cloud: Bridging the Endpoint Management Gap Between SecOps and IT

Jay Goodman, @jsg7440, Manager of Product Marketing, Automox, @AutomoxApp

As cybersecurity threats have increased in complexity, SecOps has moved its security protocols and procedures to the cloud to keep pace with adversaries. But IT teams are still operating with legacy on-prem products and workflows designed for a different era, decreasing their efficiency and increasing their frustration. It’s time to bring the IT organization up to parity and bridge the gap between the two organizations, minimizing the corporate attack surface, increasing collaboration, and saving money.

3:20 - 3:55 PM

Portshift


MITRE ATT&CK Framework for Kubernetes and Container Runtime Security

Zohar Kaufman, VP R&D, Portshift, @portshift

Ariel Shuper, @ArielShuper, VP Product, Portshift, @portshift

The MITRE ATT&CK framework provides a threat matrix that guides administrators, developers, DevOps, security teams and others in protecting their networks, systems and endpoints from undesirable access and manipulation.

But what about Kubernetes? What we are missing is a MITRE ATT&CK matrix that is interpreted for the Kubernetes environment – a matrix that connects the dots and provides the missing security context for Kubernetes security best-practices.

At Portshift, we’ve brought this matrix to life. We’ve taken the concepts presented by Microsoft and the theory of a threat-based model from MITRE and implemented a matrix that is tailored for Kubernetes, helping our users not only actively detect potential threats in their Kubernetes clusters but also create, implement and monitor their defense strategies and the security of their applications and deployments. With our K8SHIELD™ Framework, we’ve also released a graphical view that connects the dots for you with the familiar ATT&CK matrix, displaying the risks and their applicability to deployed clusters.

4:00 - 4:35 PM

CloudKnox

Properly Enforcing the Principle of Least Privilege (PoLP) in a Cloud-Native World

Balaji Parimi, @vimAPIGuru, Founder and CEO, CloudKnox Security, @cloudknox

Implementing the principle of least privilege in the cloud is often seen as the holy grail for even the most mature security organizations. The challenge stems from the unprecedented levels of automation that enterprises depend on to achieve efficiency and scale. However, automation has also created tens of thousands of permissions that have inadvertently bestowed identities with the ultimate power to create or destroy entire data centers with one keystroke.

Recent well-publicized breaches have proven that strict adherence to the principle of least privilege in the cloud is the only way to protect your critical cloud infrastructure from accidental misuse or malicious exploitation of permissions. The problem is that the methods and tools that exist today are not designed to work in the cloud.

Join Balaji Parimi, CloudKnox Security CEO and founder, as he examines and compares the efficacy of legacy static models such as Role-based Access Controls (RBAC) with a new data-driven dynamic approach to enforcing the principle of least privilege in hybrid and multi-cloud environments.

4:35 - 4:50 PM Break

4:50 - 5:35 PM

Menlo Security | Cisco | Automox

Panel Discussion

Navigating the Challenges of Network Security Beyond the Data Center

Moderator: Dave Shackleford, @daveshackleford, Senior Instructor, SANS Institute, @SANSInstitute

Chris Bilodeau, Technical Marketing Engineer, Cisco Umbrella, @CiscoUmbrella

Stuart Pickard, Director Sales Engineering - Cloud Security, Menlo Security, @menlosecurity

Christopher Hass, Director of Information Security and Research, Automox, @AutomoxApp

Your users and data have left the building, and network security is no longer confined to the data center. As data and workloads shift to the cloud, cybersecurity professionals are contending with an entirely new set of security challenges.

We’ll talk about how changing work styles have led to new security problems, where the cloud security landscape is heading, and the steps you can take to keep your organization safe and secure.

5:35 - 5:45 PM

Closing Remarks

Dave Shackleford, @daveshackleford, Senior Instructor, SANS Institute, @SANSInstitute

October 8th - US Eastern DevSecOps Track Presentation Lineup

10:30 - 11:00 AM

Event Kickoff

11:00 - 11:40 AM

Opening Remarks & DevSecOps Keynote

Ismael Valenzuela, @aboutsecurity, Certified Instructor, SANS Institute, @SANSInstitute

The DevSecOps track brings together CISOs, developers, IT and information security professionals that are seeking to successfully integrate security in their software development environment and vendors that are offering effective solutions to shift security left and right in the DevOps lifecycle.

Gone are the days when the role of the security team was limited to running a ‘pentest’ in the final stages of the application development cycle. That old model was already often ineffective back when development cycles lasted months or years, and it is even less effective now that code is pushed to multi-tenant cloud environments in short cycles of days or weeks.

Under this new paradigm, what are the most effective practices and tools to include security in the DevOps cycle? What are the new threats and challenges that CISOs need to consider when pushing applications in this new agile cloud centric landscape? How do you continuously assess your risk posture and ensure you are gathering adequate logs and event data for continuous monitoring purposes?

To answer these questions, join SANS author and instructor Ismael Valenzuela, as he chairs the DevSecOps track in SANS Cyber Fest 2020 that will bring together vendors, developers, IT and security professionals that will share their experience on integrating security into every stage of the DevOps lifecycle.

11:45 AM - 12:30 PM

OpenText

The Application of Threat Detection, Data Discovery, and Forensics to DevSecOps

Anthony Di Bello, @CyberResponder, VP, Strategic Development, OpenText, @OpenTextSecure

In August 2019, the US Department of Defense released version 1.0 of the DoD Enterprise DevSecOps Reference Design, which “showcases a sampling of software factory reference designs and application security operations”. With the DoD Reference Design as our backdrop, we will discuss the benefits of extending your data discovery, threat detection, incident response and digital forensics capabilities to the software development environment.

In this talk we will cover:

  • The application of continuous monitoring to the software development environment and lifecycle
  • Data discovery and forensic methods to audit and enforce secure coding practices
  • The benefits of a forensic approach to analyzing runtime behavior for vulnerabilities
12:30 - 12:45 PM Break
12:45 - 1:20 PM

Siemplify

Using SOAR to Detect and Respond to Threats at the Speed of Business

Nimmy Reichenberg, Chief Marketing Officer, Siemplify, @Siemplify

Bogged down by alert overload and manual processes, most security operations teams are unable to detect and respond to threats at the speed of business. This session will explain the basics of security orchestration, automation and response (SOAR) as well as provide practical use cases and implementation tips for security teams looking to do more with less, reduce response times and identify areas for improvement.

1:25 - 2:00 PM

CrowdSec

Behavior & Reputation Based Filtering Reloaded!

Philippe Humeau, @philippe_humeau, CEO, CrowdSec, @Crowd_Security

Thibault Koechlin, CTO, CrowdSec, @Crowd_Security

Cybersecurity is not only a problem of means. We are still unable to wipe cyberattacks out for several reasons: time, unfiltered access, changing perimeters, money. At CrowdSec, we think that the solution to large scale hacking is to harness the power of the crowd and have each other's back. Discover our security automation engine, using both local IP behavior detection & our community-driven IP reputation database enabling us to make the Internet safer, together.

2:00 - 2:30 PM Break
2:30 - 2:35 PM

Afternoon Kickoff

Ismael Valenzuela, @aboutsecurity, Certified Instructor, SANS Institute, @SANSInstitute

2:40 - 3:15 PM

Elastic

Who’s Watching the Helm?

Neil Desai, Elastic Solutions Architect - Security Specialist, Elastic, @elastic

There have been great talks about attacking and defending Kubernetes environments, but no one talks about monitoring them. We will go over what is available with AWS’s Kubernetes offering to see:

  • What’s available to us as a PaaS (Platform as a Service) with regard to Kubernetes infrastructure and logging
  • How to translate IaC (Infrastructure as Code) into events of interest
  • What happens if your logging infrastructure gets taken out and what we can do about it
3:20 - 3:55 PM


Veracode

DevSecOps Done Right

John Smith, Director Solution Architects, Veracode, @Veracode

Application security is not a one-and-done project, and there is no AppSec silver bullet. Application security is an ongoing program that assesses software at different stages of the development lifecycle in different ways. In this way, DevOps becomes DevSecOps. However, there are a few common obstacles that often hinder AppSec progress. Tune into this session to learn how to overcome the following:

  • Developers not empowered to fix what they find
  • AppSec solutions that are hard to manage and scale
  • Security teams with limited bandwidth to manage an AppSec program
4:00 - 4:35 PM

Cloud Security and DevOps Automation: Keys for Modern Security Success

Eric Johnson, @emjohn20, Certified Instructor, SANS Institute, @SANSInstitute

Modern development teams deliver features at a rapid pace using new technologies such as containers, microservices, and serverless functions. Operations and infrastructure teams support these rapid delivery cycles using Infrastructure as Code, Test Driven Infrastructure (TDI), and Cloud infrastructure automation. However, security teams are using traditional security approaches that don’t keep up with the rate of accelerated change. Security must be reinvented in a DevOps world by taking advantage of the opportunities provided by automated continuous integration, delivery, and monitoring tools. This session will introduce attendees to 5 key phases of DevOps: pre-commit, commit, acceptance, production, and operations. In each phase, we identify a key cloud security control and discuss several open source tools for implementing the control. Attendees will walk away with a practical and modern approach for building a successful Cloud and DevSecOps program.

4:35 - 4:45 PM

Closing Remarks

Ismael Valenzuela, @aboutsecurity, Senior Instructor, SANS Institute, @SANSInstitute

October 9th - US Eastern Threat Intelligence Track Presentation Lineup
10:30 - 11:00 AM

Event Kickoff

11:00 - 11:40 AM

Opening Remarks & Threat Intelligence Keynote

Jake Williams, @MalwareJake, Senior Instructor, SANS Institute, @SANSInstitute

Every year at major security conferences, you can tell the trends in security because seemingly every product and service is being positioned as “look at how we make things easier/cheaper/better.” A few years ago, that was cyber threat intelligence (CTI). Then, it inexplicably changed to threat hunting. But practitioners know that you can’t really separate threat hunting and threat intelligence any more than you can separate logs from a SIEM. Just as a SIEM is useless without log sources, threat hunting without threat intelligence suffers the same fate – maximum value is not achieved for the org and practitioners are left high and dry.

Of course, threat intelligence is useful for so much more than threat hunting, from enabling organizations to understand trends in threat groups, to creating real-time detections, to helping an organization’s analysts contextualize incidents and attempted attacks for stakeholders.

But far too often, purchasing threat intelligence platforms and feeds doesn’t provide the organization with the desired value. In part that’s because the value of intelligence is hard to quantify – how do you quantify the return on investment of knowing the tradecraft or indicators used by an attacker before they target your organization? This problem is further complicated by the fact that many orgs struggle to operationalize the intelligence that they buy – sure the list of IOCs sounded great and you heard some use cases, but how will YOU use it?

Similar problems exist in the threat hunting space, even when fed with high quality intelligence. When threat hunting operations uncover intrusions, the value-add is obvious. But when they don’t, orgs struggle to differentiate between “we looked and didn’t find anything” and “there was nothing to find.” As technicians struggle to differentiate these situations in their reports, the task is much more difficult for leadership who bankroll the threat hunting budgets.

Another problem is the lack of consistency among the data for use in SIEM/SOAR. SOC teams that do not process or enrich their data before putting it into their security tools are often disappointed to find they experience additional integration costs and challenges when they had expected clear sailing with their new SIEM/SOAR. At best, the task of data processing gets off-loaded onto threat hunting teams, creating unexpected costs and strain because the data lacks context and relevant details.

The Threat Hunting and Intelligence Track will feature vetted vendors who will help you separate the wheat from the chaff. Solution providers will present solutions and offer tips for how you can operationalize those solutions in your environment and extract enough value to justify their costs.

11:45 AM - 12:30 PM

Broadcom

The Search for Intelligence in a Data-driven World

Adam Licata, Endpoint Security Director, Symantec, @Symantec

Kevin Haley, Security Response Director, Symantec, @Symantec

You bought your threat intelligence. But, “Is this the right data?” you ask. And where exactly is the intelligence? In a world where attacks and attackers keep evolving, it’s critical to take data from all your control points for threat analysis. The challenge is having a way to simply and cost-effectively normalize it so you can assess and compare behaviors from your endpoints to your email and onto your network. In this lively presentation and two-way dialogue between product management and threat intelligence engineering experts, our speakers will discuss the pitfalls of relying on data from disparate platforms for finding attacks and stomping them out.

With interactive examples, they will illustrate:

  • What happens when threat hunters are left to piece together attack details of an Advanced Persistent Threat manually?

  • What effect can normalized threat intelligence have on speed of threat detection?

  • What solutions are available to help SOC and threat intelligence teams to maximize efficiencies in connecting the dots about attacks and attackers in their organizations?

12:30 - 12:45 PM Break
12:45 - 1:20 PM

RSA

Ready, Set, Hunt

James Pope, @BlesstheInfoSec, Sr. SysEng & Threat Hunter, RSA Security, @RSAsecurity

Whether your organization has an entire team of threat hunters or is starting from the beginning without any official incident response posture, this session will cover tips and tricks on how to add value to your organization through incident response and threat hunting. We'll discuss tactics and techniques used by world-class hunters around the globe, and give you a framework for analysts, regardless of their level.

1:25 - 2:00 PM

Gigamon

Ransomware Loitering Presents an Opportunity for Network Detection

Steve Porcello, Senior Security Engineer, ThreatINSIGHT, Gigamon, @gigamon

The recent surge of ransomware attacks has highlighted a shift in tactics employed by threat actors looking to extort organizations. Their methodology has changed from a quick, opportunistic attack to a prolonged, targeted approach. This shift in methodology presents threat groups with the opportunity to encrypt more critical data, but also presents security teams with the opportunity to detect activity before data is encrypted. In this talk we'll explore how this allows security analysts to use network detection and response capabilities to discover malicious activity between initial compromise and encryption.

2:00 - 2:15 PM

Establishing Your Digital Forensics Foundations: The Need for a Foundation Course in Digital Forensics

Jason Jordaan, @DFS_JasonJ, Certified Instructor, SANS Institute, @SANSInstitute

SANS has been a leader in providing digital forensics training, with an impressive number of digital forensics courses being offered by its DFIR Faculty. In keeping with the SANS promise, students attending these digital forensic courses were provided the skills and knowledge to go back to work and immediately begin applying what they had learnt. However, we realized that many students were asking us questions about some of the foundational aspects of digital forensics that we didn’t cover in detail in any one of the other courses that we had. To address that, we have taken the time to develop a foundational digital forensics course that addresses the fundamental aspects of digital forensics crucial to success in this field, supplementing the knowledge and skills of our existing digital forensics courses.

This presentation will discuss why there was a need to develop a course like this, and explore the various components of this new course.

2:15 - 2:30 PM

FOR498: Battlefield Forensics & Data Acquisition

Kevin Ripa, @kevinripa, Certified Instructor, SANS Institute, @SANSInstitute

Heather Mahalik, @HeatherMahalik, Senior Instructor, SANS Institute, @SANSInstitute

Gaps. Digital Forensics and Incident Response are full of them. A variety of classes exist that attempt to cover various areas. FOR498: Battlefield Forensics & Data Acquisition was written specifically to fill two very important gaps. The Battlefield Forensics portion is designed to address the fact that there is far too much data to acquire and process in a time-sensitive way. It covers getting the most important data as quickly as possible. In fact, we take you from seizure to actionable intelligence in 90 minutes or less! The Data Acquisition portion addresses the lack of acquisition methodologies, especially in today’s world of complete data disparity. We have data on removable hard drives, non-removable drives, servers, networks, the cloud, Internet of Things, and more. In other words, we bridge the gap from “I know generally what DFIR is, but how do I collect the evidence and examine it quickly?”

2:30 - 2:35 PM

Afternoon Kickoff

Jake Williams, @MalwareJake, Senior Instructor, SANS Institute, @SANSInstitute

2:40 - 3:15 PM

DomainTools

Closing the Loop on Hunting and Detection with DomainTools Iris

Taylor Wilkes-Pierce, Senior Sales Engineer, DomainTools, @DomainTools

The decisions made in the SOC are rarely going to be better than the data that informs them. From enrichment to blocking rules, in this session we’ll use adversary campaign research to explore how unifying the DNS and infrastructure intelligence utilized by SIEM and SOAR applications in the SOC can help hunt threats both inside and outside our networks.

3:20 - 3:55 PM


BlackBerry


Threat Spotlight on Cobalt Strike

T.J. O'Leary, Principal BlackBerry GUARD Analyst, BlackBerry, @BlackBerry

Kevin Finnigin, Distinguished Threat Researcher, BlackBerry, @BlackBerry

Cobalt Strike is threat emulation software used by red teams and abused by malicious threat actors. It has become a highly prevalent threat employed by a growing number of APT groups. Its widespread use created a need to hunt for active Team Servers, obtain Cobalt Strike Beacons and integrate any generated data into our workflows. We will be discussing how we’ve been tackling this problem internally.

In this talk we will cover:

  • Hunting for and pillaging Cobalt Strike Teamservers
  • Operationalizing Beacon Indicators into Cyber Threat Intelligence
4:00 - 4:35 PM

Exabeam

Using the MITRE ATT&CK Framework for Detection and Threat Hunting

John DiFederico, Sales Engineering Manager, Exabeam, @exabeam

This presentation will introduce the MITRE ATT&CK knowledge base, discuss how pairing MITRE tactics and techniques with behavior analytics creates a powerful tool for SOC teams, and explore how security teams can leverage this “ATT&CK + Analytics” approach to turbocharge their threat detection and proactive threat hunting capabilities.

In this session, attendees will learn:

  • What MITRE ATT&CK is and how it is used
  • The pitfalls of using IoCs and TTPs
  • How TTPs and analytics work together
  • Tips for turbocharging threat detection with analytics and TTPs

4:35 - 4:50 PM Break
4:50 - 5:35 PM

Analyst1 | BTB Security | Symantec

Panel Discussion

Food for Thought on Datafeeds

Moderator: Jake Williams, @MalwareJake, Senior Instructor, SANS Institute, @SANSInstitute

Hugh Clapp, @hughclapp, CEO, Analyst1, @UseAnalyst1

Ron Schlecht, @btb_schlecht, Managing Partner, BTB Security, @thebtbgroup

Vikram Thakur, Director, Security Technology and Response, Symantec, @Symantec

To strengthen defenses against attacks and attackers, many organizations consider threat intelligence feeds an important part of their toolkits – for detection as well as for prevention. Yet, few perform efficacy tests before purchase. Without this validation, threat teams are in the dark as to whether a particular feed is relevant to their business, their industry or their network.

In this discussion, the panelists will illustrate:

  • Consequences of oversight

  • How to understand the differences in quality of vendor source data

  • How to select data that is most relevant to your needs

  • What alternatives to third-party intelligence feeds are available in the market
5:35 - 5:45 PM

Closing Remarks

Jake Williams, @MalwareJake, Senior Instructor, SANS Institute, @SANSInstitute

October 9th - US Eastern Network Security Track Presentation Lineup
10:30 - 11:00 AM

Event Kickoff

11:00 - 11:40 AM

Opening Remarks & Network Security Keynote

Matt Bromiley, @_bromiley, Certified Instructor, SANS Institute, @SANSInstitute

There’s one common denominator in every organization in the world. Every attacker - advanced or simple, persistent or opportunistic - needs it. Malware can’t move without it, but neither can your system administrators. And it remains one of the most underutilized sources of data to prevent, detect, and respond to cyber incidents. We’re talking about the network.

The network is what links your enterprise together. It is endpoint agnostic; packets move where they’re allowed to go. Users are able to access the resources they need to do their job. It’s the network that has allowed so many businesses to quickly transition to work-from-home models due to the complexities of 2020. However, without proper security in place, the network can also give a huge advantage to a wily attacker, who can move as freely as your users do.

The Network Security Track will focus on how we can better secure the network within our enterprises. We’ll look at the network as an attack surface, and discuss how enterprises can use network data to better detect and respond to incidents. We’ll also look at novel techniques to harness a corporate network, gleaning insight into normal day-to-day operations and systems within your environment that may be outside of endpoint monitoring. The network is a common point for all technologies within your environment - don’t miss the chance to learn how to secure it properly!

11:45 AM - 12:30 PM

Corelight

Open NDR and the Value of Encrypted Traffic

Greg Bell, Co-founder and Chief Strategy Officer, Corelight, @corelight_inc

Richard Bejtlich, @taosecurity, Chief Security Strategist, Corelight, @corelight_inc

NDR is a new product category with an unexpectedly rich history. In this talk, Greg Bell will trace the open source heritage of NDR, explain its growing prominence in the ‘SOC triad’ (especially as a growing percentage of Internet hosts are unmanaged), and make the case for community solutions to network defense. After this introduction, Richard Bejtlich will explain the value of NDR for security operations, even when a rising percentage of network traffic is encrypted.

12:30 - 12:45 PM Break
12:45 - 1:20 PM

ExtraHop

Ties That Bind: Why Network Detection and Response is Information Security's Common Thread

John Smith, Principal Security Engineer, ExtraHop, @ExtraHop

In the last ten years, there have been four different Linux Kernel releases with 21 different updates. On the Windows server side, there have been four different Windows server releases with over 10 different versions of the Windows OS. Consulting a compatibility matrix can be exhausting, and agent/forwarder compatibility with operating system updates can make portability a challenge. Couple these developments with the introduction of containers, cloud and "smart" IoT devices and we can see that, in contemplating the Cyber Triad of Logs, EDR and NDR, monitoring specific individual devices is a moving target.

Individual devices must be configured to send logs and will require endpoint detection and response agents to be installed. Apart from the fact that these solutions can be un-configured and uninstalled, just getting them deployed in the day-to-day entropy of today's enterprises makes visibility and monitoring of critical assets a significant challenge.

The common thread in all devices using all applications and protocols is the network. Network Detection and Response remains the only way to ensure visibility into critical infrastructure without the burden of installing, configuring or deploying forwarders or agents. Given the covert nature of NDR, it is also the most resilient, as it is not liable to being uninstalled or un-configured; the only prerequisite is an IP address. In this talk, we will discuss ways to augment and improve our investment in Logs and EDR, concluding with making the case to lead with Network Detection and Response.

1:25 - 2:00 PM

ESET

The Network is the New Endpoint - Lessons Learned from Defending Networks Against Complex Modern Threats

Cameron Camp, Specialized Security Researcher, ESET, @ESET

Today’s threats hit the network first to get to the endpoint, so today’s defense needs to move upstream and treat the network like its own endpoint. The defense strategy is determined by the threat modality, but here we look at recent threats, how they traversed the network for ingress, egress and lateral movement, and ways your organization can stop them before they get to the crown jewels.

2:00 - 2:30 PM

SEC 599: Purple Team Tactics & the new Purple Team Graduate Certificate from SANS.edu

Alissa Torres, @sibertor, Principal Instructor, SANS Institute, @SANSInstitute

Danna Wiseman, Assistant Director of Admissions - STI, SANS Institute, @SANSInstitute

As the information security industry continues to evolve and mature, organizations are increasingly implementing a more collaborative alternative to the old-fashioned red team vs. blue team methodology. SEC 599 offers the first step into purple teaming, including emulation and implementation of controls (prevention) and an introduction to security controls aimed at stopping, detecting, and responding to adversaries. We will also cover details on the new Purple Team graduate certificate program that leads to 5 GIAC certifications, including GDAT, offered by SANS.edu, an accredited SANS college.

2:00 - 2:30 PM Break

2:30 - 2:35 PM

Afternoon Kickoff

Matt Bromiley, @_bromiley, Certified Instructor, SANS Institute, @SANSInstitute

2:40 - 3:15 PM

Infoblox

Leveraging Foundation Network Services to Secure the Borderless Enterprise

Anthony James, @malwarewarfare, Vice President, Product Marketing, Infoblox, @Infoblox

Foundational network services are not only critical for connectivity but cannot be overlooked as a comprehensive set of security controls, especially in times of crisis and change, like the recent influx of home/remote workers. A recent independent study surveyed over 200 enterprise Security and Response (S&R) professionals, revealing their reliance on foundational network services to detect and block threats early in the kill chain, identify compromised devices, and make incident investigation and response faster and more efficient.

This session will discuss some of the top findings from forward-looking enterprises that underscore the role of foundational network services in cybersecurity practices, including:

  • Prioritizing threat investigations

  • Detecting and blocking modern threats

  • Protecting against attacker techniques that other security tools miss

  • Automating and accelerating incident response.

3:20 - 3:55 PM

CyberGRX

Protecting your Network from Third-Party Vulnerabilities

Shane Hasert, Director of Assessment Operations, CyberGRX, @CyberGRX

While network security is a must for all organizations, many still struggle to identify and address the network vulnerabilities created by third-party and partner organizations. This session will walk through some examples of when it is appropriate to provide network access to third parties, how third-party vulnerabilities may affect your network security, and how to identify and address those vulnerabilities.

4:00 - 4:35 PM

IronNet

Automating Context: The Key to Lower False Positives

Dean Teffer, @DeanTeffer, Vice President, Detection and Prioritization, IronNet, @IronNet

How can we reduce false positives when we are trying to detect indicators of compromise on our networks? That’s easy: make more accurate detectors! Threat research and data analytics teams receive constant — and conflicting — complaints about missing important detections, while generating too many false positive alerts. These are usually mutually exclusive problems — but is there a different approach that can help with both?

Threat hunters spend all day sifting through events and logs for context and correlations to corroborate alerts and hunches and to develop investigations. More and more, security vendors are making an effort to combine data from many sources and many different observation points throughout the environment, from endpoint to network to cloud.

But the key is to make it easy. Streamlining the search across disparate data sources and applying automatically correlated data within behavioral and other “pattern of life” analytics can provide more relevant, contextual information and result in lower false positives.

4:35 - 4:50 PM Break

4:50 - 5:35 PM

Corelight

IronNet

Panel Discussion

Githubification of InfoSec: Let's Discuss

Brian Dye, @dye_brian, Chief Executive Officer, Corelight, @corelight_inc

John Lambert, @JohnLaTwC, Distinguished Engineer, Microsoft, @Microsoft

Thomas Patzke, Cyber Security Analyst, Sigma project

Samir Bousseaden, @SBousseaden, Security Researcher, Elastic, @elastic

Dean Teffer, @DeanTeffer, Vice President, Detection and Prioritization, IronNet, @IronNet

In his influential essay on the ‘Githubification of InfoSec’, Microsoft’s John Lambert explores the growing ecosystem of open SOC tools, highlighting the impact of Sigma, MITRE ATT&CK, and Jupyter notebooks. The most powerful tools in this ecosystem are extensible platforms that facilitate the efficient exchange of knowledge, and they gather communities around them. In this panel, Lambert and others will explore the operational, cultural, and commercial implications of this compelling new paradigm.

5:35 - 5:45 PM

Closing Remarks

Matt Bromiley, @_bromiley, Certified Instructor, SANS Institute, @SANSInstitute