Pen Test Austin - Two NEW courses, NetWars, CyberCity, Challenge coins all in Austin, TX!

Security Operations Summit 2019

New Orleans, LA | Mon, Jun 24, 2019 - Mon, Jul 1, 2019
Event starts in 89 Days

Security Operations Summit Agenda

June 24-25 | New Orleans

Summit speakers

The Security Operations Summit brings together prominent practitioners from leading organizations for two days of in-depth talks and panel discussions around building, operating, and maturing a successful security operations program. Speakers will share innovative approaches and techniques they've used to enhance the key operational functions of a SOC: network monitoring, incident response, threat intelligence, forensics, self-assessment, and the command center.

Confirmed Sessions:

Virtuous Cycles: Rethinking the SOC for Long-Term Success

Many Security Operations Centers (SOCs) have a burnout problem that leads to negativity and constant turnover. With the increasing cybersecurity talent shortage, keeping the people we have will only become increasingly important. The problem is that "Tier 1" and other SOC roles seem destined to burn people out. So what do we do? While the field of psychology understands the factors that cause burnout, many SOCs do not take the time to do the research and create an environment to fight it. Though meticulously defined process and tiering may be the norm, does it lead to sacrificing quality in the long term? Using science-backed research on intrinsic motivation and studies on SOC burnout factors, this talk will make the case that it's time to reconsider how we structure SOCs in order to create long-term success that benefits both the individual and the organization.

John Hubbard (@SecHubb), Author and Certified Instructor, SANS Institute

The Call Is Coming from Inside the House: How Does Your SOC Respond When Attackers Are On-Site?

Many of the most agile and well-trained blue teams rehearse response procedures and conduct tabletop scenarios to better prepare for incidents as overt as targeted phishing campaigns by outsiders, as subtle as illicit data exfiltration by a data breach, and as innocuous as unauthorized network activity by over-zealous employees. And while you may think you've prepared and practiced for a wide range of threats, have you ever considered how your Security Operations Centers (SOC) would react during a physical compromise? My team engages in physical security penetration, inserting ourselves within your perimeter and proceeding on-site through corporate campuses, office buildings, and data centers. During the course of such operations, we engage in a wide range of tactics specifically geared to frustrate and confuse SOC teams. This talk will walk attendees through a series of case studies of what can happen if attackers have direct access to doors, compromise your communication system, or don your own company uniforms. How would your SOC react to attackers who don't simply show up on network maps, but rather show up at the front door?

Deviant Ollam (@deviantollam), CORE Group

Mental Models for Effective Searching

One of the most intimidating challenges many analysts face is a blank search bar. That search bar is the only thing standing between you and a mountain of data containing the answers you need to determine if a compromise has occurred on your network. It’s for this reason that effective searching is a core competency for investigators. This presentation will provide a conceptual framework for effective searching, show how to master any search tool faster, and offer strategies to combat the biases and limitations of the mind that can negatively affect your ability to process search results.

Chris Sanders (@chrissanders88), Founder, Applied Network Defense; and Founder, Rural Technology Fund (@RuralTechFund)

Rapid Recognition and Response to Rogues

The need to detect rogue devices on a network is part of the first control listed in the CIS Top 20 Critical Security Controls (Actively Manage Inventory and Control of all Hardware Assets). There are many solutions to monitor, detect, and respond to rogue devices on enterprise networks. These include commercial, open-source, and home-grown capabilities. Each solution uses different methods of determining what a rogue device is. In this talk we will cover several of those methods along with their strengths and weaknesses. We’ll also discuss the pros and cons of different responses that enterprises can take when rogues are found. But we will focus on using different techniques to show how a simple detection, which is usually just an IP address, can be enhanced to provide enough details to the analyst to speed up response decisions and even automate some responses based on business logic. We’ll demonstrate this by using one rogue detection tool to tackle a simple detection of a suspicious IP, add information to the event to make analysis easier, and show how that enhanced event can be used for automated responses.

Craig Bowser (@reswob10), Senior Security Engineer, U.S. Department of Energy

Use Case Development Utilizing an ARECI Chart

This presentation will describe use case development from the perspective of a Managed Security Service Provider (MSSP) but that is also useful for internal SOCs/CERTs. The case starts with a simple requirement statement, through scenario development, and on to the Analysis of Required Evidence for Correlation and Investigation (ARECI) chart to help inform engineers about alert development and system owners about detection development. The ARECI chart consists of a list of data/sources that analysts and engineers will rely on to conduct their respective work. This data/source list will be categorized, broken down into specific sources, and then analyzed for its value to alert development as well as incident response investigation. Data and sources are not limited to ingested log/event streams. Data can include data retained in the SIEM from system infrastructure, asset databases, configuration databases, org personnel data, threat intelligence, etc. Once a few team members (OPs and engineering alike), have derived what data/sources they think they need to complete their work, attention turns to the environment to ascertain if those data are available, available in the SIEMS, or not available at all. This then completes the ARECI chart and allows for conducting a feasibility assessment to determine whether the use case should move forward into an engineering phase, the environment needs to be adjusted, or new capability needs to be added to satisfy (remove gaps from) the chart requirements. Multiple ARECI charts from similar enough use cases can then be stacked to produce a compound list of gaps, which can then be ranked, prioritized, and packaged for advice to the customer. Finally, a key component to the use case development life cycle is teamwork. The fusion of security operations/analytics staff and SIEMS engineering staff at the early stage of the development life cycle helps both sides appreciate their distinctly different work and discreet goals. It creates a developer/user relationship that enhances the overall development of detection and alert presentation, and helps SOCs keep ahead of efforts to evade detection while improving their own capability and avoiding atrophy.

Nathan Clarke (@GeekNathn), APAC Advanced SOC (ASOC) Manager, Verizon Australia

Use Case Development as a Driver for SOC Maturation

When developing a Security Operations Center (SOC), it is important to define what you want to accomplish and to develop a road map to get there. The road map initially includes the development of policies, procedures, and process implementation to mature the SOC to a point where it is defined and repeatable. It is capped off by identifying and reporting on metrics, and having management review the program on an annual basis for effectiveness. At the heart of process development is identifying and maturing use cases. When standing up a Security Operations Program, whether it is a stand-alone program in large organizations or involves conducting security operations as another aspect of everyday information security policies, it is important to understand what a mature program should look like. Example goals and objectives might focus on understanding what is “on the wire” and “how endpoints are behaving.” This means knowing what protocols, connections, and data are in use, being made, and flowing in, out, and through the network. It also requires understanding what services, processes, and applications are running on each endpoint. Attendees will learn about developing the desired outcomes for the SOC, identifying use cases, and the understanding the process of maturing the use cases. Two examples of use cases developed and consistently matured will be shared, including identifying malicious user agent strings and suspect SMB connections. Attendees will learn how effective alerting becomes when the use cases that are employed are matured over time, focusing on attack vectors specific to threats the entity faces and specific protocols, services, and processes available internally. By the end of the presentation you will be armed with activities that you can begin using on your first day back at the office.

Eric C. Thompson (@ectcyberhipaa), Director of Information Security and IT Compliance, Blue Health Intelligence

Managing Security Operations in the Cloud

Our goal is to prevent unexpected access to cloud resources. To do this we must maintain strong identity and access policies (IAM) and effectively detect and react to changes. In this session we will discuss tools within the cloud for managing IAM in order to control access to cloud resources. We will also cover how to deploy and control cloud infrastructures using code templates that include change management policies.

Marc Baker, Online Training Subject-Matter Expert, SANS Institute

Lessons Learned Applying ATT&CK-Based SOC Assessments

The ATT&CK framework has seen a rise in popularity in the security community, with more and more Security Operations Centers (SOCs) wanting to ATT&CK. To help SOCs get into the game of using ATT&CK, MITRE has developed a process to quickly gauge a SOC’s detective capabilities as they relate to the ATT&CK framework, producing a “coverage heatmap” as well as a set of recommendations the SOC can use to improve its operations. The process is low-overhead, focusing only on interviews and documentation analysis, but it provides useful results for SOCs that want to understand how their current capabilities stack up to ATT&CK. In this talk, we’ll call on our practical experiences to describe some of the key lessons learned we’ve discovered when applying ATT&CK-based SOC assessments, ranging from the best ways to conduct the assessment to how to effectively communicate results to leadership. The lessons and tips that we present will be widely accessible, helping those who are interested in conducting third-party assessments, who want to assess their own SOCs, or who just want to learn about the assessment process in general. Attendees should walk away with a better understanding of how they can run and use ATT&CK-based SOC assessments, including tips on avoiding traps and pitfalls in the process.

Andy Applebaum (@andyplayse4), Lead Cyber Security Engineer, MITRE

Shared Security Services: How to Adjust to an Ever-growing Landscape of Security Operations Center Responsibilities

As organizations have grown to understand the importance of growing their Security Operations Centers (SOCs) to support the needs of their business units, security teams have also had to take on greater workloads and demands. SOCs are forced to accommodate to the growth of the business at the expense of the quality of their own work. This talk will help you realize the full potential of your SOC and consolidate its success for years to come. Topics of takeaway will include metrics that can be used to track a SOC that is being overworked; how to approach upper management to ask for resources to help grow and strengthen a shared SOC; how using threat intelligence can make more informed and smarter alerts to help reduce workloads; how to grow SOCs using a risk-based approach; and how growth spurs the need for a SOAR-based approach, and how to implement such an approach.

Kevin Garvey (@TheKevinGarvey), Manager - Incident Response and Threat Management, Warner Media