
Security Operations Summit 2019

New Orleans, LA | Mon, Jun 24, 2019 - Mon, Jul 1, 2019

Security Operations Summit Agenda

June 24-25 | New Orleans


The Security Operations Summit brings together prominent practitioners from leading organizations for two days of in-depth talks and panel discussions around building, operating, and maturing a successful security operations program. Speakers will share innovative approaches and techniques they've used to enhance the key operational functions of a SOC: network monitoring, incident response, threat intelligence, forensics, self-assessment, and the command center.

Monday, June 24
9:00-9:15 am
Welcome and Opening Remarks

Chris Crowley (@CCrowMontance), Summit Chair and Principal Instructor, SANS Institute

9:15-10:00 am

Lessons Learned Applying ATT&CK-Based SOC Assessments

The ATT&CK framework has seen a rise in popularity in the security community, with more and more Security Operations Centers (SOCs) wanting to ATT&CK. To help SOCs get into the game of using ATT&CK, MITRE has developed a process to quickly gauge a SOC’s detective capabilities as they relate to the ATT&CK framework, producing a coverage heatmap as well as a set of recommendations the SOC can use to improve its operations. The process is low-overhead, focusing only on interviews and documentation analysis, but it provides useful results for SOCs that want to understand how their current capabilities stack up to ATT&CK. In this talk, we’ll call on our practical experiences to describe some of the key lessons learned we’ve discovered when applying ATT&CK-based SOC assessments, ranging from the best ways to conduct the assessment to how to effectively communicate results to leadership. The lessons and tips that we present will be widely accessible, helping those who are interested in conducting third-party assessments, who want to assess their own SOCs, or who just want to learn about the assessment process in general. Attendees should walk away with a better understanding of how they can run and use ATT&CK-based SOC assessments, including tips on avoiding traps and pitfalls in the process.

Andy Applebaum (@andyplayse4), Lead Cyber Security Engineer, MITRE

10:00-10:30 am Networking Break
10:30-11:05 am

Use Case Development Utilizing an ARECI Chart

This presentation will describe use case development from the perspective of a Managed Security Service Provider (MSSP), but the approach is also useful for internal SOCs/CERTs. The case starts with a simple requirement statement, proceeds through scenario development, and on to the Analysis of Required Evidence for Correlation and Investigation (ARECI) chart, which helps inform engineers about alert development and system owners about detection development. The ARECI chart consists of a list of data/sources that analysts and engineers will rely on to conduct their respective work. This data/source list will be categorized, broken down into specific sources, and then analyzed for its value to alert development as well as incident response investigation. Data and sources are not limited to ingested log/event streams. Data can include data retained in the SIEM from system infrastructure, asset databases, configuration databases, org personnel data, threat intelligence, etc. Once a few team members (Ops and engineering alike) have derived what data/sources they think they need to complete their work, attention turns to the environment to ascertain whether those data are available, available in the SIEM, or not available at all. This then completes the ARECI chart and allows for conducting a feasibility assessment to determine whether the use case should move forward into an engineering phase, the environment needs to be adjusted, or new capability needs to be added to satisfy (remove gaps from) the chart requirements. Multiple ARECI charts from sufficiently similar use cases can then be stacked to produce a compound list of gaps, which can then be ranked, prioritized, and packaged as advice to the customer. Finally, a key component of the use case development life cycle is teamwork. The fusion of security operations/analytics staff and SIEM engineering staff at the early stage of the development life cycle helps both sides appreciate their distinctly different work and discrete goals. It creates a developer/user relationship that enhances the overall development of detection and alert presentation, and helps SOCs keep ahead of efforts to evade detection while improving their own capability and avoiding atrophy.

Nathan Clarke (@GeekNathn), APAC Advanced SOC (ASOC) Manager, Verizon Australia

11:05-11:40 am

Use Cases Development as a Driver for SOC Maturation

When developing a Security Operations Center (SOC), it is important to define what you want to accomplish and to develop a road map to get there. The road map initially includes the development of policies, procedures, and process implementation to mature the SOC to a point where it is defined and repeatable. It is capped off by identifying and reporting on metrics, and having management review the program on an annual basis for effectiveness. At the heart of process development is identifying and maturing use cases. When standing up a Security Operations Program, whether it is a stand-alone program in a large organization or involves conducting security operations as another aspect of everyday information security policies, it is important to understand what a mature program should look like. Example goals and objectives might focus on understanding what is "on the wire" and "how endpoints are behaving". This means knowing what protocols, connections, and data are in use, being made, and flowing in, out, and through the network. It also requires understanding what services, processes, and applications are running on each endpoint. Attendees will learn about developing the desired outcomes for the SOC, identifying use cases, and understanding the process of maturing the use cases. Two examples of use cases developed and consistently matured will be shared, including identifying malicious user agent strings and suspect SMB connections. Attendees will learn how effective alerting becomes when the use cases that are employed are matured over time, focusing on attack vectors specific to threats the entity faces and on the specific protocols, services, and processes available internally. By the end of the presentation you will be armed with activities that you can begin using on your first day back at the office.

Eric C. Thompson (@ectcyberhipaa), Director of Information Security and IT Compliance, Blue Health Intelligence

11:40 am - 12:15 pm

A SOC Technology/Tools Taxonomy – And Some Uses for It

There are literally hundreds of different tools and technologies that are in use for monitoring and managing security operations. There is no such thing any more as “a quick walk through the vendor expo” at any major security conference. Security managers looking to establish or evolve a SOC face a confusing array of choices when looking to justify technology funding, as well as staffing and training.

Chris Crowley will present a taxonomy of SOC tools and technologies he has developed, taking a portfolio view and mapping across moderate/advanced budget levels and showing typical owned by/used by patterns. John Pescatore will share a decision methodology for using that information to optimize your strategy for increasing your SOC capabilities and maturity level based on common business drivers and security operations patterns.

Chris Crowley (@CCrowMontance), Summit Chair and Principal Instructor, SANS Institute

John Pescatore, Director of Emerging Technologies, SANS Institute

12:15-1:15 pm Lunch & Learn Sessions
1:15-1:50 pm

Mental Models for Effective Searching

One of the most intimidating challenges many analysts face is a blank search bar. That search bar is the only thing standing between you and a mountain of data containing the answers you need to determine if a compromise has occurred on your network. It’s for this reason that effective searching is a core competency for investigators. This presentation will provide a conceptual framework for effective searching, show how to master any search tool faster, and offer strategies to combat the biases and limitations of the mind that can negatively affect your ability to process search results.

Chris Sanders (@chrissanders88), Founder, Applied Network Defense; and Founder, Rural Technology Fund (@RuralTechFund)

1:50-2:25 pm

Managing Security Operations in the Cloud

Our goal is to prevent unexpected access to cloud resources. To do this we must maintain strong identity and access management (IAM) policies and effectively detect and react to changes. In this session we will discuss tools within the cloud for managing IAM in order to control access to cloud resources. We will also cover how to deploy and control cloud infrastructure using code templates that include change management policies.

Marc Baker, Online Training Subject-Matter Expert, SANS Institute

2:25-2:55 pm Networking Break
3:00-3:35 pm

Virtuous Cycles: Rethinking the SOC for Long-Term Success

Many Security Operations Centers (SOCs) have a burnout problem that leads to negativity and constant turnover. With the increasing cybersecurity talent shortage, keeping the people we have will only become increasingly important. The problem is that "Tier 1" and other SOC roles seem destined to burn people out. So what do we do? While the field of psychology understands the factors that cause burnout, many SOCs do not take the time to do the research and create an environment to fight it. Though meticulously defined process and tiering may be the norm, does it lead to sacrificing quality in the long term? Using science-backed research on intrinsic motivation and studies on SOC burnout factors, this talk will make the case that it's time to reconsider how we structure SOCs in order to create long-term success that benefits both the individual and the organization.

John Hubbard (@SecHubb), Author and Certified Instructor, SANS Institute

3:35-4:30 pm

2019 SANS SOC Survey Preview: Live Simulcast

The 2019 SANS SOC Survey will be released in early July. Join Chris Crowley live or via simulcast for a discussion of what's new in this year's survey, and a sneak peek into topics and responses from this year's results. He will talk about the detailed interviews included this year, and highlight the methodology used to develop the results that many organizations use to direct SOC activities for the following year.

If you can't attend the 2019 SANS Security Operations Summit in New Orleans, attend the simulcast! Registration details to be announced.

Chris Crowley (@CCrowMontance), Summit Chair and Principal Instructor, SANS Institute

4:30-4:45 pm
Day 1 Wrap-Up and Action Items
6:00-8:00 pm

Summit Night Out

Join us at Fulton Alley for an evening of food, fun, networking and gaming.

Tuesday, June 25
9:00-9:45 am

How to Disrupt an Advanced Cyber Adversary

The number of cyber actors that utilize a high degree of tool sophistication and tradecraft techniques has skyrocketed in the last few years. We usually refer to them as "advanced persistent threats." As the number of capable threat actors grows, it is imperative for organizations to have a clear picture and good understanding of the actions they can take to disrupt, deny, or even prevent cyber-attacks. Whether the actors are nation states, cybercrime gangs, or cyber mercenaries, this talk will share lessons learned from actual cyber activities, investigations, and best practices that can help you improve your own cyber defenses.

Manny Castillo (@cyberwarrior777), Senior Information Security Technical Executive, Federal Bureau of Investigation

9:45-10:15 am Networking Break
10:15-10:50 am

Breach -> ATT&CK -> Osquery: Learning from Breach Reports to Improve Cross-platform Endpoint Monitoring

There's plenty of news about breaches, but the reporting is usually so vague that, as defenders, we don't get enough useful information about what actually happened to help us improve our defenses. However, in 2018, both the SingHealth (Singapore) and Equifax (United States) breaches resulted in significant, detailed reports. In this talk, we will look at significant findings from these reports and map them to the MITRE ATT&CK framework in order to understand whether our defenses are effective. We will then look at how we can monitor our systems with the open-source and cross-platform tool Osquery in order to detect such breaches on Windows, Mac, and Linux.

Guillaume Ross, Lead Security Researcher, Uptycs

10:50-11:25 am

Shared Security Services: How to Adjust to an Ever-growing Landscape of Security Operations Center Responsibilities

As organizations have grown to understand the importance of growing their Security Operations Centers (SOCs) to support the needs of their business units, security teams have also had to take on greater workloads and demands. SOCs are forced to accommodate the growth of the business at the expense of the quality of their own work. This talk will help you realize the full potential of your SOC and consolidate its success for years to come. Takeaway topics will include metrics that can be used to track a SOC that is being overworked; how to approach upper management to ask for resources to help grow and strengthen a shared SOC; how threat intelligence can produce more informed and smarter alerts to help reduce workloads; how to grow SOCs using a risk-based approach; and how growth spurs the need for a SOAR-based approach, and how to implement such an approach.

Kevin Garvey (@TheKevinGarvey), US IT Security Manager, CLS International Bank

11:25 am - 12:10 pm

The Call Is Coming from Inside the House: How Does Your SOC Respond When Attackers Are On-Site?

Many of the most agile and well-trained blue teams rehearse response procedures and conduct tabletop scenarios to better prepare for incidents as overt as targeted phishing campaigns by outsiders, as subtle as illicit data exfiltration in a data breach, and as innocuous as unauthorized network activity by over-zealous employees. And while you may think you've prepared and practiced for a wide range of threats, have you ever considered how your Security Operations Center (SOC) would react during a physical compromise? My team engages in physical security penetration, inserting ourselves within your perimeter and proceeding on-site through corporate campuses, office buildings, and data centers. During the course of such operations, we engage in a wide range of tactics specifically geared to frustrate and confuse SOC teams. This talk will walk attendees through a series of case studies of what can happen if attackers have direct access to doors, compromise your communication system, or don your own company uniforms. How would your SOC react to attackers who don't simply show up on network maps, but rather show up at the front door?

Deviant Ollam (@deviantollam), Director of Education, The CORE Group

12:10-1:30 pm Lunch
1:30-2:05 pm

How to Literally Think Like an Attacker to Become a Better Defender

For years, defenders have been educating themselves on the tradecraft being used by adversaries. At the same time, defenders continue to lose the battle, even when armed with some of the greatest talent and technologies in the world. Why is this? This talk will examine why technology alone is not helping close the gap and explain the importance that our own minds play in the role of defense. Attendees will learn:

• Key similarities between defenders and attackers

• How to avoid counterfactual thinking that focuses on past negative events

• The role our thoughts play in behavior and outcomes

• Strategies for adopting a new forward-looking mindset that instills ownership, pride, and confidence

Eric Groce, Incident Handler, Red Canary

2:05-2:40 pm

Arming SecOps with a Special Forces Targeting Process

In the face of high demand and limited resources, it is critical for security operations programs to work smarter, not harder. Using the F3EAD targeting process, we maximize our small unit's resources to hunt and respond to threats in a large and highly complex environment. Find, Fix, Finish, Exploit, Analyze, Disseminate, or F3EAD, is a methodology originating in military special forces doctrine that fuses the operations and intelligence cycles. F3EAD uses intelligence and targeting to increase the effectiveness and efficiency of hunt and response activities. This talk will provide key lessons learned from our experience using F3EAD and MITRE ATT&CK to protect high-value people and assets at a tier-one research institution.

Andrew Stokes (@_andrewstokes), Information Security Officer, Texas A&M Engineering

2:40-3:00 pm Networking Break
3:00-3:35 pm

The Case for Building Your Own SOC Automations

Security Orchestration, Automation and Response (SOAR) platforms promise easy automation of security operations center (SOC) tasks, but can it be as easy as the product vendors say it is? Is there still a case to be made for learning how to automate SOC processes yourself? Is all hope lost for those who do not have the latest SOAR products? What can be done when you ask your product vendor whether they have compatibility with an existing network device and they respond with "We have an API"? Attendees will be given examples of how to automate security operations and intelligence gathering that they can use to mature their security operations.

Nathanael Kenyon, Mentor, SANS Institute

3:35-4:10 pm

Rapid Recognition and Response to Rogues

The need to detect rogue devices on a network is part of the first control listed in the CIS Top 20 Critical Security Controls (Actively Manage Inventory and Control of all Hardware Assets). There are many solutions to monitor, detect, and respond to rogue devices on enterprise networks. These include commercial, open-source, and home-grown capabilities. Each solution uses different methods of determining what a rogue device is. In this talk we will cover several of those methods along with their strengths and weaknesses. We’ll also discuss the pros and cons of different responses that enterprises can take when rogues are found. But we will focus on using different techniques to show how a simple detection, which is usually just an IP address, can be enhanced to provide enough details to the analyst to speed up response decisions and even automate some responses based on business logic. We’ll demonstrate this by using one rogue detection tool to tackle a simple detection of a suspicious IP, add information to the event to make analysis easier, and show how that enhanced event can be used for automated responses.

Craig Bowser (@reswob10), Senior Security Engineer, U.S. Department of Energy

4:10-4:45 pm

This Will Never Work: Tales from Disappointingly Successful Pen Tests

The deck is stacked against cyber defenders. Budget and responsibility scope seem to obey the inverse square law, budget shrinking exponentially as scope grows. Worse yet, internal breakdowns can be much more useful to an adversary than the latest zero day. Lapses in communications, unclear delineations of ownership, and neglecting to time-box security exceptions can cause far-reaching blind spots. Over the years I've had the privilege of participating in engagements working closely with the SOC and forensic analysts, witnessing some forehead-slapping, groan-inducing moments that have made the words "This will never work" just as infamous as "Hold my beer" on my teams. Enjoy my cautionary tales, but learn from our previous blunders so you don't have to learn from your own!

Derek Rook (@_r00k_), Senior Manager, Offensive Security, Teradata; Instructor, SEC504, SANS Institute

4:45-5:00 pm
Wrap-Up and To Do List

Chris Crowley (@CCrowMontance), Summit Chair and Principal Instructor, SANS Institute