Top Instructors Share Their Expertise ONLINE at SANS - Special Offers Available NOW!


To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Once you register, you can download the presentation slides below.

SANS Threat Intelligence Briefing

  • Thursday, November 05, 2015 at 10:30 AM EST (2015-11-05 15:30:00 UTC)
  • Robert M. Lee


  • RecordedFuture
  • LogRhythm

You can now attend the webcast using your mobile device!



The SANS Threat Intelligence Vendor briefing will educate participants on current capabilities and products available in the marketplace for satisfying their threat intelligence needs. This will be done through a focus on educating the participants what threat intelligence is, how to identify their information attack space, what internal network data and analytics help save analysts time, and how to use actionable intelligence to drive security at their organizations. During the event SANS will also give a presentation on its brand new FOR578 - Cyber Threat Intelligence course that is now officially out of BETA and already selling out at venues in the U.S. and Europe.

Join SANS on November 5, 2015, for a half day, morning breakfast briefing on this critical topic. This event will be both LIVE and SIMULCASTED.

In the Denver area? Join us at the Live Event. Register here:
Thursday, November 5, 2015
Time Event
8:00am - 8:30am Registration & Breakfast Networking
8:30am - 8:45am Welcome & Opening Remarks

Rob M. Lee, SANS Institute

8:45am - 9:30am How to Build a World-Class Threat Intelligence Capability From Scratch

Threat intelligence is a broad subject and the natural tendency is to produce intelligence on any topic or event regardless of its applicability to the company. True success in threat intelligence depends on focusing intelligence efforts to very specific business objectives, which removes the large surface area and leaves only a challenging sliver of ultra-high value to pursue. This presentation will reveal critical concepts and practical details, where necessary, to produce a world-class threat intelligence capability from scratch.

Levi Gundert, Vice President of Threat Intelligence, RecordedFuture

9:30am - 10:15am Panel Discussion: Challenges Facing the Threat Intelligence Industry

This panel will focus on insights from the expert members on what challenges face the threat intelligence industry today and how they might impact the community. Threat intelligence is an extremely useful capability but is often misunderstood and mislabeled. More so, some vendors have promised threat intelligence will serve as a silver bullet for security. This panel will focus on dispelling the hype and focusing on the value of threat intelligence.


  • Robert M. Lee, SANS Institute


  • Levi Gundert, Vice President of Threat Intelligence, RecordedFuture
  • Soren G. Frederiksen, Sales Engineer, LogRhythm
  • Toni Gidwani, Director of Analysis and Production, ThreatConnect

10:15am - 10:30am FOR578 - Cyber Threat Intelligence: What to Expect

This presentation will explain the thought process behind the new SANS class: FOR578 - Cyber Threat Intelligence, what went into its development, and what students can expect from taking it. The talk will present a detailed look at the course while also focusing on a few key takeaways such as the value of threat intelligence training for individuals and the role of the analyst.

Robert M. Lee, SANS Institute

10:30am - 10:45am Networking Break
10:45am - 11:30am Presentation by ThreatConnect

Toni Gidwani, Director of Analysis and Production, ThreatConnect

11:30am - 12:15pm Using Threat Intelligence in a SIEM

Threat Intelligence needs to be incorporated into a Security Information and Event Management (SIEM) system. This presentation will discuss the requirements of a SIEM and how Threat Intelligence can be incorporated into a SIEM. Also learn about the Security Intelligence Maturity Model and how Threat Intelligence helps with the security posture of a company.

Soren G. Frederiksen, Sales Engineer, LogRhythm

12:15pm - 12:30pm Closing Remarks

Robert M. Lee, SANS Institute

Speaker Bio

Robert M. Lee

Robert M. Lee is the CEO and Founder of the critical infrastructure cyber security company Dragos Security LLC where he has a passion for control system traffic analysis, incident response, and threat intelligence research. He is a SANS Certified Instructor and the course author of SANS ICS515 - "Active Defense and Incident Response" and the co-author of SANS FOR578 - "Cyber Threat Intelligence." Robert is also a non-resident National Cyber Security Fellow at New America focusing on policy issues relating to the cyber security of critical infrastructure and a PhD candidate at Kings College London. For his research and focus areas, he was named one of Passcode's Influencers, awarded EnergySec's 2015 Cyber Security Professional of the Year, and named to the 2016 Forbes' 30 Under 30 list.

Robert obtained his start in cyber security in the U.S. Air Force where he served as a Cyber Warfare Operations Officer. He has performed defense, intelligence, and attack missions in various government organizations including the establishment of a first-of-its-kind ICS/SCADA cyber threat intelligence and intrusion analysis mission. Robert routinely writes articles in publications such as Control Engineering and the Christian Science Monitor's Passcode and speaks at conferences around the world. Lastly, Robert, is author of the book "SCADA and Me" and the weekly web-comic

"Rob is the best instructor I have seen. Real world examples, humor, time efficient, [and] effective."
- Toni Benson, Cyber Analyst

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.