



Architecting for Security Operations: Divide and Conquer!

  • Wednesday, February 26, 2020 at 3:30 PM EST (2020-02-26 20:30:00 UTC)
  • Ismael Valenzuela, Rob Gresham




Do you SOC? If so, you probably know how hard it can be to make the most of your existing security technologies in a way that supports your mission. Chances are you didn't have the opportunity to design and build your security architecture from scratch either, and that you have a mix of endpoint, network, and cloud security solutions to defend both legacy and newer mission-critical systems. At this point, you have also probably realized that prevention will often fail, and that, ironically, traditional security architectures were built with a focus on protection, not detection, hunting, or response. That's why it's important that we, as all-around defenders, learn how to architect and engineer with security operations in mind.

Using the concepts presented in Security 530: Defensible Security Architecture and Engineering, and leveraging community projects like MITRE ATT&CK and TTP0, Ismael Valenzuela and Rob Gresham will explain how "divide and conquer", i.e. architecting around zones and tiers, can help blue teamers defend their organization. Taking both IT and business context into account, this approach simplifies building effective use cases and sets the stage for efficient processes for prevention, detection, threat hunting, and response.

Speaker Bios

Ismael Valenzuela

SANS Certified Instructor Ismael Valenzuela is coauthor of the Cyber Defense and Blue Team Operations course, SANS SEC530: Defensible Security Architecture and Engineering, and holds many professional certifications, including the highly regarded GIAC Security Expert (GSE #132).

Since he founded one of the first IT Security consultancies in Spain, Ismael Valenzuela has participated as a security professional in numerous projects across the globe over the past 19 years. Prior to his current role as Senior Principal Engineer at McAfee, where he leads research on threat hunting using machine-learning and expert-system driven investigations, Ismael led the delivery of SOC, IR & Forensics services for the Foundstone Services team within Intel globally. Previously, Ismael worked as Global IT Security Manager for iSOFT Group Ltd, one of the world's largest providers of healthcare IT solutions, managing their security operations in more than 40 countries.

Rob Gresham

Rob has over 15 years of experience building and running security operations teams while providing incident response, security architecture, forensics, and threat intelligence to public and private entities in support of civil and criminal investigations. His experience includes years of instructing on cyber threat intelligence, incident response, and overall security operations processes, architecture, and design. He currently works as a global Senior Manager, Security Solutions Architect at Splunk, specializing in Security Orchestration, Automation and Response. Below are some of the videos and presentations Rob has done.

  • Hacking your SOEL at SANS SOC Summit
  • Threat Intelligence: Not a Wild Goose Chase
