Top Instructors Share Their Expertise ONLINE at SANS - Special Offers Available NOW!


To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Once you register, you can download the presentation slides below.

Force Multiplier: How we use SOAR to maximize our own SOC analyst efficiency while minimizing fatigue and burnout

  • Thursday, July 16, 2020 at 3:30 PM EDT (2020-07-16 19:30:00 UTC)
  • Chris Gebhardt, Chris Crowley


  • Stratozen

You can now attend the webcast using your mobile device!



As SANS notes: "Today, security operations do not suffer from a "Big Data" problem but rather a "Data Analysis" problem."

This session will discuss how StratoZen took a new approach to SOC challenges by building our own SOAR tools with DevOps principles to make SOC analysts more efficient and increase performance. StratoZen developed our SOAR tools based on observations of SOC analyst behavior, analysis of over 20 billion logs per day, and a vast inventory of logged repetitive actions. With our new tools and practices, we've achieved over 50% increase in individual SOC analyst efficiency, no voluntary turnover in over a year, and an analyst-to-device ratio of well over 1:10,000.

This session will not be a product demonstration. We will focus on showcasing the practices and philosophies we used to create these efficiencies in order to share our experience with the larger cybersecurity community. These principles can be used by any organization.

Speaker Bios

Chris Gebhardt

Chris Gebhardt is the Vice President of Cybersecurity Operations for Stratozen in Draper, UT. Chris was exposed to technology early in life growing up in New York. His career focused on the use of technology and security for government and corporate entities including the FBI, DOJ, BJS, eBay,, and numerous private equity firms. Chris is a dynamic speaker often challenging the widely held beliefs of the cybersecurity community. He is experienced with SOC 2, SOX, HIPAA, GDPR, ISO, and other compliance frameworks.

Chris Crowley

Christopher Crowley is the course author for SANS Management 517 - Managing Security Operations and SANS Management 535 - Incident Response Team Management. Chris holds several industry certifications including the GSEC, GCIA, GCIH (gold), GCFA, GPEN, GMOB, GASF, GREM, GXPN, and CISSP. His teaching experience includes FOR585, MGT517, MGT535, SEC401, SEC503, SEC504, SEC560, SEC575, and SEC580; Apache web server administration and configuration; and shell programming. He was awarded the SANS 2009 Local Mentor of the year award. "The Mentor of the Year Award is given to SANS Mentors who excel in leading SANS Mentor Training classes in their local communities." Mr. Crowley spends his spare time mountain biking, rock climbing and savoring epicurean treats.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.