XDR/EDR Solutions Forum 2023

  • Friday, 15 Sep 2023 10:30AM EDT (15 Sep 2023 14:30 UTC)
  • Speaker: Matt Bromiley

Adversaries get to hone and change their tradecraft whenever it suits them. If they notice a subtle difference in an environment, they pivot to avoid and/or delay detection. Who says defenders cannot do the same, pivoting with technology to enable smarter defenses? With the detection and investigation, automation, and integration capabilities available in today’s security solutions, this should be a no brainer!

In the 2023 XDR/EDR forum, we’re going to examine how to best utilize the advanced technologies available to security teams today. With a focus on detection and response capabilities, we’ll look at the latest offerings that provide enterprise-class security teams the power they need to: 

  • Craft multi-source detections, 
  • Perform in-depth response and triage, and 
  • Automate “all the things” to prioritize strengths and find efficiency in their security teams

Join us on September 15th for this forum, which guarantees to be a collection of industry leaders, practitioners, and like-minded individuals all heading towards one objective: Make it harder, if not impossible, for adversaries to achieve their objectives.

Connect with fellow attendees and our event chairs in the SANS Solutions Forum Interactive Slack Workspace Sign in once and you'll be all set for the rest of our 2023 Solutions Forums. We'll see you there!


Thank You to Our Sponsors

Primary_Logo_(2)_(2)_(1).pngLogoLockup_Horz_RGB_Blue_190103.pngVMRay Logo - Dark Blue

Agenda | September 15, 2023 | 10:30AM - 1:00PM EDT

Time (EDT)



Welcome and Opening Remarks

Matt Bromiley, Certified Instructor, SANS Institute


Checkmate: How Malware Anti-Sandbox Evasion Checks Can Stall Automation of EDR/XDR Alert Triage

Fully automating EDR/XDR alert validation using older hooking or kernel-mode sandbox technologies can disrupt SOCs and stall submission queues. In high-volume alert environments such as an Enterprise or MDR SOC, the time and resources spent identifying EDR alert false positives and manually triaging “suspicious” or benign malware samples that fail sandbox analysis is extremely costly.

To understand the “How and Why” of automating EDR/XDR alert triage;

  • Discover which top malware families use Anti-Sandbox evasion techniques and why they are a threat to you
  • Learn how to stop stalled analysis, partial detonations, timeouts and timebombs from sabotaging your automated workflows

  • Calculate your own SOC costs associated with malware false positive alerts using VMRay’s Cost Calculator

  • Uncover some simple tests SOC teams can use to verify sandbox efficacy

  • Understand which platforms integrate with VMRay and how quickly you can get up and running

Join the VMRay Team on September 15th as they walk you through the best sandbox architectures for SOC automation, why automated EDR/XDR Alert triage can fail, and how to fix it.

Andrew Maguire, Senior Product Marketing Manager, VMRay

Ben Abbott, Security Solutions Engineer, US Team Lead, VMRay


Choosing the Right XDR Strategy: A Comparative Analysis of SIEM-Driven and Alternative Approaches

As cyberthreats continue to evolve, organizations are increasingly exploring Extended Detection and Response (XDR) to fortify their cybersecurity stance. Unlike Endpoint Detection and Response (EDR), which primarily focuses on endpoint protection, XDR collects and analyzes data across a wider range of sources such as endpoints, networks, cloud infrastructure, and applications.

While traditional EDR solutions offer valuable protection, particularly with granular endpoint visibility, they also come with their set of challenges—like the need for additional security tool integration and a high volume of alerts requiring manual triage.

One intriguing avenue organizations are exploring is SIEM-driven XDR, which integrates Security Information and Event Management (SIEM) as a foundational layer.

Here are some key advantages of this approach:

  • Comprehensive Data Collection: Centralized aggregation of data from multiple sources enables a more holistic view of the security landscape.
  • Advanced Threat Correlation: Leveraging the complex event correlation engine in SIEM helps connect seemingly isolated events, allowing for more effective detection of multi-stage attacks.
  • Integrated Workflows for Rapid Response: Coordinated and automated response capabilities reduce the time between detection and remediation.
  • Scalable Architecture: Being built on a SIEM foundation allows for scalability to adapt to growing or complex environments.

However, it's crucial to note that SIEM-driven XDR is not the only viable approach. Other strategies, such as cloud-native and AI-driven XDR, each offer their unique advantages and challenges.

For example, while SIEM-driven XDR excels in historical and real-time data correlation, cloud-native XDR may offer more agility and reduced overhead. Similarly, AI-driven XDR solutions might offer superior machine learning algorithms for threat detection but may have limitations in other areas.

Join me as we explore specific case studies to compare and contrast the benefits and challenges of various XDR approaches, including SIEM-driven models. Whether you view adopting a specific XDR strategy as an important consideration or a strategic choice, this session aims to provide a balanced, comprehensive guide to making well-informed security decisions.

Matt Warner, CTO, Blumira




PANEL: Is an XDR Strategy Right for Me?

eXtended Detection and Response, or XDR, is a term we’ve seen around the industry for years now as the “new” way to approach security. However, for many organizations, XDR feels like EDR++; the same capabilities but a new label. Perhaps it’s time we clear the air. Join us in the final session of our XDR/EDR forum for an interactive panel, where we will field questions from our audience as well as reflect on the thoughts from the day’s events. Our panel will also look at XDR as a strategy, how security teams can benefit, and what are some of the key components to get started with XDR today.


Matt Bromiley, Certified Instructor, SANS Institute


Matt Warner, CTO, Blumira

Andrey Voitenko, Product Manager, VMRay


Closing Remarks

Matt Bromiley, Certified Instructor, SANS Institute