


Adversary Detection and Response Solutions Forum

  • Friday, October 30, 2020 | 10:30 AM - 1:30 PM EDT (2020-10-30 14:30:00 UTC)
  • Jake Williams


  • Blue Hexagon
  • DomainTools
  • Palo Alto Networks
  • Viavi Solutions
  • Cisco Security






Forum Format: Virtual

Event Overview

The SANS Adversary Detection and Response Solutions Forum brings security vendors that have proven solutions for dealing with cybersecurity threats together with information security professionals seeking current best practices and effective tools for both detecting and responding to adversary threat activity. Practitioners need ways to both detect intrusions and remediate issues quickly. This forum will present carefully curated technologies proven to address these issues.


10:30 - 10:50 AM EDT - Welcome & Keynote

Jake Williams, @MalwareJake, Chairperson, SANS Institute

Organizations are being targeted by increasingly sophisticated cybersecurity threats. Advanced attackers routinely bypass traditional endpoint controls, and ubiquitous encryption has made other controls (such as network intrusion detection systems) more difficult and costly to operate. New solutions are needed that empower the analyst to:

  • Maximize early detection of threats, without relying on fragile signatures
  • Investigate anomalies and rapidly eliminate false positive detections
  • Quickly respond to detected behavior, rapidly remediating threats

The tried and true model of "consolidate the logs and generate an alert" neglects the question of "how do we respond?" While this model certainly isn't dead, many alerts require rapid response. After all, how valuable is an alert if you can't action it in time to make a measurable difference in the outcome?

This isn't just a hypothetical issue either: research has shown that attacker breakout times, the delta between initial access and lateral movement, are decreasing. As such, organizations need to continuously reevaluate not only their monitoring posture, but their response posture as well. An alert response time that was acceptable only a few years ago may be viewed as unacceptable today.


10:50 - 11:25 AM EDT - Trick or Treat: How to Stop Spooky Ransomware Attacks

Irena Damsky, Director of Research - Cortex, Palo Alto Networks, @PaloAltoNtwks

Brock Bell, Breach Response

Ransomware attacks continue to evolve to bypass security and maximize impact. Adversaries are borrowing cyberwarfare techniques such as lateral movement and privilege escalation to infect as many endpoints as possible. Join Irena Damsky and Brock Bell, threat research and breach response experts, as they delve into the scariest ransomware attacks of 2020. In this session, they'll explore:

  • Ransomware attacks in the wild, including Sodinokibi ransomware (AKA REvil)
  • Best practices for ransomware prevention, containment, and incident response
  • Technologies and services that can protect your organization

11:25 AM - 12:00 PM EDT - Exploring Adversary Infrastructure for Practical Blue Team Wins

Tim Helming, @timhelming, Security Evangelist, DomainTools, @DomainTools

Michael Schwartz, Director Information Security - Threat Intelligence, Target Corporation, @Target

Defenders can get a lot of traction against emerging campaigns by studying and mapping the infrastructure that adversaries use in existing and future (staged) campaigns. Everything a malicious actor does depends on domains and IP addresses on the Internet, which means that there are always network observables to assist your risk assessment, hunting, and blocking. Michael will share how these techniques have helped with incident response, threat hunting, and proactive defenses, while Tim will describe what kinds of data sets can be used in these techniques.

Attendees will learn how to:

  • Quickly assess the risk associated with a domain or IP address, even when it is not in any threat intel feeds
  • Map infrastructure tied to an indicator seen in the protected environment, exposing larger campaigns that may be in the staging phase
  • Build high-confidence indicator lists for creating new detections as well as block rules
  • Stay ahead of emerging threat campaigns


12:00 - 12:10 PM EDT - Break


12:10 - 12:45 PM EDT - Bridging the Divide Between NetOps & SecOps: Learning the Language

Matt Allen, Sr. Solutions Engineer and Certified Ethical Hacker, VIAVI Solutions, @ViaviSolutions

Now, more than ever, NetOps and SecOps are finding that they need to work together to identify and resolve security threats. While this is becoming more the norm than the exception, it's important to understand the differences between the priorities and the languages each discipline uses. This session covers those differences and provides insight on how to communicate for effective and efficient teamwork.


12:45 - 1:20 PM EDT - Cloud Threat Detection and Response-as-Code

Saumitra Das, CTO Founder, Blue Hexagon, @bluehexagonai

James Wenzel, Sr. Solutions Architect, Amazon Web Services (AWS), @awscloud

Cloud security significantly benefits from the availability of cloud-native tools that deploy as code, reducing the burden of deployment and of maintaining security posture while developers and users bring instances, networks and workloads up and down.

In this online session, AWS and Blue Hexagon will discuss how to use cloud-native tools that deploy and maintain security posture automatically to ensure security and compliance in minutes. We will review how to best combine native AWS tools like Inspector, Config, GuardDuty and Trusted Advisor to ensure best practices and hygiene, and how to augment them with Blue Hexagon, an AI-based system that extends security further with deep packet and storage inspection. We will present how this security architecture can be deployed and maintained automatically as the underlying network, storage and compute dynamically evolve.

Attend this session to learn how to:

  • Assess security exposure for your cloud instances, storage, serverless, virtual networks, Kubernetes and services
  • Deploy security within minutes - hygiene, vulnerabilities, network security, malware, logs and deep inspection
  • Use traffic mirroring to get instant deep visibility about your cloud traffic and assets
  • Optimize security spend by dynamically altering the inspection

1:20 - 1:30 PM EDT - Closing Statements



Speaker Bio

Jake Williams

Jake Williams is a SANS analyst, senior SANS instructor, course author and designer of several NetWars challenges for use in SANS' popular "gamified" information security training suite. Jake spent more than a decade in information security roles at several government agencies, developing specialties in offensive forensics, malware development and digital counterespionage. Jake is the founder of Rendition InfoSec, which provides penetration testing, digital forensics and incident response, expertise in cloud data exfiltration, and the tools and guidance to secure client data against sophisticated, persistent attacks on-premises and in the cloud.
