Forum Format: Virtual
The SANS Adversary Detection and Response Solutions Forum brings security vendors that have proven solutions for dealing with cybersecurity threats together with information security professionals seeking current best practices and effective tools for both detecting and responding to adversary threat activity. Practitioners need ways to both detect intrusions and remediate issues quickly. This forum will present carefully curated technologies proven to address these issues.
10:30 - 10:50 AM EDT - Welcome & Keynote
Organizations are being targeted by increasingly sophisticated cybersecurity threats. Advanced attackers routinely bypass traditional endpoint controls and ubiquitous encryption has rendered other controls (like network intrusion detection systems) more difficult and costly to operate. New solutions are needed that empower the analyst to:
The tried and true model of "consolidate the logs and generate an alert" neglects the question of "how do we respond?" While this model certainly isn't dead, many alerts require rapid response. After all, how valuable is an alert if you can't action it in time to make a measurable difference in the outcome?
This isn't just a hypothetical issue either: research has shown that attacker breakout times, the delta between initial access and lateral movement, is decreasing. As such, organizations need to continuously reevaluate not only their monitoring posture, but their response posture as well. An acceptable response time for an alert only a few years ago may be viewed as unacceptable today.
10:50 - 11:25 AM EDT - Trick or Treat: How to Stop Spooky Ransomware Attacks
Brock Bell, Breach Response
Ransomware attacks continue to evolve to bypass security and maximize impact. Adversaries are borrowing cyberwarfare techniques such as lateral movement and privilege escalation to infect as many endpoints as possible. Join Irena Damsky and Brock Bell, threat research and breach response experts, as they delve into the scariest ransomware attacks of 2020. 'In this session, they'll explore:
11:25 AM - 12:00 PM EDT - Exploring Adversary Infrastructure for Practical Blue Team Wins
Defenders can get a lot of traction against emerging campaigns by studying and mapping the infrastructure that adversaries use in existing and future (staged) campaigns. Everything a malicious actor does depends on domains and IP addresses on the Internet, which means that there are always network observables to assist your risk assessment, hunting, and blocking. 'Michael will share how these techniques have helped with incident response, threat hunting, and proactive defenses, while Tim will describe what kinds of data sets can be used in these techniques.
Attendees will learn how to:
12:00 - 12:10 PM EDT - Break
12:10 - 12:45 PM EDT - Bridging the Divide Between NetOps & SecOps: Learning the Language
Now, more than ever NetOps and SecOps are finding that they need to work together to identify and resolve security threats. While this is becoming more the norm than the exception, it's important to understand the differences between priorities and the languages they use in their respective disciplines. This session covers those differences and provides insight on how to communicate for effective and efficient teamwork.
12:45 - 1:20 PM EDT - Cloud Threat Detection and Response-as-Code
Cloud security significantly benefits from the availability of cloud-native tools that deploy as code reducing the burden of deployment and maintaining security posture while developers and users bring instances, networks and workloads up and down. '
In this online session, AWS and Blue Hexagon will discuss how to use cloud-native tools that deploy and maintain security posture automatically to ensure security and compliance in minutes. We will review how to best combine native AWS tools like Inspector, Config, Guard Duty and Trusted Advisor to ensure best practices and hygiene and how to augment them with Blue Hexagon - an AI-based system that extends security further with deep packet and storage inspection. We will present how this security architecture can be deployed and maintained automatically as the underlying network, storage and compute dynamically evolves. '
Attend this session to learn how to:
1:20 - 1:30 PM EDT - Closing Statements