
SANS Attack Surface Management Virtual Conference

  • Wednesday, April 14, 2021 | 10:30 AM - 2:30 PM EDT (2021-04-14 14:30:00 UTC)
  • David Cowen, David Wolpoff, Dan MacDonnell, Aaron Portnoy, Kyle Howson, Pierre Lidome, Eric McIntyre, Phil Neray, Joseph Menn


  • LogicHub
  • Randori





You will earn 6 CPE credits for attending this virtual event.

Forum Format: Virtual - US Eastern

Event Overview

Designed for security leaders tasked with managing a growing attack surface, the SANS Attack Surface Management Virtual Conference will take place on April 14, 2021 as a virtual event. This half-day event will bring together thought leaders, subject matter experts and practitioners to discuss, share and discover best practices for addressing the operational challenges associated with work-from-home transitions, cloud migrations, M&A, shadow IT and the rise of ransomware attacks.

Attendees will gain valuable lessons on how to operationalize attack surface management in order to improve their threat intelligence, vulnerability management and offensive security programs.


10:30 - 10:35 AM EDT - Event Welcome

Dave Cowen, @HECFBlog, Forum Chair, SANS Institute, @SANSInstitute


10:35 - 11:05 AM EDT - Defending Forward in Today's Exposed World

David "Moose" Wolpoff, @HexadeciMoose, CTO, CO-Founder, Randori, @RandoriSecurity

Dan MacDonnell, Retired Rear Admiral, Former Deputy Chief NSA/CSS, Randori, @RandoriSecurity

Whether we like it or not, organizations today are on the front lines of an ongoing and growing geopolitical cyberwar. We need look no further than SolarWinds for proof. In this session, former Deputy NSA Chief Rear Admiral Dan MacDonnell and Randori Co-Founder & CTO David Wolpoff will take attendees on a behind-the-scenes look into the forces driving today's cyber landscape and what they tell us about the future of security.

Attendees will leave with a firm understanding of the macro-forces driving today's cyberwar, clarity into why today's approaches won't cut it tomorrow, and why it's essential that organizations defend forward, adopting proactive strategies that leverage the attacker's perspective to anticipate threats and test resiliency.


11:05 - 11:35 AM EDT - Getting on Target: Looking at Your Attack Surface Like An Attacker

Aaron Portnoy, @aaronportnoy, Principal Scientist, Randori, @RandoriSecurity

Fundamental to the rise of attack surface management is a growing recognition that attackers see the world differently. In this session, Aaron Portnoy, Principal Scientist at Randori, will break down why that is the case and how red teams, like the Randori Attack Team, can often come to dramatically different conclusions than security teams about an asset, even when both are looking at the same information. He will look at real examples taken from customer environments and break down some of the ways he's seen security teams adopting the attacker's perspective to reduce noise, prioritize risk and get on target faster.


11:35 AM - 12:05 PM EDT - Hunting Threat Actors with Attack Surface Management

Kyle Howson, Cyber Security Operations Centre Specialist, Air Canada, @AirCanada

Dan Pistelli, Security Solutions Engineer, LogicHub, @Logichubhq

With a third of successful breaches now originating with unmanaged or unknown assets, understanding your attack surface and being able to prioritize new risks as they emerge has never been more essential.

In this session, Air Canada's Kyle Howson and LogicHub's Dan Pistelli will break down how Air Canada is integrating the attacker's perspective into their asset, vulnerability, and threat management workflows through LogicHub to hunt for APTs and quickly find, prioritize, and act upon issues as they are discovered.

In this session, Kyle and Dan will walk through tangible examples and break down how attendees can replicate these actions in their organization, by:

  • Establishing an external source of truth for threat prioritization between Security and IT
  • Increasing the efficiency of remediation efforts by combining threat intelligence with real-time visibility into their attack surface
  • Identifying process failures and shadow IT that pose categorical risks
  • Leveraging the attacker's perspective to turn threat data into actionable narratives both executives and practitioners can agree on
  • Saving time and money by focusing teams on the specific threats that pose the greatest risk to Air Canada


12:05 - 12:15 PM EDT - Randori Attack Platform

See how Randori Recon empowers enterprise organizations to understand their attack surface in order to identify blindspots, process failures and dangerous misconfigurations.


12:15 - 12:45 PM EDT - Evaluating Attack Surface Management Tools

Pierre Lidome, @texaquila, SANS Instructor and Cyber Hunter, SANS Institute, @SANSInstitute

Attack surface management (ASM) is an emerging category that aims to help organizations address these challenges by providing a continuous perspective of an organization's external attack surface.

In this session, SANS course author Pierre Lidome will provide an overview of Attack Surface Management, its key use cases, and the benefits and limitations of today's solutions. Based on his research developing the SANS Guide to Evaluating Attack Surface Management, Pierre will also provide attendees with actionable guidance they can use when crafting RFPs and PoCs for ASM projects.


12:45 - 12:55 PM EDT - Randori Attack Platform

See how Randori Recon empowers enterprise organizations to understand their attack surface in order to identify blindspots, process failures and dangerous misconfigurations.


12:55 - 1:25 PM EDT - Top IOT/OT Security Attack Vectors

Eric McIntyre, @pwnpnw, Director of Research and Development, Randori, @RandoriSecurity

Phil Neray, Director of Azure IoT & Industrial Cybersecurity, Microsoft, @Microsoft

IoT and OT devices are now everywhere, helping individuals and businesses collect real-time data and automate tasks for greater productivity and efficiency.

This is increasingly true in enterprises, as workers rely on a diverse set of smart devices to get their work done. These devices are often unpatched, unmanaged, and invisible to IT and OT teams, making them soft targets for adversaries seeking to gain access to corporate networks in order to steal sensitive intellectual property or deploy ransomware.

In this talk, join Phil Neray from Microsoft and Randori's Eric McIntyre for a look into the top IT and OT Attack Vectors and how organizations are using ASM to reduce their exposure.


1:25 - 2:15 PM EDT - Fireside Chat: Exchanging Zero Days - Where Do We Go From Here?

Moderator - Joseph Menn


Window Snyder, @window, former CISO at Square, Square, @Square

Richard Puckett, CISO, SAP, @SAP

Stewart Baker, Former General Counsel of NSA

David "Moose" Wolpoff, @HexadeciMoose, CTO and CO-Founder, Randori, @RandoriSecurity

SolarWinds and Microsoft Exchange were not the first, and they won't be the last, major cyber attacks to leverage zero days to infect tens of thousands of organizations. In this session, attendees will hear from a panel of leading experts from the commercial and public sector on how they see our approaches to security evolving after these two seismic supply chain attacks. Topics discussed will include: What role can policies and regulations play in reducing cyber risk? How can we as a society work together to build more resilient systems? And what role does active defense, or "Defending Forward," have in the future of security?


2:15 - 2:25 PM EDT - Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World

Joseph Menn, Reuters Cybersecurity Journalist and author

Cult of the Dead Cow is the tale of the oldest, most respected, and most famous American hacking group of all time. Though until now it has remained mostly anonymous, its members invented the concept of hacktivism, released the top tool for testing password security, and created what was for years the best technique for controlling computers from afar, forcing giant companies to work harder to protect customers. They contributed to the development of Tor, the most important privacy tool on the net, and helped build cyberweapons that advanced US security without injuring anyone.


2:25 - 2:30 PM EDT - Wrap-up


Speaker Bios

David Cowen

David started his career as a penetration tester in 1996, doing information security consulting. While he enjoyed the technical challenges of the work, he quickly found that his clients were focused on satisfying a requirement rather than fixing the problems he uncovered. In 1999 David got the chance to do his first DFIR investigation and found the challenge and career fulfillment he was looking for.

“Not only did I find huge technical challenges to tackle and master, I also found clients who deeply cared about the work I was doing and directly benefitted from its results,” he says. “The job satisfaction I get from DFIR, along with the endless new tools and artifacts to be found, means I’ve never grown bored or jaded with the work.”

Today, he is the Managing Director at KPMG LLP, where his team of expert digital forensics investigators pushes the boundaries of what is possible on a daily basis. He’s also a certified SANS instructor—teaching FOR500: Windows Forensic Analysis—and he keeps up his information security knowledge by acting as the Red Team Captain for the National Collegiate Cyber Defense Competition, a role he’s held for the last nine years.

David Wolpoff

David Wolpoff (Moose) is co-founder and CTO of Randori. David is a recognized expert in digital forensics, vulnerability research and embedded electronic design. Prior to founding Randori, David held executive positions at Kyrus Tech, a leading defense contractor, and ManTech, where he oversaw teams conducting vulnerability research, forensics and offensive security efforts on behalf of government and commercial clients. David holds Bachelor of Science and Master of Science degrees in Electrical Engineering from the University of Colorado.

Dan MacDonnell

Dan MacDonnell has hands-on leadership, deep operational cyber subject matter expertise, and progressive roles across high-level technology, medical device, and military organizations. Extensive experience in small pre-IPO companies as well as starting up cyber organizations within larger companies. Started security function as Chief Information Security Officer (CISO) for medical device firm, held first Chief Resiliency Officer role for large financial services firm, led customer technical and application support in network and data storage sector, and serve as technical advisor to a startup cyber company and a venture firm. Served as Chairman, Department of Defense (DOD) Reserve Military Intelligence Steering Committee; the Deputy Chief for the National Security Agency/Central Security Service (NSA/CSS), as the principal advisor to Director, NSA/Chief CSS and Board of Directors on military cryptologic and cyber issues; and served as the senior U.S. Navy Reserve Information Warfare and Signal Intelligence Officer in the U.S. Navy.

Aaron Portnoy

Aaron Portnoy is Principal Scientist and member of the Randori Attack Team. The original architect of the Pwn2Own contest, co-founder of Exodus Intelligence and former manager of the Zero Day Initiative, Aaron brings unrivaled experience in developing advanced offensive capabilities to the Randori team. In this role, Aaron focuses on accelerating Randori’s ability to scale the red team experience through the development of new attack techniques and delivery systems.

Kyle Howson

Kyle Howson is a Security Operations Center manager at Air Canada. Kyle is a very passionate and energetic security professional who feels lucky enough to have a job that is also his hobby. He started his career doing some network security compliance work, which led to Security Consulting and Penetration Testing and then ultimately pivoted into Security Operations Blue Team work. He is an active member of the security community and believes we can work together to make our world more secure.

Pierre Lidome

Pierre Lidome is a SANS course author and a cyber threat hunter for a large oil and gas company. With more than 25 years' experience in network engineering, firewall management, security services delivery, data management, forensic analysis and e-discovery, he has worked on numerous digital forensics and incident response (DFIR) cases involving vectors such as insider threats and nation-state actors. Pierre's latest projects include migrating on-premises processes and tools to the cloud to efficiently conduct DFIR. He is a member of the GIAC advisory board and holds the GCTI, CCE and CISM certifications.

Eric McIntyre

Eric is the Director of Research & Development at Randori. Starting in 2012, Eric supported research efforts at Kyrus Tech, a defense contractor, where he developed cyber capabilities for federal and commercial clients. Prior to entering the cybersecurity field, Eric was the owner of a software prototyping firm, EM Technology. He has held engineering positions in weather radar and consumer electronics startups, and was an adjunct faculty member at the University of Colorado-Boulder, where he taught undergraduate courses in electrical engineering. As a postgraduate researcher in the field of sub-orbital passive microwave radiometry, he conducted experiments under NASA, NOAA, and USDA contracts.

Phil Neray

Phil Neray is Director of Azure IoT & Industrial Cybersecurity at Microsoft. He joined Microsoft after its acquisition of CyberX, a leader in agentless security and behavioral analytics for industrial and critical infrastructure networks. Prior to CyberX, Phil held executive roles at IBM Security/Q1 Labs, Symantec, Veracode, and Guardium. Phil began his career as an engineer with Hydro-Quebec and as a Schlumberger engineer on oil rigs in South America. He has a BSEE from McGill University, is certified in cloud security (CCSK), and has a First-Degree Black Belt in American Jiu Jitsu.

Joseph Menn

Joseph Menn has been a professional journalist for three decades, specializing in technology stories since 1999. His most recent book, Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World, was published in June 2019 and named one of the best 10 nonfiction works of the year by Hudson Booksellers. Inducted into the Cybersecurity Canon Hall of Fame, the Wall Street Journal named it one of the all-time “Five Cybersecurity Books That Everyone Should—and Can—Read.” The New York Times Book Review said: “The tale of this small but influential group is a hugely important piece of the puzzle for anyone who wants to understand the forces shaping the internet age.”

An adaptation of the book for Reuters revealed that Beto O'Rourke had been a member of the enormously influential group and drew the most engagement on in its history.
