SANS Automation & Integration Security Briefing: SOARing to New Heights - Using Orchestration & Automation Tools in the Way They\\'re Intended

In the Denver area? Join us at the Live Event.

Register here: '

Security Orchestration, Automation and Response tooling is intended to increase efficiency and consistency. These tools also promise to diminish the cost of operating a Security Operations Center (SOC) for most organizations. If used properly, these tools can do all of these things. The challenge is that the tools are frequently bought to avoid the one thing that most organizations don't seem to be able to do on their own: figure out the sequence of actions that need to be automated, and bring together the mass of data from disparate tools.

This Inaugural SANS Automation & Integration Vendor Briefing will provide practical and actionable examples of the sequence of steps that an organization needs to take to utilize these tools. It will also provide customer examples of what has and has not worked for organizations.

Earn 4 CPE Credit hours for attending this event.


8:00am - 8:30am: Registration & Coffee Networking

8:30am - 9:15am: Welcome & Keynote

In the introductory keynote, Christopher Crowley will differentiate the concepts between orchestration and automation. He'll suggest some examples of things that are easy to do, and some stretch goals for both orchestration and automation. The talk will be largely tool agnostic, setting the stage for the vendors to address how they approach the nuance of these topics and apply them specifically in their solutions. The material promises to be thought provoking and a call to action, giving you specifics on what you can start to do when you return to work.

Chris Crowley - Briefing Chair & SANS Course Author/Instructor

9:15am - 9:30am: Special Guest Speaker

Title: Community Driven Security


We know that there is a need for Orchestration and Automation in Security, but why? Alex will explore 2 key drivers why SOAR is a must to keep up. SOAR isn't our only saving grace though. Alex will also discuss a community driven approach to solving our security woes.

Alex Wood, CISO Pulte Financial Services

9:30am - 10:15am: The 12-step SOAR model: Breaking your old school SecOps addiction

Automation is sweeping through security operations, but many teams are stuck trying to figure out how to break from their existing security operations models. By assessing years' worth of lessons learned, best practices and real-world use cases, we will provide not only a glimpse of what your security operation program could be but also how to get there.

Cody Cornell, Swimlane Founder & CEO

10:15am - 10:30am: Networking Break

10:30am - 11:15am: The Beginner's Guide to Building Your Incident Response Playbook

Cybersecurity as an industry is seeing an ever increasing number in relation to our skills gap according to the recent ISC2 research, Cybersecurity Workforce Study, that states the shortage of cybersecurity professionals around the globe is nearing 3 million.

As these roles go unfilled, our practitioners are finding themselves increasingly unable to meet the needs of their organizations as severe/critical incidents rise to an average of 224 per day according to the 2018 EMA Megatrends Report. Security Orchestration, Automation, and Response (SOAR) has the ability to help organizations with security processes, automation of specific actions, and intelligently inform teams, with the end goal of efficiency.

Join DomainTools Senior Security Advisor, Corin Imai, to learn how to combine comprehensive intelligence gathering, incident management, workflows, and analytics to implement SOAR successfully at your organization. 'In this session you will learn:

  • Strategies to build out complementary datasets with your SOAR tools
  • Best practices in the deployment and use of SOAR tool

Corin Imai, DomainTools Senior Security Advisor

11:15am - 12:00pm: AWS & Anitian Speaking Session



AWS has announced a new program, Authority to Operate, that aims to accelerate clients through compliance.'the cloud offers a fundamentally new way to do compliance. 'Rather than spending months (years) manually building compliant environments, cloud automation can build audit-ready environments in hours.

When compliance is automated, it becomes easy. There is no remembering to deploy things. There is no manual checking. 'Controls and configurations are integrated into the code, and therefore always deployed, and always configured correctly. Moreover, monitoring and remediation can also be automa- ted, accelerating incident response to levels well beyond the capacity of humans.

However, codifying an environment is a profound change for many organizations. 'Existing tools, techniques, and technologies do not directly translate to the cloud. '

In this presentation, we will discuss the goals and vision of the AWS ATO program, as well as demonstrate how compliance can be automated. '

Tim Sandage, Amazon Web Services (AWS) Senior Security Partner Strategist '& Andrew Plato, Anitian CEO

12:00pm - 12:15pm: Closing Remarks