New In-Person Event locations added! Choose your event, and join us for practical cyber security training.


To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Once you register, you can download the presentation slides below.

SANS Automation & Orchestration Solutions Forum

  • Thursday, January 30, 2020 at 9:30 AM EST (2020-01-30 14:30:00 UTC)
  • Chris Crowley, Jay Spann


  • Swimlane
  • ThreatConnect
  • SaltyCloud
  • Siemplify

You can now attend the webcast using your mobile device!



In the Austin area? Join us at the Live Event. Register here.

Security Orchestration, Automation and Response tooling is intended to increase efficiency and consistency. These tools also promise to diminish the cost of operating a Security Operations Center (SOC) for most organizations. If used properly, these tools can do all of these things. The challenge is that the tools are frequently bought to avoid the one thing that most organizations don't seem to be able to do on their own: figure out the sequence of actions that need to be automated, and bring together the mass of data from disparate tools.

The session will provide practical and actionable examples of the sequence of steps that an organization needs to take to utilize these tools. He will provide examples of what can be orchestrated, and what can be automated. Plus, some examples of how to deal with the remaining work to be done.

Topics will include:

  • Security Operations Centers (SOC)
  • Security Incident and Event Management (SIEM)
  • Automation
  • Configuration Management
  • Anti-Malware
  • Orchestration
  • Vulnerability Assessments & Penetration Testing
  • Threat Intelligence
  • Intrusion Detection/Prevention Systems (IDS/IPS)
  • Log Management & Security Monitoring
  • Security Incident Management
  • Containment
  • Incident Handling
  • Network, Filesystem, and Memory Forensics

Not many classes specifically deal with SOAR tools. Vendors are trying to develop mature customers. Customers are trying to understand how to use these tools:

  • Which tasks should I automate?
  • What is orchestration and what is it supposed to do to help me? How do I use it?
  • What is the best vendor solution to address X?
  • What resources are out there so I don't have to reinvent the wheel?

SANS has worked hard to maintain its reputation as a vendor-neutral provider of world-class training and facilitator of security research. We also recognize that many of our students come from vendor organizations and that these vendors make a significance to the community. For this reason, and true to the SANS mission, we are excited to host this exchange of ideas in the form of the SANS Automation & Orchestration forum.

Earn 4 CPE Credit hours for attending this webcast.


8:30am - 9:15am - Opening Remarks/Keynote - Chris Crowley, SANS Senior Instructor

9:15am - 10:00am - The Past, Present and Future of Security Orchestration, Automation and Response

Manual incident response processes and difficulty hiring experienced personnel leaves security teams struggling to keep up with the growing volume of alerts. Security orchestration, automation and response (SOAR) streamlines and speeds up the incident response process. In this presentation, you'll get an in-depth look into the past, present and future of SOAR with research, use cases and real-life customer data supporting these insights. In this webinar, Swimlanes SOAR Evangelist Jay Spann will discuss:

  1. A short history of and the current state of SOAR
  2. How organizations are currently implementing SOAR
  3. Common and not-so-common SOAR use cases
  4. Upcoming trends and exciting use cases that will affect the future of SOAR

Jay Spann, SOAR Evangelist, Swimlane

10:00am - 10;30am - Networking break

10:30am - 11:15am - Alex Valdivia, Director of Research, ThreatConnect (speaker information coming soon)

11:15am - 12:00pm - Before SOAR was a thing - Lessons Learned from 10+ Years of Security Integration & Automation with Panopticon at UT Austin

Within Texas and across the world, the complexities and demands of an institutional cybersecurity program are growing at an exponential pace, while the resources and sustained talent pools have become scarcer and more constrained. Since 1999 US Austin's Information Security Office has been pioneering the cybersecurity field through innovative research & the development of novel security automation to address growing cybersecurity challenges at Texas-sized scale. This talk will provide an overview of UT's security approach with a focus on end-to-end incident response IR/SOC integration and automation with Panopticon SOAR.

Cam Beasley, CISO and Adjunct Professor with Computer Science at UT Austin

12:00pm - 12:15pm - Closing address

Speaker Bios

Chris Crowley

Christopher Crowley is the course author for SANS Management 517 - Managing Security Operations and SANS Management 535 - Incident Response Team Management. Chris holds several industry certifications including the GSEC, GCIA, GCIH (gold), GCFA, GPEN, GMOB, GASF, GREM, GXPN, and CISSP. His teaching experience includes FOR585, MGT517, MGT535, SEC401, SEC503, SEC504, SEC560, SEC575, and SEC580; Apache web server administration and configuration; and shell programming. He was awarded the SANS 2009 Local Mentor of the year award. "The Mentor of the Year Award is given to SANS Mentors who excel in leading SANS Mentor Training classes in their local communities." Mr. Crowley spends his spare time mountain biking, rock climbing and savoring epicurean treats.

Jay Spann

Jay Spann is the SOAR Evangelist for Swimlane, a leading provider of Security Orchestration, Automation and Response (SOAR) based in Louisville, Colorado. Over the last 26 years, Jay has delivered more than 35,000 hours of training as an instructor, speaker and consultant in the fields of Information Technology and IT Security. Mr. Spann obtained his masterís degree in Computer Science and holds numerous industry certifications such as Certified Information Systems Security Professional (CISSP), CyberSec First Responder (CFR), Certified Technical Trainer (CTT+), CompTIA A+, Network+ and Security+ and several additional certifications from Microsoft, Check Point, Nokia and others. Over his career, Jay has developed and instituted technology initiatives for Raytheon, the Department of Health and Human Services, Sprint, the Internal Revenue Service, McGraw-Hill, the Department of Defense and many other Fortune 500 companies and US Government Agencies.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.