Blue Team Summit 2021 - SOC Solutions Track

A security operations center (SOC) acts as the centralized command center for a corporation dealing with security issues on an organizational and technical level. Responsible for protecting an organization from cyber attacks, a SOC continuously monitors network infrastructure, desktops, servers, endpoint devices, IoT devices, applications, and databases, among other systems, for security threats.

Modern SOCs are comprised of four components: monitoring and detection, incident response and threat hunting, threat intelligence, and detection engineering. With this construct, teams aim to constantly stay one step ahead of attackers. In recent years, this has become increasingly difficult due to a shortage of cybersecurity skills, too many alerts, and operational overhead.

Join this SANS-led forum as we explore various SOC topics through invited speakers while showcasing current capabilities available today. Presentations will focus on technical case studies and thought leadership using specific examples relevant to the industry.

Featured Speakers From Our Platinum Sponsors

Cisco Secure, Devo, DomainTools, Elastic, IronNet, Cortex (Palo Alto Networks), Sumo Logic, ThreatConnect, Torq

Silver Sponsors

Anomali, Automox, Keysight

Session Description

10:00 AM
Welcome & Introduction
10:10 AM
Going Beyond SOAR: Making Security Automation for Everyone

Security professionals face more change, more alerts, and more attacks than ever before. They’re tasked with protecting increasingly complex environments from a multiplying range of threats, each and every day.

While automation is a powerful tool for staying ahead of increased complexity - for security teams, automation has been largely limited to the world of Security Orchestration, Automation and Response (SOAR) platforms. This has limited the usefulness of automation to many security professionals, and created a world where many teams are stuck between repetitive daily tasks and reacting to alerts.

In this session, Torq Field CTO Marco Garcia will share how to design and implement a modern security automation practice. He’ll highlight where SOAR platforms succeed - and where they fall short, and discuss how to bring powerful automation into the hands of every member of a security team. Attendees will learn how to start with automation at any size - and how to iteratively build out a security automation practice that reduces risks, saves time, and helps them stay ahead of threats.

Marco Garcia, Field CTO, Torq
10:50 AM
Security vs. Observability: Two Roads Converge

Observability and security are complementary use cases that appear likely to converge; organizations seeking resilience and efficacy should consider data-driven approaches that foster compatibility between the two.

Devon Kerr, Team lead for Elastic Security Intelligence & Analytics, Elastic

11:30 AM

Optimize Threat Investigations in the SOC with Domain Intelligence

According to a Forrester Consulting Thought Leadership Paper, 74% of security operations teams spend more than 4 hours investigating a single threat incident. Considering that security operations teams are facing ever-increasing volumes of log data every day, gaining efficiencies in investigation workflows and quickly determining which threats are highest priority is critical.

Join Kevin Libby, Threat Intelligence Advisor, as he walks through a sample investigation showing how to use domain and DNS intelligence to:

  • Quickly assess risk and track infrastructure surrounding a domain
  • Discover new and identify related domains to take timely action
  • Create efficient alert triage and investigation workflows

Kevin Libby, Enterprise Sales Engineer, DomainTools

12:05 PM


12:25 PM

Intelligence-Driven SOAR: Uniting Threat Intelligence and SOC Teams with Intelligence-Driven SOAR

How smart is your Security Orchestration, Automation, and Response (SOAR) platform? The answer to that question is critical to determining how protected your organization is from the next data breach or ransomware attack.

Imagine for a moment that you are sitting in a restaurant between sessions at a major industry conference and you receive an email from your boss, the Chief Information Security Officer. The CISO not only wants to be made instantly aware of potential incidents that could lead to a data breach or ransomware attack on your company's new clinical trial database, but also wants to ensure that the new state-of-the-art threat library developed by the CTI team is driving better decisions and executing controls automatically based on changes in the threat landscape.

Did you make the right investment decisions? Is your SOAR smart enough to handle that? Join us for the ThreatConnect Intelligence-Driven SOAR presentation, where we will walk you through a fictional scenario that is based on a generic testing and therapeutics company concerned about ransomware targeting its COVID-19 testing data.

Chris Ralph, Security Architect, ThreatConnect

1:00 PM

How to Confidently Defend Against Threats with Next-Gen SIEM

Why do you need a next-gen SIEM? Advanced adversaries, applications moving rapidly to the cloud, more data — there are many reasons a legacy SIEM just doesn’t cut it anymore.

Devo Security Operations empowers security teams to confidently defend their organization, providing teams the ability to:

  • Gain full visibility—without compromise
  • Leverage real-time detection and enriched investigations
  • Maximize analyst productivity and punch above their weight

Join this session to learn how SOC teams from the US Air Force, American Express GBT, Manulife, Rubrik, and more have transformed their operations with the Devo next-gen SIEM.

Josh Klick, Cybersecurity Specialist, Devo

1:40 PM

Winning the War Against Ransomware: How the SOC Can Lead the Charge

According to published data, ransomware shows no sign of slowing in 2021 and beyond. From January through June of this year, publicized ransomware attacks increased 160% over the same period last year. With the current cybersecurity talent shortage and an overwhelming number of alerts to investigate, what can a SOC do to help mitigate these attacks?

Join Cisco as we discuss techniques organizations can use to leverage threat intelligence, orchestrate workflows, and improve incident response.

Adam Tomeo, Product Marketing Manager, Cisco
Keith Manville, Technical Solutions Architect, Cisco

2:25 PM
2:35 PM
Alert prioritization: Managing too much of a good thing

Behavioral analytics play a well-respected role in threat detection: using the latest approaches, they can be extremely effective at identifying abnormalities in network traffic that fall outside defined "normal" patterns and have a higher likelihood of indicating suspicious activity. But there is such a thing as being too good: behavioral analytics are inherently noisy -- they can be almost too powerful, surfacing an overwhelming number of alerts for SOC analysts to manage.

If the overall goal is to improve detection rates for questionable activities and cut down on false positives, there has to be a way to further prioritize anomalies to make the workload manageable and to ensure that resources are focused on the most important alerts. IronNet's VP of Cyber Operations, Anthony Grenga, will discuss best practices using feature enrichment, alert aggregation, and correlation to model adversary attack techniques and highlight anomalous activity by threat category so that alerts can be prioritized.

Anthony Grenga, VP Cyber Operations, IronNet

3:10 PM

Crowdsourcing threats: Global Intelligence for security operations

Given the complexity and vast attack surfaces of modern cloud architectures, SOC teams and tools will continue to struggle to keep pace with threats in their environments. In this session, we will share unique analytics capabilities that leverage the collective wisdom of peer organizations to turbocharge threat scoring and prioritization, allowing your SOC team to address the most critical threats. In addition, we will present innovations that accelerate threat investigations using the power of the crowd.

Bashyam Anant, Sr. Director Product Management, Sumo Logic
Dana Torgersen, Director, Security, Sumo Logic

3:45 PM
Getting to Better Implementation in the SOC

Defenders today are faced with a complex set of challenges resulting from the confluence of several key factors. The economics of attack tooling and the anonymity of cryptocurrency have driven the commoditization of threat techniques and greater specialization among bad actors, resulting in an explosion of what look like sophisticated attacks. This is compounded by the fact that defender tooling either does not provide adequate coverage as the attack surface grows, or requires a combination of tools that are operationally challenging to integrate.

In this session we will present a technical perspective on how evaluating defensive tools and their efficacy can help teams ensure that implementation requirements are met. The discussion will hone in on the key technology elements used in the modern SOC: how they help build an understanding of what an attacker would see in the environment; which data is important to collect and analyze, and why; analytics processing methodologies; the most common security tasks that can be automated without building out entire operational processes; how to scope potentially compromised systems with modern forensic techniques and tooling; and hunting tools. We will also provide concrete recommendations on how to best leverage these in the context of your security architecture.

Matt Kraning, CTO, Cortex at Palo Alto Networks

4:20 PM