Blue Team Summit Solutions Track 2022

  • Tuesday, 04 Oct 2022 1:00PM EDT (04 Oct 2022 17:00 UTC)
  • Speakers: David Hazar, Joe Dillig, Manit Sahib, Tim Wade, George Sandford, David Swift

Part of the Blue Team Summit & Training 2022


Solutions Track Highlight (detailed agenda further down the page)

Finding flaws is much easier than fixing flaws. That's a fact. If this were not the case, we might just have this security thing all wrapped up. There are hundreds of tools that are reasonably successful at telling us what we are doing wrong (think compliance and vulnerability scanners). However, the solutions to these problems are not always as straightforward as they might seem. Sure, our tools and penetration testers will give us a proposed or recommended solution, and I am sure those solutions work for someone, somewhere, but often they don't work for us. If only it were as simple as "patch this software", "update that library", or "fix that code". As defenders we live in a world of ambiguity and complexity. While attackers only need to find one, or in some cases a few, flaws to have impact, we need to fix, or be prepared to respond to, all flaws. And in order to do this, we need data. However, many of our stakeholders either don't care about the data or don't understand the data, which can prevent us from getting the help we need. What resonates with our stakeholders? How do we get our data to tell a story, or craft a business case that does resonate, so that they listen?

Blue Team Solutions Track


Sponsors (logos): Duo, Gigamon, Cortex (Palo Alto Networks), Picnic, Rapid7, Securonix, ThreatConnect, Tidal, Torq, Vectra

Agenda | Tuesday, October 4, 2022

The event features speakers from around the world and is part of the Blue Team Summit & Training, taking place live in Scottsdale, AZ.



1:00 - 1:15 PM EDT
10:00 - 10:15 AM PDT

Welcome & Opening Remarks

David Hazar, Certified Instructor, SANS Institute

1:15 - 1:45 PM EDT
10:15 - 10:45 AM PDT

Preemptive Visualization and Neutralization of Social Engineering Pathways

More than 90% of all cyberattacks start with social engineering campaigns which are specifically crafted from users’ OSINT. Security teams have historically not had adequate visibility of the OSINT footprint of their organization and its people, nor have they had any effective technological means to address paths of compromise that this data may reveal to an attacker. This has left a critical blind spot when it comes to defending against social engineering attacks, while Advanced Persistent Threat (APT) actors continue to abuse the human element using social engineering techniques to infiltrate critical national infrastructure. During this session, we will explore how APT actors are successfully using social engineering and how they are developing their TTPs over time.

Manit Sahib, Director of Global Intelligence, Picnic Corporation

1:50 - 2:20 PM EDT
10:50 AM - 11:20 AM PDT

The Blue Team Wins

Practical Measures to Improve Defensive Operations

Operating a Blue Team isn’t an easy task. It is often mired in too many false positives, too few conclusive investigations and too little gratitude when things are going right. Solving this problem doesn’t require reinventing the wheel, but it may require a little self-reflection on what’s working, what isn’t and, critically, why that may be for each case. Join Tim Wade, Deputy CTO at Vectra AI, as he unpacks the why behind very practical ways security leaders and practitioners can both level-up their game and improve their threat coverage with both less effort and better results.

Tim Wade, Deputy Chief Technology Officer, Vectra AI

2:25 - 2:55 PM EDT
11:25 - 11:55 AM PDT

Evolving Response in Asymmetric Conflict

Strength through building better teams and mindsets

Given the reality that blue teams continue to wage an asymmetric battle against modern threat actors, it is clear that we must evolve our strategy to confront our enemy better. By taking an evolved, collaborative approach to blue team development and support, we can better accomplish our shared goals without the unintended collateral damage that manifests in burnout, turnover, and worse. This evolution represents a significant change in the TTPs Blue Teams leverage and describes an improved mindset for practitioners and leaders alike.

George Sandford, Senior Manager of CS Security Team, Gigamon

3:00 - 3:30 PM EDT
12:00 - 12:30 PM PDT

A Data-Driven Approach to Security

Protecting a business starts with asking the right questions and collecting the right data. Most organizations get it wrong right from the beginning. In this session we’ll cover how to use data to drive security, how to protect the business, not just the devices, and a method to drive continuous improvement.

David Swift, Principal Architect - Security Analytics, Securonix

3:30 - 4:15 PM EDT
12:30 - 1:15 PM PDT


4:15 - 4:45 PM EDT
1:15 - 1:45 PM PDT

Detect & Defend

To operate securely on a remote workforce model, security teams need a way to find unknown exposures on any networks employees are on, identify critical issues on employee devices, and ensure these vulnerabilities are not publicly accessible.

Join us to see how combining attack surface discovery capabilities with extended detection and response (XDR) will: 

  • Ensure that insecure remote network configurations are not exposing risky services on corporate devices.
  • Provide visibility to dynamically change policies to alter access controls based on remote employee location.
  • Identify endpoints connecting through known vulnerable routers and assess the need to deploy enterprise-grade endpoint security.

See first hand how you can detect and defend against threats to your remote employee network with Cortex by Palo Alto Networks.

Charity Spiri, Senior Product Marketing Manager - Cortex XDR, Palo Alto Cortex
Kyle Chugg, Engineer Specialist II, Palo Alto Cortex

4:50 - 5:20 PM EDT
1:50 - 2:20 PM PDT

Operationalizing Cyber Threat Intel for Modern Security Operations 

Data and algorithms are the fuel for insights and decisions in the modern digital business, and cyber threat intelligence (CTI) is the fuel for modern security operations. Operationalizing threat intelligence requires the right mix of people, process and technology to create and refine this fuel, yet organizations still struggle with establishing and growing a CTI capability. In this session we’ll cover how to define your requirements for CTI, the required expertise, core CTI processes, and how the ThreatConnect Platform is the enabler to operationalize your CTI function.

Layne Peterson, Security Systems Engineer, ThreatConnect

5:25 - 5:55 PM EDT
2:25 - 2:55 PM PDT

How No-Code Can Help Automate and Streamline Your Security Investigations

Security response teams are facing increased alerts but have limited time and resources when handling incidents. Automating security responses can dramatically improve the time that investigations take, giving more time back to your already limited resources. In this session, we will discuss how no-code automation has revolutionized how security teams investigate and react to incidents utilizing Torq's no-code automation platform. Learn how you can automate your incident enrichment, threat research, and response with ease.

Joe Dillig, Sr. Solutions Architect, Torq

6:00 - 6:30 PM EDT
3:00 - 3:30 PM PDT

Good to the Last Drop: Squeezing More Juice Out of Your Oranges

“We estimate that 90% of users misconfigure our solution.” – major security provider

“When I took over the security program, I found we had 3 different EDR solutions, and were in the process of buying another.” – Fortune 100 CISO

Both end-users and the vendors that secure them are frustrated about the gap in tool utilization: what is advertised vs what is possible vs what is implemented. Distrust abounds; the issue often comes down to a lack of understanding around what is possible within solutions and what are appropriate expectations of those capabilities. In this talk, we will explore how to effectively examine vendor claims as they relate to MITRE ATT&CK®, identify shortcomings, and prioritize your activities to continually evolve and improve.

Frank Duff, Chief Innovation Officer, Tidal

6:35 - 6:50 PM EDT
3:35 - 3:50 PM PDT


David Hazar, Certified Instructor, SANS Institute