
Using a Collection Management Framework for ICS Security Operations and Incident Response

  • Wednesday, November 14th, 2018 at 3:30 PM EST (20:30:00 UTC)
  • Tim Conway, Ben Miller and Mark Stacey
This webcast has been archived; the recording and slides are available through a SANS Portal Account.


  • Dragos, Inc.



A collection management framework (CMF) is an essential way to extend the value of an asset inventory so that it serves security operations and incident response use-cases. A CMF helps analysts understand not only what assets they have, but what data is available from those assets, how long it is stored, and what they can do with that data. Pre-made investigation playbooks, paired with an understanding of the threat and of what your collection actually is, are a core way to build a repeatable and scalable approach to monitoring your industrial networks for threats and responding to them efficiently.

This webcast will present a new paper outlining how to build a CMF and then transition to showing examples of how to use it. Examples will educate attendees on incident response, threat hunting, and security operations use-cases in the industrial control system (ICS). At the end of the presentation a use-case will be demonstrated in the Dragos Platform to show attendees how you can leverage threat intelligence and an understanding of your own environment to quickly investigate malicious activity.
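The abstract describes a CMF as an inventory extended with, per asset, what data exists, how long it is kept, and what an analyst can do with it, and describes playbooks being run against that collection. As an added illustration (this is not code from the webcast, the paper, or Dragos), the block below models a small CMF as a table of assets and data sources and checks a constructed playbook against it, so that gaps show up before an incident rather than during one. Every asset name, data source, retention period and playbook question is a constructed sample value.

```python
"""
Added example, not from the webcast or the paper it presents: a minimal
collection management framework (CMF) as a table of assets and their data
sources, plus a coverage check that maps an investigation playbook's
questions onto the sources that can actually answer them.
All names, sources and retention periods below are constructed samples.
"""
from dataclasses import dataclass, field


@dataclass
class DataSource:
    name: str            # e.g. "windows event log"
    kinds: set           # what the data can show, e.g. {"logon", "process"}
    retention_days: int  # how long the asset keeps it before it rolls over
    location: str        # where an analyst retrieves it from


@dataclass
class Asset:
    name: str
    zone: str            # constructed Purdue-style zone label
    sources: list = field(default_factory=list)


# Constructed sample inventory: three assets with very different collection
CMF = [
    Asset("HMI-01", "level 2", [
        DataSource("windows event log", {"logon", "process", "service"}, 30,
                   "local, wevtutil export"),
        DataSource("span port pcap", {"network"}, 14, "sensor-2"),
    ]),
    Asset("PLC-07", "level 1", [
        DataSource("span port pcap", {"network"}, 14, "sensor-2"),
        DataSource("controller diagnostic buffer",
                   {"mode change", "program download"}, 2,
                   "engineering workstation"),
    ]),
    Asset("HISTORIAN", "level 3", [
        DataSource("syslog to siem", {"logon", "service"}, 365, "siem"),
    ]),
]


@dataclass
class PlaybookStep:
    """One playbook question: a kind of data about an asset, reaching back
    a given number of days."""
    question: str
    asset: str
    kind: str
    lookback_days: int


def coverage(cmf, step):
    """Return (status, sources) for one playbook step.

    status is 'covered', 'retention gap' (a source exists but will not reach
    back as far as the step needs) or 'no source'.
    """
    asset = next((a for a in cmf if a.name == step.asset), None)
    if asset is None:
        return "no source", []
    matching = [s for s in asset.sources if step.kind in s.kinds]
    if not matching:
        return "no source", []
    usable = [s for s in matching if s.retention_days >= step.lookback_days]
    if usable:
        return "covered", usable
    return "retention gap", matching


def plan(cmf, steps):
    """Run every step through the CMF and group the results by status."""
    report = {"covered": [], "retention gap": [], "no source": []}
    for step in steps:
        status, sources = coverage(cmf, step)
        report[status].append((step.question, [s.name for s in sources]))
    return report


# Constructed playbook for a suspected unauthorized logic change on a PLC
PLAYBOOK = [
    PlaybookStep("Who logged on to the HMI in the last 7 days?",
                 "HMI-01", "logon", 7),
    PlaybookStep("Was a program downloaded to PLC-07 in the last 7 days?",
                 "PLC-07", "program download", 7),
    PlaybookStep("What talked to PLC-07 over the network in the last 7 days?",
                 "PLC-07", "network", 7),
    PlaybookStep("Did anyone log on to the historian in the last 90 days?",
                 "HISTORIAN", "logon", 90),
    PlaybookStep("What processes ran on the historian in the last 7 days?",
                 "HISTORIAN", "process", 7),
]

if __name__ == "__main__":
    for status, items in plan(CMF, PLAYBOOK).items():
        print(status.upper())
        for question, names in items:
            print(f"  {question} -> {names or '-'}")
```

The useful output is the two non-covered buckets: the controller diagnostic buffer holds program-download evidence for only two days, so a seven-day lookback is a retention gap that a playbook author can fix now (by exporting the buffer on a schedule, for instance), and the historian has no process-level source at all, which is a collection gap rather than an analysis problem.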

Speaker Bios

Tim Conway

Technical Director - ICS and SCADA programs at SANS. Responsible for developing, reviewing, and implementing technical components of the SANS ICS and SCADA product offerings. Formerly, the Director of CIP Compliance and Operations Technology at Northern Indiana Public Service Company (NIPSCO). Responsible for Operations Technology, NERC CIP Compliance, and the NERC training environments for the operations departments within NIPSCO Electric. Previously, an EMS Computer Systems Engineer at NIPSCO for eight years, with responsibility over the control system servers and the supporting network infrastructure. Former Chair of the RFC CIPC, current Chair of the NERC CIP Interpretation Drafting Team, member of the NESCO advisory board, current Chair of the NERC CIPC GridEx Working Group, and Chair of the NBISE Smart Grid Cyber Security panel.

Ben Miller

Ben Miller is Director, Threat Operations Center at the industrial cyber security company Dragos, Inc., where he leads a team of analysts performing active defense inside ICS/SCADA networks. In this capacity, he is responsible for the threat hunting, incident response, and malware analysis mission for the industrial community. Prior to his role at Dragos, Inc., Ben was the Associate Director, Electricity Information Sharing & Analysis Center (Electricity ISAC) and led cyber analysis for the sector. He and his team focused on leading-edge cyber activities as they relate to the North American bulk electric system. Ben was recognized as instrumental in building new capabilities surrounding information sharing and analytics in his five years at the E-ISAC. Prior to joining the E-ISAC, Ben built and led a team of nine focused on Network Security Monitoring, forensics, and incident response at a Fortune 150 energy firm. His team received numerous accolades from industry and law enforcement. During this time, he also served in a CIP implementation project and various enterprise-wide mitigation programs. Ben has over 18 years' experience and currently holds the CISSP and GIAC GREM certifications.

Ben has served in various roles, including both planner and player roles, in GridEx I, II, and III. He served as a member of the NERC Cyber Attack Task Force, an acknowledged contributor to NIST SP 800-150, a panel member of the NBISE Advanced Defender panel, and adviser to the CI Advanced Defender Training program. Ben is an accomplished speaker at various venues including SANS, ICSJWG, ShmooCon and others. Ben also helps run Charmsec, an informal 'citysec-style meet-up' located in Baltimore.

Mark Stacey

Mark Stacey is a Principal Threat Analyst with Dragos, Inc., where he delivers incident response, threat hunting, and adversary research for Industrial Control Systems worldwide. Prior to joining Dragos, Mark was a member of RSA's Incident Response team and worked with the Department of Energy (DOE) performing digital forensics and intelligence analysis. He frequently provides community education and participates in outreach programs with federal agencies.
