Cyber Solutions Fest 2023: SOC & SOAR

The SOC & SOAR Track at Cyber Solutions Fest will explore implementations via the lens of people, process, and technology. Technology that enables people to implement process effectively will feature heavily as vendors highlight actual customer deployments and their implementations of artificial intelligence and machine learning. There will also be highlights on managed service offerings and cloud deployments, as our IT deployment and the security applied to them becomes more distributed within our supply chain and vendor partnerships.

There will be examples of lessons learned from customer deployments, as well as insights from their tool developers and designers about how they see the tools being deployed. The people building the next generation of tools will identify where they project the market to go.

People working in cybersecurity frequently cite an excess of data, along with shortcomings in the technology meant to elevate the right data to visibility. They also frequently cite a shortage of skilled cybersecurity staff as a common issue, which may be due to organizational funding constraints, hiring practices, or the unavailability of qualified candidates. We’ll hear how companies are addressing these challenges to hire, train and retain staff.

Defenders should be in a position to focus their analytical capability on attacker activity, provide guidance for IT teams deploying new systems on secure system architecture and deployment, and leverage trustworthy teams and service providers to make attackers’ efforts futile. We’re not there yet, but attending this event will give you ideas about how your peers are solving cybersecurity issues.

Join in on the action! Connect with fellow attendees and our event chairs in the SANS Solutions Forum Interactive Slack Workspace. Sign in once and you'll be all set for the rest of our 2023 Solutions Forums. We'll see you there!

To view the full agenda for the SOC & SOAR Track, please scroll down! Take note of your most anticipated presentations and favorite speakers below. Pro tip: You can visit our landing page to register for more than one track to truly take your cybersecurity skills to the next level!


Event Platinum Sponsors: Anomali, Corelight, Eclypsium, Endace, Palo Alto Networks, Sophos, Sysdig

Agenda | October 25, 2023 | 10:30AM - 3:45PM EDT

Welcome & Opening Remarks

Chris Crowley, Event Chair, SANS Institute

Session One | Empowering Cyber Defense With Accurate Forensic Evidence

Collecting the right data to enable effective cyber defense is critical. If the right data isn’t collected in the first place, it’s impossible for defenders to come to reliable conclusions. And if the right data has been collected but can’t be accessed quickly enough because of inefficient processes, the result is unacceptably slow threat response. Likewise, the effectiveness of security tools depends on the quality of the data available for analysis. If there are gaps in that data, security tools will be blind to potential threats. In this session, we’ll look at the importance of capturing, analyzing and recording packet data as a core telemetry source, in particular:

  • how that can be done effectively in today’s hybrid cloud environment
  • why some of the tougher security questions can only be answered using full packet data
  • how security solutions can be enhanced by integrating full packet capture into them
  • how access to recorded packet capture can accelerate incident response by enabling streamlined and automated investigation workflows

Michael Morris, Director of Technology Alliances, Endace

11:20 AM | Session Two | The Insider’s Guide to Automating Your SOC

Security automation, orchestration and response (SOAR) can greatly enhance the productivity and effectiveness of a SOC. However, without the expertise of best practices, SecOps teams could find themselves adrift and unable to realize the full benefits of automation.

In this session, we will share lessons learnt from deploying SOAR in hundreds of enterprises of all sizes, worldwide. You’ll better understand:

  • What to consider before you take the plunge (Are you a good candidate for automation?)
  • What a successful SOC automation journey looks like
  • How to best optimize the existing security tools in your SOC with automation
  • Top 5 practical use cases to kickstart your automation project

Michal Goldshtein, Director, Security Architecture and Research, Palo Alto Networks

Session Three | Tales from the Trenches: How SOAR and AI Solve the People Problem

The biggest issue facing enterprise security operations is the deficit of available, affordable, and experienced cybersecurity professionals. SOAR & SIEM are touted as the answer. In this session, Rakesh Nair, Devo VP of Engineering, walks through real-life (but anonymized) experiences from our featured customers, showing how AI-driven SOAR solves the experience and availability issues through task and decision automation: maximizing analyst efficiency and reducing the burden of threat investigation and validation. Leveraging insights from customer deployments, this talk will include:

  • Advanced Threat Detection: Learn how security teams can facilitate the creation of sophisticated models that identify subtle patterns and anomalies within massive datasets, enabling early detection of potential threats.
  • Real-time Incident Response: Observe how AI-driven analytics expedite incident response by correlating disparate data sources, automating investigations, and delivering actionable real-time insights.
  • Predictive Insights: Learn how analysts are empowered to forecast potential vulnerabilities and security gaps, enabling proactive mitigation strategies to reduce risk.
  • Operational Efficiency: Discover how security teams can leverage AI and ML to streamline workflows and focus on strategic initiatives rather than routine tasks.
  • Adaptation and Evolution: Find out how AI and ML continually learn from new data, ensuring that defenses evolve alongside emerging threats.

Rakesh Nair, VP Security Products, Devo Technology

Session Four | Respond to Threats in Minutes, Not Days

As cloud adoption rates continue to skyrocket, most security incidents now involve the cloud. Yet organizations remain disproportionately rooted in legacy on-premises thinking and tools when it comes to detecting and responding to cloud-based threats. What organizations need for modern, fast and effective response is a seamless, cloud-based, end-to-end threat detection, investigation and response workflow. Join us to explore how to detect threats with confidence by storing and analyzing all your security telemetry at scale; how to get faster insights with context and depth of investigation to stay ahead of the latest breaches; and how to orchestrate tools, build automation, and collaborate with ease to respond in minutes.

Keith Manville, Security Operations Engineer, Google Cloud

Session Five | Back from the Brink: Keeping your SIEM in the Game

In this session, we’ll review insights from the recent “Third Annual Report on the State of SIEM Detection Risk.” Based on a data-driven analysis of more than 4,000 rules across diverse SIEM platforms in production environments — including Splunk, Microsoft Sentinel, IBM QRadar, and Sumo Logic — the report provides some interesting benchmark data about typical data ingestion metrics, MITRE ATT&CK coverage, and rule health in enterprise SOCs.

Jay Lillie, VP of Customer Success, CardinalOps

Afternoon Kickoff

Session Six | Why Packet Capture Matters in the Cloud. And How to Do It.

As organizations move workloads to the Cloud, network and security teams are finding they don't have the same level of visibility that they are accustomed to having in on-premise environments. That lack of visibility compromises their ability to protect their cloud infrastructure from cyber attack and ensure that it operates efficiently. In this session, we'll talk briefly about why packet capture in the cloud is just as important as it is in on-premise environments. We'll demonstrate how scalable packet capture can be deployed in multi-cloud environments (using AWS and Azure). And finally we'll outline how it's possible to provide full visibility into activity across your Hybrid Cloud network from a single pane-of-glass.

Michael Morris, Director of Technology Alliances, Endace

Cary Wright, VP Product Management, Endace

Session Seven | You Might Have a Breach - Now What’s Next?

Solarstorm/Sunburst, Hafnium, Kaseya, MS Exchange vulnerabilities, Log4J…when news of a zero-day vulnerability or exploit hits the news, your team and your executives need assurance that the company is protected from any potential breach.

In this Tech Talk, we will show you how to leverage automation to mount a rapid breach response against any 0-days including:

  • Indicator collection, extraction, tagging
  • Executing threat hunting
  • Remediating and eradicating any threats

See XSOAR in action as a virtual member of your rapid response team!

Michal Goldshtein, Director, Security Architecture and Research, Palo Alto Networks

Ben Melamed, Security Architect, Palo Alto Networks

SOC Panel: People, Process, Technology

On this panel, Christopher Crowley will ask questions of our panelists on how to make sure SOAR is realizing the promise of automation. There’s a necessary convergence of vendor technology, organizational capability, staff readiness, a workstyle toward constant improvement, and a candid awareness that technology operations require constant attention and tuning.

Your peers are challenged to do everything they can to keep up with changing defensive topography, adaptive threats, legacy environments, and staff / budget shortages. This panel provides insight on what Endace and Palo Alto Networks have seen their customers do to make the most of technology and resources.

Chris Crowley, Event Chair, SANS Institute

Michael Morris, Director of Technology Alliances, Endace

Michal Goldshtein, Director, Security Architecture and Research, Palo Alto Networks

Closing Remarks

Chris Crowley, Event Chair, SANS Institute