Cyber Solutions Fest: Level SOC & SOAR

  • Webcast Scheduled to Air Thursday, 21 Oct 2021 8:30AM EST (21 Oct 2021 12:30 UTC)
  • Speakers: Christopher Crowley, Jane Goh, Michael Morris, Ryan Clough, Andrew Yeates, Devin Johnstone, Neelima Rustagi, Christopher Morales, Krupa Srivatsan, Christopher Fielder, Andrew Morris

You are entering Level SOC & SOAR at the SANS Cyber Solutions Fest 2021.

This full-day session will feature Christopher Crowley and invited guest speakers as they uncover how SOAR systems can help organizations define, prioritize, and standardize responses to cyber attacks. Discover how security teams can gain insight on an attacker's tactics, techniques, and procedures (TTPs) and known indicators of compromise (IOC).




Agenda | 8:30 AM - 5:00 PM ET


Session Details

8:30 AM

Kickoff & Welcome

Chris Crowley, SANS Instructor

8:45 AM

Implementing SOAR with Network Packet Capture for Faster, More Accurate Incident Response

SOAR’s goal is to transform SOC operations by orchestrating security incident response workflows. A key element of effective SOAR is making sure SOC analysts have relevant evidence at their fingertips as soon as they are ready to investigate an incident. This evidence needs to come from a range of sources to enable a complete 360 degree view of the incident. However, many SOAR deployments are missing a critical source of evidence that provides an irrefutable record of threats that occur on your network: the actual network traffic. Just like a black box flight recorder, Network Packet Capture shines a light on the precise footsteps of a security incident and allows faster, more accurate conclusions to be drawn.

This presentation looks at the benefits of incorporating recorded network traffic into your SOAR workflows. It covers the pros and cons of different methods of recording traffic including:

  • Summarised network traffic, eg NetFlow or IPFIX
  • Ad hoc “on-demand” packet capture
  • Triggered packet capture
  • Continuous “always-on: packet capture

And outlines how packet capture can be integrated into SOAR workflows and playbooks to improve the speed and accuracy of Incident Response.

Michael Morris, Director of Bus. Dev. and Technology Alliances, Endace

9:25 AM

How a Security Company Automates its SOC

Our SOC is tasked with protecting roughly 8,000 employees globally, a continuously expanding environment of endpoints, multiple data centers, and the security services our 85,000 customers consume. To protect all the data that flows across these infrastructures, we perform three primary services: threat monitoring, incident response and threat hunting. We provide these services with a lean SOC team that operates in a single shift, working mostly remotely, during standard business hours. Many are surprised to learn that we don’t have eyes on glass every second of every day but we’ve worked hard to refine a model that uses strong prevention, automation, and policy to ensure we can effectively mitigate risks without drowning in alerts around the clock.

Join us for a behind-the-scenes peek at how a SOC team protects one of the largest cybersecurity companies in the world. . You also get an opportunity to poll these SOC experts in a live Q&A.

Devin Johnstone, Sr Staff Security Engineer, Palo Alto Networks
Neelima Rustagi
, Sr Director, Product Management, Palo Alto Networks

10:05 AM


10:20 AM

Capturing the ROI of Security Automation

No matter the size or industry, company leaders recognize that minimizing external threats are of paramount importance. As a result, companies value their SOCs and consider them critical to their cybersecurity strategy, however, it is not always easy to quantify the ROI of these investments. In this session you will not only learn how to capture the ROI, but to improve it as well.

This session outlines:

  • The 1-10-60 rule and why it matters and how to measure against it
  • Myriad issues impacting overall ROI
  • Actionable tactics you can take to improve ROI
  • That ROI isn’t only about money, other factors impact the bottom line
Speaker TBA

10:50 AM

Sumo Logic Session Info Coming Soon

11:20 AM

Better SOC/SOAR Efficiency with Better Threat Intelligence: 3 Ways to Get There to Reversing Labs session

We live and work in an age where every minute counts, and threat actors employ more and more advanced techniques to evade detection from AVs, sandboxes, and process failures. Learn in this session from an industry leading expert in SOAR how applying threat intelligence correctly can greatly improve the SOCs efficiency, and catch the bad guys earlier on. The key sessions topics will be:

  • Increasing the overall detection of malicious files through a zero-trust approach
  • Automation of L1 triage to reduce false positive alerts
  • Automation of malware analysis with explainable and actionable threat intelligence

Andrew Yeates, Solutions Architect, ReversingLabs

11:50 AM


12:00 PM

Diversify and Conquer: Building and Managing Successful CyberTeams

Successful organizations know it's important to build diverse teams, but how can you ensure you're hiring from the most diverse pool? And once you've developed a diverse team how can you support inclusion and respect to keep that team effective and engaged? In this panel we bring together a group of experts in the cybersecurity field who represent a wide variety of backgrounds and approaches. Together we'll talk through dimensions of diversity including educational, experiential, racial, and neuro. And we'll share examples of how you and your organization can thrive with a powerfully diverse workforce.

Diana Kelley
, CTO & Co-Founder, Security Curve

Nicola Whiting
, Chief Strategy Officer, Titania Ltd
Alyssa Miller
, Business Information Security Officer (BISO), S&P Global
Natasha Barnes
, Associate Director in IT Internal Audit and Advisory, Protiviti
Seema Kathuria
, Senior Product Marketing Manager, Duo Security

1:00 PM

Afternoon Kickoff

Chris Crowley, SANS Instructor

1:10 PM

Cool Ways to Automate Your Threat Intel Management

Join us for a live demo of top ways you can leverage automation to get more out of your threat feed subscriptions. Why do it manually when you can “outsource” scoring your feeds, mapping external threats to what’s happening in your environment, and distributing critical indicators to your enforcement points? See how you can truly unlock the power of your threat intel and gain time back in the process.

Ryan Clough, Sr Product Manager, Palo Alto Networks

1:30 PM

Deep Dive Into Integrating Always-on Packet Capture with SOAR

Continuous network packet capture holds vital clues to help resolve critical security incidents. This tech talk reviews how to integrate packet capture with SOAR platforms for faster and more accurate incident response. It will include demos of integrations with Palo Alto Networks Cortex XSOAR and Splunk SOAR.

Hackers often cover their tracks by erasing logs or deleting other clues that show their activity. You will learn how you can bring clarity to every incident, alert or issue when continuous network packet capture is integrated with your SOAR workflows.

Michael Morris, Director of Business Development and Technology Alliances, Palo Alto Networks

1:50 PM

Cyber Resilience for Digital Operations

Security operations needs context awareness to ensure the success of business initiatives in a world of advanced, targeted attacks. Netenrich empowers security, IT and cloud operations to thrive during adversity with adaptive incident resolution using real time, data driven risk and trust-based decision making. The Netenrich Resolution Intelligence platform streamlines the process of managing, analyzing, and fixing the root cause of incidents to prevent future disruption.

Christopher Morales, CISO, Netenrich

2:20 PM

Track “Things”, Gain Better Visibility and Investigate Incidents Faster using IPAM Asset Data

Responding to security events requires sophisticated investigation skills and gathering of data from multiple sources to accurately understand severity of an attack, and identify affected devices. This data gathering can often be a manual, laborious process and involve co-ordination with multiple groups within the company. And even then, visibility gaps exist. Without a centralized database of things that connect to the network, tracking becomes difficult. Without understating the role of assets involved in a breach, prioritization can be misplaced.

Join this session to gain insights into:

  • The role IP address management (IPAM) data plays in threat investigation
  • How to use this data for tracking, prioritization and faster response
  • Ecosystem integrations that enrich your SIEM/SOAR with this critical data.

Krupa Srivatsan, Director of Product Marketing, Infoblox

2:50 PM

End Cyber Risk with Security Operations
Cyber risk is a business risk. Unfortunately, the cybersecurity industry has shown an effectiveness problem in reducing cyber risk for organizations. Every year we’ve witnessed new technologies, vendors, and solutions emerge—yet despite this constant innovation, high-profile breaches continue to make the headlines. 

 Join us as we discuss:

  • How you can build on the cybersecurity investments and resources you already have
  • The Security Operations framework, what it is, and how you can implement it to enhance your overall security posture
  • How to build and sustain resilience into your security posture moving forward, ultimately helping your organization end cyber risk

Christopher Fielder, Director, Product Marketing, Arctic Wolf

3:20 PM


3:35 PM

Tracking Internet “Noise” to Reduce Alerts and Predict Attacks

Every machine connected to the internet gets slammed with unsolicited communications from tens of thousands of IP addresses every day. This massive volume of “internet noise” triggers security tools to generate thousands of events that SOC teams must analyze, even though much of the traffic is harmless opportunistic scanning or common business services. But today, a new generation of threat intelligence is emerging that gives analysts the context they need to confidently ignore irrelevant or harmless activity, creating more time to uncover and investigate true threats.

Join this webinar to hear GreyNoise founder and CEO Andrew Morris discuss how GreyNoise data can be used to reduce alert fatigue, identify compromised devices, and predict malicious activity. Learn about:

  • The challenges of internet noise
  • GreyNoise’s internet-wide sensor network
  • How GreyNoise customers are reducing their alert loads by 25% or more
  • And check out a live demo of the FREE GreyNoise service

Andrew Morris, Founder and CEO, GreyNoise Intelligence

4:05 PM

SOC & SOAR Efficiency Panel

Security Orchestration, Automation and Response (SOAR) tooling is intended to increase efficiency and consistency. These tools also promise to diminish the cost of operating a Security Operations Center (SOC) for most organizations. If used properly, these tools can do all of these things.

Investing in a SOAR platform is strategic and oftentimes a financially beneficial decision. SOAR systems can help define, prioritize, and standardize responses to cyber incidents. This process occurs when an organization’s security team uses the platform to gain insight on an attacker’s tactics, techniques, and procedures (TTPs) and known indicators of compromise (IOC). But more importantly, to know what the SOC needs to do and perform it with great speed, precision, and consistency.

Chris Crowley, SANS Instructor

Jane Goh
, Sr Product Marketing, Palo Alto Networks
Other Panelists TBA

4:55 PM


Chris Crowley, SANS Instructor

Level SOC & SOAR with Chris Crowley

Hear what Chris Crowley has to say about Level SOC & SOAR and what you can expect from attending.

Cybersecurity Solutions for Today's Challenges

The 2nd annual SANS Cyber Solutions Fest aims to connect cybersecurity professionals of all levels with the latest solutions, tools, and techniques to combat today's cybersecurity threats.

  • Featuring 4 unique levels: Threat Hunting & Intel, SOC & SOAR, MITRE ATT&ACK®, and Cloud Security
  • Network in real-time with over 30 sponsors and learn from top industry experts
  • Join interactive panel discussions, discover job opportunities, compete in games for multiple prizes, and more