Cyber Solutions Fest 2021: Level SOC & SOAR Efficiency

  • Thursday, 21 Oct 2021 8:30AM EDT (21 Oct 2021 12:30 UTC)
  • Speakers: Christopher Crowley, Jane Goh, Lior Kolnik, Cary Wright, Michael Morris, Ryan Clough, Daniel Diserens, Girish Bhat, Andrew Yeates, Christopher Morales, Krupa Srivatsan, Christopher Fielder, Andrew Morris, Devin Johnstone, Neelima Rustagi, Diana Kelley, Nicola Whiting, Alyssa Miller, Natasha Barnes, Seema Kathuria

You are entering Level SOC & SOAR at the SANS Cyber Solutions Fest 2021.

This full-day session will feature Christopher Crowley and invited guest speakers as they uncover how SOAR systems can help organizations define, prioritize, and standardize responses to cyber attacks. Discover how security teams can gain insight on an attacker's tactics, techniques, and procedures (TTPs) and known indicators of compromise (IOC).


Agenda | 8:30 AM - 5:30 PM EDT


Session Details

8:30 AM

Kickoff & Welcome

Chris Crowley, SANS Instructor

8:45 AM

Implementing SOAR with Network Packet Capture for Faster, More Accurate Incident Response

SOAR’s goal is to transform SOC operations by orchestrating security incident response workflows. A key element of effective SOAR is making sure SOC analysts have relevant evidence at their fingertips as soon as they are ready to investigate an incident. This evidence needs to come from a range of sources to enable a complete 360-degree view of the incident. However, many SOAR deployments are missing a critical source of evidence that provides an irrefutable record of threats that occur on your network: the actual network traffic. Just like a black box flight recorder, Network Packet Capture shines a light on the precise footsteps of a security incident and allows faster, more accurate conclusions to be drawn.

This presentation looks at the benefits of incorporating recorded network traffic into your SOAR workflows. It covers the pros and cons of different methods of recording traffic including:

  • Summarized network traffic, e.g. NetFlow or IPFIX
  • Ad hoc “on-demand” packet capture
  • Triggered packet capture
  • Continuous “always-on” packet capture

It also outlines how packet capture can be integrated into SOAR workflows and playbooks to improve the speed and accuracy of Incident Response.

Michael Morris, Director of Bus. Dev. and Technology Alliances, Endace

9:25 AM

How a Security Company Automates its SOC

Our SOC is tasked with protecting roughly 10,000+ employees globally, a continuously expanding environment of endpoints, multiple data centers, and the security services our 85,000 customers consume. To protect all the data that flows across these infrastructures, we perform three primary services: threat monitoring, incident response and threat hunting. We provide these services with a lean SOC team that operates remotely during business hours only. Many are surprised to learn that we don’t have eyes on glass every second of every day, but we’ve worked hard to refine a model that uses strong prevention, automation, and policy to ensure we can effectively mitigate risks without drowning in alerts around the clock.

Join us for a behind-the-scenes peek at how a SOC team protects one of the largest cybersecurity companies in the world. You also get an opportunity to poll these SOC experts in a live Q&A.

Chris Crowley, SANS Instructor

Devin Johnstone, Sr. Staff Security Engineer, Palo Alto Networks
Neelima Rustagi, Sr. Director, Product Management, Palo Alto Networks

10:05 AM


10:20 AM

Top Use Cases for Integrating Threat Intelligence with SOAR

SOAR and Threat Intelligence are two foundational technologies for every modern security operations team, but are all too often used in silos limiting their effectiveness. Fusing these two solutions can deliver intelligence-driven security operations, enabling security operations teams to validate, investigate and remediate threats faster and with greater precision.

Join our session as we discuss the benefits and use cases of integrated SOAR and Threat Intelligence, including how you can:

  • Automate alert enrichment with deep intelligence context for accurate triage decisions.
  • Proactively detect and respond to new malicious indicators of compromise (IOCs) ingested from threat intelligence.
  • Orchestrate scalable and repeatable threat hunts within your organization.
  • Leverage closed-loop threat intelligence and share threat indicators inside and outside your organization.

Daniel Diserens, Senior Security Solutions Architect, Siemplify

10:50 AM

SOC Modernization: Lessons for Post-Pandemic Recovery

Building Cyber Resilience to address modern-day threats requires rethinking your current SecOps. If you are not adequately equipped, the pre-pandemic way of operating a SOC, handling threats with inflexible tools and technologies, will require a redo now.

In this session, you will hear Sumo Logic’s experience with managing a cloud-native SOC and key considerations for modernizing your SecOps, including:

  • SOC operating model
  • Handling modern threatscape
  • Adoption of modern tools and technology

Girish Bhat, VP, Sumo Logic
Roland Palmer, Senior Manager - SOC, Sumo Logic

11:20 AM

Better SOC/SOAR Efficiency with Better Threat Intelligence: 3 Ways to Get There

We live and work in an age where every minute counts, and threat actors employ more and more advanced techniques to evade detection from AVs, sandboxes, and process failures. Learn in this session from an industry-leading expert in SOAR how applying threat intelligence correctly can greatly improve the SOC's efficiency and catch the bad guys earlier on. The key session topics will be:

  • Increasing the overall detection of malicious files through a zero-trust approach
  • Automation of L1 triage to reduce false positive alerts
  • Automation of malware analysis with explainable and actionable threat intelligence

Andrew Yeates, Solutions Architect, ReversingLabs

11:50 AM


12:00 PM

U.S. Cybersecurity Regulation: Fact or Fiction?

As a result of the recent Executive Order, many U.S. federal agencies are trying to quickly determine next steps in their Zero Trust journey. And they are not alone. Organizations around the globe are examining their Zero Trust strategies and wondering if this EO is a precursor for broader legislation and future regulations that could begin to add new layers of accountability to cybersecurity incidents.

During this keynote session, industry experts Art Coviello, former CEO of RSA Security, and Mike Brown, Rear Admiral, United States Navy (retired), an authority on our nation’s cybersecurity strategy through his leadership positions at the Departments of Defense and Homeland Security, will provide insight based on their experience on what to expect from the government, when to expect it, and how these changes will impact cybersecurity professionals.

Nicole Rowe, CMO, SecZetta

Art Coviello, former CEO of RSA Security
Mike Brown, Rear Admiral, United States Navy (Retired)

Live Chat & Questions:
Frank Briguglio, Public Sector Strategist, SailPoint

1:00 PM

Afternoon Kickoff

Chris Crowley, SANS Instructor

1:10 PM

Cool Ways to Automate Your Threat Intel Management

Join us for a live demo of top ways you can leverage automation to get more out of your threat feed subscriptions. Why do it manually when you can “outsource” scoring your feeds, mapping external threats to what’s happening in your environment, and distributing critical indicators to your enforcement points? See how you can truly unlock the power of your threat intel and gain time back in the process.

Shravanthi Reddy, Sr Product Manager, Palo Alto Networks

1:30 PM

Deep Dive Into Integrating Always-on Packet Capture with SOAR

Continuous network packet capture holds vital clues to help resolve critical security incidents. This tech talk reviews how to integrate packet capture with SOAR platforms for faster and more accurate incident response. It will include demos of integrations with Palo Alto Networks Cortex XSOAR and Splunk SOAR.

Hackers often cover their tracks by erasing logs or deleting other clues that show their activity. You will learn how you can bring clarity to every incident, alert or issue when continuous network packet capture is integrated with your SOAR workflows.

Michael Morris, Dir. of Bus. Development & Technology Alliances, Endace

1:50 PM

Cyber Resilience for Digital Operations

Security operations needs context awareness to ensure the success of business initiatives in a world of advanced, targeted attacks. Netenrich empowers security, IT and cloud operations to thrive during adversity with adaptive incident resolution using real-time, data-driven risk and trust-based decision making. The Netenrich Resolution Intelligence platform streamlines the process of managing, analyzing, and fixing the root cause of incidents to prevent future disruption.

Christopher Morales, CISO, Netenrich

2:20 PM

Track “Things”, Gain Better Visibility and Investigate Incidents Faster using IPAM Asset Data

Responding to security events requires sophisticated investigation skills and gathering data from multiple sources to accurately understand the severity of an attack and identify affected devices. This data gathering can often be a manual, laborious process and involve coordination with multiple groups within the company. And even then, visibility gaps exist. Without a centralized database of things that connect to the network, tracking becomes difficult. Without understanding the role of assets involved in a breach, prioritization can be misplaced.

Join this session to gain insights into:

  • The role IP address management (IPAM) data plays in threat investigation
  • How to use this data for tracking, prioritization and faster response
  • Ecosystem integrations that enrich your SIEM/SOAR with this critical data.

Krupa Srivatsan, Director, Infoblox

2:50 PM

End Cyber Risk with Security Operations

Cyber risk is a business risk. Unfortunately, the cybersecurity industry has shown an effectiveness problem in reducing cyber risk for organizations. Every year we’ve witnessed new technologies, vendors, and solutions emerge, yet despite this constant innovation, high-profile breaches continue to make the headlines.

Join us as we discuss:

  • How you can build on the cybersecurity investments and resources you already have
  • The Security Operations framework, what it is, and how you can implement it to enhance your overall security posture
  • How to build and sustain resilience into your security posture moving forward, ultimately helping your organization end cyber risk

Christopher Fielder, Director, Arctic Wolf

3:20 PM


3:35 PM

Making Your SIEM and SOAR More Effective by Reducing the Noise

Everyone in the SOC is too busy, and everything feels on fire all the time. With an insane amount of “bad” on the internet driving alert volumes in the SOC sky-high, it's hard to see which “bad” to focus on, because there’s simply too much noise. Automation is the obvious answer, but finding time to set up the right automation is difficult. Join GreyNoise founder and CEO Andrew Morris on this webinar to learn just how bad “internet noise” is today, and what you can do to reduce the racket and reclaim the value of your SIEM and SOAR.

Andrew will cover:

  • LIVE demonstration of internet noise
  • Quantifying the cost of internet noise to your SOC
  • How to shift your philosophy from “more alerts” to “better alerts”
  • Real world results GreyNoise customers are getting by reducing the noise in their SIEM/SOAR solutions

Andrew Morris, Founder and CEO, GreyNoise Intelligence

4:05 PM

SOAR Into SOC Efficiency: Panel

Security Orchestration, Automation and Response (SOAR) tooling is intended to increase efficiency and consistency. These tools also promise to diminish the cost of operating a Security Operations Center (SOC) for most organizations. If used properly, these tools can do all of these things.

Investing in a SOAR platform is strategic and oftentimes a financially beneficial decision. SOAR systems can help define, prioritize, and standardize responses to cyber incidents. This process occurs when an organization’s security team uses the platform to gain insight on an attacker’s tactics, techniques, and procedures (TTPs) and known indicators of compromise (IOC). More importantly, it lets the SOC know what it needs to do and perform it with great speed, precision, and consistency.

Chris Crowley, SANS Instructor

Cary Wright, VP Product Management, Endace
Michael Morris, Dir. of Bus. Development & Technology Alliances, Endace
Lior Kolnik, Sr. Manager of Security, Palo Alto Networks

4:55 PM


Chris Crowley, SANS Instructor

Level SOC & SOAR with Chris Crowley

Hear what Chris Crowley has to say about Level SOC & SOAR and what you can expect from attending.

Cybersecurity Solutions for Today's Challenges

The 2nd annual SANS Cyber Solutions Fest aims to connect cybersecurity professionals of all levels with the latest solutions, tools, and techniques to combat today's cybersecurity threats.

  • Featuring 4 unique levels: Threat Hunting & Intel, SOC & SOAR, MITRE ATT&CK®, and Cloud Security
  • Network in real-time with over 30 sponsors and learn from top industry experts
  • Join interactive panel discussions, discover job opportunities, compete in games for multiple prizes, and more