Get an iPad mini, ASUS ZenScreen LED Monitor, or $350 Off with OnDemand Training thru 5/19


To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Sorry, the slides for this webcast are not available for download.

Cyber Threat Intelligence Summit Solutions Track

  • Friday, January 22nd | 9:00 AM - 5:30 PM ESTFriday, January 22, 2021 at 9:00 AM EST (2021-01-22 14:00:00 UTC)
  • Robert M. Lee, Ben Greenbaum, Chris Jacobs, James Perry, Daniel Bates, Fayyaz Rajpari, Dragos Gavrilut, Tanner Payne, Brandon Hoffman, Jerry Caponera, Peter Rydzynski, Sumukh Tendulkar, Michael-Angelo Zummo, Taylor Wilkes-Pierce

You can now attend the webcast using your mobile device!




You will earn 4 CPE credits for attending this virtual event

Event Overview

The collection, classification, and exploitation of knowledge about adversaries - collectively known as cyber threat intelligence (CTI) - gives security practitioners information superiority that is used to reduce an adversary's likelihood of success. Responders and defenders leverage accurate, timely, and detailed threat intelligence to monitor new and evolving attacks and subsequently adapt their security posture.

Cyber threat intelligence represents a force multiplier for organizations looking to update their response and detection programs to deal with increasingly sophisticated advanced persistent threats. Malware is an adversary's tool but the real threat is the human one, and cyber threat intelligence focuses on countering those flexible and persistent human threats with empowered and trained human defenders. During a targeted attack, an organization needs a top-notch and cutting-edge threat hunting or incident response team armed with the threat intelligence necessary to understand how adversaries operate and to counter the threat.

Knowledge about the adversary is core to all security teams. The red team needs to understand adversaries' methods in order to emulate their tradecraft. The Security Operations Center needs to know how to prioritize intrusions and quickly deal with those that need immediate attention. The incident response team needs actionable information on how to quickly scope and respond to targeted intrusions. The vulnerability management group needs to understand which vulnerabilities matter most for prioritization and the risk that each one presents. The threat hunting team needs to understand adversary behaviors to search out new threats.

This forum will explore various CTI topics through invited speakers while showcasing current capabilities available today. Presentations will focus on case-studies and thought leadership using specific examples relevant to the industry as we know it today.


9:00 - 9:15 AM EST - Event Welcome


9:15 - 10:00 AM EST - Keynote


10:05 - 10:15 AM EST - FOR578 - Cyber Threat Intelligence Update and Move to 6 Days

Rob M. Lee, @RobertMLee, Chairperson, SANS Institute, @SANSInstitute

This presentation will go over what's new in the 2021 update for FOR578 - Cyber Threat Intelligence. It will also focus on recent events and the application of cyber threat intelligence to them. Additionally, the course has moved from a 5 day course to a 6 day course to include a final capstone for students to work on which will be detailed in this webcast.


10:15 - 10:50 AM EST - Get Your Bits Together (or Don't): Monolithic vs Federated Data Structures for Threat Intelligence

Ben Greenbaum, @secintsight Technical Leader, Cisco, @Cisco

When meeting an organization's need to leverage multi-source bulk threat intelligence and local security context, the traditional approach has been to start by collecting it all into one place. This is the foundation for entire security product categories such as SIEMs, TIMPs, and even to some extent SOAR and XDR. The other option of course is to leave it where it was generated, and use it from there via APIs or other transports. Are there significant advantages to one over the other? Join Ben Greenbaum from Cisco's SecureX team as he explores this topic and what it means for the effectiveness of tools that generate and/or rely on Threat Intelligence at scale.


10:50 - 11:25 AM EST - A Product Approach to your Threat Intelligence Practice: Increase Investment and Outcomes

Chris Jacob, Vice President of Threat Intelligence Engineering, ThreatQuotient, @ThreatQuotient

As a threat intelligence practitioner, you likely have a good idea of the value you and your CTI team bring to your organization. But does the rest of the security organization? Do the executives? Does the C-Suite? 

CTI teams that take a product approach in which organization stakeholders are customers for contextualized intelligence can see increased investment in their operation and stronger holistic security outcomes. How are you delivering value to your customers? Do you have a way to receive customer feedback and improve your product?  

In this presentation we will learn how to:

  • Highlight the value CTI already brings to the organization.
  • Increase value of existing technology and human resources through robust integrations
  • Effectively receive and implement feedback that strengthens a CTI processWhite

11:25 AM - 12:00 PM EST - From the Front Lines Incident Response at Scale

James Perry, Senior Director and Global Head of Incident Response, CrowdStrike, @CrowdStrike

Stories of CrowdStrike incident response engagements and how we have changed the model for how companies respond to a breach. Learn the methods CrowdStrike uses to disrupt and ultimately remove bad actors from networks.


12:00 - 12:15 PM EST - Break


12:15 - 12:50 PM EST - Correlating Threat Intelligence with CTIM

Daniel Bates, Technical Solutions Architect, Cisco Umbrella, @CiscoUmbrella

Today's complex threat landscape requires a comprehensive, structured approach to modeling and responding to threat intelligence. Join us as we explore the Cisco Threat Intelligence Model (CTIM) and discover how it enables automated collection, evaluation, and analysis of cyber threat intelligence, leading into orchestrated response actions across a wide range of deployed services and applications.


12:50 - 1:25 PM EST - Turning Data into Actionable Threat Intelligence

Dragos Gavrilut, Director, Cyber Threat Intelligence Lab, Bitdefender, @Bitdefender

Fayyaz Rajpari, Sr. Director, Product Management, Recorded Future, @RecordedFuture

As security operations teams struggle with increasingly sophisticated adversaries exploiting more and more vulnerabilities in today's organizations, Threat Intelligence is often touted as the key to proactivity. How can they extract the most value from Threat Intelligence and use it in a way that enables security teams and security leaders to look beyond the latest alert, or vulnerability announcement?

In this session, we explain what actionable Threat Intelligence means for security teams and how we can obtain it. We highlight Bitdefenders proprietary threat data collection and enriching processes as well as discuss how RecordedFuture further leverages the threat data, converting it into actionable threat intelligence for their customers.


1:25 - 2:00 PM EST - Post Mortem: The First 72 Hours of SUNBURST Threat Intelligence Research

Tanner Payne, Senior Sales Engineer, ExtraHop, @ExtraHop

On December 13, 2020 when the SolarWinds Orion SUNBURST backdoor vulnerability was disclosed, the entire security community sprung into action. The attack had potential to do immense damage, and everyone worked tirelessly to respond fast. FireEye and ExtraHop were among the first to release SUNBURST associated domains and IP addresses to be used for threat intel, forensic investigation, and response.

This session will cover:

  • Background on the SUNBURST attack and how it was so stealthy and hard to detect
  • How ExtraHop uncovered new threat intelligence for use in investigating and responding to SUNBURST
  • Why internal network traffic is such a strong data source for detecting and responding to supply chain attacks like SUNBURST.White

2:00 - 2:10 PM EST - Break


2:10 - 2:45 PM EST - Are you ready for Intelligent SOC?

Brandon Hoffman, CISO, Head of Security Strategy, NetEnrich, @Netenrich

The Security Operations Center (SOC) is under attack like never before, from both inside and out. Endless threats and alerts, analyst fatigue, too few resources, and a chronic lack of executive support top todays list of challenges. Intelligent SOC from Netenrich right-sizes investments to transform the inefficiencies, skills gaps, and budget constraints that undermine the traditional SOC. Invoked by experts, Intelligent SOC solves todays problems (and tomorrows issues) better and faster by going beyond the SIEMand even beyond AIto combine threat intelligence (TI), attack surface management (ASM), and pay-as-you-grow SOC-as-a-Service. Join us to hear how this expansive approach transforms your security investments and operations into better ROI and safer outcomesin hours or days versus weeks, months, or years.White

2:45 - 3:20 PM EST - Key Functionalities of a Modern Cyber Threat Intelligence Program

Jerry Caponera, Vice President of Cyber Risk Strategy, ThreatConnect, @ThreatConnect

Cyber threat intelligence (CTI) represents a force multiplier for organizations looking to update their response and detection programs to deal with increasingly sophisticated advanced persistent threats. But not all cyber threat intelligence platforms and programs are created equal.

Today, world-class CTI platforms and programs need to incorporate risk into all levels of the discussion in order to serve as decision and operational support platforms for cybersecurity professionals at all levels. Risk imbued programs provide a clear understanding of where to focus resources and efforts, break down process silos, unite teams, and integrate security technologies through automation and orchestration. 

This presentation will outline the game-changing benefits of integrating Risk, Threat, and Response into your CTI program. We will explore each element in detail.

  • Risk - Why it is necessary and possible to scope the risk scenarios that matter most to your business from a financial perspective
  • Solve the challenge of prioritization and demonstrate security ROI to the business
  • Threat- Manage the threat landscape with a priority view into the risk scenarios that matter most to your business
  • Leverage quantification to provide a real world understanding of threat
  • Continually improve security with feedback loops to both security and operations
  • Response - Unify and streamline processes
  • Focus response efforts on risks that matter most to the business
  • Leverage automated playbooks to enable smarter, faster SOC mitigations and incident response, Orchestrate response across the entire security technology stackVP Cyber Risk StrategyWhite

3:20 - 3:30 PM EST - Break


3:30 - 4:05 PM EST - SUNBURST: DGA or DNS Tunneling?

Peter Rydzynski, Threat Analysis Lead, IronNet, @IronNet

While much of the reporting about the SUNBURST malware describes its use of DGA for command and control, we must consider whether true DGA behavior was at play. Could it really be DNS Tunneling? There is a subtle difference -- but this difference could have a significant impact on how we identify behaviors and start to discern the adversarys possible next steps. Where do we go from here?


4:05 PM - 4:40 PM EST - Agile Threat Intelligence for the Modern Threatscape

Sumukh Tendulkar, Product Marketing Sixgill, @CyberSixgill

Michael-Angelo Zummo, Cyber Threat Intelligence Analyst Sixgill, @CyberSixgill

Todays security organizations cannot effectively manage the huge amount of data points they need to digest. Whether you are a financial institution trying to cope with the volumes of leaked credit cards or an enterprise hoping to prevent a data breach - the current approach is becoming obsolete. We will introduce the CI/CP (Continuous Investigation/Continuous Protection) approach to preemptively block threats, reduce time-to-intel, and maximize your security systems effectiveness. Sumukh and Michael-Angelo will illustrate how organizations can transform their cybersecurity programs to overcome today's challenges with a live use case of tracking a threat actor through cutting-edge technology.


4:40 - 5:15 PM EST - Going from Open Source Intelligence to Threat Intelligence with DomainTools Iris

Taylor Wilkes-Pierce, @tw_pierce, Sr. Sales Engineer, DomainTools, @DomainTools

DNS OSINT can give us a wealth of information about adversary activity. Collecting this data at scale and leveraging it properly is a challenge. In this session we will cover some key considerations when assessing malicious infrastructure: infrastructure providers, infrastructure tenancy, domain registration patterns and more. Well use the DomainTools Iris dataset to explore turning OSINT into actionable threat intelligence, along with integrating this data with your SOC tools to build a repeatable process that can scale with your needs.White

5:15 PM- 5:30 PM EST - Wrap-Up


Cyber Threat Intelligence Summit & Training 

Summit: January 21-22 | Training: January 25-30

The Cyber Threat Intelligence Summit brings together leading experts and analysts for in-depth threat intelligence talks, world-class SANS training, DFIR NetWars, and exclusive virtual networking opportunities! This event will provide you with specific analytical techniques and capabilities, through case studies and firsthand experience, that can be utilized to properly create and maintain threat intelligence in your organization.

Explore a diverse range of topics, including:

  • Incident response workflows, from detection to recovery
  • Security in the supply chain: upstream, midstream, and downstream
  • Ever-flattening architecture and the security effects
  • Security key performance indicators (KPIs) and dashboards
  • Security Operation Centers (SOCs) for the new integrated enterprise

View Summit Agenda & RegisterWhite

Speaker Bios

Robert M. Lee

Rob is a recognized pioneer in the industrial security incident response and threat intelligence community. He started in security as a U.S. Air Force Cyber Warfare Operations Officer tasked to the National Security Agency where he built a first-of-its-kind mission identifying and analyzing national threats to industrial infrastructure. He went on to build the industrial community’s first dedicated monitoring and incident response class at the SANS Institute (ICS515) and the industry recognized cyber threat intelligence course (FOR578).

Forbes named Robert to its 30 under 30 (2016) list as one of the “brightest entrepreneurs, breakout talents, and change agents” in Enterprise Technology. He is a business leader but also technical practitioner. Robert helped lead the investigation into the 2015 cyber attack on Ukraine’s power grid, he and his team at Dragos helped identify and analyze the CRASHOVERRIDE malware that attacked Ukraine’s grid in 2016 and the TRISIS malware deployed against an industrial safety system in the Middle East in 2017.

Ben Greenbaum

Ben has been in the information security industry for over 20 years, during which time he has contributed to or led the design, development, and delivery of numerous award-winning threat intelligence products and services. He took a break from the software industry to build threat intelligence tools, teams, and practices at leading financial services institutions, and then rejoined his primary passion, being part of a team dedicated to delivering quality security solutions, at Cisco. Here at Cisco he works primarily with the Cisco SecureX and Cisco Secure Malware Analysis platforms. 

Chris Jacobs

As VP of Threat Intelligence Engineering, Chris Jacob leads a global team of engineers in working with security teams to assess their current approach to intelligence, understand their needs, and provide them with a product driven solution. Chris has over 15 years of experience in Information Security, beginning with serving as Battalion Information Systems Coordinator during his time in the Marine Corps, and including leadership positions at Sourcefire, Fidelis Cybersecurity and Webroot.

James Perry

James Perry is the Senior Director and Head of Incident Response at CrowdStrike Services. He is responsible for overseeing the delivery of Incident Response (IR) and Compromise Assessment engagements globally.

James has over 15 years of experience in Cyber Security. He currently advises senior executives on cyber incident response strategies and leads teams of technical staff who perform intrusion investigations, malware hunting and advisory services.

James holds a M.S. in Information Systems and Technology from The Johns Hopkins University and a B.S. in System Engineering from The University of Virginia.

Daniel Bates

Daniel Bates is a solutions architect at Cisco Systems, specializing in endpoint security, threat detection and analysis, and security education. Daniel previously worked for the Department of Defense securing tactical, strategic, and applied research information systems everywhere from the Southwest United States to Southwest Asia.

Fayyaz Rajpari

Fayyaz is passionate about cyber security and holds relationships across many security organizations and the fortune 100. He’s a product leader for all aspects of Security and Threat Intelligence at Recorded Future.  Prior to this, Fayyaz was an Executive Director for Optiv’s Security Consulting business. He's held a variety of roles from technical subject matter expert to product strategy for Endpoint Security, Threat analytics, Security Orchestration, Automation, and Response platform at Mandiant/FireEye.  As a key enabler of cyber security around the globe, Fayyaz takes pride on staying on top of the latest threat trends and loves to talk security whenever he can. 

Prior to FireEye / Mandiant, he's worked for Symantec and other large organizations with deep experience in many security domains, including network and endpoint security, incident response, encryption, identity & access management, and vulnerability management. He holds a Bachelor’s degree in Information Security with numerous security certifications including CISSP, CCSK, GCFW.

Dragos Gavrilut

Dragoș Gavriluț is a threat research director at Bitdefender, managing a team of 180+ people that develop machine learning algorithms design for threat detection, event corelation and post-breach threat hunting rules, anomaly detection and user analytics, all of them in the context of NTA/EPP/EDR/XDR space. His team is also spacialized in risk analytics from the security point of view. He is also an associate professor at the Alexandru Ioan Cuza University of Iași (Romania), where he received his Ph.D. in 2012, with the thesis entitled 'Meta-heurisics for Anti-Malware Systems'. He received his B.Sc. and M.Sc. in computer science from the same university, in 2004 and 2006, respectively.

Tanner Payne

Tanner Payne is a Senior Sales Engineer at ExtraHop, with over 15 years of experience in multiple areas of security including endpoint forensics, network detection and response, managed security services, and security product management. Tanner was most recently a Product Manager at FireEye and spent several years at Mandiant prior to their acquisition by FireEye. Over the past few years, Tanner has delivered conference talks, SOC training courses, and private customer enablement sessions focused on the strategic selection of high-value data sources that enable proactive threat hunting at enterprise scale.

Brandon Hoffman

Brandon is an admired CTO and security executive well-known for driving sales growth and IT transformation. He is responsible for Netenrich’s technical sales and security strategy for both the company and its customers. Most recently, he oversaw Intel 471’s dark web threat intelligence business. As former CTO at Lumeta Corporation and RedSeal Networks, Brandon led technical and field development in network security, vulnerability and risk. He’s also held key practitioner roles focused in security architecture, penetration testing, networking and data center operations. Brandon holds a MS degree from Northwestern University and a BS degree from University of Illinois at Chicago.

Jerry Caponera

Jerry Caponera, VP Cyber Risk Strategy at ThreatConnect, leads the effort to quantify cyber risk in financial terms. He's been working on cyber risk quantification efforts for a number of years and has a broad background in cyber, having worked for incident response, malware analysis, and services companies. He has spoken at a number of conferences worldwide including ISS World MEA, InfoSecurity Russia, and TM World Forum. He holds an MBA from the University of Massachusetts, an MS in Computer Science from the University of Pennsylvania, and a BS in Electrical Engineering from the University of Buffalo.

Peter Rydzynski

As the Threat Analysis Lead at IronNet Cybersecurity, Peter Rydzynski is responsible for an elite team of threat intelligence analysts, hunters and security engineers. The team is focused on not only understanding and processing external threat intelligence but also on producing threat intelligence for the community.

With a strong interest in networking, Peter developed his cybersecurity background while working as a SOC analyst for Syracuse University as well as the sole Network Security Architect for D4, LLC. After that he joined the hunt team at IronNet where he was exposed to behavioral analytics and threat hunting. Peter holds a BS degree in Information Security and Forensics from Rochester Institute of Technology.

Sumukh Tendulkar

Sumukh Tendulkar is the Senior Director of Product Marketing, responsible for new product launches, messaging and analyst relationships. Sumukh has led customer-centric product marketing teams at various cybersecurity companies including IBM Security, Neokami, and RSA Security. Sumukh holds an MBA in Strategic Marketing from the Massachusetts Institute of Technology.

Michael-Angelo Zummo

Michael-Angelo Zummo is a Cyber Threat Intelligence Specialist at Sixgill. He is a US Marine Corps veteran that started his career as a cryptologic linguist and intelligence analyst. He served at the NSA (National Security Agency) in South Korea where he supported national security against foreign threats. Zummo earned his Masters in Cybercrime Investigations and Cybersecurity from Boston University, where he transitioned from national security to digital forensics, dark web intelligence, and law enforcement.

Taylor Wilkes-Pierce

Senior sales engineer at DomainTools with more than 10 years of experience in technology sales with stops at Verizon, Amazon and Virtuozzo along the way to DomainTools. Although Taylor loves all things InfoSec, he has a fond spot for container virtualization, software defined storage and basketball.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.