Agenda | Friday, January 28, 2022 | 10:00 AM - 5:30 PM EST
Welcome & Opening Remarks
Ismael Valenzuela, SANS Senior Instructor
Threat Hunting by Clustering Big Data
There is a limit to the amount of information that humans can process. Even the most sophisticated organizations may struggle with the sheer amount of data generated by modern security systems, hence the need for tools and techniques to transform the vast amount of data into manageable information for human consumption. As an example, we’d like to walk through using "big data" analysis tools (Apache Spark) and techniques, while threat hunting, to group large amounts of suspicious events for human analysis. This technique may be useful to organizations of all sizes to handle large amounts of different data efficiently, or it could inspire some ideas to improve existing tools.
Tiago Pereira, Technical Leader, Security Research, Cisco Talos
Five Lessons for Integrating OT Threat Intelligence
Using and integrating threat intelligence is difficult. Integrating threat intelligence from a non-standard domain like OT/ICS is even harder. Sergio Caltagirone will discuss 5 lessons from his 20 years’ experience consuming and producing threat intelligence as well as advising 100s of intel customers to make their cybersecurity mission better and faster than before. This is not the “best practices” you’ve seen before but 5 pragmatic lessons forged in real cybersecurity challenges around the world.
Sergio Caltagirone, VP of Threat Intelligence, Dragos, Inc.
How to Shift from Static to Enriched Dynamic Threat Intelligence to STOP Ransomware
Ransomware attacks are escalating, occurring every eleven seconds with ransoms averaging almost $2M and remediation costs exceeding $4M. To combat these attacks, security professionals rely on threat intelligence feeds from a variety of sources. This information is often combined with a threat intelligence platform (TIP) or similar solution to correlate and analyze the latest information, evaluate security defenses and strategies, and prioritize actions to mitigate risks. Unfortunately, most intelligence feeds provide static Indicators of Compromise (IOCs) that are no longer adequate against today’s sophisticated attacks. A new technology has emerged called Moving Target Defense (MTD) that provides enriched dynamic threat intelligence to improve your ability to prevent ransomware attacks before they cause severe damage. By attending this solutions track, you will learn:
• How static analysis and typical hash, domain, and URL intelligence are now far less relevant
Lunch (12:20 - 12:55 PM EST)
Tales from the Trenches
To be resilient against today’s cybersecurity threats, you need to be able to stay ahead of the attackers. Utilizing strategic threat intelligence to understand the adversaries allows organizations to make informed changes to people, processes, technology, and governance that strengthen their security posture and mitigate the damage from potential attackers.
Jen Miller-Osborn, Deputy Director of Threat Intelligence, Unit 42, Palo Alto Networks
Five Ways to Expel Ransomware Before they Spring the Trap
Ransomware has evolved and time may not be on your side. Once inside, adversaries are acting faster, moving laterally to accumulate enough data to ensure that you will pay—but intruders following the ransomware playbook have needs that cause them to risk detection. Every time they take a step, you have an opportunity to regain the advantage—if you know what to look for. Intrusions are a terrifying thing to consider, but they don’t spell doom: Visibility and response inside the perimeter are your best hope to prevent crippling damage from the ransomware menace. In this demo-filled session, we’ll show you how to spot indicators that leave modern ransomware exposed, giving you the opportunity to shut down the extortionists before they do real damage:
Don Shin, Sr. Manager, ExtraHop
Hi-Fi CTI: Latest Methods for Using High Fidelity CTI to Head Off Ransomware Attacks
The plague of ransomware continued to grow in 2021 with attacks on oil pipelines, payroll systems, managed service provider software, and reports indicating there were over 700 million attempted ransomware attacks. The resulting costs to businesses and the time lost by security and IT teams were higher than ever before. Ransomware is too sophisticated and too diverse to succumb to any “silver bullet” security solution or tactic. To stand up to ransomware groups, therefore, it is essential that organizations develop an in-depth understanding of a ransomware group’s tooling, capabilities, and behaviors leading up to, during and after a ransomware infection. Cyber Threat Intelligence tradecraft is uniquely positioned to help organizations accomplish that.
Join this session to learn how you can leverage Threat Intelligence in your TIP or SOAR platform to reduce the time to detection of malware infections and potentially head off ransomware attacks. We'll be covering topics such as:
Ali N. Khan, Solution Demand Manager Threat Intelligence, ReversingLabs
Log4j: Separating the Exploits from the Noise
Attackers have already found thousands of potential ways to obfuscate their Log4j attacks, which are sweeping the Internet at breakneck speed. SOCs protecting still-vulnerable assets have a duty to chase down every alert for it that pops up, and those alerts are coming in at a rate of tens or hundreds of thousands of times a day for larger enterprises. This talk will discuss how a data-driven strategy can turn that insurmountable task into an automated process that quickly reveals systems that actually responded to the attack, letting teams focus on the alerts that matter the most.
Alex Kirk, Global Principal Engineer, Corelight
Operationalizing Threat Intelligence to Automate Threat Response
Deltas between the threat intelligence and SecOps functions as part of the broader cybersecurity team are real.
More than half of security practitioners state that cross-team collaboration is a strain on being effective in their jobs, while 76% report they don’t have access to the data they need; this creates silos.
The movement toward an intelligence-driven security organization will take a seismic shift in thinking to where intelligence is considered THE fundamental component of their cyber programs; where focused collaboration produces the most critical insights; and hyper-automation is applied to streamline threat response at scale.
Despite enormous strides last year in this area of cybersecurity, organizations still struggle to:
This presentation will articulate a clear strategy that organizations can implement that’s designed to up-level the use of intelligence to power threat response and bridge the gaps between threat intelligence and SecOps. Experts will articulate core use cases through a maturity-based model and will provide a technical demo for attendees.
Top Use Cases for Integrating Threat Intelligence with SOAR
Join Siemplify's Senior Solutions Architect, Harrison Parker, to learn strategies to help overcome challenges facing security professionals and why integrating threat intelligence and SOAR is critical for an effective SecOps strategy. In this session, you will learn the basics and benefits of SOAR + TIP, the top 4 use cases, and we will finish with a demo.
Harrison Parker, Senior Solutions Architect, Siemplify
Key Functionalities of a Modern Cyber Threat Intelligence Program
Everyone knows security is overloaded work-wise, but not everyone understands what that means. Cyber Threat Intelligence (CTI) is typically very technical, so how can you convince the teams setting business objectives and allocating resources (for budget) of what the cybersecurity priorities should be? A modern CTI program needs to show value to the business because it will help solve some of the major problems we’re seeing in TI programs today (such as lack of resources or lack of data). Part of this includes bridging the gap between threat and risk to ensure your operational strategy aligns with the overall business objectives. This session is going to help you identify how to move your CTI program into one that shows the business value of what you’re already doing today!
Jerry Caponera, VP Cyber Risk Strategy, ThreatConnect, Inc.
Wrap-Up and Closing Remarks
Ismael Valenzuela, SANS Senior Instructor