Have You Taken The "Endpoint Blue Pill"? Debunking The Endpoint Protection Myth.

  • Friday, October 25th, 2019 at 10:30 AM EST (14:30:00 UTC)
  • Justin Henderson and Ismael Valenzuela
This webcast has been archived. You can view the webcast presentation and download the slides by logging into your SANS Portal Account or creating an Account.


  • Cisco Systems Inc.


"My endpoint is protected, I have a current AV & I'm fully patched"

"I know bypassing AV is possible, but it's hard!"

"I'm using application whitelisting, I'm good!"

"Oh, that's APT-like stuff only, we don't have any of that here..."

If you've heard yourself saying (or thinking) any of the above, you may still live in tranquil happiness. But let me tell you: those are just the effects of taking the 'endpoint blue pill', one that makes you believe in a world where endpoint protection works, where spending most of your time in hardening, patching and auditing cycles gives you a sense of satisfaction and of a job well done, and where there is not a single piece of evidence in your network of any of the advanced attackers that the media reports on.

Do you want to learn the truth?

Join Ismael Valenzuela and Justin Henderson, GSEs, instructors and co-authors of one of the most popular SANS Blue Team classes, SEC530: Defensible Security Architecture & Engineering, as they debunk this and many other myths around endpoint security through live demos. Learn how to architect and engineer layered defenses that work across hybrid environments, not only for endpoint prevention, but also for visibility, detection and response.

"Remember: all I'm offering is the truth. Nothing more."

Speaker Bios

Justin Henderson

Justin Henderson is a certified SANS instructor who authored the SEC555 SIEM with Tactical Analytics course and co-authored SEC455 SIEM Design and Implementation and SEC530 Defensible Security Architecture and Engineering. He is a member of the SANS Cyber Guardian Blue Team who is passionate about making defense fun and engaging. Justin specializes in threat hunting via SIEM, network security monitoring and ad hoc scripting.

Ismael Valenzuela

SANS Certified Instructor Ismael Valenzuela (@aboutsecurity) is coauthor of the CyberDefense and Blue Team Operations course, SANS SEC530: Defensible Security Architecture and Engineering, and holds many professional certifications, including the highly regarded GIAC Security Expert (GSE #132).

Since he founded one of the first IT Security consultancies in Spain, Ismael Valenzuela has participated as a security professional in numerous projects across the globe over the past 19 years. Prior to his current role as Senior Principal Engineer at McAfee, where he leads research on threat hunting using machine-learning and expert-system driven investigations, Ismael led the delivery of SOC, IR & Forensics services for the Foundstone Services team within Intel globally. Previously, Ismael worked as Global IT Security Manager for iSOFT Group Ltd, one of the world's largest providers of healthcare IT solutions, managing their security operations in more than 40 countries.
