


Enhance Your Investigations with Network Data

  • Thursday, October 26, 2017 at 1:00 PM EDT (2017-10-26 17:00:00 UTC)
  • Brian Ford, Matt Bromiley
  • Cisco Systems




As the use of digital forensics continues to grow, with new artifacts providing insight into attacker activity inside and outside of the enterprise network, incident response teams are working to detect and respond to data breaches faster, turning yesterday's investigations into tomorrow's indicators. But many enterprise teams still examine just half the evidence. By focusing on host-based indicators and signatures, many teams miss the one place where the attacker must go: the network!

Network forensics is its own specialized field that often introduces complex protocols, jargon, and analysis techniques that are potentially confusing to practitioners. But particular artifacts can be leveraged to determine the attack sequence and to offer a more complete picture of the breach.

This webcast will examine the power of network forensics and why it should be incorporated into all incident response investigations. Attendees will learn about two types of network artifacts, NetFlow and packet trace files (PCAPs), and the pros and cons of each. Register now to learn how combining both data sets can bolster your investigation efforts and guide your incident response teams, and to be the first to receive the new paper on this topic.


Speaker Bios

Matt Bromiley

Matt Bromiley is a SANS digital forensics and incident response instructor, teaching FOR508 (Advanced Incident Response, Threat Hunting, and Digital Forensics) and FOR572 (Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response). He is a principal consultant at a global incident response and forensic analysis company, combining his experience in digital forensics, log analytics, and incident response and management. His skills include disk, database, memory and network forensics; incident management; threat intelligence; and network security monitoring. Matt has worked with organizations of all shapes and sizes, from multinational conglomerates to small, regional shops. He is passionate about learning, teaching and working on open source tools.

Brian Ford

Brian Patrick Ford is a technical marketing engineer in advanced threat technical marketing, part of the Security Business Group (SBG) of Cisco Systems. In this role, he works with product management, engineering, and technical sales staff and executives from both Cisco and customer organizations to create synergistic data analytics solutions to address network and Internet security problems.

Brian Ford was previously senior solutions architect for Lancope, the makers of StealthWatch, an industry-leading context-aware security analytics solution. He rejoined Cisco with the acquisition of Lancope in January 2016.

Prior to joining Lancope, Brian was senior consulting engineer in the Research and Advanced Development Group of Cisco Systems. Brian actively participated in the development of Cisco security solutions and products. His research areas included security management (PDM and ASDM), access control (NAC), anomaly detection and mitigation (Cyber Threat Defense), security information sharing (threat intel and feeds), and security analytics.
