Journey to the Center of the SOC Solutions Forum 2022

This forum considers security operations deployments, understanding our own assets and defensive posture, and the recent shift in IT attack surface due to extensive remote work. It also peers into the activities of attackers to discuss why we still seem to be victimized by ransomware, and how to effectively hunt threat actors in your internal and cloud assets.

You’ll learn best practices from Palo Alto Networks’ experience deploying its own products to defend itself, and how it manages the attack surface of an extensive portfolio of offerings and sensitive customer data. Attackers want every edge they can get, so they are motivated to get into the network. You’ll learn what PAN does to threat hunt in its own systems and where it has identified the most value from that effort.

Join the SANS Solutions Forum Interactive Slack Workspace for this event (and all SANS Forums)! Connect once and you're set for all events in 2022!

Agenda | January 21, 2022 | 10:30 AM - 3:00 PM EST

Timeline (EST) | Session Details

10:30 AM

Welcome & Opening Remarks

Chris Crowley, SANS Senior Instructor

10:50 AM

Getting to Better Implementation in the SOC

Defenders today are faced with a complex set of challenges resulting from the confluence of several key factors. The economics of attack tooling and the anonymity of cryptocurrency have driven the commoditization of threat techniques and greater specialization among bad actors, resulting in an explosion of what look like sophisticated attacks. This is compounded by the fact that defender tooling either does not provide adequate coverage as the attack surface grows, or requires a combination of tools that are operationally challenging to integrate. In this session we’ll present a technical perspective on how evaluating defensive tools and their efficacy can help teams ensure implementation requirements are met. The discussion will home in on key technology elements used in the modern SOC and how they can help build an understanding of what an attacker would see in the environment; important data to collect and analyze, and why; analytics processing methodologies; the most common security tasks that can be automated without having to build out entire operational processes; how to scope potentially compromised systems with modern forensic techniques and tooling; and hunting tools -- and provide concrete recommendations on how to best leverage these in the context of your security architecture.

Bruce Hembree, Field CTO - Cortex, Palo Alto Networks

11:25 AM

SOC Tour - See What It Takes To Protect Palo Alto Networks

As workforces become even more dispersed and widespread, cyber attackers are quickly taking advantage of these growing attack surfaces. Unfortunately, attackers are redoubling their efforts to compromise even the most secure organizations.

Join us for a virtual session showcasing a day in the life of our SOC team and see how they’re protecting the world’s largest cybersecurity company every day. We’ll share a unique view of how we built and operate the Palo Alto Networks SOC including a deep dive into our security stack and processes. You’ll learn:

  • How we designed our SOC to be resilient in the face of changing workforce models and new technologies
  • Background on Palo Alto Networks internal scope and what, exactly, we’re protecting
  • How we use prevention-focused technology, automation and machine learning to optimize operations and increase staff productivity.

Devin Johnstone, Sr Staff Security Engineer (SOC Ops Specialist), Palo Alto Networks

12:10 PM

Best Practices for Stopping Ransomware

Ransomware attacks continue to evolve to bypass security and maximize impact. Adversaries are borrowing cyberwarfare techniques such as lateral movement and privilege escalation to infect as many endpoints as possible. Join Kasey Cross, Sr. Product Marketing Manager at Palo Alto Networks, as she delves into the top ransomware attacks of 2021.

Attend this session to learn about:

  • Ransomware attacks in the wild, including Sodinokibi ransomware (AKA REvil)
  • Best practices for ransomware prevention, containment, and incident response
  • Technologies and services that can protect your organization
  • How to prepare your team for the wickedest ransomware attacks of the future

Kasey Cross, Manager, Palo Alto Networks

12:50 PM


1:00 PM

How Do I Protect My Attack Surface?

In this session, we'll cover how the internet has shrunk with the evolution of cheap computing power and easy access to bandwidth, which has led to a more sophisticated attacker. We'll expand on the emerging Attack Surface Management (ASM) category as a means to protect your organization and go over some of the best practices organizations can adopt to secure their attack surface. The presenters will also highlight stories from the field on how organizations are seamlessly integrating ASM into their existing SOC workflows.

Madhuresh Anur, Senior Product Manager, Palo Alto Networks

1:35 PM

ASM for Remote Workers

Many organizations have no possible way of knowing the security status of their remote employee network. They’re unable to detect unknown exposures. They’re not warned of critical issues, and they’re unaware of vulnerabilities caused by employee laptops openly exposed to the public.

Organizations need to securely manage:

  • Employees working from insecure networks (homes, cafes, airports, co-working locations) without using a VPN
  • ISPs leaving Telnet enabled by default on leased routers in order to troubleshoot
  • Misconfigurations on remote employee networks that expose critical information

Enter the Cortex® Xpanse™ ASM for Remote Workers module. It combines endpoint details collected by Cortex XDR™ with public asset information discovered by Xpanse. It then identifies security issues and alerts SecOps specialists. In this session, we’ll cover use cases on:

  • Securing the attack surface of your remote employees
  • Improving incident visibility and context by combining outside-in and inside-out data
  • Discovering endpoints in your networks that don’t have XDR installed
  • Identifying employees who are working in multiple locations or aren’t using VPNs

Abhishek "Abhi" Anbazhagan, Product Marketing Manager, Palo Alto Networks

Andrew Scott, Senior Product Manager, Cortex Xpanse, Palo Alto Networks

2:10 PM

5 Threat Hunting Secrets to Win the Battle Against Attackers

How many battles can you handle at once, when all your data is at risk? Adversaries today are targeting your users, cloud assets, and internal network simultaneously. They will try their best to pivot from the cloud instances into the network or vice versa to gain better persistence and reach your most valuable assets. But how can you automate your threat hunting efforts to discover them before any damage is done? Join me to learn:

  • The latest threats against cloud instances
  • How to automate threat hunting efforts against cloud attacks
  • How to use multiple security tools to unearth threats like the Managed Threat Hunting team

Plus, you’ll hear a from-the-trenches threat hunting story that’s never been revealed before and find out tips, tricks and ideas you can implement today!

Alissa Torres, Senior Threat Hunter, Palo Alto Networks

2:45 PM


Chris Crowley, SANS Senior Instructor