SANS 2022 Bonus Sessions | Attendance Options: In-Person & Virtual
Automating Internal and External Security Intelligence
The amount of context that cybersecurity analysts and engineers require to assess security alerts is overwhelming. But here’s the good news: intelligence can help. Investing in a strategy to collect and curate intelligence should be a necessity for every cybersecurity team, and automation is the tactic teams use to scale that effort and reduce burnout: team tradecraft is translated into logic that a machine can perform on the team’s behalf. Join this session to learn how to define security intelligence use cases, how to curate asset information into asset intelligence, how to automate the collection of external data sources into threat intelligence, and the five essential steps for automating security use cases.
Evolve Your SOC with Richer Data, Guided Analytics, and Scalable Expertise
Are you straining to scale your security analysts and defenses to stop attackers? If so, you’re not alone. Combating today’s threats requires new approaches to how your SOC manages its data, analytics and expertise. Join this session as we explore ways your security team can thrive in an era of massive data growth, talent shortage, and constantly evolving threats. We'll take a deep dive into analytics that use automation and ML to lift your team’s performance, community expertise and curated content for faster threat resolution, and adversary simulation tools for testing attacks and practicing defenses.
Real Serverless Use Cases in AWS
In this talk, SANS Certified Instructor David Hazar will walk you through some of the serverless functions he has developed and implemented to support a variety of real-world use cases, and demonstrate how these functions support specific product functionality at Next Level3. See how to configure API Gateway to proxy requests to Lambda, how to perform delayed actions after X minutes with SQS and Lambda, and how to use Amazon EventBridge rules and Lambda to lock and unlock IAM users and their associated access keys in response to specific events. We will also briefly look at how to customize a sign-in flow with Azure AD B2C and Azure Functions.
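The lock/unlock pattern above, as an added example that is not code from the talk or from Next Level3: a Lambda handler, invoked by an EventBridge rule, that sets every access key of the named IAM user to Inactive ("lock") or Active ("unlock"). It assumes a custom event whose `detail` carries `user_name` and `action` (the event shape is an assumption, not something the page specifies), and it takes the IAM client as a parameter so the logic can be exercised offline against a constructed in-memory double; inside Lambda you would let it fall back to `boto3.client("iam")`. The IAM calls used, `list_access_keys` and `update_access_key`, are the real boto3 operations with their real parameter names.

```python
"""EventBridge -> Lambda handler that locks/unlocks an IAM user's access keys.

Added example; not the speaker's code. The event layout below is assumed.
"""
from typing import Any, Dict, List, Optional


def _desired_status(action: str) -> str:
    """Map the event's action to the IAM access-key status it implies."""
    if action == "lock":
        return "Inactive"
    if action == "unlock":
        return "Active"
    raise ValueError(f"unsupported action: {action!r}")


def set_access_key_status(iam, user_name: str, action: str) -> List[Dict[str, str]]:
    """Flip every access key of `user_name` to the status implied by `action`.

    Uses the real boto3 response shape: list_access_keys returns
    {"AccessKeyMetadata": [{"AccessKeyId": ..., "Status": ...}, ...],
     "IsTruncated": bool, "Marker": str}. Keys already in the desired state
    are skipped so a re-delivered event is idempotent. Returns the keys changed.
    """
    status = _desired_status(action)
    changed: List[Dict[str, str]] = []
    marker: Optional[str] = None
    while True:
        kwargs: Dict[str, Any] = {"UserName": user_name}
        if marker:
            kwargs["Marker"] = marker
        resp = iam.list_access_keys(**kwargs)
        for key in resp["AccessKeyMetadata"]:
            if key["Status"] != status:
                iam.update_access_key(
                    UserName=user_name, AccessKeyId=key["AccessKeyId"], Status=status
                )
                changed.append({"AccessKeyId": key["AccessKeyId"], "Status": status})
        if not resp.get("IsTruncated"):
            return changed
        marker = resp["Marker"]


def lambda_handler(event: Dict[str, Any], context: Any = None, iam=None) -> Dict[str, Any]:
    """Lambda entry point. `iam` is injectable for offline use (assumption)."""
    if iam is None:
        import boto3  # only reached when actually running in AWS
        iam = boto3.client("iam")
    detail = event.get("detail") or {}
    user_name = detail["user_name"]
    action = detail["action"]
    changed = set_access_key_status(iam, user_name, action)
    return {"user": user_name, "action": action, "changed": changed}


class FakeIAM:
    """Constructed in-memory stand-in for boto3's IAM client (test double)."""

    def __init__(self, keys: Dict[str, Dict[str, str]]):
        self.keys = keys  # {user_name: {access_key_id: status}}
        self.calls: List[tuple] = []

    def list_access_keys(self, UserName: str, Marker: Optional[str] = None):
        meta = [
            {"UserName": UserName, "AccessKeyId": k, "Status": s}
            for k, s in self.keys[UserName].items()
        ]
        return {"AccessKeyMetadata": meta, "IsTruncated": False}

    def update_access_key(self, UserName: str, AccessKeyId: str, Status: str):
        self.calls.append((UserName, AccessKeyId, Status))
        self.keys[UserName][AccessKeyId] = Status


# Constructed EventBridge-style event matching the assumed custom detail.
SAMPLE_LOCK_EVENT = {
    "source": "example.user-lifecycle",
    "detail-type": "UserLocked",
    "detail": {"user_name": "alice", "action": "lock"},
}


def demo() -> Dict[str, Any]:
    """Lock alice's keys, then unlock them, against the fake client."""
    iam = FakeIAM({"alice": {"AKIAEXAMPLEONE": "Active", "AKIAEXAMPLETWO": "Inactive"}})
    locked = lambda_handler(SAMPLE_LOCK_EVENT, iam=iam)
    unlock_event = {**SAMPLE_LOCK_EVENT, "detail": {"user_name": "alice", "action": "unlock"}}
    unlocked = lambda_handler(unlock_event, iam=iam)
    return {"locked": locked, "unlocked": unlocked, "keys": iam.keys["alice"]}


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner would check before deploying this: the Lambda's execution role needs only `iam:ListAccessKeys` and `iam:UpdateAccessKey`, scoped to the users it may lock, and "unlock" as written reactivates every key, including ones that were deliberately inactive before the lock, so record the pre-lock state in the event or in a table if that distinction matters.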
How to Build Continuous Education Programs for Your Cybersecurity Team
Investment in education and training helps cybersecurity teams respond faster, improve their defensive posture, and retain valuable employees. But building an effective education program can be time-consuming and divert focus from priority one: keeping the organization safe. This session will explore what right-sized training and education opportunities look like for your team, and how to use real-world attacks and threats as opportunities for junior team members to build skills. Marco will focus on how to keep teams current on new threats, attack vectors, and technology trends; why effective mentorship programs are needed to help junior team members acquire new skills quickly; and how to balance training and learning against mission-critical work that demands focus.
What Does XDR Mean for Your Organization?
As one of the hottest new buzzwords in the infosec space, XDR means many things to many people. This talk will discuss the possible components of an XDR solution through the lens of SOC operations, laying out the pros and cons of approaches such as SaaS vs. on-premises and specialized vs. general tooling for organizations of different sizes, funding, and maturity levels. Best-practice suggestions will be provided throughout, from general principles to specific integration code.
Leveraging MITRE and ML to Focus Your SOC Operations
When incidents are identified, it is critical to give SOC analysts a clear understanding of the activity. MITRE frameworks should be the common language that lets security practitioners from different industries, working with diverse data sources, understand the story behind an incident. In this session, we'll explore how ML is being used to detect suspicious events, the challenges in scoring alerts, events and stories, and how built-in integration of the MITRE ATT&CK framework enables better event scoring and prioritization.