Last Day to Get a MacBook Air, Surface Pro 7, or $350 Off with OnDemand - Register Now!


To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Once you register, you can download the presentation slides below.

SANS Security Operations Center Briefing: Knowledge Retention, Staff Training, Automation & Operationalization 2018

  • Friday, November 16, 2018 at 8:30 AM EST (2018-11-16 13:30:00 UTC)
  • Chris Crowley, Karen Buffo, Tim Helming


  • DFLabs
  • DomainTools
  • Protectwise
  • Symantec

You can now attend the webcast using your mobile device!



In the NY area? Join us at the Live Event. Register here:

SOCs are intended to efficiently protect the information assets of the organization. To do this a combination of automated tools and human analysts are pressed into service. Unfortunately, the SOC is often under staffed and under trained. People are giving repetitive tasks and machines are entrusted with analytical tasks, the converse of where each excels. There is rarely a consistent practice of analysis among analysts, and the SOC output of analysis is met with skepticism, distrust, or outright malice from the organization the SOC is intended to benefit.

SOC performance varies widely. The successful SOC exhibits characteristics of operating with high efficiency in normal conditions and transforming and adapting to bring abnormal circumstances under control quickly with minimal impact. This is accomplished through anticipating many abnormal scenarios and bringing them into the operational space, then having resources available and ready to deal with the unexpected.

Join SANS for the 2nd annual SOC briefing focused on Security Operations Centers.

Participating vendor partners will be encouraged to demonstrate tool capabilities to support knowledge retention and development; techniques for training staff; as well as automation and operationalization capabilities. They will also be encouraged to illustrate case studies of customers where this was applied to that specific organizations. The intent is the ability for the organization to drive maturity and adaptation to the threat landscape while constantly refining its understanding of the mission and its capabilities to protect information systems.

Earn 4 CPE Credit hours for attending this webcast.


8:00am - 8:30am: Registration and Coffee Networking

8:30am - 9:15am: Keynote: Common Sense SOC Tactics & Strategies

Advice on Overcoming Challenges and Implementing Improvements

In this talk, Mr. Crowley will provide as much actionable guidance as possible on Security Operations and addressing issues of mis-alignment with organization needs and staffing issues and concerns.

He'll discuss example metrics to help fix alignment to the organization. Technology selection and taxonomy will be reviewed with some examples provided. He'll overview how to use retroactive analysis to discover problems as well as drive maturity for developing use cases. Self-training plans for individuals and teams to drive maturity will be identified. Plus, candid descriptions of what incident response should be for the organization and how to make clear what capability you should be using.

Chris Crowley, SOC Briefing Chair & SANS Principal Instructor and Course Author

9:15am - 10:00am: Achieving Excellence Through Next Generation Security Operations

With Adversaries revealing new levels of ambition, including million dollar virtual bank heists, attempts to disrupt the US electoral process and some of the biggest DDoS attack on record powered by a botnet of internet of things (IoT) devices, it's clear that security operations must evolve. Organizations need to move toward a comprehensive cyber defense strategy to respond to incidents quickly and effectively. This session will focus on how better utilization of next generation threat intelligence, integrated technologies, 24x7 advanced monitoring, analytics, machine learning and a highly trained and experienced team of security experts can help organizations get ahead of emerging threats.

Karen Buffo, Symantec Senior Director, Strategic Planning

10:00am - 10:30am: Networking Break

10:30am - 11:15am: From the Trenches: Lessons Learned from Building and Staffing SOCs

Seasoned veterans from the sports organization Major League Baseball and MSSP Expel will share their experiences with developing and leading Security Operations Centers (SOCs) and provide best practices for running a successful SOC to protect any kind of information system. This panel session moderated by SANS Principal Instructor and Course Author Chris Crowley will focus on elements including tapping and training the right team members for your SOC; finding the right balance between automated and human-powered detection and investigation; the most effective tools for helping analysts anticipate events and quickly handle the unanticipated in the current landscape; and use cases such as rapidly standing up up temporary SOCs for event-driven infrastructures.

11:15am - 12:00pm: DomainTools Session

Tim Helming, DomainTools Director Product Management

12:00pm - 12:15pm: Closing Remarks

Chris Crowley

Speaker Bios

Chris Crowley

Christopher Crowley, a SANS Senior Instructor, has 15 years of industry experience managing and securing networks. He currently works as an independent consultant in the Washington, DC area focusing on effective computer network defense. His work experience includes penetration testing, security operations, incident response, and forensic analysis. "The Mentor of the Year Award is given to SANS Mentors who excel in leading SANS Mentor Training classes in their local communities."

"Chris really knew his stuff and presented ideas that made me change my mind on some policies and configs we employ ." - William Jeskey, Tarrant County College
"Chris was one of the best instructors I have ever had in any training environment in almost 24 years of service." - Anonymous

Karen Buffo

Karen Buffo is the Senior Director of Business Enablement for the Cyber Security Services Business Unit at Symantec. Ms. Buffo is responsible for driving product strategy, product marketing, field enablement, voice of customer, analyst relations and communications globally. Her role spans Symantec's Cyber Security Services business including Symantec's Advanced Security Monitoring, Threat Intelligence, Incident Response and Consulting.

Most recently, Ms. Buffo served as Director of the Enterprise Security Group where she led strategic communications, programs and field enablement for Symantec's Endpoint Security, Messaging and Web Security, Data Loss Prevention, Compliance and Security Management, Endpoint Management, Encryption, and Identity and Authentication businesses.

Tim Helming

Tim has nearly 20 years of experience in cybersecurity and leads the Dragos product team comprised of product managers, user experience (UX) designers, and technical writers focused on delivering world-class products to the ICS community.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.