
SANS Security Operations Center Briefing: Knowledge Retention, Staff Training, Automation & Operationalization 2018

  • Friday, November 16, 2018 at 8:30 AM EST (2018-11-16 13:30:00 UTC)
  • Chris Crowley, Karen Buffo, Tim Helming


  • DFLabs
  • DomainTools
  • Protectwise
  • Symantec




In the NY area? Join us at the Live Event. Register here: https://www.sans.org/vendor/event/55790

SOCs are intended to efficiently protect the information assets of the organization. To do this, a combination of automated tools and human analysts is pressed into service. Unfortunately, the SOC is often understaffed and undertrained. People are given repetitive tasks and machines are entrusted with analytical tasks, the converse of where each excels. There is rarely a consistent practice of analysis among analysts, and the SOC's analytical output is met with skepticism, distrust, or outright hostility from the organization the SOC is intended to benefit.

SOC performance varies widely. The successful SOC exhibits characteristics of operating with high efficiency in normal conditions and transforming and adapting to bring abnormal circumstances under control quickly with minimal impact. This is accomplished through anticipating many abnormal scenarios and bringing them into the operational space, then having resources available and ready to deal with the unexpected.

Join SANS for the 2nd annual SOC briefing focused on Security Operations Centers.

Participating vendor partners will be encouraged to demonstrate tool capabilities that support knowledge retention and development, techniques for training staff, and automation and operationalization capabilities. They will also be encouraged to present case studies of customers where these were applied to that specific organization. The intent is to give the organization the ability to drive maturity and adapt to the threat landscape while constantly refining its understanding of its mission and its capabilities to protect information systems.

Earn 4 CPE Credit hours for attending this webcast.


8:00am - 8:30am: Registration and Coffee Networking

8:30am - 9:15am: Keynote: Common Sense SOC Tactics & Strategies

Advice on Overcoming Challenges and Implementing Improvements

In this talk, Mr. Crowley will provide as much actionable guidance as possible on security operations, addressing issues of misalignment with organizational needs as well as staffing issues and concerns.

He'll discuss example metrics to help fix alignment with the organization. Technology selection and taxonomy will be reviewed, with some examples provided. He'll give an overview of how to use retroactive analysis to discover problems and to drive maturity in developing use cases. Self-training plans for individuals and teams to drive maturity will be identified. Plus, candid descriptions of what incident response should be for the organization and how to make clear which capability you should be using.

Chris Crowley, SOC Briefing Chair & SANS Principal Instructor and Course Author

9:15am - 10:00am: Achieving Excellence Through Next Generation Security Operations

With adversaries revealing new levels of ambition, including million-dollar virtual bank heists, attempts to disrupt the US electoral process, and some of the biggest DDoS attacks on record powered by a botnet of Internet of Things (IoT) devices, it's clear that security operations must evolve. Organizations need to move toward a comprehensive cyber defense strategy to respond to incidents quickly and effectively. This session will focus on how better utilization of next-generation threat intelligence, integrated technologies, 24x7 advanced monitoring, analytics, machine learning, and a highly trained and experienced team of security experts can help organizations get ahead of emerging threats.

Karen Buffo, Symantec Senior Director, Strategic Planning

10:00am - 10:30am: Networking Break

10:30am - 11:15am: From the Trenches: Lessons Learned from Building and Staffing SOCs

Seasoned veterans from the sports organization Major League Baseball and the MSSP Expel will share their experiences developing and leading Security Operations Centers (SOCs) and provide best practices for running a successful SOC to protect any kind of information system. This panel session, moderated by SANS Principal Instructor and Course Author Chris Crowley, will focus on elements including tapping and training the right team members for your SOC; finding the right balance between automated and human-powered detection and investigation; the most effective tools for helping analysts anticipate events and quickly handle the unanticipated in the current landscape; and use cases such as rapidly standing up temporary SOCs for event-driven infrastructures.

11:15am - 12:00pm: DomainTools Session

Tim Helming, DomainTools Director Product Management

12:00pm - 12:15pm: Closing Remarks

Chris Crowley

Speaker Bios

Chris Crowley

Christopher Crowley is the course author for SANS Management 517 - Managing Security Operations and SANS Management 535 - Incident Response Team Management. Chris holds several industry certifications including the GSEC, GCIA, GCIH (gold), GCFA, GPEN, GMOB, GASF, GREM, GXPN, and CISSP. His teaching experience includes FOR585, MGT517, MGT535, SEC401, SEC503, SEC504, SEC560, SEC575, and SEC580; Apache web server administration and configuration; and shell programming. He was awarded the SANS 2009 Local Mentor of the year award. "The Mentor of the Year Award is given to SANS Mentors who excel in leading SANS Mentor Training classes in their local communities." Mr. Crowley spends his spare time mountain biking, rock climbing and savoring epicurean treats.

Karen Buffo

Karen Buffo is the Senior Director of Business Enablement for the Cyber Security Services Business Unit at Symantec. Ms. Buffo is responsible for driving product strategy, product marketing, field enablement, voice of customer, analyst relations and communications globally. Her role spans Symantec's Cyber Security Services business including Symantec's Advanced Security Monitoring, Threat Intelligence, Incident Response and Consulting.

Most recently, Ms. Buffo served as Director of the Enterprise Security Group where she led strategic communications, programs and field enablement for Symantec's Endpoint Security, Messaging and Web Security, Data Loss Prevention, Compliance and Security Management, Endpoint Management, Encryption, and Identity and Authentication businesses.

Tim Helming

Tim Helming, DomainTools Security Evangelist, has over 20 years of experience in information security, from DNS and network to cloud to application and ICS attacks and defenses. At DomainTools, he applies this background to helping organizations understand the threat landscape, especially in the area of malicious online infrastructure. He also helps evangelize the company's growing portfolio of investigative and proactive cyber defense offerings. Prior to DomainTools, he led product teams at WatchGuard Technologies and Dragos. Tim has spoken at security conferences such as FIRST, InfoSec World, BSides Las Vegas, FireEye/MIRcon, and AusCERT, as well as media events and technology partner conferences worldwide.
