The Best Online Cybersecurity Training in the World - SANS OnDemand


To attend this webcast, login to your SANS Account or create your Account.

SANS Security Operations Center Briefing: Knowledge Retention, Staff Training, Automation & Operationalization 2018

  • Friday, November 16th, 2018 at 8:30 AM EST (13:30:00 UTC)
  • Chris Crowley, Karen Buffo and Tim Helming
This webcast has been archived. You can view the webcast presentation and download the slides by logging into your SANS Portal Account or creating an Account. Click the Register Now button after you have logged in to view the Webcast.


  • DFLabs
  • DomainTools
  • Protectwise
  • Symantec

You can now attend the webcast using your mobile device!


In the NY area? Join us at the Live Event. Register here:

SOCs are intended to efficiently protect the information assets of the organization. To do this a combination of automated tools and human analysts are pressed into service. Unfortunately, the SOC is often under staffed and under trained. People are giving repetitive tasks and machines are entrusted with analytical tasks, the converse of where each excels. There is rarely a consistent practice of analysis among analysts, and the SOC output of analysis is met with skepticism, distrust, or outright malice from the organization the SOC is intended to benefit.

SOC performance varies widely. The successful SOC exhibits characteristics of operating with high efficiency in normal conditions and transforming and adapting to bring abnormal circumstances under control quickly with minimal impact. This is accomplished through anticipating many abnormal scenarios and bringing them into the operational space, then having resources available and ready to deal with the unexpected.

Join SANS for the 2nd annual SOC briefing focused on Security Operations Centers.

Participating vendor partners will be encouraged to demonstrate tool capabilities to support knowledge retention and development; techniques for training staff; as well as automation and operationalization capabilities. They will also be encouraged to illustrate case studies of customers where this was applied to that specific organizations. The intent is the ability for the organization to drive maturity and adaptation to the threat landscape while constantly refining its understanding of the mission and its capabilities to protect information systems.

Earn 4 CPE Credit hours for attending this webcast.


8:00am - 8:30am: Registration and Coffee Networking

8:30am - 9:15am: Keynote: Common Sense SOC Tactics & Strategies

Advice on Overcoming Challenges and Implementing Improvements

In this talk, Mr. Crowley will provide as much actionable guidance as possible on Security Operations and addressing issues of mis-alignment with organization needs and staffing issues and concerns.

He'll discuss example metrics to help fix alignment to the organization. Technology selection and taxonomy will be reviewed with some examples provided. He'll overview how to use retroactive analysis to discover problems as well as drive maturity for developing use cases. Self-training plans for individuals and teams to drive maturity will be identified. Plus, candid descriptions of what incident response should be for the organization and how to make clear what capability you should be using.

Chris Crowley, SOC Briefing Chair & SANS Principal Instructor and Course Author

9:15am - 10:00am: Achieving Excellence Through Next Generation Security Operations

With Adversaries revealing new levels of ambition, including million dollar virtual bank heists, attempts to disrupt the US electoral process and some of the biggest DDoS attack on record powered by a botnet of internet of things (IoT) devices, it's clear that security operations must evolve. Organizations need to move toward a comprehensive cyber defense strategy to respond to incidents quickly and effectively. This session will focus on how better utilization of next generation threat intelligence, integrated technologies, 24x7 advanced monitoring, analytics, machine learning and a highly trained and experienced team of security experts can help organizations get ahead of emerging threats.

Karen Buffo, Symantec Senior Director, Strategic Planning

10:00am - 10:30am: Networking Break

10:30am - 11:15am: From the Trenches: Lessons Learned from Building and Staffing SOCs

Seasoned veterans from the sports organization Major League Baseball and MSSP Expel will share their experiences with developing and leading Security Operations Centers (SOCs) and provide best practices for running a successful SOC to protect any kind of information system. This panel session moderated by SANS Principal Instructor and Course Author Chris Crowley will focus on elements including tapping and training the right team members for your SOC; finding the right balance between automated and human-powered detection and investigation; the most effective tools for helping analysts anticipate events and quickly handle the unanticipated in the current landscape; and use cases such as rapidly standing up up temporary SOCs for event-driven infrastructures.

11:15am - 12:00pm: DomainTools Session

Tim Helming, DomainTools Director Product Management

12:00pm - 12:15pm: Closing Remarks

Chris Crowley

Speaker Bios

Chris Crowley

Mr. Crowley has 15 years of industry experience managing and securing networks. He currently works as an independent consultant in the Washington, DC area. His work experience includes penetration testing, computer network defense, incident response, and forensic analysis.

Mr. Crowley is the course author for SANS Management 535 - Incident Response Team Management and holds the GSEC, GCIA, GCIH (gold), GCFA, GPEN, GREM, GMOB, and CISSP certifications. His teaching experience includes SEC401, SEC503, SEC504, SEC560, SEC575, SEC580, FOR585, and MGT535; Apache web server administration and configuration; and shell programming. He was awarded the SANS 2009 Local Mentor of the year award. "The Mentor of the Year Award is given to SANS Mentors who excel in leading SANS Mentor Training classes in their local communities."

"Chris really knew his stuff and presented ideas that made me change my mind on some policies and configs we employ ." - William Jeskey, Tarrant County College
"Chris was one of the best instructors I have ever had in any training environment in almost 24 years of service." - Anonymous

Karen Buffo

Karen Buffo is the Senior Director of Business Enablement for the Cyber Security Services Business Unit at Symantec. Ms. Buffo is responsible for driving product strategy, product marketing, field enablement, voice of customer, analyst relations and communications globally. Her role spans Symantec's Cyber Security Services business including Symantec's Advanced Security Monitoring, Threat Intelligence, Incident Response and Consulting.

Most recently, Ms. Buffo served as Director of the Enterprise Security Group where she led strategic communications, programs and field enablement for Symantec's Endpoint Security, Messaging and Web Security, Data Loss Prevention, Compliance and Security Management, Endpoint Management, Encryption, and Identity and Authentication businesses.

Tim Helming

Tim Helming, DomainTools director of product management, has over 15 years of experience in cybersecurity, from network to cloud to application attacks and defenses. At DomainTools, he applies this background to helping define and evangelize the company's growing portfolio of investigative and proactive defense offerings. At WatchGuard, he helped define and launch some of the best-selling SMB security appliances in the market. At Symform, he led definition and messaging efforts for that company's unique peer-to-peer cloud storage solution. Tim has spoken at security conferences, media events, and technology partner conferences worldwide.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.