SANS Security Operations Center Briefing: Knowledge Retention, Staff Training, Automation & Operationalization 2018

  • Friday, 16 Nov 2018 8:30AM EST (16 Nov 2018 13:30 UTC)
  • Speakers: Chris Crowley, Tim Helming, Karen Buffo
In the NY area? Join us at the Live Event.

SOCs are intended to efficiently protect the information assets of the organization. To do this, a combination of automated tools and human analysts is pressed into service. Unfortunately, the SOC is often understaffed and undertrained. People are given repetitive tasks and machines are entrusted with analytical tasks, the converse of where each excels. There is rarely a consistent practice of analysis among analysts, and the SOC's analytical output is met with skepticism, distrust, or outright hostility from the organization the SOC is intended to benefit.

SOC performance varies widely. The successful SOC exhibits characteristics of operating with high efficiency in normal conditions and transforming and adapting to bring abnormal circumstances under control quickly with minimal impact. This is accomplished through anticipating many abnormal scenarios and bringing them into the operational space, then having resources available and ready to deal with the unexpected.

Join SANS for the 2nd annual SOC briefing focused on Security Operations Centers.

Participating vendor partners will be encouraged to demonstrate tool capabilities that support knowledge retention and development; techniques for training staff; and automation and operationalization capabilities. They will also be encouraged to present case studies of customers where these were applied to that specific organization. The intent is to enable the organization to drive maturity and adaptation to the threat landscape while constantly refining its understanding of its mission and its capabilities to protect information systems.

Earn 4 CPE Credit hours for attending this webcast.


8:00am - 8:30am: Registration and Coffee Networking

8:30am - 9:15am: Keynote: Common Sense SOC Tactics & Strategies

Advice on Overcoming Challenges and Implementing Improvements

In this talk, Mr. Crowley will provide as much actionable guidance as possible on Security Operations, addressing issues of misalignment with organizational needs as well as staffing issues and concerns.

He'll discuss example metrics to help fix alignment with the organization. Technology selection and taxonomy will be reviewed, with some examples provided. He'll outline how to use retroactive analysis to discover problems as well as to drive maturity in developing use cases. Self-training plans for individuals and teams to drive maturity will be identified. Plus, candid descriptions of what incident response should be for the organization and how to make clear which capability you should be using.

Chris Crowley, SOC Briefing Chair & SANS Principal Instructor and Course Author

9:15am - 10:00am: Achieving Excellence Through Next Generation Security Operations

With adversaries revealing new levels of ambition, including million-dollar virtual bank heists, attempts to disrupt the US electoral process, and some of the biggest DDoS attacks on record powered by a botnet of Internet of Things (IoT) devices, it's clear that security operations must evolve. Organizations need to move toward a comprehensive cyber defense strategy to respond to incidents quickly and effectively. This session will focus on how better utilization of next-generation threat intelligence, integrated technologies, 24x7 advanced monitoring, analytics, machine learning, and a highly trained and experienced team of security experts can help organizations get ahead of emerging threats.

Karen Buffo, Symantec Senior Director, Strategic Planning

10:00am - 10:30am: Networking Break

10:30am - 11:15am: From the Trenches: Lessons Learned from Building and Staffing SOCs

Seasoned veterans from the sports organization Major League Baseball and the MSSP Expel will share their experiences developing and leading Security Operations Centers (SOCs) and provide best practices for running a successful SOC to protect any kind of information system. This panel session, moderated by SANS Principal Instructor and Course Author Chris Crowley, will focus on elements including tapping and training the right team members for your SOC; finding the right balance between automated and human-powered detection and investigation; the most effective tools for helping analysts anticipate events and quickly handle the unanticipated in the current landscape; and use cases such as rapidly standing up temporary SOCs for event-driven infrastructures.

11:15am - 12:00pm: DomainTools Session

Tim Helming, DomainTools Director Product Management

12:00pm - 12:15pm: Closing Remarks

Chris Crowley