


This webcast has been archived.

SANS Security Operations Center (SOC) Briefing

  • Friday, November 17, 2017 at 8:00 AM EST (2017-11-17 13:00:00 UTC)


  • RecordedFuture
  • DomainTools
  • Authentic8
  • Digital Guardian




In the Boston area? Join us at the Live Event. Register here: https://www.sans.org/vendor/event/50980


Join the SANS Institute for the SOC Briefing for the Cybersecurity Community in the Boston, MA area.

SOCs are intended to protect the information assets of the organization efficiently. Understanding the likely methods of attack and the weaknesses in deployed systems is necessary to use resources efficiently and to minimize damage when negative events occur. The combination of an attack scenario with the data that would be present in the organization's systems if that attack were underway is commonly referred to as a "use case" when discussing detective data correlation tools.

At the SANS SOC Briefing, vendors will present sessions demonstrating their tools' capabilities to support threat hunting or to incorporate the results of threat hunting. Vendors are encouraged to present case studies of customers where use cases were tailored to that specific organization, whether through threat intelligence, penetration testing or red teaming. The SANS audience prefers presentations from customers who are currently using the product rather than from the company's sales engineers.



8:00am - 8:30am - Registration & Coffee Networking

8:30am - 9:15am - Welcome & Keynote: SOC Use Case Development: Chris Crowley, SOC Briefing Chair & SANS Principal Instructor

  • This talk will discuss the task most critical to improving SOC capability: development of appropriate scenarios of inspection, typically referred to as use cases. To be successful, a use case must blend technical knowledge of deployed systems, knowledge of threat capability and common threat behavior, understanding of the organization's information assets, and data collection.
  • As background for this use case discussion, the functional areas required for a SOC will be identified. Since people are necessary for the analysis that produces use cases, a discussion of analysis and of strategies for ongoing use case development will also be presented.
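The briefing's definition of a use case (an attack scenario paired with the data that would reveal it) is abstract; the following is an added worked example, not material from SANS or the keynote, showing one use case expressed as data the SOC must collect plus the correlation logic a detection tool would run over it. The scenario is SSH password guessing followed by a successful login from the same source; the sshd log lines are constructed for this example, and the threshold and window are assumed values a SOC would tune.

```python
"""A SOC "use case": an attack scenario, the data that reveals it, and the
correlation logic run over that data. Sample log lines are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List

# Constructed syslog-style sshd lines (sshd omits the year, as in real logs).
SAMPLE_AUTH_LOG = """\
Nov 17 08:01:02 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51514 ssh2
Nov 17 08:01:05 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51516 ssh2
Nov 17 08:01:09 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 51520 ssh2
Nov 17 08:01:12 web01 sshd[2207]: Failed password for root from 203.0.113.7 port 51523 ssh2
Nov 17 08:01:15 web01 sshd[2209]: Failed password for root from 203.0.113.7 port 51525 ssh2
Nov 17 08:01:40 web01 sshd[2211]: Accepted password for root from 203.0.113.7 port 51530 ssh2
Nov 17 08:05:00 web01 sshd[2300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Nov 17 08:30:00 web01 sshd[2400]: Accepted publickey for alice from 198.51.100.4 port 40010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


@dataclass
class AuthEvent:
    ts: datetime
    host: str
    result: str
    user: str
    src: str


def parse_auth_log(text: str, year: int = 2017) -> List[AuthEvent]:
    """Extract the fields this use case needs; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(AuthEvent(ts, m["host"], m["result"], m["user"], m["src"]))
    return events


@dataclass
class UseCase:
    name: str
    scenario: str                 # what the attacker does
    data_sources: List[str]       # what must be collected for the logic to fire
    detect: Callable[[List[AuthEvent]], List[dict]]


def brute_force_then_success(events: List[AuthEvent], threshold: int = 5,
                             window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Alert when at least `threshold` failed logins from one source are followed,
    within `window`, by an accepted login from that same source."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.result == "Failed":
            failures[ev.src].append(ev.ts)
            continue
        recent = [t for t in failures[ev.src] if ev.ts - t <= window]
        if len(recent) >= threshold:
            alerts.append({"src": ev.src, "user": ev.user, "host": ev.host,
                           "failures": len(recent), "success_at": ev.ts.isoformat()})
            failures[ev.src].clear()  # one alert per burst, not one per later success
    return alerts


# Assumed example use case; threshold/window are values a SOC would tune.
SSH_BRUTE_FORCE = UseCase(
    name="SSH password guessing followed by successful login",
    scenario="Attacker guesses passwords against an exposed SSH service and eventually logs in",
    data_sources=["sshd auth log from every internet-facing host"],
    detect=brute_force_then_success,
)


def run_use_case(uc: UseCase, log_text: str) -> List[dict]:
    return uc.detect(parse_auth_log(log_text))


if __name__ == "__main__":
    for alert in run_use_case(SSH_BRUTE_FORCE, SAMPLE_AUTH_LOG):
        print(f"[{SSH_BRUTE_FORCE.name}] {alert}")
```

Only the burst from 203.0.113.7 fires: alice's single failure is below the threshold and her later success is outside the window. The `data_sources` field is the part of a use case most often forgotten; if the internet-facing hosts are not forwarding sshd logs, the logic is correct and the use case is still blind.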

9:15am - 10:00am - Keeping Up with Ransomware Variants and Campaign Trends: Diana Granger, Technical Threat Analyst, Recorded Future

  • In many SOC teams, analysts spend the vast majority of their time monitoring and triaging events on their organization's network, leaving only a small percentage of their time left over. Ideally, analysts can spend this "extra" time thinking about how to hunt internally for meaningful long-term malware campaigns. However, knowing how to hunt for these campaigns internally requires an understanding of what is happening externally. This talk will explore the ways we hunt for and track new ransomware variants and analyze ransomware campaigns over time. Armed with these methods, analysts can transform their external research into intelligence they can use internally to protect their organization.

10:00am - 10:30am - Networking Break

10:30am - 11:00am - Mapping Adversary Infrastructure With This One Weird Trick: Tim Helming, Director, Product Management DomainTools

  • One of the most accessible forms of threat hunting, especially for newer teams or team members, is hunting for network-based indicators (domains and IP addresses especially) which may be connected to malicious activity. In many cases, these indicators are absent from blacklists, yet they can pose a real threat, especially if they are part of a targeted campaign. This session will show how an analyst or hunter can begin with a single indicator and expand from there to profile an adversary, including mapping their infrastructure, cataloguing TTPs, and preparing monitors to stay ahead of future moves by the threat actor.
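The session above describes starting from a single indicator and expanding it into a map of adversary infrastructure. The following is an added example, not DomainTools code or anything from the talk, of how that pivot works over registration and hosting attributes, including the check a practitioner needs most: refusing to pivot on an attribute so widely shared (a privacy-proxy registrant e-mail, a registrar's default nameserver, a shared hosting IP) that it links the seed to everyone. All records, domains and the `max_shared` cutoff are constructed for this example.

```python
"""Pivot from one indicator across shared infrastructure attributes, refusing
to pivot on attributes too common to be meaningful. Records are constructed."""
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

# Constructed WHOIS/hosting records: domain -> attributes (not real observations).
RECORDS: Dict[str, Dict[str, str]] = {
    "invoice-update.example": {"email": "ops@mailbox.example", "ns": "ns1.hostco.example", "ip": "203.0.113.10"},
    "secure-portal.example":  {"email": "ops@mailbox.example", "ns": "ns1.hostco.example", "ip": "203.0.113.11"},
    "login-verify.example":   {"email": "privacy@whoisguard.example", "ns": "ns1.hostco.example", "ip": "203.0.113.11"},
    "docs-share.example":     {"email": "privacy@whoisguard.example", "ns": "ns2.other.example", "ip": "198.51.100.20"},
    # Unrelated tenants of the same privacy service and nameserver.
    "bakery.example":  {"email": "privacy@whoisguard.example", "ns": "ns1.hostco.example", "ip": "198.51.100.30"},
    "florist.example": {"email": "privacy@whoisguard.example", "ns": "ns1.hostco.example", "ip": "198.51.100.31"},
    "garage.example":  {"email": "owner@garage.example", "ns": "ns1.hostco.example", "ip": "198.51.100.32"},
}

Attr = Tuple[str, str]          # (attribute name, value), e.g. ("ip", "203.0.113.11")
Edge = Tuple[str, str, str]     # (from_domain, "attr=value", to_domain)


def index_by_attribute(records: Dict[str, Dict[str, str]]) -> Dict[Attr, Set[str]]:
    """Reverse index (attribute, value) -> domains sharing it; pivots run on this."""
    idx: Dict[Attr, Set[str]] = defaultdict(set)
    for domain, attrs in records.items():
        for k, v in attrs.items():
            idx[(k, v)].add(domain)
    return idx


def pivot(seed: str, records: Dict[str, Dict[str, str]],
          max_shared: int = 3, max_hops: int = 3) -> Tuple[Set[str], List[Edge], Set[Attr]]:
    """Breadth-first expansion from `seed`. Returns (domains found, pivot edges,
    attributes skipped as too common). An attribute shared by more than
    `max_shared` domains is treated as a dead end rather than a link."""
    idx = index_by_attribute(records)
    found: Set[str] = {seed}
    edges: List[Edge] = []
    skipped: Set[Attr] = set()
    queue = deque([(seed, 0)])
    while queue:
        domain, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for k, v in records[domain].items():
            peers = idx[(k, v)]
            if len(peers) > max_shared:
                skipped.add((k, v))       # noisy attribute: note it, do not follow it
                continue
            for peer in sorted(peers - {domain}):
                if peer not in found:
                    found.add(peer)
                    edges.append((domain, f"{k}={v}", peer))
                    queue.append((peer, hops + 1))
    return found, edges, skipped


def watchlist(found: Set[str], records: Dict[str, Dict[str, str]],
              skipped: Set[Attr]) -> List[Attr]:
    """Attributes of the mapped infrastructure worth monitoring for new
    registrations or resolutions; noisy attributes are left out."""
    return sorted({(k, v) for d in found for k, v in records[d].items()
                   if (k, v) not in skipped})


if __name__ == "__main__":
    found, edges, skipped = pivot("invoice-update.example", RECORDS)
    for src, via, dst in edges:
        print(f"{src} --[{via}]--> {dst}")
    print("skipped as too common:", sorted(skipped))
    print("monitor:", watchlist(found, RECORDS, skipped))
```

From the seed, the shared registrant e-mail reaches `secure-portal.example`, and that domain's IP reaches `login-verify.example`. The privacy-proxy e-mail and the registrar nameserver are each shared by more than `max_shared` domains, so they are recorded but not followed; `docs-share.example`, linked only through the privacy e-mail, is correctly left out rather than attributed to the adversary on a shared attribute. The resulting watchlist contains only the rare attributes, which is what an analyst would feed into monitors for the actor's next move.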

11:15am - 12:00pm - From Threat Assessments to Intelligence Collection: New Web Tools and Techniques to Counter Your Adversaries: Nick Espinoza, Sr Federal Engineer, Authentic8

  • Security teams need to create context from raw intelligence, validate source information, and monitor threats against the brand and the business.
  • The role of the SOC team is changing as rapidly as the threat landscape. The day job filled with vendors feeding you streams of data and blinking lights has turned into an intelligence hub where teams need to understand human and technical threats before they become attacks.
  • Drawing on examples from work with intelligence, defense and treasury organizations, this discussion will focus on the changing role of the analyst and the pressure placed on their normal workflows by threat actors' evolving skills. Analysts need to process signals as well as engage in human intelligence functions.

12:00pm - 12:15pm - Closing Remarks



