SANS Security Operations Center (SOC) Briefing

  • Friday, 17 Nov 2017 8:00AM EST (17 Nov 2017 13:00 UTC)
In the Boston area? Join us at the Live Event. Register here:


Join the SANS Institute for the SOC Briefing for the Cybersecurity Community in the Boston, MA area.

SOCs are intended to efficiently protect the information assets of the organization. Understanding likely methods of attack and weaknesses in deployed systems is necessary to use resources efficiently and to minimize damage when negative events occur. The combination of an attack scenario coupled with the data that might be present in the systems indicating that attack is commonly referred to as a "use case" when discussing detective data correlation tools.

At the SANS SOC Brief, vendors will present sessions demonstrating their tools' capabilities to support threat hunting, or to incorporate the results of threat hunting. Vendors are encouraged to illustrate case studies of customers where use cases were tailored to that specific organization, whether through threat intelligence, pen testing or red teaming. The SANS audience prefers presentations from customers who are currently using the product, rather than from sales engineers of the company.



8:00am - 8:30am - Registration & Coffee Networking

8:30am - 9:15am - Welcome & Keynote: SOC Use Case Development: Chris Crowley, SOC Briefing Chair & SANS Principal Instructor

  • This talk will discuss the task most critical to improving SOC capability: development of appropriate scenarios of inspection. This is typically referred to as a use case. To be successful it must blend technical knowledge of deployed systems, knowledge of threat capability and common behavior, understanding of the organization's information assets, and data collection.
  • As background for this use case discussion, the functional areas required for a SOC will be identified. Since people are necessary to be effective at the analysis that produces use cases, a discussion of analysis and of developing strategies for ongoing development will also be presented.

9:15am - 10:00am - Keeping Up with Ransomware Variants and Campaign Trends: Diana Granger, Technical Threat Analyst, Recorded Future

  • In many SOC teams, analysts will spend the vast majority of their time monitoring and triaging events on their organization's network, leaving only a small percentage of their time left over. Ideally, analysts can spend this "extra" time thinking about how they can hunt for meaningful long-term malware campaigns internally. However, understanding how to hunt for these campaigns internally requires an understanding of what's happening externally. This talk will explore the ways we hunt for and track new ransomware variants and analyze ransomware campaigns over time. Armed with these methods, analysts can transform their external research into intelligence they can use internally to protect their organization.

10:00am - 10:30am - Networking Break

10:30am - 11:00am - Mapping Adversary Infrastructure With This One Weird Trick: Tim Helming, Director, Product Management, DomainTools

  • One of the most accessible forms of threat hunting, especially for newer teams or team members, is hunting for network-based indicators (domains and IP addresses especially) which may be connected to malicious activity. In many cases, these indicators are absent from blacklists, yet they can pose a real threat, especially if they are part of a targeted campaign. This session will show how an analyst or hunter can begin with a single indicator and expand from there to profile an adversary, including mapping their infrastructure, cataloguing TTPs, and preparing monitors to stay ahead of future moves by the threat actor.

11:15am - 12:00pm - From Threat Assessments to Intelligence Collection: New Web Tools and Techniques to Counter Your Adversaries: Nick Espinoza, Sr Federal Engineer, Authentic8

  • Security teams need to create context from raw intelligence, validate source information, and monitor threats against the brand and the business.
  • The role of the SOC team is changing as rapidly as the threat landscape. The $dayjob filled with vendors feeding you streams of data and blinking lights has turned into an intelligence hub where teams need to understand human and technical threats before they become attacks.
  • Drawing on examples from work with intelligence, defense and treasury organizations, this discussion will focus on the changing role of the analyst and the pressure placed on their normal workflows as threat actors' skills evolve. Analysts need to process signals as well as engage in human intelligence functions.

12:00pm - 12:15pm - Closing Remarks