
SOAR Solutions Forum

  • Friday, June 18, 2021 | 10:00 AM - 3:30 PM EDT (starts 2021-06-18 14:00:00 UTC)
  • Chris Crowley, Leon Ward, Dan Fernandez, Jay Spann, Dan Pistelli, Chris Adams, Harrison Parker, Rishi Bhargava, Neal Dennis, Lorenzo Anderson


  • Cyware
  • DomainTools
  • Montance
  • Palo Alto Networks
  • ThreatQuotient
  • Swimlane
  • LogicHub
  • ThreatConnect
  • Siemplify




You will earn 6 CPE credits for attending this virtual event.

Forum Format: Virtual

Event Overview

Security Orchestration, Automation and Response (SOAR) tooling is intended to increase efficiency and consistency. These tools also promise to diminish the cost of operating a Security Operations Center (SOC) for most organizations. If used properly, these tools can do all of these things. The challenge is that the tools are frequently bought to avoid the one thing that most organizations do not seem to be able to do on their own: figuring out the sequence of actions that need to be automated and bringing together the mass of data from disparate tools.

Investing in a SOAR platform is strategic and oftentimes a financially beneficial decision. SOAR systems can help define, prioritize, and standardize responses to cyber incidents. This process occurs when an organization's security team uses the platform to gain insight on an attacker's tactics, techniques, and procedures (TTPs) and known indicators of compromise (IOC).

Join this SANS-led forum as we explore various SOAR topics through invited speakers while showcasing current capabilities available today. Presentations will focus on technical case studies and thought leadership using specific examples relevant to the industry.



10:00 - 10:15 AM EDT - Event Welcome

Chris Crowley, Chair, SANS Institute


10:15 - 10:50 AM EDT - Disrupting Historical Processes with Data

Leon Ward, VP Product Management, ThreatQuotient

"History repeats itself" holds true for today's approach to automation. Born out of years of IT operations and process definition, it simply does not care what data is being processed. When looking at automating detection and response functions, just following process is not enough, and just performing a process absolutely is not efficient.

In this presentation, we will dive deeper into the concept of data-driven automation, a concept that states that all automation rules should begin with data and end with process. By starting with the data, you can ensure high-fidelity inputs before initiating a playbook run and therefore lower execution cost, time, and overhead.


10:50 - 11:25 AM EDT - Data Quality Makes Your Security Operations SOAR

Dan Fernandez, Senior Product Manager, DomainTools

As highlighted in the SANS 2021 Cyber Threat Intelligence (CTI) Survey, CTI tools and processes are becoming more automated in an effort to give analysts the necessary time to fend off the increasing number of threats. The survey highlights that less than 49% of organizations are satisfied with their Automation and integration of CTI information with detection and response systems, and over 37% are not satisfied with their current Machine Learning capabilities. Security Orchestration, Automation, and Response (SOAR) tools have started to enable organizations to proactively mitigate information security risks, but they depend on quality data for accurate detection and response. Like many tools, the effectiveness of SOAR is directly proportional to the quality of the data it ingests.

Join Dan Fernandez of DomainTools as he discusses the extent to which data quality can enhance or affect the value SOAR can bring into your organization's security operations.

In this webinar, you'll learn:

  • How SOAR intends to deliver value to organizations
  • The data challenges for implementing it effectively
  • How to measure and improve data quality in your organization
  • The benefits of SOAR when powered by quality data


11:25 AM - 12:00 PM EDT - SOAR Beyond What You Believe SecOps Can Do

Jay Spann, SOAR Evangelist, Swimlane

Ready or not? SecOps without security automation might be like staring down the barrel of a gun. And while Security Orchestration, Automation and Response (SOAR) platforms may vary, many don't realize just how much using these tools can accomplish beyond the automation of phishing, SIEM triage and threat intelligence use cases. From beef and beer, to gas and cruise lines, current events tell us the majority of organizations should start there. But SOAR is much bigger and can address use cases like employee on- and off-boarding, static malware analysis, vulnerability management, domain squatting, physical security, and much more. Swimlane SOAR product specialist and evangelist, Jay Spann, shows examples of using SOAR for some fascinating and creative use cases. Jay will discuss some tools and resources that can be added to SOAR to increase security automation in the enterprise and explain how they are adopted to enrich SecOps workflows.


12:00 - 12:10 PM EDT - Break


12:10 - 12:45 PM EDT - MITRE ATT&CK: How to Apply a SOAR-Enabled Best Practices Approach to Your Detection and Response Program

Dan Pistelli, Director of Technical Services, LogicHub

The MITRE ATT&CK framework applies years of real-world expertise of how adversary groups operate to identify common tactics and techniques to provide a holistic view of the attack lifecycle and attacker intent. Using common language, it defines a best practices approach to detecting and responding to threats, with an adaptable framework that evolves with changes in adversary behavior.

In this presentation we'll talk about how SOC experts can approach developing MITRE ATT&CK-specific content within a SOAR platform, including automated playbooks that detect and respond to 100s of tactics and techniques, KPI-driven dashboards providing complete visibility into what's happening at all times, and how attacks that combine multiple tactics and techniques can be intelligently associated for deeper visibility.


12:45 - 1:20 PM EDT - Overcoming Key SOC Challenges With Intelligence-Led SOAR

Chris Adams, Director of Security Architecture, ThreatConnect

ThreatConnect has worked with Security Operations Centers (SOCs) to identify the key challenges facing analysts and has developed unique solutions to these challenges in our Security Orchestration, Automation, and Response (SOAR) platform. We have worked with SOCs to identify the key use cases that empower analysts to perform their jobs, saving them valuable time to focus on the organization's critical needs.

This presentation will focus on two of the leading use cases for SOC analysts:

1. Event Prioritization and Alert Triage

  • ThreatConnect provides knowledge of current and emerging threats, which enables analysts to examine strategic and operational intelligence from sources outside its organization and match it with existing log sources. When this information is tied in and correlated with Events, analysts get a better understanding of what they should pay attention to first. 

2. Tactical Threat Hunting

  • ThreatConnect offers a unique value proposition of defining a standard to create a controlled and repeatable process in a single platform. The combination of Playbook orchestration and Workflow provides not only the ability to fully automate the response but also to define and execute the steps to take fully automated or analyst-driven activities. This functionality not only integrates with existing infrastructure but also leverages the contextual knowledge of Threats and related Indicators provided by ThreatConnect's Collective Analytics Layer (CAL) to make decision-making easier for analysts during the investigation.


1:20 - 1:30 PM EDT - Break


1:30 - 2:05 PM EDT - Making SOC and SOAR Economics Work in Your Favor

Harrison Parker, Architect, Siemplify

No matter the size or industry, company leaders recognize that minimizing external threats is of paramount importance. As a result, companies value their SOCs and consider them critical to their cybersecurity strategy; however, it is not always easy to quantify the ROI of these investments. In this session you will not only learn how to capture the ROI, but also how to improve it.

  1. Understand the 1-10-60 rule and why it matters and how to measure against it
  2. You will learn what is impacting overall ROI
  3. Actionable tactics you can take to improve ROI
  4. ROI isn't only about money, but other factors impact the bottom line


2:05 - 2:40 PM EDT - SOAR Beyond the SOC

Rishi Bhargava, VP of Product Strategy, Palo Alto Networks

SOAR has traditionally been the purview of larger enterprises with SOC teams. However, with the recent world disruptions, cybersecurity teams are leveraging automation to ease transition, streamline processes, and ensure their companies and employees are secured. Security automation has risen to the forefront as the glue that can orchestrate silos of people, tools and processes and we believe that more security teams can, and should, take advantage of the benefits of automation. In this session, we will cover the drivers for security automation, and show how SOAR can be just as easily applied to many areas outside of the SOC to help security teams of various sizes better cope with the new normal of work. We will explore different areas of security, with real-world automation use cases, as well as share experiences of how our own Palo Alto Networks security teams and our customers have leveraged automation to great effect for their teams.


2:40 - 3:15 PM EDT - Collective Defense: Why Collaboration is the Key to a Healthy Security Posture

Neal Dennis, Threat Intel Specialist, Cyware

Lorenzo Anderson, Senior Solutions Engineer, Cyware

Today, enterprise security teams function in silos and are faced with repetitive or redundant processes. However, to build a true collective defense, unifying people, processes, and technology is the only way to bring consistency and accessibility to the table while reducing the effort levels involved. During this presentation, Neal Dennis will walk through how an organization can map business processes to an automated solution for sharing threat intelligence, orchestrating processes, and bridging relevant silos internally and externally.


3:15 - 3:30 PM EDT - Wrap-Up

Chris Crowley, Chair, SANS Institute


Speaker Bios

Chris Crowley

Christopher Crowley is the course author for SANS Management 517 - Managing Security Operations and SANS Management 535 - Incident Response Team Management. Chris holds several industry certifications including the GSEC, GCIA, GCIH (gold), GCFA, GPEN, GMOB, GASF, GREM, GXPN, and CISSP. His teaching experience includes FOR585, MGT517, MGT535, SEC401, SEC503, SEC504, SEC560, SEC575, and SEC580; Apache web server administration and configuration; and shell programming. He was awarded the SANS 2009 Local Mentor of the year award. "The Mentor of the Year Award is given to SANS Mentors who excel in leading SANS Mentor Training classes in their local communities." Mr. Crowley spends his spare time mountain biking, rock climbing and savoring epicurean treats.

Leon Ward

As VP of Product Management, Leon Ward leverages his 15+ years of experience in information and network security to lead product aspects of ThreatQuotient’s innovative threat intelligence platform, ThreatQ. In this role, Leon drives the ThreatQ product roadmap aimed at improving the efficiency of analysts, security teams and threat operations. Prior to ThreatQuotient, Leon was Cisco’s Group Product Manager of Security Innovation, contributing to a number of exciting product launches that were aimed to change the infosecurity world. Leon was previously a Director of Product Management at Sourcefire, where he managed the detection capabilities in the company’s line of network products (SNORT).

Dan Fernandez

Senior Product Manager at DomainTools. In his role, he leads the efforts to augment internally developed and third-party threat intelligence data sources, deliver agile data processing, and the data strategy that powers DomainTools' vision to map the internet's infrastructure. His background is in technical product management focused on data and analytics products for the last 8 years. His experience includes leading product management for data platforms ranging from high-frequency trading and risk applications to financial crime management applications. Dan is particularly interested in data security, data privacy, and large-scale data processing. He is currently a graduate student in Cybersecurity at Georgia Institute of Technology focusing on the intersection of data analytics and information security.

Jay Spann

Jay Spann is the SOAR Evangelist for Swimlane, a leading provider of Security Orchestration, Automation and Response (SOAR) based in Louisville, Colorado. Over the last 26 years, Jay has delivered more than 35,000 hours of training as an instructor, speaker and consultant in the fields of Information Technology and IT Security. Mr. Spann obtained his master’s degree in Computer Science and holds numerous industry certifications such as Certified Information Systems Security Professional (CISSP), CyberSec First Responder (CFR), Certified Technical Trainer (CTT+), CompTIA A+, Network+ and Security+ and several additional certifications from Microsoft, Check Point, Nokia and others. Over his career, Jay has developed and instituted technology initiatives for Raytheon, the Department of Health and Human Services, Sprint, the Internal Revenue Service, McGraw-Hill, the Department of Defense and many other Fortune 500 companies and US Government Agencies.

Dan Pistelli

Dan is an offensive security professional turned blue, now specializing in detection methods for techniques used previously for offensive engagements. He has a passion for identifying detection mechanisms that would have prevented success of engagements of the past, as well as continuing to learn new offensive security tricks of the trade.

Prior to LogicHub, Dan was a member of the Red Team at a large financial institution, before stepping away to set up and lead a Penetration Testing team. While there, Dan successfully completed the Offensive Security Certified Professional (OSCP) certificate, a well-respected and heavily hands-on offensive security certification, among several other offensive security related certifications. Dan studied information security at Pennsylvania State University, receiving a B.S. in Security and Risk Analysis.

Chris Adams

As Director of Security Engineering for ThreatConnect, Chris Adams leads a team of analysts and engineers to deliver the industry’s most versatile intelligence-driven security operations platform in the market. For the last 8 years, Chris has worked directly with security teams across industries to establish best practices for cyber threat intelligence programs, and defining workflows and processes to make threat intelligence actionable with orchestration and automation.

Prior to joining ThreatConnect, Chris worked with MITRE Corporation where he designed Identity and Access management solutions for large government entities, performed security vulnerability assessments on products, and led implementation of cross-security domain systems that bridged the gap between networks operating at different security classifications.

Harrison Parker

A native of Atlanta, Georgia, Harrison acts as an SOC and SOAR evangelist discussing industry best practices across the globe as a Solutions Architect with Siemplify. His previous roles include several years at threat intelligence organization, Anomali. Harrison holds a bachelor’s degree in Computer Science from Harvard University.

Rishi Bhargava

Rishi Bhargava is the VP of Product Strategy at Palo Alto Networks. He joined the Palo Alto Networks family with the Demisto acquisition, where he was a co-founder and Vice President of the cybersecurity startup with the mission to make security operations "faster, leaner and smarter." Prior to founding Demisto, he was vice president and general manager of the software defined datacenter group at Intel Security. Rishi Bhargava is Vice President and General Manager of Software Defined Datacenter Group, Intel Security Solutions Division at Intel Security, Inc. A visionary and technology enthusiast, he is responsible for delivering Intel integrated Security Solutions for datacenters.

Prior to his current role, Rishi was Vice President of Product Management for Datacenter and Server security products at McAfee, Part of Intel Security. During his tenure at McAfee, he led product management teams and launched multiple products to establish McAfee leadership in Risk & Compliance, Virtualization and Cloud security. Rishi joined McAfee by way of Solidcore (Enterprise Security Startup) acquisition by McAfee in 2009. At Solidcore, he was responsible for Product Management and Strategy. As one of the early employees and member of the core leadership team, he was instrumental in defining the company’s product strategy and growing the business; Solidcore’s technology is now the leading Application Whitelisting product in the Industry. Rishi holds over a dozen patents in the area of Computer Security. Rishi holds a B.S. in Computer Science from Indian Institute of Technology, New Delhi and a Masters in Computer Science from University of Southern California, Los Angeles. Rishi’s interests revolve around exploring new technologies and industry trends.

Neal Dennis

Neal Dennis has worked in cyber intelligence for more than 19 years in various roles. Neal currently works at Cyware focused on starting up the Customer Success process and driving client engagements. Prior, as TruSTAR's Intelligence Architect, Neal worked in the trenches with customer success and clients, helping them map out new intelligence workflows for more effective investigations and create unique and insightful intelligence products. Additionally, Neal worked to educate internal company teams about various client needs and workflows in order to drive product development. Prior to TruSTAR, Neal worked as the Technology Lead and Sr. Intelligence Analyst for the Retail Hospitality ISAC, helping the organization stand up its threat intelligence exchange among a diverse member pool.

Neal made his first trip into the commercial world at Arbor Networks as the Senior Threat Intelligence Lead where he designed and built out Arbor's first true intel analysis team. Before working at Arbor, he spent 14 years supporting various military cyber initiatives, including USCYBERCOM, STRATCOM, NSA, 24th Air Force, Air Force Office of Special Investigations, and JFCC-NW. Neal has worked in most levels of cyber operations, from network defense and sitting on the wire, to strategic intelligence support and policy development. Neal started his career as a SIGINT specialist while serving in the United States Marine Corps.

Lorenzo Anderson

Lorenzo is a cybersecurity engineer and architect with 14 years of experience. He has specialized in security automation for the last five years working with start-ups and large enterprises alike and is an early adopter of SOAR. In his free time, he enjoys traveling, anything outdoors, and cars. He currently lives in Maryland.
