SOAR Solutions Forum 2022

The SOAR Solutions Forum will explore best practices of selection, implementation, operations, and staff use of SOAR tools. Investing in a SOAR platform is strategic and financially beneficial decision. SOAR systems can help define, prioritize, and standardize responses to cyber incidents. SOAR promises to reduce Security Operations Center (SOC) operating cost. If implemented properly, and with a commitment to ongoing operational adjustment, the SOAR can become an enabler, tracker, metrics collector, and procedure knowledge base.

The pace of IT change has become difficult to keep up with for SOCs. The SOC team should use the SOAR platform to gain insight on what the SOC does and perform it with greater speed, precision, and consistency. The challenge is SOAR tools are frequently bought to avoid the one thing that most organizations don't seem to be able to do on their own: figuring out the sequence of actions that need to be automated and bringing together the mass of data from disparate tools. The SOAR tool doesn’t replace SIEMs or analysts. It’s a tool to provide support to the analyst and enable the full power of a SIEM.

>>> Stay up to date on upcoming Summits & Forums and get connected with thousands of industry professionals by joining the 2022 Solutions Forums Workspace & Mailing List!

>>> Download a copy of the presentations here!

SOAR_Solutions_Forum_-_Reg_Page.png

Sponsors

Anomali_Logo_FullColor_RGB_2021_(002).pngCorelight_Transparent.pngBlack_GN_horizontal.pngPalo_Alto_Networks.pngrapid7.pngNEW_LOGO.jpgSplunk_-_New_Logo.pngSwimlane_Logo.jpgNEW_LOGO.pngTorq_Logo_Color.pngvmray_logo.gif
Panel.png

Attendee Information

At this year's SOAR Solutions Forum, we will explore best practices of selection, implementation, operations, and staff use of SOAR tools. Presentations dive into technical content through case studies, demos, and thought leadership using specific examples relevant to the industry.

Continuing Professional Education (CPE) Credits are earned by participation in the event!

  • 6 CPEs are earned for attending the Forum

SANS Summits and Solutions Focused Forums and Tracks are one- to two-day events that bring together practitioners and leading experts to share and discuss case studies, lessons learned, new tools, and innovative strategies to improve cybersecurity and overcome challenges in a particular focus area or industry.

Stay up to date on upcoming Summits & Forums and get connected with thousands of industry professionals by joining the 2022 Solutions Forums Workspace & Mailing List!

Agenda | Thursday, March 10, 2022 | 10:30 AM - 4:45 PM EST

Schedule

Description

10:30 AM

Welcome & Opening Remarks

Chris Crowley, SANS Senior Instructor & Subject Matter Expert

10:45 AM

IDEs, Intelligence and Insights: How to Squeeze Every Ounce of Potential Out of Your SOAR

A SOAR platform is only as good as the value it provides your team. This session will offer a cheat sheet for unlocking value and maximizing the output of your deployment in three critical areas: 1) Python programming so you can customize integrations and playbook actions in your IDE, 2) threat intelligence gathering so you can make quick and informed decisions and 3) metrics and BI so you can be sure you are using your SOAR to track KPIs that will move the needle, from the SOC to the C-Suite.

Arnaud Loos, Partner Enablement, Siemplify, now part of Google Cloud

11:20 AM

SOARing to New Heights: Building a Next-Generation Security Automation Program

In today's digital-first world, security teams face an unending set of challenges - from a growing set of attack vectors to autonomous attacks to constantly increasing complexity in the environments they must defend. Meeting these challenges requires automation. Yet, many teams use SOAR platforms for only a small set of security processes, leaving dozens or hundreds of critical workflows as manual processes. As a result, security teams are overworked, struggling to deliver protection at the speed of business.

It's time to rethink the promise of SOAR - and reposition Security Automation as the central nervous system of not just the SOC - but the entire security organization. Join us to learn practical advice for how security teams can improve defensive posture, reduce MTTR, and deliver better protection than ever before - all through the use of automation.

Marco Garcia, Field CTO, Torq

11:55 AM

Threat Intelligence for Security Operations- Combining SOAR + TIP

As cyber-attacks evolve, SOC teams struggle to manage huge volumes of data generated by new attacks and vulnerabilities. Security teams are stuck with inefficiencies in managing massive amounts of alarms from irrelevant threat intel feeds leading to alert fatigue.

Threat Intelligence and the data feeds are of little use if analysts must manually sort them out. Taking action to operationalize the threat data is a critical component for security teams. A Threat Intelligence Platform (TIP) is the solution that enables security teams to collect, aggregate, analyze and disseminate the threat data along with taking automated action. Eliminating the manual task of managing millions of indicators across multiple feeds helps reduce MTTR (Mean Time to Respond). Join this session to learn how organizations can stay ahead of their adversaries by combining TIP with SOAR capabilities.

Shravanthi Reddy, XSOAR Threat Intelligence - Manager, Palo Alto Networks

12:30 PM

Break

12:45 PM

SOAR Solutions - Best Practices & Benefits of Automation

Attackers have already found thousands of potential ways to obfuscate their log4j attacks, which are sweeping the Internet at breakneck speed. SOCs protecting still-vulnerable assets have a duty to chase down every alert for it that pops up - which are coming in at a rate of tens or hundreds of thousands of times a day for larger enterprises. This talk will discuss how a data-driven strategy can automate that insurmountable task into a process that quickly reveals systems that actually responded to the attack - letting teams focus on the alerts that matter the most.

Alex Kirk, Global Principal Engineer, Corelight

1:20 PM

SOARing with Risk-based Vulnerability Management

Risk-based vulnerability management (RBVM) is an ideal use case to operationalize and automate within SOAR as it needs to connect threat intelligence, data collection, enrichment, cross-team workflows, and incident management, all labor intensive processes. The integration of cyber risk quantification in the RBVM process via SOAR makes financial impact based decisions about which vulnerabilities to target against the most business critical assets, taking automated RBVM to the next level.

Toby Bussa, Vice President, ThreatConnect
Mike Summers
, Senior Sales Engineer, ThreatConnect

1:55 PM

SOAR Lessons Learned - How to Plan for Automation

Automation certainly isn’t a modern concept but implementing new use cases or improving on existing ones can be a challenge. During this session we’ll take a look the automation landscape over the past 5 years, what’s ahead, and more importantly successes and failures from deploying automation use cases while working with users. Finally, we’ll talk about quick easy wins, interesting challenges and things that have been accidentally broken, and how to not only successfully plan for automation but how to adopt a methodology for developing and improving use cases.

Nick Roy, Engineer, GreyNoise

2:30 PM

Break

2:45 PM

How to Build a System of Record with Low-Code Security Automation

Security teams everywhere are asked to do the impossible. Processing the flood of alerts required to protect an organization can easily overwhelm even the most highly-engaged security talent. Traditional SOAR offerings may help alleviate the pain, but they are not enough in today's ever-evolving threat landscape. By leveraging low-code security automation for processes like incident response or threat hunting - considered by many to be introductory use cases - the promise of extensible automation delivers a system of record to security teams, reduces the threat containment window when incidents eventually do occur, and can even extend automation beyond the SOC. In this session, you'll learn about what makes low-code security automation different than traditional SOAR and how you can unlock its potential at your organization.

Bryon Page, Director Solution Architecture, Swimlane

3:20 PM

Automating Across a Zero Trust Architecture (ZTA)

Zero Trust Architecture (ZTA) is becoming increasingly important in a cloud-first world where the perimeter no longer exists. As a result, identities, devices, virtual networks, applications, and data must be monitored and protected with an updated set of detections and controls that account for new access patterns and new types of attacks. This presentation will show how Splunk SOAR can automate the daunting task of restricting, revoking, and restoring access across the pillars of ZTA. Organizations with Splunk SOAR, fueled by Splunk's Risk-Based Alerting, will be able to shut down attackers quickly.

Kelby Shelton, Senior Solutions Engineer, Splunk
Phil Royer
, Research Engineer, Splunk

3:55 PM

High Quality Threat Intel: The Secret to Unlocking the Value of Your SOAR Deployment

Threats are increasing. Qualified and well-rested SOC experts are increasingly difficult to find. Security Orchestration Automation and Response (SOAR) is absolutely essential, but it relies on quality data as input. Your playbooks and automations will only be as accurate as the data that is going in. Interestingly, even the biggest SOAR vendors are driving 3rd party integrations to advanced detection and analysis platforms such as VMRay to improve their overall customer (read: analyst) experience. Why? Because VMRay can help you maximize your SOAR performance by providing the high quality data you need to curate the best threat intelligence available. In this session, you will see for yourself why and how VMRay improves the value you get out of your SOAR deployment.

Andrey Voitenko, Senior Product Manager, VMRay

4:30 PM

Wrap-Up

Chris Crowley, SANS Senior Instructor & Subject Matter Expert