This webcast has been archived. To view the webcast, log in to your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Once you register, you can download the presentation slides below.

SOCs Grow Up to Protect, Defend, Respond: Results of the 2017 SANS Survey on Security Operations Centers, Part 1

  • Wednesday, May 17, 2017 at 1:00 PM EDT (2017-05-17 17:00:00 UTC)
  • Alex Valdivia, Christopher Crowley, John Markott, James Carder


  • Carbon Black
  • Endgame
  • LogRhythm
  • NETSCOUT Systems, Inc.
  • ThreatConnect
  • Tripwire, Inc.


Join survey author Christopher Crowley as he co-chairs the SANS SOC Summit June 5-6, 2017.

It takes a village to protect today's networks from cyber threats. And, today's security operations centers (SOCs) represent villages unto themselves, with many different roles and technologies supporting multiple, complex tasks and often spanning geographies.

Whether in-house or in the cloud, SOCs are maintaining prevention and detection systems and monitoring hosts, the network and the Web for vulnerabilities. Increasingly, SOC functions are converging with intelligence, threat hunting and other emerging processes to aid in prevention and response.

How are organizations accomplishing these tasks? What types of resources are they utilizing to staff and run their SOCs? And what type of organizations are turning toward cloud-based managed services for part or all of their SOC needs? In this first part of a two-part webcast, join SANS principal instructor, Chris Crowley, who will share the results of SANS' first survey on security operations centers. Attend this webcast and learn about trends in SOCs, including:

  • Basic SOC architectures
  • Preparedness, staffing and capabilities
  • Level of automation and integration between prevention, detection and response
  • The SOC's relationship with IT Ops
  • What types of organizations are using cloud-based SOC services
  • What types of organizations are devoting mostly in-house resources to maintain their own SOCs
  • What functions are most commonly turned over to the cloud versus what are most commonly kept in-house

Click here to be among the first to view the associated results whitepaper written by Chris Crowley. Click here to register for the second part of this webcast: Future SOCs, held on Thursday, May 18, 2017.

Speaker Bios

Christopher Crowley

Christopher Crowley, a senior SANS instructor and course author for SANS courses in Managing Security Operations and MGT535 Incident Response Team Management, holds multiple certifications. He received the SANS 2009 Local Mentor of the Year award for excellence in providing mentor classes to his local community. Chris is a consultant based in Washington, D.C., who has more than 15 years of experience in managing and securing networks. His areas of expertise include network and mobile penetration testing, mobile device deployments, security operations, incident response and forensic analysis.

Alex Valdivia

Alex Valdivia is a member of the ThreatConnect Research Team, where he analyzes malware, malicious infrastructure and threat actors, and captures best practices in order to share intelligence and process with various ThreatConnect Communities. He has spoken at B-Sides Las Vegas, DEF CON Skytalks and has been a guest lecturer for threat intelligence courses at Johns Hopkins University, Metropolitan State University and the University of South Florida. Before ThreatConnect, Alex studied electrical engineering at George Mason University and worked the graveyard shift in a SOC, where he developed a fondness for thwarting inept online criminals.

James Carder

James Carder, CISO & VP of LogRhythm Labs, brings more than 19 years of experience working in corporate IT security and consulting for the Fortune 500 and U.S. government. At LogRhythm, he develops and maintains the company's security governance model and risk strategies; protects the confidentiality, integrity and availability of information assets; oversees both threat and vulnerability management, as well as the Security Operations Center (SOC). He also directs the mission and strategic vision for the LogRhythm Labs machine data intelligence, threat and compliance research teams.

John Markott

John Markott is a director of product management at Carbon Black. His mission: To help MSSP and IR providers to ride the wave and reap the rewards of Next-Generation Endpoint Security. With nearly two decades of experience in InfoSec, John is helping to bridge the gap between product design and implementation within security operations centers and next-generation security services.
