Threat Hunting in Action: SANS 2018 Survey Results, Part II

  • Thursday, September 20, 2018 at 1:00 PM EDT (2018-09-20 17:00:00 UTC)
  • Rob Lee, Robert M. Lee, Sid Pearl, Benjamin Powell, Justin Swisher


  • Anomali
  • DomainTools
  • IBM
  • Malwarebytes
  • Qualys
  • RiskIQ

Cyber threat hunting, once the job of only highly trained specialists, is maturing and growing more operationalized. While cyber threat hunting will always require the knowledge, critical thinking and skills of seasoned professionals, hunting capabilities are becoming more automated and integrated into overall SOC functions.

In this webcast, SANS Threat Hunting and Incident Response Curriculum Chair Rob Lee will discuss how threat hunting has matured during the past three years, including:

  • Whether or not organizations are integrating their threat hunting activities with cyber threat intelligence (CTI)
  • Benefits and drawbacks of integrating with CTI
  • Improvements in endpoint threat intelligence collection (a weak point among respondents to our 2017 survey)
  • Best and worst technologies, standards and processes for hunting
  • Specific examples of hunts filled in by respondents

Register for Part I of this webcast, "Threat Hunting Is a Process, Not a Thing," here.

Results will first be discussed at the SANS Threat Hunting and Incident Response Summit on September 6-7. The full whitepaper, written by Rob Lee, will be available on the day of the live webcast.

Speaker Bios

Rob Lee

Rob Lee is the curriculum lead and author for digital forensic and incident response training at the SANS Institute. With more than 15 years of experience in computer forensics, vulnerability and exploit discovery, intrusion detection/prevention and incident response, he provides consulting services in the Washington, D.C. area. Before starting his own business, Rob worked with government agencies in the law enforcement, defense and intelligence communities as a lead for vulnerability discovery and exploit development teams, a cyber forensics branch, and a computer forensic and security software development team. He also worked for a leading incident response service provider and co-authored Know Your Enemy: Learning About Security Threats, 2nd Edition.

Robert M. Lee

Robert M. Lee, a SANS certified instructor and author of ICS515 ICS Active Defense and Incident Response and FOR578 Cyber Threat Intelligence courses, is the founder and CEO of Dragos, a critical infrastructure cyber security company, where he focuses on control system traffic analysis, incident response and threat intelligence research. He has performed defense, intelligence and attack missions in various government organizations, including the establishment of a first-of-its-kind ICS/SCADA cyber threat intelligence and intrusion analysis mission. Author of SCADA and Me and a nonresident National Cyber Security Fellow at New America, focusing on critical infrastructure cyber security policy issues, Robert was named EnergySec’s 2015 Energy Sector Security Professional of the Year.

Sid Pearl

Sid Pearl is an IBM i2 Safer Planet subject matter expert, as well as CISO for the International Association of Certified Information Sharing and Analysis Organizations (ISAOs), protecting U.S. national security and critical infrastructure interests. Previously, he served as a global cyber security and cyber intelligence executive at Unisys, where he led business and practice development for Unisys' eight security operations centers (SOCs), as well as the unified risk and intelligence/analytics practice. Sid served 20 years with the U.S. Navy in Special Operations, including combat communications and intelligence operations for joint special forces.

Benjamin Powell

Benjamin Powell is the technical marketing manager at RiskIQ. He has worked in IT for 30 years, focused on IT security for the past 13 years. Prior to RiskIQ, he was a founding employee at AccelOps, a SIEM company at which he ran Professional Services and Product Marketing. Benjamin has worked with and managed IT and cyber security teams in numerous industries (state government, international airport, port district, education, biotech, file encryption software and financial services).

Justin Swisher

Justin Swisher is a security strategy manager at Anomali. Building on more than 12 years of IT security experience with an emphasis in network security architecture and monitoring, Justin has worked to develop new techniques to improve detection and threat hunting. After spending four years with the U.S. Air Force as an intelligence analyst, Justin brought those analytical skills to leading cyber security vendors in an effort to improve network security detection and response.
