XDR & EDR Solutions Forum 2022

Every day, cyber adversaries grow and hone their tradecraft, discovering new ways to infiltrate and maintain persistence in victim organizations. In addition, defenders must be wary of the wide range of adversary goals, ranging from cyber espionage to “smash and grab” ransomware. Long gone are the days when simple anti-virus signatures or minor defenses were enough to stave off intentional adversaries. Security teams need more to combat modern threats.

In the 2022 SANS XDR & EDR forum, we’re going to explore methods and techniques for defenders to stand up against advanced threats. We cannot expect to stand up against modern threats without advanced capabilities. During this forum, we will look at how defenders can benefit from:
  • Multiple correlated and integrated sources of telemetry
  • Simultaneous widespread and granular visibility into their organizations
  • The ability to deploy cross-telemetry detections to look for adversary behaviors

Join the SANS Solutions Forum Interactive Slack Workspace for this event (and all SANS Forums)! Connect once and you're set for all events in 2022!





Agenda | March 25, 2022 | 10:30 AM - 3:30 PM EDT



10:30 AM

Welcome & Opening Remarks

Matthew Bromiley, SANS Instructor & Subject Matter Expert

10:45 AM

Cross Data Source Detections – Real World Scenario from the Log4Shell Attack

After the Log4Shell vulnerability was announced, Hunters researched the vulnerability and the relevant exploitation techniques in order to surface servers at potential risk, hunt for exploitation attempts, and develop detection methods for Log4Shell exploitation. Given that Log4j is used in a wide range of consumer and enterprise websites, services, and applications, we first assessed our own systems and then took measures to identify potential vulnerabilities or attacks for our customers, creating a visibility dashboard and Analytics within the Hunters platform. We will show how Hunters built new detections for Log4Shell, adding an extra layer of protection for the security teams who work with us.

Actionable Takeaways:
  • Deeper understanding of how attacks can be missed in SIEM and other environments
  • How cross data source detection works to improve detection efficiency
  • How this approach worked with Log4Shell detection
  • How Hunters built new detections for Log4Shell, adding an extra layer of protection

Alon Slotky, Technical Product Manager, Hunters
Shahar Vaknin, Axon Team Leader, Hunters

11:20 AM

XDR: the Blueprint for Solving the Ransomware Challenge

During a ransomware attack, it is critical to detect and respond early and quickly. By decreasing your mean time to detection of the attacker’s behavior, your security team can investigate and respond in time to prevent a ransomware incident. To protect against a ransomware incident, it is important to interrupt the kill chain as early as possible. One way to make this radically simple and fast is to harness the power of XDR (Extended Detection and Response).

Join Cisco as we discuss and demonstrate the three key pillars of XDR and the critical role they play in helping you achieve better security outcomes.

Adam Tomeo, Product Marketing Manager, Cisco Secure
Eric Howard, Technical Leader, Cisco Secure

11:55 AM


12:10 PM

Beat the Clock: How to Accelerate Threat Hunting With XDR

To carry out the most efficient threat hunts, defenders need multiple sources of telemetry and a simple way of acquiring and analyzing data from all of them. Join this session to hear the differences between XDR and SIEM-based threat hunts and learn how XDR can reduce the time to detect and respond to potential threats. We’ll cover best practices and cautions from real-world experience, as well as preventative measures and investigations that you can start today.

Andrew Mundell, Enterprise Security Engineer, Sophos

12:45 PM

Solving for X with XDR: Widening the Aperture for Rapid Detection, Investigation and Response

There has been a lot of buzz around Extended Detection and Response (XDR) as an evolution of Endpoint Detection and Response (EDR); however, definitions vary depending on who you talk to. Dramatic changes to network architectures, as organizations move workloads to the cloud and leverage disparate SaaS tools while still relying on traditional on-premise networks, have increased data volumes and the complexity of detecting threats across these environments.

In this session we will discuss the evolution of security from the endpoint and beyond, from legacy anti-virus, to EDR and now XDR. We will show how detection use cases and workflows that used to require complex and manually configured SIEM and SOAR solutions can be automated and streamlined with XDR, for rapid detection, investigation and response.

Ken Westin, Director of Security Strategy, Cybereason

1:20 PM


1:35 PM

EDR & XDR – How to Reduce Alerts & Speed Up Investigation

Security teams are overwhelmed. And EDRs are too noisy. With a finite number of hours in the day and a limited amount of resources, it's a daily challenge to validate the vast number of alerts coming into the organization. One source of these alerts is EDR systems. And since EDR is turning into XDR, the number of alerts is only increasing.

Advancements in EDR technology have improved detection rates over the past several years. This is a good thing! But increased detection rates and alerts do not come without their trade-offs. Any level of manual investigation for every alert coming in from an EDR/XDR system puts a strain on the security organization.

In this webcast, learn how to introduce an automated process to:
  • Reduce the number of alerts coming in from your EDR/XDR system
  • Avoid sacrificing your detection rate
  • Improve the speed of investigation

Andrey Voitenko, CISSP, Senior Product Manager, VMRay

2:10 PM

Top 3 Endpoint Attacks Ripped from the Headlines

Adversaries keep devising new ways to compromise endpoints. To thwart them, you need the best-in-class endpoint security that's always learning to outpace threats. Attend this session to understand the latest endpoint threats seen and analyzed by the Palo Alto Networks research team.

During this session, we will discuss:
  • Recent attacks like Log4Shell and HermeticWiper
  • Step-by-step attack demonstrations
  • Recent innovations that block today's most dangerous threats

Aviad Meyer, Security Research Manager, Palo Alto Networks

2:45 PM

Automate Vulnerability Remediation and Reduce EDR Alerts

EDR solutions are tremendously powerful tools and represent the next generation in endpoint security. Come learn how cloud-native IT operations for modern organizations help realize outcomes over alerts and avoid the dreaded alert fatigue common with today's highly sensitive EDR tools. See how our tool, combined with an EDR solution, can keep all your endpoints configured and secured, anywhere in the world. With Automox + EDR, SecOps teams can have a recognizable impact on company success, and sleep better at night knowing their environment is secure.

Jay Goodman, Director, Product Marketing Group, Automox

3:20 PM

Wrap-Up and Closing Remarks

Matt Bromiley, SANS Instructor & Subject Matter Expert