Here are 8 Talks You Don't Want to Miss at SANS' SIEM Summit & Training

As a blue teamer, you love your SIEM.

Your SIEM plays an integral part in improving your security posture and achieving your compliance goals. We know it's important, because the classes at SANS that cover SIEM material, such as SEC503, SEC511, SEC530 and SEC555, draw some of the highest attendance of all our blue team courses.

If you've never attended our SIEM Summit, you've been missing out on a terrific event to network with other information security professionals, gain information on new vendor products, participate in onsite/online challenges and contests, and listen to world-class guest speakers.

This fall's SIEM Summit and Training is the event for discussions about what's working now in SOCs, a place to get advice and strategize how to utilize your SIEM more effectively, and find resources recommended by today's top CISOs, lead analysts, engineers, architects and managers.

Below are just some of the talks we are looking forward to at this year's event.
We'll kick off both Summit days with in-depth talks from two of the most well-respected cybersecurity leaders in the industry, Justin Henderson and John Hubbard.

Here are a few of our day one talks:

Get the Basics Right!

Balaji Nakkella, Senior Consultant, Deloitte Canada

Rakesh Kumar Narsingoju, Solution Delivery Advisor, Deloitte US-India

Most organizations deploy SIEM to serve two main purposes: achieve compliance and improve their security posture. Although there are multiple compliance-related frameworks specific to each industry, assessing existing security posture is a challenge. Hence, organizations leverage SIEM solutions for this purpose, but they fail to tap its true potential due to high volumes of data, lack of proper detection rules, and high false-positive rates. In most cases, SIEM solutions are deployed by third parties, and we need to ask those parties the right questions in order to have a high degree of confidence in our detection capabilities and further improve security posture. This talk focuses on identifying the blind spots where the necessary data are not available; baselining rules and mapping them to threat categories; identifying areas where a SIEM solution is not enough for investigation; and examining automation strategies to reduce the mean time to detect and respond to incidents. We will provide a checklist that helps an organization go through all the phases from risk assessment to post-SIEM deployment maintenance. This checklist is neither industry- nor vendor-specific but serves as a holistic reference guide for any organization.

We Need to Talk about the Elephant in the SOC

Jim Apger, Security Specialist, Splunk

Why have we accepted alert fatigue as a normal occurrence in the Security Operations Center (SOC)? And why are we compounding the problem by whitelisting and suppressing the noise to the point where we have essentially created a situational security numbness within the enterprise? Our data are trying to tell us a story. The MITRE ATT&CK framework helps us figure out where we are in terms of our ability to tease the story from the data while simultaneously providing guidance for building out our own threat models. In this talk, we will go into detail to describe a trend we are seeing that introduces a layer of abstraction between detection analytics and the alerting process; both align nicely with ATT&CK and also account for user/system-specific context when scoring anomalous or interesting behavior. Attendees will learn how an organization of any size can transform its SOC quickly by reducing the alert overload, improving its false positive rates, adding data/analytics without scaling up the number of analysts, and aligning against a framework of its choice.

The Right Data at the Right Time

Jeff Bollinger, CSIRT Investigations and Analysis Manager, Cisco

Matthew Valites, US West Outreach Lead, Cisco Talos

Analysts and incident responders have so many tools and data sources to choose from that it can be daunting to understand what is necessary versus what is simply nice to have. When putting together a monitoring playbook, it's essential to understand what data are available to you and how they can be used for security monitoring and incident response. Enterprise analysts may have different data preferences than analysts at smaller organizations. How can detection and incident response (IR) teams effectively protect their organizations with the right data sources? How can you deliver context with raw machine data? This presentation will draw from years of experience in designing and operating world-class network security operations to help you understand the "ideal" set of data sources for security monitoring and IR for any environment; consider data sources depending on your size or threat profile; operationalize event data (extract, transform, load); and understand the evolution of your security event data. We'll look at real-world incidents involving data perceived to be undervalued, and at clever ways to use other data sources.

Don't Be a SIEMingly SOAR Loser...

Rob Gresham, Security Solutions Architect, Splunk

This title is so perfect for this discussion. Security operations, automation, and response constitute an awesome path for security teams, whether it's automation attached to the SIEM or a stand-alone orchestration tool. We love innovation, yet it seemingly creates such a SOAR on our seating devices. Where is the value in our SOAR products, and how long will it take until we are rewarded? Is it measured by your detection or response time? Containment, reimage, or resolution times? Is it a ticketing tool, case management, or neither? What is the difference between ticketing and case management tools? There are generally two approaches to the SOAR implementation models. One is as infinite as the ocean and the other is how you "really" work. We will explore these areas, offer suggestions, and provide some definitive truths (IMHO). We'll use the TTP0 fractal to define our flows and I2A2 to collect that SOEL, and if you don't SOAR after implementing those. We will demonstrate how your existing use cases or tribal knowledge can be exploited to deliver powerful automation and response, and how the human-machine team can be taken up a notch and work immediate automation into your processes that will lead to true orchestration. SOARing isn't an easy task (even though some make it look so easy, right?) and yet all of us want to fly or be flown.


And the above is just day one! Here are a few more talks we have planned for day two:

Techniques to Reduce Alert Fatigue in Security Analysts

Ram Shankar Siva Kumar, Data Cowboy, Azure Security Data Science, Microsoft

Sharon Xia, Principal Program Manager, Cloud+AI Security, Microsoft

Alert fatigue is real. Security analysts face a huge burden of triage because they not only have to sift through a sea of alerts, but also correlate them from different products manually or use a traditional correlation engine. This talk describes the flagship machine learning system embedded within Azure Sentinel, Microsoft's Cloud SIEM, to tackle alert fatigue. It will describe how to obtain a 90 percent reduction in alert fatigue for internal and external customers. Attendees will learn about three techniques to reduce alert fatigue (probabilistic kill chain, iterative attack simulation, and graphical inference); a framework to combine alerts from multiple cloud services; and a design pattern to scale detection systems. We'll then walk through the series of steps in the ML system within Azure Sentinel that go from low-fidelity alerts to security alerts, and we'll demo this system in action combining O365 logs with Azure Active Directory alerts. The talk will wrap up with a look at a framework to combine the system, sharing how to normalize events across different products and presenting an engineering pattern design for others to build on.

Effective Log Monitoring & Events Management for Small and Medium-sized Businesses

Russell Mosley, CISO, Dynaxys

Ryan St. Germain, Senior Security Engineer, Dynaxys

Russell and Ryan will walk through their log and events management strategy and implementation at a small technology company to meet security needs and compliance with government contractor regulations. Specifically, they will be covering log collection, analysis, and a review process sufficient to pass audit requirements. Learn what to implement, why, and how, and how to achieve your goals, through examples drawn from 50-plus daily log review tickets. The presenters will go into detail, explaining their process so that you can replicate it with open-source or commercial tools. This talk will show you how to use this information to fine-tune your tools.

That SIEM Won't Will Hunt

John Stoner, Principal Security Strategist, Splunk

Hunting is not the first thought that comes to mind when someone says SIEM, is it? But do you know that SIEM can be another tool that threat hunters on the security operations team can leverage effectively as part of their hunt? This talk uses the fictional advanced persistent threat group Taedonggang to demonstrate how SIEM can be used to aid our hunt activities. We will talk about MITRE ATT&CK and the intersection of threat hunting and security operations, and how threat hunt findings should be operationalized into SIEM for the security operations team. Operationalizing refers to more than just a blacklist of IP addresses and file hashes! John Stoner will show how we can tie our findings to adversary tactics and techniques that can then have automated responses built to address these techniques as they are identified in the future. Attendees will come away with an understanding of how SIEM can be used during threat hunting; knowledge of how MITRE ATT&CK can serve as a common taxonomy in SIEM for both security operations and threat hunters; ideas for how to create SIEM alerts and views based on threat hunts; and a data set and instructional application that they can take home and play with!

Hunting with Sysmon to Unveil the Evil

Felipe Esposito, Senior Instructor at Blue Team Operations, BlueOps Consulting and Training

Rodrigo Montoro, Head of Research and Development, Apura Cyber Intelligence

System Monitor (Sysmon) is a Windows system service and device driver that, once installed, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. These logs provide investigators with a wealth of information that can be analyzed in many different ways. By splitting the analysis across each field of a Sysmon event, you can examine the event itself in greater depth and build a hunting view that points you towards particular processes or behaviors, making it easier to spot uncommon processes on your endpoints. By correlating these alerts with your network and business requirements, you can make detection more accurate and generate less noise, thereby helping your staff prioritize which events to handle first. This presentation will discuss methods to analyze and score each field from those events, ideas for implementation, projects, and results based on deployment. We'll also show how you can improve your hunting capabilities by using Sysmon as a more powerful detection vector to identify specific user behaviors and activity patterns.
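The per-field scoring and ranked hunting view that the abstract describes, as an added example that is not from the SANS post or any of the speakers. The field names follow Sysmon Event ID 1 (process create); the event records, file paths and user names are constructed, and the rarity formula is one plausible scoring choice rather than the presenters' method.

```python
# Added example (not from the SANS post or any speaker): score every field of a
# Sysmon Event ID 1 (process create) record by how rare its value is across the
# data set, then rank the events into a hunting view. Records are constructed.
from collections import Counter
from math import log2

# Lineage (parent > child) comes first so it wins ties when picking the pivot field.
SCORED_FIELDS = ("Lineage", "Image", "ParentImage", "User")

def score_events(events):
    """Rank events by summed field rarity. Field score = log2(N / count(value)):
    a value present in every event scores 0, one seen once among N scores log2(N).
    Each result is (event_score, {field: field_score}, event)."""
    # Derived field: rare parent->child lineage is a classic Sysmon hunting pivot.
    events = [{**e, "Lineage": f"{e['ParentImage']} > {e['Image']}"} for e in events]
    n = len(events)
    counts = {f: Counter(e[f] for e in events) for f in SCORED_FIELDS}
    ranked = []
    for e in events:
        per_field = {f: log2(n / counts[f][e[f]]) for f in SCORED_FIELDS}
        ranked.append((sum(per_field.values()), per_field, e))
    ranked.sort(key=lambda r: r[0], reverse=True)  # stable sort: ties keep input order
    return ranked

def hunting_view(events, top=3):
    """Top-N events plus the field that contributed most, for the analyst to pivot on."""
    view = []
    for score, per_field, e in score_events(events)[:top]:
        pivot = max(per_field, key=per_field.get)
        view.append({"score": round(score, 3), "pivot_field": pivot,
                     "pivot_value": e[pivot], "Image": e["Image"], "User": e["User"]})
    return view

# Constructed sample: six routine process creations and one outlier in which an
# Office application spawns PowerShell for a user who otherwise looks ordinary.
EXPLORER, WINWORD = r"C:\Windows\explorer.exe", r"C:\Program Files\Office\WINWORD.EXE"
CHROME, OUTLOOK = r"C:\Program Files\Chrome\chrome.exe", r"C:\Program Files\Office\OUTLOOK.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": CHROME, "ParentImage": EXPLORER, "User": r"CORP\alice"},
    {"Image": CHROME, "ParentImage": EXPLORER, "User": r"CORP\alice"},
    {"Image": CHROME, "ParentImage": EXPLORER, "User": r"CORP\bob"},
    {"Image": OUTLOOK, "ParentImage": EXPLORER, "User": r"CORP\bob"},
    {"Image": OUTLOOK, "ParentImage": EXPLORER, "User": r"CORP\carol"},
    {"Image": PS, "ParentImage": WINWORD, "User": r"CORP\carol"},
    {"Image": OUTLOOK, "ParentImage": EXPLORER, "User": r"CORP\alice"},
]
if __name__ == "__main__":
    for row in hunting_view(SAMPLE_EVENTS):
        print(row["score"], row["User"], row["pivot_field"], "=", row["pivot_value"])
```

On real data the counts would come from a baseline window (days or weeks of events) rather than the batch being scored, so that a busy host's routine activity does not drown out a single rare lineage.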

Attend this fall's SIEM Summit & Training!

These are only a few of the presentations on the Summit agenda. In addition to expert talks and demos, the Summit will host an evening reception, onsite luncheons, and several networking sessions. This is your chance to learn, share, and connect with the best in SIEM, SOC, and cybersecurity. We hope to see you there!
