SANS Automation & Integration Security Briefing: SOARing to New Heights - Using Orchestration & Automation Tools in the Way They're Intended

  • Friday, February 8th, 2019 at 10:30 AM EST (15:30:00 UTC)
  • Chris Crowley
This webcast has been archived. You can view the webcast presentation and download the slides by logging into your SANS Portal Account or creating an Account.

Sponsors

  • Swimlane
  • DomainTools
  • Amazon Web Services, Inc.
  • Siemplify
  • Anitian
  • RedCanary
  • DF LABS SPA

Overview

In the Denver area? Join us at the Live Event.

Register here:

https://www.sans.org/vendor/event/58050 

Security Orchestration, Automation and Response tooling is intended to increase efficiency and consistency. These tools also promise to diminish the cost of operating a Security Operations Center (SOC) for most organizations. If used properly, these tools can do all of these things. The challenge is that the tools are frequently bought to avoid the one thing that most organizations don't seem to be able to do on their own: figure out the sequence of actions that need to be automated, and bring together the mass of data from disparate tools.

This Inaugural SANS Automation & Integration Vendor Briefing will provide practical and actionable examples of the sequence of steps that an organization needs to take to utilize these tools. It will also provide customer examples of what has and has not worked for organizations.

Earn 4 CPE Credit hours for attending this event.

Agenda:

8:00am - 8:30am: Registration & Coffee Networking

8:30am - 9:15am: Welcome & Keynote

In the introductory keynote, Christopher Crowley will differentiate between the concepts of orchestration and automation. He'll suggest some examples of things that are easy to do, and some stretch goals for both orchestration and automation. The talk will be largely tool-agnostic, setting the stage for the vendors to address how they approach the nuance of these topics and apply them specifically in their solutions. The material promises to be thought-provoking and a call to action, giving you specifics on what you can start to do when you return to work.

Chris Crowley - Briefing Chair & SANS Course Author/Instructor

9:15am - 9:30am: Special Guest Speaker

Title: Community Driven Security

Abstract:

We know that there is a need for Orchestration and Automation in Security, but why? Alex will explore 2 key drivers why SOAR is a must to keep up. SOAR isn't our only saving grace though. Alex will also discuss a community-driven approach to solving our security woes.

Alex Wood, CISO Pulte Financial Services

9:30am - 10:15am: The 12-step SOAR model: Breaking your old school SecOps addiction

Automation is sweeping through security operations, but many teams are stuck trying to figure out how to break from their existing security operations models. By assessing years' worth of lessons learned, best practices and real-world use cases, we will provide not only a glimpse of what your security operation program could be but also how to get there.

Cody Cornell, Swimlane Founder & CEO

10:15am - 10:30am: Networking Break

10:30am - 11:15am: The Beginners Guide to Building Your Incident Response Playbook

The cybersecurity industry faces an ever-widening skills gap: the recent ISC2 research, the Cybersecurity Workforce Study, states that the shortage of cybersecurity professionals around the globe is nearing 3 million.

As these roles go unfilled, our practitioners are finding themselves increasingly unable to meet the needs of their organizations as severe/critical incidents rise to an average of 224 per day, according to the 2018 EMA Megatrends Report. Security Orchestration, Automation, and Response (SOAR) can help organizations with security processes, automate specific actions, and intelligently inform teams, with the end goal of efficiency.

Join DomainTools Senior Security Advisor, Corin Imai, to learn how to combine comprehensive intelligence gathering, incident management, workflows, and analytics to implement SOAR successfully at your organization. In this session you will learn:

  • Strategies to build out complementary datasets with your SOAR tools
  • Best practices in the deployment and use of SOAR tools

Corin Imai, DomainTools Senior Security Advisor

11:15am - 12:00pm: AWS & Anitian Speaking Session

Title: AWS AUTHORITY TO OPERATE - COMPLIANCE AS CODE

Abstract:

AWS has announced a new program, Authority to Operate, that aims to accelerate clients through compliance. The cloud offers a fundamentally new way to do compliance. Rather than spending months (years) manually building compliant environments, cloud automation can build audit-ready environments in hours.

When compliance is automated, it becomes easy. There is no remembering to deploy things. There is no manual checking. Controls and configurations are integrated into the code, and therefore always deployed, and always configured correctly. Moreover, monitoring and remediation can also be automated, accelerating incident response to levels well beyond the capacity of humans.

However, codifying an environment is a profound change for many organizations. Existing tools, techniques, and technologies do not directly translate to the cloud. 

In this presentation, we will discuss the goals and vision of the AWS ATO program, as well as demonstrate how compliance can be automated. 

Tim Sandage, Amazon Web Services (AWS) Senior Security Partner Strategist & Andrew Plato, Anitian CEO

12:00pm - 12:15pm: Closing Remarks

Speaker Bio

Chris Crowley

Mr. Crowley has 15 years of industry experience managing and securing networks. He currently works as an independent consultant in the Washington, DC area. His work experience includes penetration testing, computer network defense, incident response, and forensic analysis.

Mr. Crowley is the course author for SANS Management 535 - Incident Response Team Management and holds the GSEC, GCIA, GCIH (gold), GCFA, GPEN, GREM, GMOB, and CISSP certifications. His teaching experience includes SEC401, SEC503, SEC504, SEC560, SEC575, SEC580, FOR585, and MGT535; Apache web server administration and configuration; and shell programming. He was awarded the SANS 2009 Local Mentor of the year award. "The Mentor of the Year Award is given to SANS Mentors who excel in leading SANS Mentor Training classes in their local communities."

"Chris really knew his stuff and presented ideas that made me change my mind on some policies and configs we employ." - William Jeskey, Tarrant County College
"Chris was one of the best instructors I have ever had in any training environment in almost 24 years of service." - Anonymous
