Monday, June 24, 2019

2019 SOC Summit - Action Items

Slide decks for the talks are available here:

YouTube video (duration: 8:35) covering these items:

=-=-=- Day 1 =-=-=-

Keynote: Lessons Learned Applying ATT&CK-Based SOC Assessments
Action Item: Plan for an ATT&CK based assessment to identify coverage, internal or third party.

Use Case Development Utilizing an ARECI Chart
Action Item: Identify Gaps in coverage using ARECI charts built from use cases.

Use Cases Development as a Driver for SOC Maturation
Action Item: Tune down the noise.

A SOC Technology/Tools Taxonomy – And Some Uses for It 
Action Item: Compare your deployed SOC infrastructure to the proposed taxonomy.

Mental Models for Effective Searching
Action Item: Minimize time spent at the blank search bar by developing effective capability.

Managing Security Operations in the Cloud
Action Item: Familiarize yourself with cloud defenses available and integrate into the DevOps cycle to leverage them.

Virtuous Cycles: Rethinking the SOC for Long-Term Success
Action Item: Autonomy, Mastery, Purpose. Skills, Empowerment, Creativity, Growth. Automation -> Efficiency -> Metrics.

2019 SANS SOC Survey Preview: Live Simulcast
Action Item: Download and read the 2019 SOC Survey when it comes out.

=-=-=- Day 2 =-=-=-

How to Disrupt an Advanced Cyber Adversary
Action Item: Focus on Network Awareness, Cyber Hygiene, and proper Device Configuration.

Breach -> ATT&CK -> Osquery: Learning from Breach Reports to Improve Cross-platform Endpoint Monitoring
Action Item: Whatever you choose to instrument your endpoints with, learn the granular differentiation of the host that will make detection and hunting meaningful.

Shared Security Services: How to Adjust to an Ever-growing Landscape of Security Operations Center Responsibilities
Action Item: Tell a good story about your SOC, and your internal collaborators.

The Call Is Coming from Inside the House: How Does Your SOC Respond When Attackers Are On-Site?
Action Item: Make people disappear. Think about how the physical matters.

How to Literally Think Like an Attacker to Become a Better Defender
Action Item: Think.

Arming SecOps with a Special Forces Targeting Process
Action Item: Advance your thinking using intelligence.

The Case for Building Your Own SOC Automations
Action Item: Automate good capabilities, that you already have or want. SOAR tools not required.

Rapid Recognition and Response to Rogues
Action Item: Know thy network (as much as you can).

This Will Never Work: Tales from Disappointingly Successful Pen Tests
Action Item: Demonstrate weakness to drive improvement. Take time to laugh.



  2. SOC automation drives playbook execution of incident response workflows by formalizing best practices and then executing them through an automated sequence of tasks.