Slide decks for talks available here:
YouTube video (duration: 8:35) summarizing these items: https://www.youtube.com/watch?v=W-GGqx-q_Rg
=-=-=- Day 1 =-=-=-
Keynote: Lessons Learned Applying ATT&CK-Based SOC Assessments
Action Item: Plan for an ATT&CK based assessment to identify coverage, internal or third party.
Use Case Development Utilizing an ARECI Chart
Action Item: Identify Gaps in coverage using ARECI charts built from use cases.
Use Cases Development as a Driver for SOC Maturation
Action Item: Tune down the noise.
A SOC Technology/Tools Taxonomy – And Some Uses for It
Action Item: Compare your deployed SOC infrastructure to the proposed taxonomy.
Mental Models for Effective Searching
Action Item: Minimize time spent at the blank search bar by developing effective capability.
Managing Security Operations in the Cloud
Action Item: Familiarize yourself with cloud defenses available and integrate into the DevOps cycle to leverage them.
Virtuous Cycles: Rethinking the SOC for Long-Term Success
Action Item: Autonomy, Mastery, Purpose. Skills, Empowerment, Creativity, Growth. Automation -> Efficiency -> Metrics.
2019 SANS SOC Survey Preview: Live Simulcast
Action Item: Download and read the 2019 SOC Survey when it comes out.
=-=-=- Day 2 =-=-=-
How to Disrupt an Advanced Cyber Adversary
Action Item: Focus on Network Awareness, Cyber Hygiene, and proper Device Configuration.
Breach -> ATT&CK -> Osquery: Learning from Breach Reports to Improve Cross-platform Endpoint Monitoring
Action Item: Whatever you choose to instrument your endpoints with, learn the granular differentiation of the host that will make detection and hunting meaningful.
Shared Security Services: How to Adjust to an Ever-growing Landscape of Security Operations Center Responsibilities
Action Item: Tell a good story about your SOC, and your internal collaborators.
The Call Is Coming from Inside the House: How Does Your SOC Respond When Attackers Are On-Site?
Action Item: Make people disappear. Think about how the physical matters.
How to Literally Think Like an Attacker to Become a Better Defender
Action Item: Think
Arming SecOps with a Special Forces Targeting Process
Action Item: Advance your thinking using intelligence.
The Case for Building Your Own SOC Automations
Action Item: Automate good capabilities that you already have or want. SOAR tools not required.
Rapid Recognition and Response to Rogues
Action Item: Know thy network (as much as you can).
This Will Never Work: Tales from Disappointingly Successful Pen Tests
Action Item: Demonstrate weakness to drive improvement. Take time to laugh.