Spring Cyber Solutions Fest 2025: Detection & Response Track

8:30 AM

Welcome & Opening Remarks

Megan Roddie-Fonseca, Event Chair, Co-Author, SANS Institute

8:45 AM

Session One | Cloudy with a Chance of AI Threats: Securing the Future of AI-Driven Cloud Detection and Response

As enterprises increasingly integrate AI into their cloud ecosystems, security teams must confront a rapidly evolving threat landscape. The rise of large language models, Shadow AI, and AI-driven attacks introduces new challenges that demand a shift in security paradigms. How can organizations secure their critical assets while leveraging AI’s transformative potential?

In this talk, we will explore the intersection of AI and cloud security, shedding light on emerging risks such as AI-enabled data exfiltration and adversarial attacks. We’ll also examine proactive strategies, including Cloud Detection and Response (CDR), to enhance runtime protection. Attendees will gain actionable insights on fortifying their cloud environments, adapting to the new era of AI-driven threats, and staying ahead of adversaries in the modern security landscape.

Jimmy Mesta, CTO and Co-Founder, RAD Security

9:25 AM

Session Two | Optimize Your Security Data Pipeline for Better Threat Detection and Response

Security is often referred to as a big data problem, and the growing volume, variety, and nuance of security telemetry requires more sophistication and control than ever before. This session dives into data pipeline management recommendations for security operations. We’ll show how you can improve the way you route, reduce, redact, enrich, and transform security data to manage scale, reduce costs, satisfy compliance mandates, and, most importantly, drive better threat detection and response.

Kanna Sekar, Senior Cloud Security Engineer, Google Cloud

Keith Manville, Cloud Security Engineer, Google Cloud

10:05 AM

Break

10:15 AM

Session Three | Defining the 'R' in CDR: A Realistic Approach to Responding to Cloud Detections

Cloud environments are complex and dynamic, and traditional security solutions often fall short. This gap has led to the rise of Cloud Detection & Response (CDR) - but what does “response” actually mean in this context? Significant time is spent focusing on cloud detections, but the critical question remains: How do we respond effectively?

This talk will dive into:

- The Rise of CDR: The key components of Cloud Detection and Response.

- Response Fundamentals: Best practices for effective response in the cloud.

- Top 5 Considerations: Critical factors to consider when formulating your response to cloud detections.

Join us for a practical and actionable discussion on mastering the “R” of CDR and strengthening your cloud security posture.

Al Carchrie, Lead Solutions Engineer, Cado Security

Shannon Lucas, Principal Solutions Architect, Cado Security

10:45 AM

Session Four | Real-Time Identity Threat Detection and Response

Identity-based attacks are rising over 3X per year and traditional Identity and Access Management (IAM) products like Okta, Ping and Forgerock have proven they are insufficient to stop modern attacks. As a result, Identity Threat Detection and Response (ITDR) solutions have solidified their role as a critical component in the cybersecurity landscape, focusing on detecting and responding to identity-based threats.

Verosint adds comprehensive user account observability, threat detection, and automated prevention for traditional IAM to protect against account takeover, credential stuffing, insider threats, and much more. Instead of reactively trying to answer “what happened?”, Verosint proactively stops bad actors in their tracks.

Verosint implementation takes about 5 minutes with a simple API key, and one Okta customer saved over 25,000 labor hours and blocked over 49,500 attacks in just the first 90 days. Learn much more and see a live product demo in this 30min session.

Travis Favaron, Head of Product, Verosint

Mark Batchelor, CTO and co-founder, Verosint

11:15 AM

Session Five | 2025 Incident Report and Overview

In the past year, we have seen threat actors making larger and faster moves that damage their targets. The Unit 42 Incident Response and Threat Intelligence teams have put together the Palo Alto Incident Response Report 2025, taking care to include detailed notes concerning the latest and greatest vulnerabilities, threats, and threat actor groups.

Join this talk if you'd like to learn more about the current nature of the ever-evolving beast that we call cyber security. Unit 42 has helped hundreds of organizations assess, respond, and recover from cyberattacks. We helped reduce operational downtime and got them back to business quicker. What attacks did we see the most? What has changed since last year? What do you need to know going forward as we progress through 2025? Let's discuss!

Ryan Chapman, Team Lead, Unit 42 Managed Threat Hunting, Palo Alto Networks

11:45 AM

Break

12:00 PM

Session Six | Work Smarter, Not Harder with AI in Security Operations

Whether you’re the OG or new to the SOC, AI can help you save time, get results faster, and reduce stress. This session explores practical applications of AI in security operations to help teams create queries, assist in investigations, generate detections, summarize large amounts of data, and build playbooks. Learn how best to use AI, which use cases work best, and AI’s impact on detection and response engineering.

Greg Kushmerek, Global Security Architect, Google Cloud

12:20 PM

Session Seven | Unleashing the Digital Security Workforce: AI-Powered Security Operations for the Cloud-Native Era

In this session we will experience how a digital agentic workforce transforms cloud security operations by dramatically reducing time-to-remediation and expanding team capabilities without additional headcount. We'll showcase how security teams can reclaim countless hours through AI-powered assistants that handle everything from securing generative AI deployments and triaging critical vulnerabilities to automating complex compliance workflows—all through natural language conversations. Watch as these intelligent agents generate tailored network policies adhering to least-privilege principles, provide contextual remediation guidance for container misconfigurations, and continuously monitor runtime environments for emerging threats. Join us to discover how RAD Security serves as a force multiplier for security teams, enabling them to secure modern cloud-native environments at scale while focusing human expertise where it matters most.

Jimmy Mesta, CTO and Co-Founder, RAD Security

12:40 PM

Session Eight | The Twilight of Blocklists: How AI and DNS Detect Modern Threats

Static blocklists are no match for today’s attackers, who deploy AI to generate phishing sites, deepfake domains, and malicious campaigns at unprecedented speed. To defend against these evolving threats, detection strategies must evolve too. DNS provides a unique vantage point as the internet’s first line of defense, and when paired with AI, it becomes a powerful, multi-dimensional tool for detecting and neutralizing malicious activity. In this session, we’ll take you behind the scenes of AI-powered DNS detection—exploring how machine learning analyzes content, uncovers domain-level patterns, and interprets network behaviors during high-risk events like the Super Bowl and Tax Season, where attackers strike hardest.

Carl Levine, Senior Manager, Product Management, DNSFilter

1:10 PM

Break

1:25 PM

Session Nine | Nowhere to Hide: A Discussion on the Importance of Network Visibility

In today's hyper-connected digital landscape, the notion of privacy and security within a network has become increasingly elusive. Nowhere to Hide: A Discussion on the Importance of Network Visibility explores the complexities of modern networks, shedding light on the visibility, vulnerabilities, and control mechanisms that define digital interactions. This discussion delves into the importance of network awareness, the potential risks of unmonitored traffic, and the strategies for securing data flows in both personal and enterprise environments. By examining real-world threats, surveillance implications, and the impact of emerging technologies, this session aims to empower individuals and organizations with the knowledge to navigate and safeguard their digital presence effectively.

Heath Mullins, Chief Evangelist, ExtraHop

1:55 PM

Session Ten | Supply Chain Compromise: Ransomware Targets RMM Tooling

External facing services and software are common vectors targeted by ransomware operators. Managed Service Providers (MSPs) are tasked with securing these services and rely on these extensively to perform their operational services responsibilities. What happens when one of those services becomes compromised, such as a Remote Management and Monitoring (RMM) tool? How do you detect suspicious activity stemming from abuse of an RMM? How do you contain the threat without disrupting your business?  

Sophos MDR responded to a downstream MSP compromise where ransomware operators gained access to the RMM cloud management interface. The actors gained access to administrator credentials via targeted phishing and were able to deploy their own malicious RMM instance to act on objectives. In this session, you’ll learn:  

• Identifying and detecting suspicious activity stemming from RMM tools  
• Response actions to contain and remediate a downstream compromise 
• Communication strategies for collaborating with MSPs during a critical incident  
• Best practices for securing RMM login interfaces  

Anthony Bradshaw, Manager, Incident Response, Sophos

2:25 PM

Session Eleven | Detection? Meet Prevention! Enriching Your Defenses with MITRE ATT&CK

Detection is a mainstay practice of security teams – but things get confusing when we start to consider where “prevention” lives in the organization. Are we talking about patching systems? Configuring posture management tools? Enterprise directory management? Firewall rules?

What about an approach that lets you tackle threat defense holistically – implementing detection and prevention recommendations together, improving each with the context from the other?

Join Dr. Anton Chuvakin, Security Advisor at Office of the CISO, Google Cloud, and Jay Lillie, VP of Customer Success at CardinalOps, as they explore the power of the MITRE ATT&CK framework and provide ways to link it to the work you’re already doing in building out detections in your SIEM. It’s a new perspective on threat exposure management delivered with an eye towards simple implementation and practical outcomes.

Jay Lillie, VP of Customer Success, CardinalOps

Dr. Anton Chuvakin, Security Advisor at Office of the CISO, Google Cloud

2:55 PM

Break

3:10 PM

Session Twelve | Elevate Your Security Operation: Leveraging Next Level Managed Detection and Response (MDR) to Drive Prevention and Deliver Business Value

Join Mark Gillett, Vice President of Product Management at eSentire, for a 30-minute webinar as he explores the next evolution in security operations. Today's security leaders are no longer satisfied with reactive Managed Detection and Response (MDR), they're seeking a proactive approach that continuously advances their security posture, reduces risk, and delivers heightened levels of protection to their organization. In this session, Mark will outline the 7 core foundational elements required to achieve optimal threat detection and response capabilities and Next Level MDR:

* Full visibility of the attack surface and commercially available detections

* The ability to detect attacks designed to evade existing security tech in near real time

* The capability to rapidly investigate threats, accurately identify attacks and prevent business disruption

You'll learn how Next Level MDR can: continuously harden your security posture with proactive threat intelligence; advance your security operation to deliver greater value to your organization by identifying and mitigating emerging threats, such as zero-day vulnerability exploits and advanced persistent threats; and continuously reduce your exposure to risk by identifying, prioritizing, and remediating new vulnerabilities before they can be exploited.

Mark Gillett, Vice President, Product Management, eSentire

3:40 PM

Session Thirteen | Addressing The Most Prominent Attacks of The 2025 Malware Landscape

In 2024, known ransomware attacks increased by 13%, the old guard of ransomware groups gave way to a new breed of “dark horse” gangs, and living-off-the-land attacks have become more prominent. 

Cybersecurity evangelist, Mark Stockley, will walk you through the most dangerous threats and EDR Product Manager, Robert Elworthy, will speak to industry best practices and explain the proactive measures IT and security teams can take to protect their businesses.

Key takeaways 

·Learn about “dark horse” ransomware, the fall of LockBit and the rise of RansomHub.

·Understand attackers’ favorite Living Off the Land tools and how they gain entry. 

·Leave with a clear understanding of the most dangerous threats of 2025 and what it takes to protect your business.

Mark Stockley, Cybersecurity Evangelist, ThreatDown

Robert Elworthy, EDR Product Manager, ThreatDown

4:10 PM

Session Fourteen | Panel Discussion

Megan Roddie-Fonseca, Event Chair, Co-Author, SANS Institute

Jimmy Mesta, CTO and Co-Founder, RAD Security

Greg Kushmerek, Global Security Architect, Google Cloud

Sandy Borneman-Wenzel, Principal Architect, Cloud Security, Google Cloud

4:55 PM

Closing Remarks

Megan Roddie-Fonseca, Event Chair, Co-Author, SANS Institute