Spring Cyber Solutions Fest 2025: Zero Trust Track

  • Thursday, 20 Mar 2025 8:00AM EDT (20 Mar 2025 12:00 UTC)
  • Speaker: Greg Scheidel

In an age where cyber threats are ever-evolving and organizational perimeters blur, the mantra of "Never Trust, Always Verify" has never been more crucial. Join us at the Spring Cyber Solutions Fest for the Zero Trust Track, where industry leaders will explore the latest advancements, technologies, and best practices in the Zero Trust paradigm.

This track will gather top experts and vendors to help you navigate the complexities of implementing Zero Trust strategies effectively.

How to Register:

Login and click the Register button below. If you don’t have a SANS account, you’ll be prompted to create one—it’s free and easy.

What to Expect:

  1. Exploration of Key Zero Trust Principles
  2. How to Leverage AI to Detect and Mitigate Insider Threats
  3. Zero Trust in a Cloud Environment
  4. Insights on Emerging Technologies and Tools
  5. Strategies for Implementing Zero Trust Frameworks
  6. Best Practices for Continuous Security Improvement

Why Register?

  • It's Free! ✅
  • Earn a Certificate and GIAC CPE Credits ✅
  • Learn from Industry Experts ✅
  • On-Demand Access (Join live and watch on your own time!) ✅
  • Network with Cybersecurity Leaders ✅

SANS Slack:

  • Connect with our event chairs, speakers, and fellow participants on SANS Slack for real-time discussions and networking opportunities.

Thank You To Our Sponsors!

Sponsors: Delinea, Veeam, and one additional sponsor (logo only).

This webinar is offered free of charge through collaboration between SANS and its sponsor(s). If you prefer not to share your registration details with sponsor(s), a recorded webinar will be available approximately 30 days after its initial release through the SANS archive. To access the recording, you will need to create a SANS account, but your information will not be shared with the sponsor(s).

Agenda | March 20, 2025 | 8:30AM - 1:15PM EDT

Timeline (EDT) | Session Details

8:30 AM

Welcome & Opening Remarks

Megan Roddie, Co-Author, SANS Institute & Sr. Security Engineer, Datadog

8:40 AM

Session One | Evolving Detection Strategies: Leveraging Incident Response Lessons to Strengthen Security

As cyberattacks grow in sophistication, security teams must constantly evolve their detection and response capabilities to stay ahead of adversaries. In this webinar, we’ll explore how lessons learned from real-world incident responses can significantly inform and enhance detection strategies, ultimately improving an organization's resilience to modern threats. Drawing on recent case studies, we’ll discuss how a proactive, dynamic approach to detection engineering—combined with insights gained from incident response—can lead to more robust detection mechanisms. This session will focus on the intersection of detection and response, highlighting the importance of adapting detection methods based on the tactics, techniques, and procedures (TTPs) observed during incidents.

Spencer Brown, Senior Sales Engineer, Sophos

9:20 AM

Session Two | Ghosts in the Machine: Detecting Threats in Your Cloud

It's only a week after Halloween, but in cybersecurity the spooky threats come every day, all year round.

Join us for a spooktacular journey into the haunted world of cloud security! Cybersecurity Influencer and host of Screaming Security podcast Graham Cluley and Sysdig Cybersecurity Strategist Crystal Morin will help you shine a light on the eerie shadows where cyber threats hide, revealing the secrets to detecting and banishing them from your cloud environment.

Prepare yourself for a thrilling session filled with chilling tales and crucial insights as we explore:

  • Importance of Threat Hunting: Discover why hunting down these digital ghouls is essential to prevent them from causing nightmares.
  • Threat Intelligence: Learn how to use threat intelligence as your ghost-hunting guide, uncovering their tactics before they strike your environment.
  • Top Threats: Hear about the most menacing threats of 2024 and how to spot their spooky behavior and things that go bump in the night.

Graham Cluley, Host, Screaming Security and The AI Fix Podcasts; Cybersecurity Analyst and Influencer

Crystal Morin, Cybersecurity Strategist, Sysdig

10:00 AM

Break

10:15 AM

Session Three | How LUCR-3 (Scattered Spider) Orchestrates Identity-Based Attacks Across Environments

Advanced threat actors are compromising the identity infrastructure of some of the largest organizations in the world with ease. Upon gaining access to the identity provider, they are able to move laterally into IaaS, PaaS, and SaaS environments and steal data, all in the course of 2-3 days.

Join Ian Ahl, SVP of P0 Labs and former Head of Advanced Practices at Mandiant, as he shares knowledge stemming from responding to hundreds of breaches in his career. Ian will walk through how advanced threat groups target human and non-human identities for compromise, how they maintain persistence in environments, and provide some tips for detecting suspicious and malicious activity in identity providers, cloud service providers, and SaaS applications. He’ll also provide actionable steps security teams can take to prevent breaches or learn about them as quickly as possible.

Ian Ahl, Sr. Vice President, Permiso P0 Labs

10:45 AM

Session Four | Detection Engineering: Streamlined

Let's face it: IOC-based alerting just isn't cutting it anymore; it creates high alert volumes, noise, and inefficient workflows. Using the ALPHV/BlackCat ransomware group as a case study, we'll reimagine David Bianco's Pyramid of Pain, demonstrating how to normalize data, utilize noisy signals, and incorporate adversary TTPs for actionable alerts.

This session will demonstrate how Anvilogic can help you:

- Establish a strong detection program foundation with data hygiene
- Achieve rapid detection coverage in days, not months
- Develop better, reusable detections using the Detection Engineering Framework
- Automate maintenance, tuning, and health monitoring for hundreds of detections

Join us to revolutionize your threat detection process and enhance your SOC's efficiency and effectiveness.

Alex Hurtado, Detection Engineering Leader, Anvilogic

11:15 AM

Session Five | Fool Me Once: The New Face of Deception and How DNS Can Help

In today’s fast-evolving tech world, distinguishing truth from deception is tough, leaving users as the most vulnerable link. Attackers are capitalizing on high-stress situations and leveraging events like the CrowdStrike outages to create convincing traps. This talk will scrutinize how these deceptive tactics play out in real-world scenarios and why they’re more dangerous than ever. We’ll look at specific examples and explore how DNS provides a critical layer of defense against these threats. Lastly, you’ll learn about recent trends seen on DNSFilter’s own network, which resolves over 130 billion DNS queries daily.

Brian Gilstrap, Associate Sales Engineer, DNSFilter

11:45 AM

Break

12:00 PM

Session Six | Keynote Session: Days of Future Past: The Impacts of GenAI on Cybersecurity

Join Rob Lee for an in-depth, hour-long, thought-provoking session on Generative AI and how it is re-shaping cybersecurity and the professionals within it. You'll learn:

  • GenAI’s Cybersecurity Impact: GenAI is reshaping cybersecurity, creating both challenges and opportunities, especially in nation-state strategies like disinformation and cybercrime.
  • Evolving Cyber Tactics: Organizations must adapt their defensive and offensive strategies to keep pace with GenAI-driven changes.
  • Essential Up-skilling: Cybersecurity professionals need to up-skill to harness GenAI’s potential while addressing its new vulnerabilities.

Rob Lee, Chief of Research and Head of Faculty, SANS Institute

12:50 PM

Afternoon Kick-off

Megan Roddie, Co-Author, SANS Institute & Sr. Security Engineer, Datadog

1:00 PM

Session Seven | Level Up Existing Cybersecurity Defenses with Sophos MDR

Cybercriminals don’t break in; they log in. And they make a lot of noise.

To avoid being blocked, today’s active adversaries increasingly deploy stealth tactics, exploiting unpatched vulnerabilities, leveraging stolen credentials, and outsmarting commonly used IT security tools.

The solution? Round-the-clock detection and protection. But faced with hundreds of daily security alerts, many organizations using the Microsoft Security suite lack the time and in-house expertise to make the most of its multi-product capabilities.

To counter advanced ransomware attacks and breaches, consider integrating Sophos MDR for Microsoft Defender. It not only consolidates all security events into a single dashboard, but it also extends protection 24/7 with human-led detection and response. It’s perfect for when IT teams are understaffed or off the clock. Join this session to discover cost-effective ways to fortify your Microsoft defenses and regain some well-deserved peace of mind.

Spencer Brown, Senior Sales Engineer, Sophos

1:20 PM

Session Eight | Under the Mask: Unveiling ELF Malware and DDoS-as-a-Service

Beneath the surface of the digital landscape, a growing threat is hiding in plain sight. In this revealing session, the Sysdig Threat Research Team will unmask the insidious world of ELF malware and its role in powering DDoS-as-a-Service botnets. Sysdig Threat Detection Engineer Alessandra Rizzo will take you through the inner workings of the "Rebirth" botnet, a Mirai variant exploiting vulnerabilities in cloud environments and beyond. Discover how these threats evolve, the tactics attackers use to avoid detection, and the steps you can take to protect your systems. Join us as we unveil the hidden dangers and provide actionable insights to strengthen your defenses.

Alessandra Rizzo, Threat Detection Engineer, Sysdig

1:40 PM

Session Nine | Overcoming Technology Gaps of Traditional Purple Teaming

Purple teams play an essential role in identifying the weaknesses of our defenses. A manual and labor-intensive process, traditional purple team exercises often take significant time and can be limited in their scope. By breaking down techniques into discrete parts, we can more efficiently and effectively evaluate security controls’ failure points at scale. During this session, Prelude will explore a practical application of its Detect platform to simulate the techniques exhibited by common threats and evaluate defenses against expected results to quickly identify gaps in controls and understand:

  • Has our defensive technology captured and observed the raw telemetry of malicious events?
  • Have we created detections that can appropriately classify and alert security operations teams that these events are malicious?
  • Are we so confident in our detection logic as to enable our tools to act autonomously and prevent those events in the future?

Matt Hand, Director of Security Research, Prelude Security

2:10 PM

Session Ten | Detection Engineering Maturity: Helping SIEMs Find Their Adulting Skills

Is your SIEM still living in its parents' basement? It’s time to help it level up! Join us for a webinar that focuses on practical knowledge and actionable strategies to elevate your detection engineering game, regardless of your team's maturity.

We'll explore key milestones in a detection engineering team's journey – from basic log analysis to advanced threat hunting and automated response. Regardless of where you are today, you’ll find something relevant for you:

  • For early stage teams: Identify crown jewels, build a foundational detection framework, and leverage out-of-the-box tools.
  • For maturing teams: Harness threat intelligence, develop custom detection rules, and implement effective testing.
  • For advanced teams: Unlock behavior analysis, anomaly detection, and machine learning for proactive threat hunting.

Beyond just “more rules” and ingest optimization, have a real plan to grow up! Expect real-world examples, battle-tested techniques, and practical advice you can implement immediately. Transform your team from reactive incident responders to proactive threat hunters!

(Because no one wants a SIEM that still can’t do its own laundry).

Jay Lillie, VP Customer Success for CardinalOps
Dr. Anton Chuvakin, Security Advisor at Office of the CISO, Google Cloud

2:40 PM

Break

2:55 PM

Session Eleven | Your Secret Weapon for Detecting and Stopping Threats Faster: Your Decrypted Network Data

How do you find new and unknown threats lurking in your network? With attack surfaces expanding and becoming more complex, especially with infrastructures that are spread across multiple cloud and on-premise environments, you need full visibility and real-time access.

Join ExtraHop’s Jamie Moles as he showcases how decrypted network data can be your secret weapon to detect new threats and stop them faster. You’ll learn:

  • The limitations of EDR- and SIEM-based data for threat hunting.
  • How decrypting and analyzing network traffic can give your SOC the edge on detecting and stopping new emerging threats.
  • Tips to hunt further and deeper with network analytics, leveraging decrypted and decoded network protocols to spot bad actors as they move laterally, east/west across your environment.

Jamie Moles, Senior Manager, Technical Marketing, ExtraHop

3:25 PM

Session Twelve | Cloud Detection & Response: A Living Off the Cloud Attack

Living off the cloud attacks are on the rise. Executing rapid, cloud-native techniques to escalate privileges, move laterally between environments, and access critical assets, attackers are targeting the cloud more effectively than ever. This session will focus on a real-world living off the cloud attack case study, analyzing a step-by-step account of the attack as it unfolded from the attackers’ perspective.

We will then switch gears and rewind the attack, explaining how effective detection and response methodologies could — and should — have prevented every step of the attack. Defeating these threats requires powerful centralized visibility and control of all cloud environments and resources. Our key takeaways will therefore be tailored to leveraging the best methodologies and tools to take back the initiative and stop even the most sophisticated cloud attacks.

Yotam Meitar, Director, Cloud Detection & Response, Wiz

3:55 PM

Break

4:10 PM

Detection & Response Panel

In the detection and response market, organizations are often faced with a bewildering array of products and services, such as EDR, MDR, XDR, CDR, and NDR. It can be challenging to understand how these solutions differ and how they work together to provide effective protection against threats. This panel discussion will demystify the alphabet soup of detection and response solutions by exploring how each solution supports the overall visibility required to promptly detect and respond to threats targeting your organization. Join us to gain insights into the capabilities and limitations of these solutions and how to integrate them into your tech stack for a more robust defensive security posture.

Moderator:
Megan Roddie, Co-Author, SANS Institute & Sr. Security Engineer, Datadog

Panelists:
Brittany Deaton, Senior Sales Engineer - MDR, Sophos
Alex Lawrence, Field CISO, Sysdig
Crystal Morin, Cybersecurity Strategist, Sysdig

4:55 PM

Closing Remarks

Megan Roddie, Co-Author, SANS Institute

Frequently Asked Questions (FAQs)

Q: What is Spring Cyber Fest?

A: Spring Cyber Fest is a multi-day virtual event hosted by SANS, bringing together cybersecurity experts and practitioners to share insights, best practices, and actionable strategies across various tracks like threat hunting, cloud security, ransomware, and more. Attendees can expect expert-led sessions, hands-on demos, emerging threat insights, and networking opportunities—all at no cost.

Q: How many CPE credits can I earn?

A: You will earn 1 CPE credit for every hour you attend live or on-demand. For example, a 120-minute session earns you 2 CPE credits. This is a great opportunity to advance your professional development while learning from industry leaders.

Q: Do I need a SANS account to register?

A: Yes, a free SANS account is required to register. If you don’t already have one, creating an account is quick and easy during the registration process.

Q: What can I expect from the event if I’m new to SANS?

A: Expect high-quality, expert-led content tailored for cybersecurity professionals. Each track features sessions designed to provide practical knowledge, innovative solutions, and insights into the latest threats. You’ll also have the opportunity to ask questions and interact with presenters during live sessions.

Q: Do I need to register for each track separately?

A: Yes, registration is required for each track you’d like to attend. With five distinct tracks, you can customize your experience by choosing the topics most relevant to you. Don’t worry—registering for multiple tracks is quick and easy!

Q: When will more details about the event be available?

A: Detailed agendas and speaker lineups will be released closer to the event date. By registering, you’ll receive updates and announcements directly in your inbox, so you’re always in the loop.

Q: Can I attend if I have a busy schedule?

A: Absolutely! Sessions are designed to be flexible, and recordings will be available on-demand after the event. You can attend live sessions whenever possible and catch up on the rest at your convenience.

Q: Is Spring Cyber Fest free to attend?

A: Yes, Spring Cyber Fest is completely free! There’s no cost to register or attend any of the sessions.

Q: Who should attend Spring Cyber Fest?

A: Spring Cyber Fest is designed for both cybersecurity practitioners and executives. The event offers a variety of sessions covering an array of topics, ensuring relevant insights for professionals across different roles, industries, and experience levels.

Q: Is the event global?

A: Yes! Spring Cyber Fest is a global event, accessible to attendees worldwide. The virtual format ensures you can join from anywhere to explore cutting-edge content and connect with the cybersecurity community.

Q: Will recordings be available?

A: Absolutely. All sessions will be recorded and made available on demand for registered attendees. You’ll have the flexibility to revisit sessions at your convenience or catch up on those you couldn’t attend live.

Q: Will there be opportunities for networking?

A: Yes, Spring Cyber Fest includes opportunities to engage with fellow attendees and speakers through live Q&A sessions and interactive chats.

Q: How do I ask questions during sessions?

A: During live sessions, you’ll have access to a Q&A chat feature where you can submit questions directly to the speakers.

Q: I’ve registered—what happens next?

A: Once registered, you’ll receive email updates with details about the event agenda, session links, and any additional information you need to make the most of Spring Cyber Fest.