Post on 24-Sep-2020


Page 1: Keynote - content.sans.org SOC_3.pdf · Keynote Measure Yo Bad Self ... • Craig L. Bowser, Sr. Security Engineer, Dept. of Energy ... The answers to these questions may be more

We strive to present the most relevant, timely and valuable content. As a result, this agenda is subject to change.

Please check back frequently for changes and updates.

Monday, July 30

9:00-9:15 am

Welcome & Introductions

Chris Crowley (@CCrowMontance), Summit Chair, SANS Institute

9:15-10:00 am

Keynote: Measure Yo Bad Self

Advancing in capability and maturity is a must for almost any cyber security operations center (CSOC), as they are compelled to keep pace with their environment, mission, and adversaries. Measuring CSOC effectiveness through the right data gathering can drive evolution and focus the team’s efforts. Yet some CSOCs may view a formal metrics program as too complicated to try; for others, over-zealous obsession by management may turn “metrics” into a four-letter word in the eyes of many analysts. It doesn’t have to be this way. In this talk, Mr. Zimmerman will offer some practical examples of metrics usable by CSOCs of any age, maturity level, or size. The presenter will step through some practical metrics that help CSOCs measure and grow their level of effectiveness, and provide some advice on how to avoid common metrics pitfalls.

Carson Zimmerman, Cyber Security Operations Center (CSOC) Engineering Team Lead, Microsoft

10:00-10:20 am

Networking Break

10:20-11:00 am

“Oops!”: Internal IR Communications & Why We Are Still Failing During Incident Response

IR plans will frequently concentrate on the technical elements, omitting communication. When communication is included in IR plans, it is usually focused on external audiences for compliance or notification requirements. Internal communications are integral to successful response activities, and woe betide the IR team that forgets! As a DFIR community, we all have a story to tell when it comes to missteps taken during an incident response, and the common denominator in many of these miscues is issues with communications. Stakeholders make assumptions, comms cadence loses its rhythm, the chain of command is not understood, or important messages are not delivered well, if at all. Join the Cisco Security Incident Response team as we talk about the types of critical internal communications and how we as responders can embed communication into our IR DNA. We’ll include tips on cadence, messaging, audiences, and mediums while giving examples of successes and failures we have experienced.

Brad Garnett, Team Lead - Incident Response, Cisco
Shelly Giesbrecht, Team Lead - Incident Response, Cisco


11:00-11:40 am

Give Your SOC a Soul

The evolution of enterprise monitoring and detection technologies has made the pane of glass that sits between your analysts and piles of raw data hiding "evil needles" the stuff of magic. Increased automation continues to distill the duties of a SOC analyst to those that are most valuable and human driven. Yet strides in process and technology do not necessarily equate to improved job satisfaction for SOC analysts. This raises the question: what empowers and invigorates a team of analysts? What gives a SOC a SOUL (Self-driven sense of Ownership, Unity and Long-term commitment)? Join Alissa Torres in a session that introduces lessons learned on growing SOC culture through experimentation, investments and limitless bounds of exploration.

Alissa Torres, Incident Response Manager, Cargill; Certified SANS Instructor, DFIR
Marcus Ward, Senior Security Operations Center Analyst, Cargill

11:40 am - Noon

SANS SOC Survey

Chris Crowley (@CCrowMontance), Summit Chair, SANS Institute

12:00-1:00 pm

Networking Lunch

1:00-1:40 pm

Panel: Apples and Oranges?: A CompariSIEM

SIEMs have been a central tool of SOCs for at least a decade. There are currently a significant number of vendors in this space, each of which offers different strengths that appeal to different organizations. While there are many measures that can be used to compare each vendor (e.g. the Gartner Magic Quadrant, proofs of concept, or personal experiences), we want to focus on what they all do: help SOCs monitor and find “bad.” This will show that just because your SIEM doesn't look like someone else's SIEM, you can monitor and detect the bad guys just as well as anyone else. To demonstrate this fact, we will take several SMEs, knowledgeable on different SIEM vendors, and give them two use cases each. They will demonstrate how each SIEM can be configured to monitor for and alert on that specific activity in an enterprise. This will include information about the level of effort needed, the data sources required, and a list of steps that you can use for implementation in your environment. The goal of this is not to bash competitors, but to encourage SOCs not to view their tool as a handicap, and to be inspired to find creative solutions.

Moderator: Chris Crowley (@CCrowMontance), Summit Chair, SANS Institute

Panelists:

• Craig L. Bowser, Sr. Security Engineer, Dept. of Energy

• Justin Henderson, Instructor & Course Author, SANS Institute

• Dave Herrald (@daveherrald), Staff Security Strategist, Splunk


1:40-2:20 pm

How Your SOC Can Nourish Your Organization with FOOD, Not FUD

Session description to come

My-Ngoc Nguyen, CEO/Principal, Security IT Solutions, LLC; Instructor, SANS Institute

2:20-3:00 pm

What to Follow? The Sun or the Stars

The “Follow the Sun” methodology by which most large-scale SOCs are deployed is widely accepted for many reasons. Bad actors do not care about your local office hours. Your global incident response centers from all around the world may work together well, but are they able to offer your whole SOC team the best response to all of your alerts? While having a 24x7 SOC is important to any business, a developing SOC needs to delve deeper to realize its full potential. Important considerations to think about are:

- How can you make sure you are getting the same powerful response from all SOC analysts everywhere in the world?
- How can you make sure that having a 24x7 SOC does not just fill a “check mark” in an audit category?
- How can you correctly allocate your SOC budget around the world?
- How do you balance the difference between spending money on more headcount or redirecting that budget toward automation or more advanced detection capabilities that include behavioral or AI/ML detections?

While even the most mature SOC is always in a development phase, pointed questions such as these need to be explored to realize the full potential of your SOC investment. The answers to these questions may be more revealing than simply adding headcount and will help your SOC grow beyond just being “world class” and into the stars.

Kevin Garvey, Manager - Incident Response and Threat Management, Time Warner

3:00-3:20 pm

Networking Break

3:20-4:00 pm

Hacking your SOEL: SOC Automation and Orchestration

The world of daily IT security operations has not changed significantly for the past decade as far as process enablement, but now a new technology has arrived, enabling security teams to operate better, stronger and faster. With automation and orchestration, those mundane processes can be handled by computers, allowing the SOC team to truly focus on identifying and responding to the real threats and attacks. Are you using the machine or is the machine using you? Hacking your SOEL is about looking at these processes, whether it's a two-person security operation or a full-complement SOC. This presentation will explain how to start identifying the processes that computers can handle on your behalf, and how to go beyond simple use cases to truly leveraging all of the available security tools to enable agile detection and adaptive response. And if you don’t have those initial processes written down, we will explain how to hack your SOEL (Security Operations Event Lifecycle) model to get efficiency and effectiveness going. Security automation and orchestration isn't just for big SOC operations or MSSPs ... it's for everyone!

Target Audience: SOC teams, CISOs, CIOs

Key Takeaways
- Automation and orchestration is a valuable tool that can help SOC teams be more agile and effective
- Building playbooks starts with mapping your available technologies and then discovering your response opportunities
- APIs, integration and the combination of both computer automation and human decision support are essential; you can’t take your hands off the wheel, yet.

Rob Gresham, Security Solutions Architect, Splunk

4:00-4:40 pm

It's All About Your Assets: Inline Vulnerability and Event Management

The key to successfully remediating vulnerabilities and responding to events is integrating into existing business processes and tools and consolidating relevant data to provide more information to SOC analysts and incident responders. This requires the organization to understand what information is important and to put in place processes, procedures, and technology to support gathering and maintaining these attributes. We will take a look at how we can integrate ServiceNow, Qualys, and Splunk to provide better visibility into vulnerability and event data and to accelerate remediation and response activities.

David Hazar, Advisory Senior Manager, Deloitte

4:40-5:20 pm

The Healthy SOC: A Case Study

Most organizations, especially those in healthcare, start with little in the way of a security operations center (SOC) and respond in an ad-hoc manner; Mayo Clinic was no exception. Starting with a team that consisted of IT colleagues who were rapidly trained into security professionals, in only a few years the Mayo Clinic SOC has grown into a multi-tiered 24x7x365 group that can rapidly respond to incidents, conduct forensics, and hunt existing threats in the organization. This presentation will focus on Mayo Clinic’s development of the Security Operations Center from its initial inception to its current form, focusing on the transition to a more mature organization. Topics covered will include what worked, what didn’t, what metrics measure our success, how analysts from all tiers are able to work together to quickly solve issues, and what the future holds.

• Tyler Hudak, Principal Engineer - Senior Manager - CyberSecurity Ops Center (CSOC), Mayo Clinic

• Richard Noel, Manager – MSSP, Mayo Clinic

• Chad Sadosty, CISSP, Senior Manager - CSOC, Mayo Clinic

6:30-9:30 pm

Summit Night Out in NOLA!


Tuesday, July 31

9:00-9:45 am

What the CISO REALLY Wants Out of Your SOC

You do not want the pilot of your next flight to have anything less than full visibility into the operation of the next airplane you board. Why would you allow your CISO to have anything less than full visibility into what is happening in your SOC? CISOs will either know now or they will unfortunately know later. How long can your CISO stand to not know there is trouble simmering in your SOC? This presentation will provide you with practical takeaways to demonstrate value from your SOC to your CISO and ultimately to your entire organization.

Russell Eubanks, CISO, Federal Reserve Bank of Atlanta

9:45-10:25 am

Building the SecOps Use Case

Use case development is an essential skill in defining how a security operations team works, the issues the team addresses, and how the team responds to alarms and performs threat hunting. In this session, a well-defined and proven use case model will be presented. The model is designed to maximize meeting time, leverage the IT $pend, and provide clear guidance so that security incident response can achieve better outcomes.

Don Murdoch, Security Operations Center Manager, SLAIT

10:20-10:50 am

Networking Break and Vendor Expo

10:50-11:30 am

Back to Basics: There Is No Security Without System Integrity

Security breaches are now outpacing security spending by a factor of 4:1, and the Department of Homeland Security recently indicated that 85% of organizations today have been breached and they just do not know it yet. How did we get here and what do we do about it? The answer lies within system integrity, which is the least understood and at best ambiguous, while things like encryption, confidentiality, and the latest and greatest security tool have taken the spotlight. The good news is that SANS understands that integrity is foundational and paramount to security and has defined it as the most critical pillar to achieving a trusted platform utilizing the CIA Triad. Case in point: a confidentiality breach in a car means someone learns of one's driving habits; an integrity breach means they can take control of the brakes and steering. IP Services and IT Process Institute will review and share strategies that incorporate system integrity practices and tooling, including managing change and configurations, inventorying assets, and implementing effective release management processes. Deploying controls that are both visible and auditable is paramount. By implementing these processes, organizations can install methods that ensure system integrity that meets today’s security and compliance challenges, while ensuring that business objectives are met.

Scott Alldridge, CEO, IP Services


11:30 am – 12:10 pm

Talk description to come

Rob Gresham, Security Solutions Architect, Splunk
Ismael Valenzuela (@aboutsecurity), SANS Certified Instructor, GSE #132; Principal Engineer at McAfee

12:10-1:30 pm

Networking Lunch and Vendor Expo

1:30-2:10 pm

Panel: Moving on Up(?): Making the Leap from Technical to Managerial Positions

SOC managers seem to come to that role through two paths. The first is that they've been successful in an area of management (such as DevOps or IT Ops) and they're put into the SOC Manager role because they were successful at managing something else. The other path is a technical subject matter expert who starts to take on more responsibility for overseeing others' work, then moves from technical expert to manager. We're going to ask several people at several different stages of their careers to discuss their personal career path.

Moderator: Chris Crowley (@CCrowMontance), Summit Chair, SANS Institute

Panelists:

• John Hubbard, SOC Manager, GlaxoSmithKline

• John Pescatore, Director – Emerging Technologies, SANS Institute

• Ismael Valenzuela (@aboutsecurity), SANS Certified Instructor, GSE #132; Principal Engineer at McAfee

2:10-2:50 pm

How to Turn Your Security Operations Center Into a Threat Hunting “Tour de Force”

Many security leaders have decided to adopt threat hunting in their security programs. However, most don't know how to build their existing teams and establish them as a threat hunting “tour de force." This informative talk will share hiring strategies, team structure, processes, and tools to equip your team for success, as well as guidelines for aligning your plan with the threat hunting maturity model. Attendees will learn to:

• Define and scope the mission or directive of their threat hunting team
• Staff a new threat hunting team despite security talent shortages
• Understand the tools, processes, and skill sets required at various stages of the threat hunting maturity model
• Identify whether to add threat hunting to an existing operations team or build a net new group
• Overcome unique challenges of managing a threat hunting team

Joe Moles, Director of Detection Ops, RedCanary

2:50-3:30 pm

Networking Break and Vendor Expo

3:30-4:10 pm

Burning Down the Haystack

How do you find the needle in the haystack? Burn all the hay! In this talk, Tim aims to show how automation can help "burn the hay" and deal with the overwhelming volume of alerts that IR analysts deal with on a daily basis. Tim will give examples of Security Automation & Orchestration (SAO) speeding up the alert triage process through enrichment from internal and external tools, proceeding to a human decision in the loop and then going directly to take response action through integration with existing security tools such as firewalls, proxies, and endpoint solutions.

Tim Frazier, Security Engineer, Phantom Cyber

4:10-4:50 pm

The Most Dangerous Game: Hunting for Post-Exploitation Stage Attacks with Elastic Stack and the MITRE ATT&CK Framework

Modern cyber defense requires the mindset of "assume breach,” but with so much data generated by our networks and endpoints, how can we collect the information needed to identify attacks in an affordable way, let alone sort through it all? This talk will discuss the unique challenges of finding post-exploitation activity in our mountains of data and walk through using the open source Elastic Stack to identify the techniques enumerated in MITRE's ATT&CK framework. Attendees will be given an overview of how to leverage the ATT&CK body of knowledge, options for data collection, and suggested rules and dashboards that specifically target finding post-exploitation activity. The goal of this talk is to arm defenders with industry-validated attack knowledge, and demonstrate how late-stage compromises can be identified and stopped before significant damage is caused.

John Hubbard, SOC Manager, GlaxoSmithKline

4:50-5:00 pm

Closing Remarks

Chris Crowley (@CCrowMontance), Summit Chair, SANS Institute

Speaker Biographies

Scott Alldridge (@scottalldridge), CEO, IP Services

Scott brings a wealth of knowledge with over 30 years of experience in the information technology business arena. He was one of the first adopters of ITIL (IT Infrastructure Library), which has driven world-class service management deliverables for IP Services for more than 20 years. Scott is also among a select group certified on the ITIL processes and standards and has advised the world’s top 5 service providers on IT best practices and service deliverables. Scott is also a founding member and President of the IT Process Institute, an organization that provides IT standards research, prescriptive guidance, and benchmarking. Scott’s technical accomplishments and 30 years of experience as a technologist have made him a sought-after guest speaker; his most recent engagements include speaking at the Synergy-by-Association Banking and CyberSecurity Summit, where he keynoted with Dr. Ron Ross from the National Institute of Standards and Technology (NIST). Scott’s unique research-based presentations relating to cybersecurity have made him an in-demand speaker at many other conferences and technology and cybersecurity summits in the banking and health care sectors.

Craig Bowser (@shad0wtrackers), Sr. Security Engineer, Dept. of Energy

Craig Bowser is an infosec professional with 18 years of experience in the field. He has worked as an Information Security Manager, Security Engineer, Security Analyst and Information System Security Officer in DoD, DOJ and Dept of Energy areas. He has some letters that mean something to HR departments. He is a Christian, Father, Husband, Geek, Scout Leader who enjoys woodworking, sci-fi fantasy, home networking, tinkering with electronics, reading, and hiking. And he has a to-do list that is longer than the open time slots he has to do it.

Chris Crowley (@CCrowMontance), Summit Chair, SANS Institute

Christopher has 15+ years’ experience managing and securing networks. He currently works as an independent consultant in the Washington, DC area focusing on effective computer network defense. Chris' work experience includes penetration testing, security operations, incident response, and forensic analysis. He is the course author for SANS Management 517 - Managing Security Operations and SANS Management 535 - Incident Response Team Management and holds the GSEC, GCIA, GCIH (gold), GCFA, GPEN, GMOB, GASF, GREM, GXPN and CISSP certifications. His teaching experience includes FOR585, MGT517, MGT535, SEC401, SEC503, SEC504, SEC560, SEC575, and SEC580; Apache web server administration and configuration; and shell programming. He was awarded the SANS 2009 Local Mentor of the Year award.

Russell Eubanks (@russelleubanks), Vice President and Chief Information Security Officer, Federal Reserve Bank of Atlanta; Certified SANS Instructor

Russell Eubanks is Vice President and Chief Information Security Officer for the Federal Reserve Bank of Atlanta. He is responsible for developing and executing the information security strategy for both the Retail Payments Office and the Atlanta Reserve Bank. Russell has developed information security programs from the ground up and actively seeks opportunities to measurably increase their overall security posture. Russell is a Handler for the SANS Internet Storm Center, serves on the Editorial Panel for the Critical Security Controls and maintains securityeverafter.com. He holds a bachelor's degree in computer science from the University of Tennessee at Chattanooga.

Tim Frazier, Security Engineer, Phantom Cyber

During his 12+ years of industry experience, Tim has built networks, led teams, architected security infrastructure and solutions, and consulted for large organizations including the US Army and a large electric power utility. Tim now spends his time helping Security Operations Centers automate workflows into code-based "playbooks" in their environments.

Brad Garnett (@brgarnett), Team Lead – Incident Response, Cisco

IR plans will frequently concentrate on the technical elements, omitting communication. When communication is included in IR plans, it is usually focused on external audiences for compliance or notification requirements. Internal communications are integral to successful response activities, and woe betide the IR team that forgets! As a DFIR community, we all have a story to tell when it comes to missteps taken during an incident response, and the common denominator in many of these miscues is issues with communications. Stakeholders make assumptions, comms cadence loses its rhythm, the chain of command is not understood, or important messages are not delivered well, if at all. Join the Cisco Security Incident Response team as we talk about the types of critical internal communications and how we as responders can embed communication into our IR DNA. We’ll include tips on cadence, messaging, audiences, and mediums while giving examples of successes and failures we have experienced.

Kevin Garvey, Manager – Incident Response and Threat Management, Time Warner; SANS Mentor

Incident response is not just about gathering facts and stopping the enemy in its tracks. During an incident, a true incident responder must talk to, negotiate with, and calm others, and lead an investigation with workers from all ranks of the company. At stake could be the reputation of a company, and you are expected to lead a thorough and complete investigation to the best of both your technical and non-technical abilities. Are you ready to put your keen soft skills into action when the stakes are high?

Rob Gresham (@SOCologize), Security Solutions Architect, Splunk

Rob has over 17 years of experience delivering both systems and security engineering services and specializes in Security Operations Management, Incident Response, and Threat Intelligence and Analysis. Rob has been a keynote speaker and speaker at numerous conferences and BSides events over the years, sharing his knowledge and experiences with the information security community.

Shelly Giesbrecht (@nerdiosity), Team Lead – Incident Response, Cisco

Shelly is a Team Lead, Incident Response with Cisco Security, and a graduate student in the SANS Technology Institute’s Master of Science in Information Security Engineering program. She has been focused on SecOps and Incident Response, both as an employee and as a consultant, for the past 13 years. She is a contributor to the Cisco Security Blog and writes her own blog at nerdiosity.com. Shelly tries to learn one new thing every day and is a firm believer in the bow tie.

David Hazar (@davidhazar), Advisory Senior Manager, Deloitte

David has over 18 years of broad, deep technical experience gained from a variety of hands-on roles serving the financial, healthcare, and technology industries. Currently, he focuses primarily on enterprise vulnerability management, application security, and secure DevOps, helping Deloitte's clients understand how to move from scanning to an effective, integrated, and holistic vulnerability management program. In addition to leading client engagements, he is responsible for the technical training curriculum and instruction for new hires and both onshore and offshore managed service practitioners. He is a community instructor for DEV522 Defending Web Applications Security Essentials and SEC542 Web App Pen Testing and Ethical Hacking. David completed a bachelor of science in information systems and a master of information systems management at Brigham Young University, and currently holds the following certifications: CISSP, GWAPT, GWEB, GMOB, GCIA, GCIH, GCUX, & GCWN. He is located in Salt Lake City, UT and enjoys spending time with his family, skiing, and snowboarding.

Justin Henderson, Instructor & Course Author, SANS Institute

Justin Henderson is a passionate and dedicated information technology professional. He has been in the information technology field since 2005. Justin has a proven desire and ability to achieve comprehensive industry training and uses his knowledge and experience to mentor others. Justin has a high proficiency in technical platforms including operating systems, networking, security, storage, and virtualization, but has also applied himself in governance, project management, and service management. Currently, Justin holds a Bachelor of Science in Network Design and Administration from Western Governors University and has over 40 certifications, some of which are below:

• Networking - Cisco Certified Network Associate
• Virtualization - VMware Certified Professional 5 and VMware Certified Professional 5: Desktop
• Database - MySQL 5 Database Administrator
• Governance/Service/Project Management - Project Management Professional, ITIL Continual Service Improvement, Certified in Risk and Information Systems Control, Certified Information Security Manager
• Microsoft - Microsoft Certified Information Technology Professional: Enterprise Administrator and Microsoft Certified Security Engineer 2003: Security
• Security - GIAC Penetration Tester, GIAC Windows Security Administrator Certification, Licensed Penetration Tester, Certified Ethical Hacker v5, Computer Hacking Forensics Investigator, EC-Council Certified Security Analyst, Tenable Certified Nessus Auditor, Certified Sonicwall Security Administrator, Certified Information Systems Security Professional, Security+

Justin has also taught Network Security at Lake Land College. Some of his other achievements include mentoring individuals in the information technology field as well as developing the virtual dojo, a fully automated cloud computing solution showcase environment.

Dave Herrald (@daveherrald), Staff Security Strategist, Splunk

Dave Herrald is a veteran security technologist. He holds a number of security certifications including the GIAC GSE #79. Dave works on Splunk's Security Practice team, and rides bikes and skis for sanity.

Tyler Hudak, Principal Engineer - Senior Manager - CyberSecurity Ops Center (CSOC), Mayo Clinic

Tyler Hudak is Principal Engineer, Cyber-Security Operations Center. Tyler has more than 15 years of extensive real-world experience in incident handling, malware analysis, computer forensics, and information security for multiple Fortune 500 firms. Tyler has spoken and taught at a number of security conferences on the topics of malware analysis, incident response and penetration testing, and brings his front-line experience and proven techniques to bear in the training. He currently works for a major medical institution as the team lead for the security operations center.

Joe Moles (@FlyingMonkey127), Director of Detection Ops, Red Canary
An IR and digital forensics specialist, Joe Moles has more than a decade of experience running security operations and e-discovery. As Director of Detection Operations at Red Canary, he leads a team of security analysts to help organizations defend their endpoints against threats. Prior to joining Red Canary, Joe built and led security operations, incident response, and e-discovery programs for Fortune 500 companies like OfficeMax and Motorola. He is regarded as an industry thought leader and regularly contributes to the Red Canary blog.

Don Murdoch, Security Operations Center Manager, SLAIT
Don Murdoch, GSE, is a seasoned IT leader with 25 years of IT and InfoSec experience, with the most recent decade as the Director of an MSSP and Security Operations Practice. Recent prior experience is as IT/InfoSec Security Director and Enterprise and Security Architect in the healthcare industry. Don also has significant experience as an instructor and course developer for SANS and other leading security organizations.

Richard Noel, Manager - MSSP, Mayo Clinic
Richard Noel is Mayo Clinic's Manager responsible for oversight of Mayo's Managed Security Services provider and Tier 1 SOC staff. He has a long career in Infosec, having started his career in 2002 as an IDS analyst for an MSSP. Richard worked for a Fortune 500 company as a security specialist on various architecture, operational, and compliance projects. Previously, he worked as an Infosec professional services consultant, serving as technical lead on several multi-million dollar, globally deployed initiatives. Richard has served on the GIAC GSEC advisory board and was a member of the SANS mentorship program. He is well known around the office as a fan of puns and bad jokes.
My-Ngoc Nguyen, CEO/Principal, Security IT Solutions, LLC; Instructor, SANS Institute
My-Ngoc Nguyen (pronounced Mee-Nop Wynn) is the CEO/Principal Consultant for Secured IT Solutions. She brings 15 years of experience in information systems and technology, with the past 12 years focused on cybersecurity and information assurance for both the government and commercial sectors. My-Ngoc is highly experienced in IT security and risk methodologies, and in legal and compliance programs. She led a cybersecurity program under a federal agency for a highly regulated, first-of-a-kind project of national importance. With that experience, she has been assisting client organizations in both the public and private sectors to implement secure and compliant business processes and IT solutions using defense-in-depth and risk-based approaches. Along with a master's degree in management information systems, she carries top security certifications that include GPEN, GCIH, GSEC, and CISSP, and is a former QSA. She is a member of the FBI's InfraGard, the Information Systems Security Association (ISSA), the Information Systems Audit and Control Association (ISACA), and the International Information Systems Security Certification Consortium (ISC). My-Ngoc founded the non-profit organization CyberSafeNV to raise security awareness among Nevada residents and is currently the organization's chairperson.

Chad Sadosty, CISSP, Senior Manager - CSOC, Mayo Clinic
Chad Sadosty, Senior Manager, Cyber-Security Operations Center. Chad Sadosty has been with Mayo Clinic for 17 years, with 12 years of operational management experience. Chad has led many incidents, including disaster recovery, hardware/software failures, and security events. Prior to managing the CSOC, Chad managed infrastructure teams within Mayo Clinic across the enterprise. He is a former Microsoft Certified Trainer and instructor.
Alissa Torres, Incident Response Manager, Cargill
Alissa Torres works as Incident Response Manager at Cargill, where her team recently stood up an in-house 24x7 Security Operations Center. She is a certified SANS instructor, specializing in advanced computer forensics and incident response. Her industry experience spans government, academic, and corporate environments and includes incident handling with the Mandiant CIRT and internal investigations for a large government contractor. A huge fan of GIAC, Alissa holds the GCFA, GCFE, GCIH, GCIA, GSEC, CISSP, and EnCE.

Ismael Valenzuela (@aboutsecurity), SANS Certified Instructor, GSE #132; Principal Engineer at McAfee
Since he founded one of the first IT Security consultancies in Spain, Ismael Valenzuela has participated as a security professional in numerous projects across the globe over the past 17 years.

As a top cybersecurity expert with a strong technical background and deep knowledge of penetration testing, security architectures, intrusion detection, and computer forensics, Ismael has provided security consultancy, advice, and guidance to large government and private organizations, including major EU Institutions and US Government Agencies. Prior to his current role as Principal Engineer at McAfee, where he leads research on threat hunting using machine-learning and expert-system driven investigations, Ismael led the delivery of SOC, IR & Forensics services for the Foundstone Services team within Intel globally. Previously, Ismael worked as Global IT Security Manager for iSOFT Group Ltd, one of the world's largest providers of healthcare IT solutions, managing their security operations in more than 40 countries. He holds a bachelor's degree in computer science from the University of Malaga (Spain), is certified in business administration, and holds many professional certifications. These include the highly regarded GIAC Security Expert (GSE #132) in addition to GREM, GCFA, GCIA, GCIH, GPEN, GCUX, GCWN, GWAPT, GSNA, GMON, CISSP, ITIL, CISM, and IRCA 27001 Lead Auditor from Bureau Veritas UK.

Marcus Ward, Senior Security Operations Center Analyst, Cargill
In his current role, Marcus Ward functions as a Senior Security Operations Center Analyst at Cargill within its command center. He has held similar roles with Optum and Patterson, specializing in DLP. Marcus also currently serves as a senior intelligence analyst with the US Air Force, holding the rank of MSgt/E7 and supporting various theatres of operations. Marcus is passionate about researching and tracking cyber threat actors in an effort to drive mitigation measures.

Carson Zimmerman, Cyber Security Operations Center (CSOC) Engineering Team Lead, Microsoft
Carson Zimmerman has been working in cyber security operations for 15 years. In his current role at Microsoft, he is a Senior Security Engineering Lead.
In his previous role, at The MITRE Corporation, Carson served as a Principal Cyber Security Engineer, specializing in CSOC architecture and CSOC consulting. His experiences as a CSOC analyst and engineer led Carson to author Ten Strategies of a World-Class Cybersecurity Operations Center, which can be downloaded for free at http://bit.ly/1sKCOH9. He received a BS in Computer Engineering from Purdue University and an MS in Information Systems from George Mason University.
