SIGS Special Interest Group
14th SOC Forum

Save the DateClick on the .ics file to save the date

Target Audience Security Operations Center Professionals
CIO’s, CISO, IT Manager, Security Officer, Security Architects and Engineers – all from end customer side who are interested in IT Security

From Consultancies and Resellers/ Integrators are only technical peoples (which are involved in the Security Operation Processes) allowed to take part – max. one participant per company. Vendors and people with a Sales/Marketing role are not authorized as participants.

If you are not on the dedicated invitation list and you like to take part in this community and get the invitations, please fill out the application form.

CPE Credits Earn 4 CPE (Continuing Professional Education) for attending this SIGS event. Please request a confirmation.
Location UBS Building VZVB
Max Högger-Strasse 82

Date of Event 20th of September 2018
Further planned date: 29th of November 2018
Language English
Participation Costs Fr. 55.— per participants
Organization, presentations, beverages and Apéro riche included



1:30 – 2:00 pm Registration & Coffee
2:00 – 2:30 pm Marco Rottigni, CTSO EMEA at Qualys

How visibility and actionable vulnerability intelligence help streamlining SecOps
Security Operations are rapidly becoming a crucial process in a mature company.

The growing sophistication of attackers and an evolving cyberthreat landscape require to build new capabilities and to strengthen existing ones.

Security is more and more seen as a business enabler and as a competitive advantage, therefore the SOC operational efficiency is constantly challenged for skill and performance.

Technology alone will not suffice, but could represent an immense value to provide visibility across an ever-changing environment; intelligence to support tactical and operational decisions; awareness about exploitation of the vulnerable surface.

This allow SOC Team to prioritise actions, to detect the weak signals and respond to them to prevent breaches.

2:30 – 3:00 Jeff Hamm, Technical IR Director at Mandiant

Jeff Hamm has been employed with Mandiant since 2010 and is a Technical Director assigned to the Europe region, where he manages a team that conducts forensic examinations and incident response. Response and examinations range from a single host to over 100,000 hosts on a network.

He also works part-time as an adjunct lecturer at NTNU (Norwegian Science and Technology University) in Gjøvik, Norway since 2011. There he provides intense practical labs based on real world computer forensic incidents using both Windows and Linux servers and attacker systems. He has co-authored “Digital Forensics” edited by Andre Arnes in 2017. The book is designed for academia and practitioners.

How Was that Breach Detected?
Mandiant has done thousands of IR investigations across multiple industry types and networks. In each case, the customer was either altered by a third party about the breach or discovered something “not quite right” in the network. In several cases the alerts the customer discovered led to discovery of a targeted attacker in the environment – and a subsequent incident response investigation.

In this presentation, we will use international case examples Mandiant investigated to take a closer look at how the breach was discovered and what security lessons can be learned from the alerts – for example how a performance monitor on a domain controller spiked which led to discovery of credential harvesting. The take away will include actionable in many environments.

3:00 – 3:30 pm Gio Pecora, Lead EMEA Operation at Refraction Point

Build a SOC in 30’ at less than the cost of a coffee

  • Create your organization
  • Start protecting, Linux, Mac and Windows assets
  • Manage data retention
  • Manage Big Data analysis
  • Apply Threat Intelligence
  • Detect and Respond (D&R)
3:30 – 4:00 pm Euan Ramsay, CSIRT Director at UBS

Designing operational responses to cyber threats
(Details will follow)

4:00 – 4:45 pm Break
4:45 – 6:30 pm Workshop I (interactive sessions/talks)
by Leif Kremkow, Technical Director South EMEA & Marco Rottigni, CTSO EMEA at Qualys

A Hands-On Look at Feeding SOC with Vulnerability Data
SOCs using their SIM/SIEM/SEM as a core data store harvest vast amounts of data. Often too much data. Tuning data import and consolidation can dramatically change the efficiency and relevance of the SOC’s processes. During this workshop we’ll look at some data consolidation technologies and how data can be imported from Qualys. Bring your laptop if you want to test things out yourself in a bash shell, Perl, and JavaScript.


  • Present Splunk demo environment
  • Present ServiceNow demo environment
  • Present ELK demo environment
  • Present Qualys API
  • Demonstrate shell script to import all
  • Demonstrate Perl script to import all
  • Demonstrate JavaScript script to import all
  • Illustrate data overload in the 3 technologies
  • Look at documentation to introduce detections API to tune/reduce imported data
  • Adjust scripts to take into prioritisation
4:45 – 6:30 pm Workshop II (interactive sessions/talks)
by Dr. David Gugelmann, Security Analytics Researcher and CEO of the ETH Spin-Off Exeon Analytics

Threat Intelligence Feeds vs. Machine Learning for Security Analytics
In this workshop, we analyze, compare and combine two of the most promising approaches for threat hunting: cyber threat intelligence feeds and machine learning.

First, we show that applying freely available cyber threat intelligence feeds to network log data results in a surprisingly high false positive rate. We discuss causes for these false positives and present an unsupervised statistical approach for the identification of high value cyber threat intelligence feeds.

Second, we present multiple machine learning-based techniques for the detection of malicious behavior using HTTP(S), DNS and NetFlow-like connection logs, including:

  • Covert web-based C&C channels used in APT campaigns
  • Data collection by browser plug-ins
  • Covert DNS channels
  • Domain Generation Algorithms (DGA)
  • Scanning and lateral movement

Third, we show how a combination of intelligence feeds, machine learning and custom visualizations enables efficient threat hunting.

6:30 – open end Apéro Riche and Networking (therefore reserve as well the evening!)
The speakers will be onsite for Q&A


The Sponsors of this event are:

Main Sponsor Co-Sponsor


This is a ‘must attend’ event for all security professionals! We are confident that the relationships you develop here will prove to be crucial to your continuing success.

Register here!

With the registration for this event you accept, that SIGS may use the data entered for its own purposes and may share it with its event partners and event sponsors of this platform. In addition, we share the contacts as well with the community itself.

Earn CPE Credits for
attending SIGS Events


Registration here!

If it’s the first time you like
to attend, please send us in addition your application