SIGS Special Interest Group
17th SOC Forum

Save the DateClick on the .ics file to save the date

Target Audience Security Operations Center Professionals
CIO’s, CISO, IT Manager, Security Officer, Security Architects and Engineers – all from end customer side who are interested in IT Security

From Consultancies and Resellers/ Integrators are only technical peoples (which are involved in the Security Operation Processes) allowed to take part – max. one participant per company. Vendors and people with a Sales/Marketing role are not authorized as participants.

If you are not on the dedicated invitation list and you like to take part in this community and get the invitations, please fill out the application form.

CPE Credits Earn 4 CPE (Continuing Professional Education) for attending this SIGS forum. Please request a confirmation.
Location Hilton Zurich Airport Hotel
Hohenbuehlstrasse 10
8152 Opfikon-Glattbrugg

There are a lot of free park places available.
Train: railway station Zurich Airport – take the hotel shuttle

Date of Event 3rd September 2019
Further planned date in 2019: 5th December 2019
Language English
Participation Costs Fr. 55.— per participants
Organization, presentations, beverages and Apéro riche included



1:30 – 2:00 pm Registration & Coffee
2:00 – 2:00 pm Welcome from the moderator
2:00 – 2:30 pm Jan Brons, Lead Incident Response Cyber Defence Programme at Swiss Re
The right time to step up your incident preparedness
Latest since the Danish container shipment firm Maersk fell victim to global ransomware outbreak in summer 2017, board members no longer ask the question if the company they oversee ever becomes a target. Acknowledge the fact that you will be hit by cyber-attacks – the question is when. Times have changed and so have the fears of your board. According to recent survey, cyber-attack are amongst the top 3 business threats of board members. Time to step up incident preparedness with some serious exercises.

In this presentation, I would like to give you an overview on Swiss Re approach to cyber-attack exercises across different levels in the organization (from operations to the board) and how your siloed expert teams combined together make your organization more cyber resilient.

2:30 – 3:00 pm David Gugelmann, Founder & CEO of the ETH Spin-off Exeon Analytics

Log data preprocessing: The underestimated key to precise security analytics
Security analytics aims to transform large amounts of log data into actionable security insights. There are hundreds of scientific publications on machine learning algorithms for security analytics.

However, when applying such algorithms in practice, false alerts are often a major issue. Besides flaws in the machine learning algorithms, a common reason for false alerts are problems with the data recording that are not properly handled by the data preprocessing.

In this talk, David gives insights into commonly observed issues with the recording and collection of network log data. He then shows interactively how domain-specific data preprocessing can handle incomplete records and greatly improve the performance of security analytics algorithms, resulting in a much fewer false alerts.

3:00 – 3:30 pm Adrian Pisarczyk, Incident Response Consultant at Mandiant

Observations from incident response: investigating a live state-sponsored attacker
In this session I will present observations from a recent incident response engagement involving a live state-sponsored attacker. I will provide a brief overview of the threat actor involved – a prolific Chinese state-sponsored threat group with advanced capabilities. I will discuss some of their unique characteristics and the impact of these characteristics on the general threat landscape.

I will also present a few interesting, real examples of the attacker activity and their TTPs, discuss methods used to detect, analyze and track them and share anecdotes from the engagement.

3:30 – 4:15 pm Break
4:15 – 5:15 pm There are two workshops in parallel – chose the one you like to attend

Workshop 1.1
by Rob Huikeshoven, Manager Sales Engineering Continental Europe at Carbon Black
Rob started working in the IT security space in 1999 as a programmer, solutions architect, engineer, advisor, trainer and consultant, helping enterprise customers to design and implement various security solutions. In early 2016 he joined Carbon Black and now manages the Technical Sales Engineers in Continental Europe.

Threat Hunting – a Key Component of Enterprise Security Stack
A successful threat hunting operation depends on complete visibility across the entire enterprise – including every endpoint – and the unfiltered data needed to understand every process running on that endpoint. But when is the right time for an organization to begin hunting? How mature does your security program need to be?

In this session you will hear, when and why companies are implementing threat hunting as well as the benefits of threat hunting as a key component of your security practices.

4:15 – 5:15 pm Workshop 1.2
by Endre Bangerter
Endre Bangerter is co-founder of threatray, a startup in the field of code-based threat intelligence. He is also a professor of computer science at the Bern University of Applied Sciences and a lecturer at the Forensic Science Institute of the University of Lausanne.

Malware identification and contextualization
The detection of malware – using automated or manual forensics techniques – has been the primary focus of the cyber-defense community for many years. More recently the (complementary) disciplines of contextualization and identification of malware attacks have gained importance and popularity. Contextualization and identification often allow defenders to better understand their adversaries, to prioritize their reaction and to take more effective defensive measures. Contextualization is inherently based on finding similarities and correlation between attacks and thus necessities the availability of rich data sources (threat intelligence) on past attacks and adversarial activity.

In this workshop we’ll review malware contextualization and identification techniques using real world examples and discuss and compare the effectivity of various techniques. Finally, we’ll especially focus on code based malware correlation and contextualization techniques (e.g. using Yara rules) which in many cases turn out to be very effective.

5:15 – 6:15 pm Workshop 2
by Pascal Imthurn, Head of Cyber Defense Services and Oliver Locher, Service Product Manager at ISPIN AG

A new approach to select SIEM Use Cases by avoiding event per second estimations
Did you ever experienced the challenge to identify the adequate SIEM use cases to fulfil not only the compliance driven requirements but also the ability to have a high security detection coverage from day one? How can you ensure you will detect all attacks respectively you collect, and analysis all required events to identify anomalies?

We will introduce a comprehensive approach to directly address the challenge of SIEM use case identification and selection. In addition, we explain the answer of the problem of having a high detection maturity from day one with still a price efficient strategy and the capability to scale easily. Moreover, we present a recommended solution method to respond to attacks immediately, focused to the origin of the attack and to be able to collect all relevant data for additional investigations.

In this session you will learn how to

  • identify the adequate SIEM use cases based on a suggested methodology
  • avoid sizing and scoping of SIEM environments based on events per second
  • respond to attacks and malware infections by just pushing the trigger
  • plan and scale your SIEM environment with a simple approach
  • establish a high SIEM detection coverage from the beginning

6:15 – open end Apéro Riche and Networking (therefore reserve as well the evening!)
The speakers will be onsite for Q&A.


The Sponsors of this event are:

Main Sponsor Co-Sponsor


This is a ‘must attend’ event for all security professionals! We are confident that the relationships you develop here will prove to be crucial to your continuing success.

Register here!

With the registration for this event you accept, that SIGS may use the data entered for its own purposes and may share it for use with its event partners and event sponsors of this platform. In addition, we share the contacts as well with the community itself.

Earn CPE Credits for
attending SIGS Events

Registration here!

If it’s the first time you like
to attend, please send us in addition your application