SIGS Special Interest Group
18th SOC Forum

Save the Date: Click on the .ics file to save the date

Target Audience Security Operations Center Professionals
CIOs, CISOs, IT Managers, Security Officers, Security Architects and Engineers – all from the end-customer side who are interested in IT Security

From consultancies and resellers/integrators, only technical people (who are involved in the security operation processes) are allowed to take part – max. one participant per company. Vendors and people in a Sales/Marketing role are not authorized as participants.

If you are not on the dedicated invitation list and you would like to take part in this community and receive the invitations, please fill out the application form.

CPE Credits Earn 4 CPE (Continuing Professional Education) credits for attending this SIGS forum. Please request a confirmation.
Location Hilton Zurich Airport Hotel
Hohenbuehlstrasse 10
8152 Opfikon-Glattbrugg

There are plenty of free parking spaces available.
Train: railway station Zurich Airport – take the hotel shuttle

Date of Event 5th December 2019
Further planned dates in 2020: 10th March, 23rd June, 15th September and 1st December 2020
Language English
Participation Costs Fr. 55.— per participant
Organization, presentations, beverages and Apéro riche included



1:30 – 2:00 pm Registration & Coffee
2:00 – 2:00 pm Welcome from the moderator
2:00 – 3:00 pm Todd James, Head of Detection Content Enhancements, Cyber Defense, Chief Information Security Office at UBS AG

Lessons learned about estate hardening incl. Q/A
There are significant gaps between the findings produced when an incident is closed, when a red or purple team engagement has ended, or when threat or open-source intelligence is distilled, and what actually changes in the estate. Meaningful feedback is simply lost in a document, or the roadblocks are so large that there is never any reduction of the attack surface.

This session will review lessons learned about estate hardening and how closing the feedback loop between incidents and hygiene could help institutions avoid making the same mistakes.

3:00 – 3:30 pm Marcel Grabher, Technical Manager Cyber Security at Telecom Liechtenstein AG
Marcel Grabher graduated in business informatics (M. Sc., focus: IT security) at the Technical University of Vienna and has worked as a full-stack web developer (Ruby on Rails), backend developer (golang) and DevOps engineer (GCP, GitLab), technical project manager, and in presales and sales.

Security Operation Center Misconceptions
You might not have a SOC. You might not get a SOC. Common misunderstandings, and a sample of log correlation to detect and understand an attack at the application level.

3:30 – 4:15 pm Break
4:15 – 6:00 pm There are two workshops in parallel – choose the one you would like to attend

Workshop 1.1
by Jeff Hamm, Technical Director at Mandiant

Beyond Malware: What Characteristics and Behavioral Traits Can Identify Attackers in a Network?
“Gartner Forecasts Worldwide Information Security Spending to Exceed $124 Billion in 2019” (Gartner, 2018). In the article, Gartner estimates networking equipment expenditures at $13.321 Million and services at $64.237 Million for the year 2019. Services that address compliance such as GDPR account for 30% or more of expenditures at the businesses surveyed. Rob Sobers at Varonis lays out “60 Must-Know Cybersecurity Statistics for 2019” (Sobers, 2019), but these statistics focus on malware and vulnerabilities. As an industry, we are spending large amounts of money on tools for compliance, vulnerability, and malware detection.

Currently, there isn’t a trustworthy source that concisely defines and details lateral movement and non-malware tools that attackers use to steal data. There are intelligence reports on certain Financial and APT groups by entities such as FireEye and CrowdStrike, but they don’t compare and contrast lessons learned and how to codify this behavior.

Jeff Hamm will lead a roundtable discussion framed around a potential PhD research question: “How do we identify attacker behavior when the attack is using legitimate credentials and tools in a compromised environment?” He will illustrate three cases, using PowerShell, PsExec, and typing patterns such as switch order or misspellings, to generate discussion, including observations by participants in their own networks and what equipment or detections we can put in place to alert on malware-less attacker behavior.


  • Introduction
  • Who I Am
  • Who the Participants Are
  • PhD Research
  • Malware Constantly Evolves: Can We Make Other Detections for Attacker Activity?
  • Mandiant and FireEye Experience
  • Powershell
  • Typing Patterns
  • Switches
  • Misspellings
  • Observations from Those In Attendance
  • How Can We Identify These?
  • Technologies in Use
  • True “Signature-less” Detections
  • Takeaways
  • TBD By Participants

4:15 – 6:00 pm Workshop 1.2
by Antonio Barresi, Co-Founder and CEO at xorlab AG – spin-off from ETH

Antonio is Co-founder and CEO of xorlab, a Swiss IT security company. Before founding xorlab, he worked at the Laboratory for Software Technology (LST) at ETH Zurich on software security related topics. His research interests are software and systems security. Over the last few years he has given talks at various industry and academic security conferences (e.g. Black Hat, CCC, Hacktivity, WOOT). Before joining LST, he worked in industry as a Software Engineer, Security Consultant, and IT Risk Officer. He holds BSc and MSc degrees in Computer Science from ETH Zurich.

You are training your employees to spot suspicious emails. Now what?
While email is still one of the most popular initial attack vectors, the fight against email-based threats like phishing is evolving. Various new technical solutions exist, but strengthening the human line of defense through awareness training is still considered to be one of the most effective measures.

Nevertheless, awareness training has limits. On the one hand, phishing emails are becoming better; on the other hand, legitimate emails that look like phishing emails might have an adverse impact on user awareness. In the end, all it takes is one user to click or open the attachment.

In this session we will look at what we can do once we have trained our users to spot suspicious emails and, at the same time, offered them an easy way to report them. Although we have seen many organizations that have such a process in place, only a few are doing it with tool and automation support.

We will explore different ways of improving a manual process through tool support, and how much we can gain by interfacing with other third-party security systems such as the email gateway or the web proxy.

Further, we would like to hear from the participants what their experiences are with user reported suspicious emails.


  • Introduction round / get to know each other
  • What you must expect if you allow users to report emails
  • Manual reporting vs. a reporting button
  • Handling the emails
  • The value of feedback
  • Where tools can support you
  • Possible ways to interface with third-party systems
  • Web proxy integration
  • How to handle malicious emails residing in user mailboxes
  • An attempt to quantify the value of such a process
  • When does tool support and automation make sense, and when not
  • Discussion
  • Take home messages

6:00 – open end Apéro Riche and Networking (so please reserve the evening as well!)
The speakers will be onsite for Q&A.


The Sponsor of this event is:

Main Sponsor Co-Sponsor


This is a ‘must attend’ event for all security professionals! We are confident that the relationships you develop here will prove to be crucial to your continuing success.

Register here!

With the registration for this event you accept that SIGS may use the data entered for its own purposes and may share it with its event partners and event sponsors of this platform. In addition, we share the contacts with the community itself.
