SIGS Special Interest Group – 11th SOC Forum

Save the DateKlick for the .ics file to save the date

Target Audience Security Operations Center Professionals
CIO’s, CISO, IT Manager, Security Officer, Security Architects and Engineers – all from end customer side who are interested in IT Security

From Consultancies and Resellers/ Integrators are only technical peoples (which are involved in the Security Operation Processes) allowed to take part – max. one participant per company. Vendors and people with a Sales/Marketing role are not authorized as participants.

If you are not on the dedicated invitation list and you like to take part in this community and get the invitations, please fill out the application form.

CPE Credits Earn 4 CPE (Continuing Professional Education) for attending this SIGS event. Please request a confirmation.
Location Hilton Zurich Airport Hotel
Hohenbuehlstrasse 10
8152 Opfikon-Glattbrugg

There are a lot of free park places available.
Train: railway station Zurich Airport – take the Hotel Shuttle

Date of Event 23rd of November 2017
Further planned dates for 2018 will follow
Language English
Participation Costs Fr. 55.— per participants
Organization, presentations, beverages and Apéro riche included



1:30 – 2:00 pm Registration & Coffee
2:00 – 2:30 pm John Salomon, Director Continental Europe, Middle East, and Africa at FS-ISAC

Threat Intelligence Automation – what do you need to know beyond the technology?
Automated threat indicator ingestion and sharing is a growing area of focus for many corporate SOCs and threat intel teams. Standards like STIX/TAXII, and ready-made platforms like MISP and various commercial offerings make it possible to both consume indicators from community and commercial sites for ingestion into corporate TIPs, and to share observables with vendors and other security teams. This has significant implications beyond how to ensure technical compatibility.

For example, how does my organization avoid duplicates and false positives? How do we focus on high-value indicators? Who should receive notification in the organization when something comes from outside? How can we avoid being overwhelmed by automated feeds? And how do I judge what I should subscribe to? And when sharing information out, how do we ensure we’re compliant with data protection and confidentiality rules?

This presentation will discuss several questions you should ask before planning an automated indicator feed subscription, and how to go about automated indicator sharing.

2:30 – 3:00 pm Leif Kremkow, Directeur Technique, EMEA Sud at Qualys

Your vulnerability management policy might be saturating your SOC unnecessarily
Leif Kremkow will review a typical vulnerability and patch management policy to determine if there is a favorable cost to benefit ratio. Perhaps it is possible to improve the signal to noise ratio by also considering the exploitability vector.

3:00 – 3:30 pm Dr. David Gugelmann, Security Analytics Researcher and the CEO of the ETH Spin-Off Exeon Analytics
Prior to founding Exeon Analytics in 2016, he was a postdoctoral researcher at ETH Zurich in the Networked Systems Group. His research interests are in big data analytics, digital forensics and machine learning for anomaly detection. He combines these areas by developing big data security analytics solutions to fight advanced cyber attacks.

Security Intelligence for Web Traffic: Unsupervised Detection of APT C&C Channels
Most organizations allow Web access to some degree. This makes HTTP an ideal covert command and control (C&C) channel for cyber attackers. By controlling infected devices via regular HTTP requests, attackers can hide their activities among millions of benign events, making it very difficult to detect ongoing cyber attacks.

There exists a number of supervised approaches to identify C&C channels. However, supervised approaches require the availability of malware samples for training. Since the malware used for advanced persistent threat (APT) campaigns is often custom-built and used against selected targets only, a collection of corresponding malware samples is often not available.
In this talk, we present a novel, unsupervised approach to detect C&C channels in Web traffic. Our approach is based on the observation that the HTTP requests triggered by malware are different from the Web request patterns occurring during regular Web browsing. Therefore, by reconstructing and filtering the activities occurring during regular Web browsing, we can identify Web requests that are related to malware without training a malware-specific model. Our evaluation shows that we can reliably identify the C&C requests of nine APT malware campaigns that had been active during years without being detected.

This talk is based on the research publication “Lamprakis et al. Unsupervised Detection of APT C&C Channels using Web Request Graphs”, which was published at the DIMVA 2017 security conference ( The research was conducted in collaboration between the Zurich Information Security and Privacy Center (ZISC) of ETH Zurich and armasuisse Science and Technology.

3:30 – 4:15 pm Break
4:15 – 6:00 pm Breakout Sessions (interactive sessions/talks)

Technical Breakout Session

by Pierrick Prévert (Senior Software Engineer) and Rémi Le Mer (Product Manager, Web Application Firewall) from Qualys

Testing Apache for Struts vulnerabilities yourself
Patrick and Rémi will use command line tools and browsers to demonstrate how you too can test if your web servers have vulnerabilities in the Apache Struts framework.

Attendees are encouraged to come with their laptops to put into practice what Pierrick and Rémi will demonstrate. WiFi will be provided but be prepared to have curl available on your machine.

Qualys publishes detailed reports how users can check findings themselves (such as This workshop will help attendees hone their skills in manual penetration testing against web applications that were deliberately left vulnerable.

Strategic Breakout Session

by Freddy Dezeure, former Head of CERT EU – today CEO of Freddy Dezeure BVBA

Freddy Dezeure graduated in 1982 as Master of Science in Engineering. He was CIO of a private company from 1982 until 1987. He joined the European Commission in 1987 where he held a variety of management positions in administrative, financial and operational areas. He was COO of the EU’s Joint Research Centre for three years. He set up the EU Computer Emergency and Response Team (CERT-EU) for the EU institutions, agencies and bodies in 2011 and made it into one of the most mature and respected CERTs in Europe. Until May 2017 he held the position of the Head of CERT-EU. Presently, he is an independent management consultant providing strategic advice in cyber security and cyber risk management and acting as Board Member and Advisory Board Member in several high-tech companies. He is a recognized thought leader in cyber security, risk and privacy and is much in demand as a speaker.

Intelligence driven prevention and detection
The workshop will provide an overview of the recent developments in the threat landscape and how threat intelligence can support active management of prevention and detection. With adversaries becoming stealthier and adapting their infrastructure and techniques to evade detection we need to change gear in the way we make our observations of their behaviour more actionable. Furthermore, we need to advance our techniques to protect personal data and monitor leaks to comply with the GDPR and to protect our key assets.

This workshop will provide strategic insights as well as hands-on advice. It will be followed by extensive opportunity to interact with the speaker.

6:00 – open end Apéro Riche and Networking (so reserve as well the evening!)
The speakers will be onsite for Q&A

The Sponsors of this event are:

Main Sponsor


This is a ‘must attend’ event for all Security Operation Professional! We are confident that the relationships you develop here will prove to be crucial to your continuing success.

So don’t wait and register or send us the application form by email

With the registration for this event you accept, that SIGS may use the data entered for its own purposes and may share it with its event partners and event sponsors of this platform. In addition, we share the contacts as well with the community itself.

Mobile Menu