1) From Cavalry to Ninjas: How to Continuously Maintain Organizational Security
It is important for organizations to assess their ability to detect attacks and respond to them. However, traditional cyber battles tend to focus on fast, noisy attacks, leaving slow and stealthy ones out of scope. Continuous, long-term activities by ethical hackers targeting IT infrastructure help simulate low-and-slow attacks and build resilience against them. These talks will introduce approaches and methods for continuous validation of organizational security.
2) Prioritization of Cyber Incidents and Incident Response
Responding to all incidents simultaneously is physically impossible — resources are limited. Incident response requires prioritization. How should a SOC identify critical incidents that require immediate action?
Prioritization can be based on two interrelated assessments. The first is the assessment of damage caused by the incident itself. Does the organization understand the potential consequences of cyber incidents? Can incidents be prioritized based on their potential business impact?
The second is the assessment of damage caused by the response itself. What actions can the organization take quickly, without lengthy approvals? The cure should not be worse than the disease. Assessing the consequences of response actions (service blocking, system isolation, process shutdown) is just as critical as assessing the threat itself.
Together, these two assessments form the basis of a response mandate — an agreement between the business and information security that defines the boundaries of autonomous SOC actions. Such a mandate enables fast response without additional approvals, which is especially important when implementing automated (including AI-agent-based) response. These talks will focus on prioritizing cyber incident response.
3) Synergy or Symbiosis? On the Importance of SOC Trust in AI
In these talks, attendees will hear expert opinions on the transition from AI assistants to AI agents (agents capable of independently deciding how to achieve a given goal). What can we entrust to an AI agent, and how can we verify that it will act exactly as intended? How can we delegate incident response to AI agents, and is it possible to formulate our own “three laws” for such response? How can AI models be trained within closed environments?
4) SOC: How Does It Work?
A SOC is a combination of technologies, people, and processes that together deliver valuable services to customers. Historically, the concept of a SOC was primarily associated with incident monitoring and response. Over time, as information security matured, SOC functions expanded to include threat analysis and hunting, security posture assessment, vulnerability management, risk assessment, and more.
Processes provide the environment that enables synergy between various technological solutions in delivering SOC services. Teams execute processes. How should such a system be designed, and how can all of its components be connected? To what extent do processes and technologies define each other? What type of SOC is optimal — in-house, outsourced, or hybrid? Where should organizations start when implementing a SOC under current Russian conditions?
Expert talks will address these questions, present approaches to building a SOC with broad functionality, and share real-world SOC implementation stories from different companies.
5) How to Demonstrate the Value of a SOC, or Metrics That Matter
We all understand that organizations need a SOC — whether in-house, outsourced, or hybrid.
But how can its value be demonstrated to the business? Metrics that show operational efficiency (such as meeting incident response SLAs) do not always prove the SOC’s business value.
In some cases, the best outcome is that incidents do not occur at all. How can we prove to the business that organizational resources and employee time are well spent? Which business-friendly metrics can reflect this value? Is it possible to estimate the financial impact of prevented incidents and compare it with the cost of building and operating a SOC?
In these talks, experts will share real examples of how they demonstrated the value of their SOCs to the business.
6) Pivot, Pivot, and Pivot Again: What Value Do Graphs Bring to a SOC?
No matter how effective incident response in a SOC may be, an organization’s ability to withstand security incidents largely depends on the earliest possible detection and accurate qualification of an incident, based on data enrichment from multiple sources.
Preventing incidents requires analysis of the IT infrastructure (its connectivity, resilience, and the speed at which threats can propagate), threat analysis, and the development of countermeasures tailored to that infrastructure. Both response and prevention rely on investigations of past incidents and on threat hunting within the IT environment.
Graphs, as a way of representing interconnected information, as well as tools for processing graph-based data, are becoming increasingly important in SOC operations. Graphs provide a more natural representation of related data, although they are less familiar than traditional tabular models. Working with graph data can be more complex, but the insights gained are often far more valuable.
What do SOC experts think about this? These talks will focus on practical examples of using graphs and graph-processing tools in everyday SOC activities.
7) Approaches to Detection and Response
How do you detect new attacks and respond to them? How do you organize information sharing within the SOC to develop effective detection and response approaches? What role do threat intelligence and threat hunting play in shaping these approaches? How do you preserve and transfer expertise within the SOC?
These talks will be dedicated to answering these questions.
8) How Do You Know It Works — and Works as Intended?
A SOC is a complex combination of technologies, processes, and people. It is not enough to design, implement, and launch it. Processes can be tested, and people can be interviewed. But how can we verify that technological solutions (for example, a SIEM) are delivering their full value?
What practices do you use to assess the “health” and effectiveness of your technology stack? These talks will address these questions.