Blue team con online

BTC Online

Blue Team Con Online is a series of talks from past Blue Team Cons,
updated and presented live in the Blue Team Con community Discord.

Upcoming Blue Team Con Online Events

February 20, 2025 @ 10:00 AM CDT

The Fault in Our Metrics: Rethinking How We Measure Detection & Response

Presented by Allyn Stott

Your metrics are boring and dangerous. Recycled slides with meaningless counts of alerts, incidents, true and false positives… SNOOZE. Even worse, it’s motivating your team to distort the truth and subvert progress. This talk is your wake-up call to rethink your detection and response metrics.

Metrics tell a story. But before we can describe the effectiveness of our capabilities, our audience first needs to grasp what modern detection and response is and its value. So, how do we tell that story, especially to leadership with a limited amount of time?

Measurements help us get results. But if you’re advocating for faster response times, you might be encouraging your team to make hasty decisions that lead to increased risk. So, how do we find a set of measurements, both qualitative and quantitative, that incentivizes progress and serves as a north star to modern detection and response?

Metrics help shape decisions. But legacy methods of evaluating and reporting are preventing you from getting the support and funding you need to succeed. At the end of this talk, you’ll walk away with a practical framework for developing your own metrics, a new maturity model for measuring detection and response capabilities, data gathering techniques that tell a convincing story using micro-purple testing, and lots of visual examples of metrics that won’t put your audience to sleep.

February 27, 2025 @ 10:00 AM CDT

Operationalizing AI For Network/SOC Analysts

Presented by Chris Roffe

The presentation focuses on using Human Design Engineering (HDE) principles for the development of AI tools that are more adaptable to the varying levels of expertise within a SOC or analyst team.

The talk shows how logic rails, behaviors, and trigger-actions are used to craft the AI assistant into a functional interface that integrates disparate systems and enables analysts to access and cross-reference data. This integration is crucial for rapid threat identification and response, as it allows analysts to draw connections between indicators of compromise and potential threats without manually navigating through multiple platforms.

We will also highlight how AI assistants can be configured to align with the workflows and preferences of human analysts, ensuring that the technology adapts to the user rather than the other way around. This user-centric design is essential for maintaining the human analyst’s role as the decision-maker, leveraging the AI’s processing power to enhance their situational awareness and investigative capabilities. The concept of “human in the loop” is a critical component of this approach. It emphasizes the importance of human oversight in automated processes to ensure that decisions are made with a level of discernment that AI currently cannot replicate.

By reducing the time spent on manual data aggregation and preliminary analysis, AI assistants empower analysts to dedicate more effort to tasks that require their expertise. AI assistants not only improve the efficiency of a task workflow but also ensure that human judgment remains at the forefront of the decision-making process for small, medium, or global-sized security teams.

March 6, 2025 @ 10:00 AM CDT

Building on CVSS, EPSS, and KEV: A Practical Approach to Vulnerability Prioritization

Presented by Omer Tal

These days, the overwhelming number of vulnerabilities in any system, combined with resource constraints, makes it impossible to remediate all vulnerabilities. Effective prioritization is essential, ensuring that the most critical threats are tackled first to safeguard an organization’s key assets efficiently.

Frameworks like CVSS, EPSS, the KEV catalog, and SSVC have been widely adopted to aid this task. Each framework offers unique insights, yet they often fall short of providing a holistic solution. This leaves organizations juggling multiple tools without a clear path to optimal prioritization.

Join my talk where I explore the strengths and weaknesses of these popular frameworks. I will discuss why no single framework should be used alone and how to develop a comprehensive vulnerability prioritization strategy that leverages the best aspects of each framework. Learn how to transform these theoretical tools into a practical, actionable plan that fits your security needs.

March 13, 2025 @ 10:00 AM CDT

Security In An IaC Defined World

Presented by Dwayne McDaniel

While it would be amazing to focus 100% on our code in our work, the reality of modern DevOps is that we also need to worry about where it runs. In a simpler time, the operations team would grant us precious disk and machine resources after a requisition request. Security was tight, as those servers were locked down behind private networks and gateways. Living in the modern world of platforms as a service and infrastructure as code (IaC) means that taking security for granted is no longer an option.

Even if the security team could manage every possible bit of your infrastructure, understanding how to manage security better is going to help everyone stay safe, especially at scale.

Takeaways:

  • What does good security look like
  • Everything you need to know about Infrastructure as Code in 3 minutes
  • The security issues (and benefits) IaC brings
  • Securing the world around your IaC
  • When the security team should be involved
  • Local/individual testing for scale

There is a huge misunderstanding of vulnerability management. It is commonly incorrectly defined as being synonymous with software updates and patches. It is so much more than that! We will take the audience through a hands-on journey of scanning, enriching data, and creating high-value prioritization to protect against the number one method of threat actor initial access: software vulnerabilities.

New events are being scheduled – check back regularly to see upcoming BTC Online presentations.

Previous Blue Team Con Online Events

February 13, 2025 @ 10:00 AM CDT

Bridging the Generation Gap: Cyber Workforce Development Through STEM Outreach and Mentorship

Presented by Moeiini Reilly

The future of cybersecurity is defined by today’s workforce evolving and persisting through volatile threat landscapes. In order to facilitate this growth, the next generation of information technology (IT) and cybersecurity leaders must enter the field with diverse perspectives and fundamental understandings of computing. As industry professionals, we feel first-hand how gaps in the cybersecurity workforce affect the risk postures of the organizations we work for, and the intensity with which ourselves and our colleagues experience burnout. Instead of waiting for the next generation to find the cyber industry, this presentation showcases research that incorporates industry-led outreach and mentorship networks to bridge the gap between what is accessible through traditional career pathways, and what we need to develop and improve the cybersecurity community.

Attendees will gain insights into concrete programming designed to address these challenges head-on. From paid high school internships to immersive job shadowing experiences, from extracurricular STEM club mentorship to interdisciplinary networking between students, educators, and industry professionals, we outline a comprehensive roadmap for nurturing talent and fostering community engagement. Together, we can bolster our collective resilience and ensure a vibrant future for cybersecurity.

February 6, 2025 @ 10:00 AM CDT

Cloud Kleptos: Lessons Learned Responding to Scattered Spider

Presented by Abian Morina

Cloud-focused attacks are on the rise, moving far beyond the commonplace cryptomining campaigns or initial access gained by poor password policies and lack of MFA. Persistent threat actors have adapted to rising defensive best practices, even evading MFA by push fatigue attacks and SIM swapping.

LUCR-3 (Permiso’s name for the threat actor group also known as Scattered Spider), who notably compromised MGM and Caesars in late 2023, epitomizes this level of persistence in their methodical approach to targeting specific industry verticals and effectively compromising, escalating and exfiltrating the desired intellectual property from their victims.

Permiso’s P0 Labs team has tracked and responded to LUCR-3 for the last 1.5 years, noting their effective traversal of technology boundaries from IaaS to SaaS and even PaaS. Additionally noteworthy is their practice of infiltrating internal communications and SaaS-based knowledge sharing platforms immediately upon initial access to retrieve internal processes, playbooks and stakeholders required to carry out their mission.

This presentation will inform defenders about many of LUCR-3’s notable TTPs, with a specific technical focus on those TTPs targeting the SaaS and IaaS layers from both an offensive and defensive perspective. While Scattered Spider’s TTPs range widely, their persistence and focus are anything but scattered.

August 22, 2024 @ 10:00 AM CDT

Vulnerability Cognition: Adding Psychology to VulnMgmt Programs

Presented by Dr. Nikki Robinson

Vulnerability Management continues to become more and more complex, especially with large sprawling APIs, containers and serverless deployments, and the introduction of CI/CD pipelines. With all of these factors, it is increasingly important to understand the psychological concepts behind VulnMgmt programs. Without understanding mental workloads, cognition, and perception, it will continue to be a struggle to keep up with vulnerabilities. With the numerous vulnerability scoring metrics and increasing severity and exploitability, blue teams must consistently learn about new exploits and what they mean for their environments. This session will cover what “Vulnerability Cognition” is, how it affects VulnMgmt programs, and how Blue Teams can use these skills to increase awareness and effectiveness in their VulnMgmt programs.

August 8, 2024 @ 10:00 AM CDT

Keep the F in DFIR: The Importance of Digital Forensics in Incident Response

Presented by Partha Alwar and Carly Battaile

In recent years, blue teamers have greatly benefited from advanced security tools such as EDRs and XDRs. While these tools provide valuable visibility and containment mechanisms during DFIR investigations, over-reliance on these tools may lead to an incomplete picture of the incident. In this presentation, we will discuss how traditional forensic analysis methods can provide a more holistic look at an incident and reduce gaps in visibility.

Our presentation will provide an overview of challenges encountered when using EDR tools such as telemetry retention, OS compatibility, deployment scope and the lack of forensic artifacts that track interactive activity by an attacker. Next, we will introduce several forensic artifacts such as Amcache, Shellbags, Windows UAL etc. that provide deeper, historical visibility into attacker activity. Using forensic artifacts introduced in this presentation, blue teamers will be able to piece together and timeline crucial pieces of evidence on systems that provide insight into historical process executions, file/folder access, lateral movement, etc. Finally, we will introduce real-life case studies where forensic methods have proved vital in incident response investigations.

Attendees of this presentation will gain a better understanding of forensic artifacts and how they can be utilized in incident response investigations. They will also learn about free and open-source tools available to parse these artifacts at scale.

July 25, 2024 @ 10:00 AM CDT

Non-Traditional Paths Into Cyber-Security: How recognizing and targeting complementary skill sets can ease the skills shortage

Presented by Kayla Williams

Since its inception, the Information Security industry has had a perpetual human capital and skills gap. With the advent of a variety of Massive Open Online Course (MOOC) programs such as EdX, Khan Academy and The Great Courses, upskilling across numerous domains is easier than ever. In addition, as companies explore removing college degree requirements, job requisitions open up to more candidates. As a result, the opportunity for a growing, successful career in Information Security has never been greater. Despite this, the perception of a skills gap still exists.

As a result of these false perceptions, employers may miss out on skilled candidates with unique backgrounds and perspectives. Thus, organizations may suffer from the same issues as intelligence agencies by being stuck in old ways of thinking, much in the way Richard Heuer describes in The Psychology of Intelligence in 1999. By integrating these new and unique perspectives, employers can build in diversity of thought with different base skill-sets and come up with new perspectives and innovations.

This talk will dissect how to approach this systemic issue. It will draw on the presenter’s personal experiences and professional experiences with individuals transitioning into the industry, and provide concrete solutions for companies looking to overcome this hurdle. Solutions will focus on how to apply these new hiring paradigms from the top down, as well as a potential avenue to resolution by building a pipeline through relationships with educational institutions.

July 11, 2024 @ 10:00 AM CDT

Building Yourself Into a Strong Identity Practitioner

Presented by Eric Woodruff

Whether you’re a seasoned Active Directory admin who cut your chops as a sysadmin, or coming into the identity space fresh, it can be daunting to understand how to get started within the identity space or transform yourself at the rapid pace the industry moves. And while “identity is the new security perimeter”, it is often overlooked as a skillset in most cybersecurity degree programs.

In this conversation we’ll dive into building yourself as a strong identity practitioner. For those newer to identity, we’ll take a look at the many areas available for specialization. If you’re looking to advance or change your career, we’ll explore the different types of roles available as well – from security researchers to identity program managers, the types of jobs available in identity are as deep as identity platforms themselves. Along with a look at the field, we’ll explore ways to gain the technical and non-technical skills to bring yourself and your career to the next level.

June 27, 2024 @ 10:00 AM CDT

Dude, Where’s My Domain Admins?

Presented by Joel M. Leo

*Attacker pops a workstation on your domain*
*Attacker establishes her foothold and local persistence*
*Attacker begins recon of AD, starting with Domain Admins*

ERROR: The group name could not be found.

Attacker, with a disconcerted look on her face: “Dude, where’s my Domain Admins?”

Killchains that involve AD usually involve enumeration of highly-privileged accounts: members of Domain/Enterprise/Builtin Admins, Server Operators, etc. Those groups and their members can be enumerated in AD by default, exposing members as targets of exploitation to obtain those privileges. However, there’s a way to use in-the-box AD capabilities to thwart these attempts. Using List Object mode, implicit deny, and AdminSDHolder/SDProp, AD defenders can hide these principals from unprivileged users. In this talk, I’ll walk you through the principles, process, and pitfalls, so you can raise the bar on your AD defenses without blowing things up.

May 30, 2024 @ 10:00 AM CDT

There is no ‘I’ in team, but if you look closely, there is a me: being the first dedicated security hire and growing a team

Presented by Mike Sheward

Being the first dedicated security hire at any organization is an incredible learning experience. One moment you could be hands-on deploying EDR and MDM tools, the next, you’re on a sales call with a prospect, or talking to the board. But amongst the opportunity, there is of course plenty of stress, anxiety, and burnout. When you’re doing the things that might otherwise be done by a team of folks, how do you know where to get started? How do you prioritize? In this talk we’ll answer those questions.

I’ve gone from being the first dedicated security hire to building teams on three separate occasions now, and each time I’ve done some things in the same way and some things differently. The talk is a lessons-learned account of going from absolutely nothing on day one to a reasonably large security team with dedicated sub-teams.

We’ll discuss how the decisions you make early on, as the wearer of many hats, can have long lasting impacts when you start to distribute those hats. This includes technology and process decisions, along with hiring and delegation.

A final key message in the talk will be that even though there may only be one dedicated security person at a company, that person should never be expected to carry the weight of the whole company’s security and privacy decisions, so we’ll talk about how to set that boundary as well.

After all, there is no ‘I’ in team, but if you look closely, there is a me.

May 2, 2024 @ 10:00 AM CDT

Defending Beyond Defense

Presented by Dr. Catherine J. Ullman

Assumptions burn defenders every day. Perhaps the most pernicious one is that systems and their controls will always work as designed. Best practices in security may be good guidelines, but unfortunately they also suffer from these same blind spots. For example, best practice recommends the use of LAPS for local administrator account passwords of domain-joined computers, yet misconfiguration of Active Directory can turn it from a protective control into a vulnerability. But what if there was a way to challenge these assumptions up front? The best way to dismantle these types of assumptions is to experience how deeply flawed they are. There is no better way to gain first-hand experience of this perspective than immersion in the offensive security space. In this talk we’ll explore how to immerse yourself in the offensive security world to obtain this knowledge without needing to change careers or obtain additional certifications. By being more informed about offensive security, defenders are better able to recognize relevant intel, understand existing threats, and more readily discover attacker behavior. Join me as I discuss how there’s more to defending than just defense, and how you can find and engage with the amazing resources that are out there waiting to be explored.

March 21, 2024 @ 10:00 AM CDT

Your OT/ICS Security Blackhole

Presented by Huxley Barbee

The rise of Operational Technology (OT) and Industrial Control System (ICS) networks has created new challenges for security teams. Existing tools and practices for securing IT environments tend to be ineffective or even damaging when applied to OT/ICS environments. Protecting OT/ICS environments involves a different mindset, fit-for-purpose tooling, and engaging with a different organizational culture. This presentation will explore why culturally and technically securing OT environments is so different. This presentation is a primer to equip the audience with the knowledge and skills to protect their organizations’ OT/ICS networks while ensuring these systems’ safety and availability.

March 7, 2024 @ 10:00 AM CST

PCI DSS v4.0 Is Here – Now What?

Presented by Kyle Hinterberg

The Payment Card Industry Security Standards Council (PCI SSC) released v4.0 of the PCI Data Security Standard (DSS) in 2022 and the countdown is on. Organizations that need to comply with PCI DSS only have until April 2025 to implement all the new requirements. Are you ready and, more importantly, do you even know what it will take to be ready?

Many organizations need to comply with the PCI DSS and a major version change can be daunting. To make things worse, most of the information provided by the PCI SSC and other organizations can be vague and/or marketing focused. This leaves individuals confused as to what they really need to be doing to prepare themselves and their organizations. My goal is to break it down Barney-style so that no one gets stuck behind the eight ball when they run their first v4.0 assessment.

This presentation will:

  • Provide brief definitions of the PCI SSC and PCI DSS
  • Explain the history of the PCI DSS (how we got to where we are)
  • Provide an overview of the changes in v4.0, specifically avoiding any vague marketing talk and focusing on actionable items to help prepare organizations for v4.0
  • Provide a summary of the big-ticket items that organizations should be working on to ease into v4.0

July 20, 2023

Everyone Can Play! Building CTFs To Teach Non-Security Folks

Presented by Joe Kuemerle

Most security practitioners are aware of the learning and fun that comes from participating in Capture the Flag competitions. Racing against other teams, solving brain-twisting challenges and seeing new ways to compromise systems teaches and entertains.

CTFs are also a great tool to give non-security folks a hands-on understanding of how security vulnerabilities enable criminal activities, reduce user privacy and degrade system reliability.

In this session you will learn to build interesting, educational and easy to use Capture the Flag events targeted at developers and other technical, non-security, users.

We will cover specific considerations for each audience you target, how to create interesting (yet solvable) challenges, and how to make the overall experience friction free for the participants.

You will also learn tools and techniques to create easily repeatable, consistent events with minimal work. We will cover collaborative development, external system integration techniques, tooling and a fully automated deployment pipeline to make spinning up a new CTF as easy as pushing a button.

July 6, 2023

Say Hi to the New Guy: How Diverse Backgrounds Can Mature Your Security Program

Presented by Ross Flynn

In a sea of candidates, why should you consider hiring a teacher as a SOC analyst? In what world would you hire a salesperson as a pen tester? As the need for more holistic security professionals grows, the Infosec field has a unique opportunity to address security concerns by leveraging the unprecedented number of converts from seemingly unrelated fields.

The bad guys will always continue to develop and evolve their techniques, so strategic organizations are finding success pulling from more diverse backgrounds. Fresh thinking and function-specific experience can help these diverse defenders protect data and the basic human right to security and privacy.

Let’s talk about the influx of new blood, strategic positioning, and how qualified professionals from other industries can leverage their experiences to benefit your security team.

Session attendees will leave with:

  1. Advice on qualities to look for when searching for non-traditional team members – what can we give HR to help them help us find the right people?
  2. Tips for supporting employees with non-traditional backgrounds in demonstrating their strengths
  3. Real world examples of diverse backgrounds uniquely benefiting security programs

June 22, 2023

Blue Team Social Impact: How to volunteer your cyberdefense skills without getting burned out

Presented by Tom Costello

Want to give back to your community by volunteering your blue team skills, but don’t want to turn into a small nonprofit’s 24/7 unpaid on-call helpdesk? We’ll explore ways you can maximize your happiness & social impact by taking your blue team talents into the volunteer space. You’ll learn how to avoid re-inventing the wheel when it comes to blue team charity work, along with many lessons learned on avoiding volunteerism burnout due to a busy day job. When done properly, volunteering your technology skillset or helping to train/mentor others interested in your occupation can have a gigantic positive impact on both your community and your mental wellbeing! When done poorly, you might burn bridges and find yourself more stressed out than necessary due to a volunteer situation gone wrong. Don’t do that to yourself; attend this talk and let’s make the world a better place one blue team volunteer opportunity at a time!

June 1, 2023

Improving Alert Recall: miss fewer attacks through customizable ML anomalies

Presented by Karishma Dixit, Sharon Xia

In the ongoing game of cat and mouse between attackers and defenders, attackers continually find new ways to evade detection. Whilst high fidelity security detections tend to have high precision, they can sometimes have low recall, therefore some new attack techniques can go undetected. Anomalies on the other hand are much noisier but can capture attacks that would otherwise be missed. Anomalies don’t necessarily indicate malicious behavior on their own. But when combined with other anomalies or alerts their cumulative effect is much stronger.

In this talk, we explore our approach at Microsoft Sentinel to provide the user with customizable anomaly rules. Our engineering methodology uses a PySpark backend to implement a variety of ML techniques including both supervised and unsupervised learning. We deep dive into the ML behind one of our customizable anomalies and then demonstrate the ease at which the rules can be configured by the user. Lastly, we demonstrate, via simulated attacks, how anomalies and alerts can be combined at various stages of the kill chain to produce high quality incidents.

Thus, we can see how customizable anomaly rules improve recall while reducing the noise of traditional anomalies via machine learning and customization.

May 18, 2023

Formulating An Intelligence-Driven Threat Hunting Methodology

Presented by Joe Slowik

Consultants and marketing departments refer to “threat hunting” as a desired position for network defenders. By adopting this mindset, defenders can take an active role pursuing intrusions. Yet precise methodologies for threat hunting are hard to come by, making the concept something amorphous. In this discussion, we will explore a methodology to standardize the threat hunting process, using an intelligence-driven, adversary-aware approach to drive investigation. This discussion will reveal a series of concrete steps or operational techniques that defenders can leverage to produce a measurable, repeatable, sustainable hunting process. To illustrate the concept, we will also look at several recent examples of malicious activity where an intelligence-driven hunting process allows defenders to defeat fundamental aspects of adversary tradecraft. Audiences will emerge with a roadmap for building a robust threat hunting program to improve the defensive posture of their organizations.

April 27, 2023

From the Ground Up: Lessons Learned from Starting a Vulnerability Management Team

Presented by Bryan Garcia

As the Cybersecurity field continues to mature and vulnerability numbers increase, there is a growing need to form specialized teams to handle dedicated areas of Cybersecurity. From the Ground Up shares the lessons learned from the creation of a dedicated Vulnerability Management team, the successes and struggles the team faced, the impact and value the team would bring to the company, and what choices could be made to help others be more effective in their decision-making to create an efficient Vulnerability Management team.

April 13, 2023

Breaking Boundaries, Securing Perimeters: A pragmatic approach to Attack Surface Management

Presented by Katie Inns

Security teams can often become overwhelmed by large lists of vulnerabilities that affect their systems and have trouble knowing which to prioritize first when it comes to remediation. This can lead to ineffective vulnerability management processes that focus on addressing issues from a top-down approach and do not reflect real-world exploitation or the risk to the organization. This becomes more problematic when organizations don’t fully understand their attack surface and their systems that may be at risk.

This talk will discuss how organizations can adopt a more pragmatic approach to attack surface management, by understanding the assets at risk, how to prioritize remediation and how to adapt based on emerging threats.

March 30, 2023

The Defender’s Guide to Budgetless Endpoint Hardening

Presented by Matt Coons

Hardening the endpoint is one of the first and most effective measures implemented by defenders to protect organizations against attackers. The EDR, XDR and antivirus space is full of vendor solutions to detect and prevent malware, but what can a budget conscious blue team do to block malware without spending a dime?

This talk will dive into cost free hardening tools and techniques that can be implemented to better protect endpoints from attack. Hardening techniques like leveraging Windows Firewall to block unwanted outbound network traffic, implementing Windows Attack Surface rules, disabling unneeded endpoint services and more will be discussed throughout the interactive session.

Session participants will leave with zero cost, actionable, and easy to implement endpoint hardening measures that can be implemented in various types of computing environments.

March 16, 2023

Building Better Security Metrics

Presented by Jake Williams

Let’s face it: most of us don’t like gathering and reporting metrics. But the boss says “that which isn’t measured isn’t managed.” Of course, there’s the problem of users gaming metrics to paint unrealistic pictures to stakeholders. Good metrics should serve as a heuristic for stakeholders to understand a situation at a high level without needing to understand all the nuance of how the sausage is made. In other words, metrics should tell a story. Since you’ll be generating security metrics anyway, shouldn’t they tell the right story?

Beyond the obvious justification of “management says you have to,” as an aspiring security leader you should be self-motivated to create and deliver better metrics. If there’s one thing leadership abhors, it’s uncertainty. Better metrics don’t eliminate uncertainty, but they do promote better understanding, leading to better evaluation of risk.

In this presentation, you’ll learn the principles of generating compelling metrics. We’ll then cover examples of easy-to-gather metrics across a range of security disciplines, including SOC, cyber threat intelligence, threat hunting, and incident response. Come learn how to level up your metrics game in this session!

March 2, 2023

Going Atomic: The Strengths and Weaknesses of a Technique-centric Purple Teaming Approach

Presented by Alfie Champion

Atomic purple teaming, i.e. testing individual permutations of offensive techniques outside of a scenario-based exercise, offers an approach that can maximise kill chain coverage and provides a means to benchmark a SOC’s detective capability.

Initially, the methodology for atomic testing will be presented, alongside example results from a typical engagement. We’ll evaluate the significant data set that such testing can produce – e.g. which test cases produce telemetry, which produce alerts, which were prevented – and consider its application in informing SOC strategy, demonstrating Return on Investment, and providing insight into general security posture.

This empirical, data-driven approach is invaluable in developing a bottom-up view of our defenses, i.e. understanding how our detection stack fares when faced with the tactics, techniques and procedures of legitimate actors, but it is not a one-stop shop for adversary emulation. As such, this talk will consider the limitations of such an approach, and how other supplementary collaborative testing can offer a more complete view of detective capability.

February 16, 2023

Preparing your IT SOC for OT Network Security Monitoring

Presented by Wesley Lee

OT and IT convergence is here. One of the biggest pushes in OT/ICS is the implementation of better visibility and increased network security monitoring. Whether you have a fully in-house Security Operations Center or a hybrid one augmented with Managed Security Services, you may not have the funding or time to implement a separate OT Security Operations Center dedicated to monitoring your OT environment. This talk will discuss strategies, tactics, people, processes, and lessons learned for effectively integrating your OT NSM program into your IT SOC. It will lay out a flexible roadmap and walk you through the before, during, and after steps that should be taken to integrate your OT NSM program into your IT SOC, and how to integrate, mature, respond with, and measure your OT NSM program within your IT SOC without losing focus on the critical aspects of OT NSM monitoring within your organization.