Agenda Fal.Con

AGENDA AT A GLANCE

With a jam-packed agenda of keynotes and over 70 learning sessions, you’ll be sure to leave feeling inspired, driven, and prepared to outperform adversaries. Download the Fal.Con UNITE 2019 Agenda Overview.

Monday
November 4th

Bayview Foyer

7:00am - 6:00pm
Registration Open

Pavillion

6:00pm - 8:00pm
Partner Showcase & Welcome Reception

Tuesday
November 5th

Bayview Foyer

7:00am - 5:15pm
Registration Open

Pavillion

7:00am - 8:00am
Breakfast

Grande Ballroom

8:00am - 11:20am
General Session

  • Hear from the following speakers:
  • George Kurtz, CEO & Co-Founder, CrowdStrike
  • Shawn Henry, Chief Security Officer, CrowdStrike
  • Brian Krebs, Leading Cybercrime Journalist & New York Times Bestselling Author of “Spam Nation”
  • Roxanne Austin, President & CEO, Austin Investment Advisors
  • Earvin "Magic" Johnson, Chairman and CEO of Magic Johnson Enterprises and NBA Hall of Famer

11:20am - 11:40am
Break

Harbor Island 2

11:40am - 12:20pm
Phishing Emails and Web Exploits: Attack Scenario

  • Phishing emails and web exploits are prevalent modes of attack encountered by all organizations. This session examines artifacts related to them, such as drive-by downloads, and focuses on telling the story with events, triage methods and scoping the campaign. Learn what data a host search, and process and host timelines, can provide and how to efficiently acquire that data. You will also learn how to navigate from a detection to an event search (Splunk) and the additional data it provides.
  • Ken Warren, Manager Training Delivery, CrowdStrike

Harbor Island 3

11:40am - 12:20pm
Applying the Lessons of a Formula One™ Team to the World of Cybersecurity — With Mercedes-AMG Petronas Motorsport

  • Formula 1™ racing is renowned for its fast pace and excitement, with live broadcasts drawing a global audience of over 490 million. It is also a sport that involves significant risk, demanding continuous innovation, teamwork and strategy. This session provides insight into the world of F1™ and the unique security challenges facing the current World Champions. Mercedes-AMG Petronas Motorsport will share how the lessons they’ve learned can be applied to all organizations, increasing your ability to defend against today’s sophisticated and evolving threats.
  • Zeki Turedi, Technology Strategist, CrowdStrike & Matt Harris, Head of IT for Mercedes-AMG Petronas Motorsport

Nautilus 1 / 2

11:40am - 12:20pm
Taming the Falcon: A Guide to the New Features You Might Have Missed

  • CrowdStrike wants you to experience the full benefits of your Falcon platform deployment. Toward that end, this session features the CrowdStrike Product Management team taking you on a deep-dive into many of the new Falcon features and capabilities you may have missed. Learn key tips and tricks that will help you take advantage of all the powerful Falcon platform has to offer.
  • Brian Trombley, Senior Director of Product Management, CrowdStrike & Spencer Parker, Director of Product Management, CrowdStrike

Nautilus 4

11:40am - 12:20pm
MacOS Incident Response: Lessons from the Front Lines

  • The macOS platform continues to gain adoption in organizations of all sizes, which means macOS threats are also becoming more prevalent. This session will delve into the threats and adversaries targeting macOS environments and the artifacts CrowdStrike Services uses and has developed to aid in investigating incidents and determining their root causes. This session will also include a case study demonstrating how these artifacts can improve detection and prevention and speed post-compromise recovery.
  • Jai Musunuri, Principal Consultant & Erik Martin, Principal Consultant, CrowdStrike

Belaire Ballroom South

11:40am - 12:20pm
Investigating Cyber Cold Cases

  • Just like cold cases the police encounter, there are cyber cold cases that can linger for years. In this session you will learn a new process for investigating these cyber cold cases. The session will examine several popular malware families and threat actors, including Conficker, FANCY BEAR, ENERGETIC BEAR, Sality and ZeroAccess, and show you how applying the process provides new insights. You’ll also learn the key concepts and technology that will enable you to immediately apply this method to existing cases in your environment.
  • Tillmann Werner, Sr Director of Technical Analysis, CrowdStrike

Belaire Ballroom North

11:40am - 12:20pm
How EDR and Network Detection and Response (NDR) Join Forces to Stop Attacks Faster (Vectra)

  • Today, organizations use multiple sources of data for threat detection and response. While EDR provides a detailed ground-level view of the processes on a host and their interactions, NDR offers an aerial view of the interactions on all devices whether EDR is running on them or not. In this session, learn how a customer benefited by leveraging CrowdStrike EDR and Vectra Cognito together. There will also be an open discussion about integrating threat detections from EDR and NDR to make tools like SIEMs more powerful. Partner: Vectra
  • Marcus Hartwig, Product Marketing Manager, Vectra AI, Inc. & John Shaffer, CIO, Greenhill & Co., Inc.

Fairbanks A/B

11:40am - 12:20pm
Intel Ninja Skills: How to Become a Falcon Intel Master

  • This session focuses on the value of contextualized intelligence delivered via the Falcon platform and shows you how you can use it to mature your organization’s intelligence efforts. It includes an overview of Falcon Intelligence elements and shows you how to pivot from a data point to related information. You will also learn the use of intelligence doctrine and frameworks to help you accelerate your organization’s intel maturity.
  • David Morgan, Principal Instructor and Curriculum Developer, CrowdStrike

Fairbanks C/D

11:40am - 12:20pm
Hyatt Hotel’s Security Transformation – Network to the Endpoint (Zscaler)

  • This session features Hyatt Hotel Corporation VP and CISO Benjamin Vaughn sharing his experience in delivering a network-to-endpoint security transformation with CrowdStrike and Zscaler. Learn how Zscaler’s cloud-native, multi-tenant network security platform integrated with the CrowdStrike Falcon platform to secure Hyatt’s cloud-first mobile enterprise against zero-day and advanced threats, across all users, everywhere. Partner: Zscaler
  • Punit Minocha, SVP Corporate Business Development, Zscaler & Benjamin Vaughn, VP & CISO, Hyatt Hotels Corporation

Point Loma A/B

11:40am - 12:20pm
Real Time Response (RTR) for Forensics and Hunting

  • This session will cover RTR use cases, beginning with basic examples and building to more advanced uses. Based on observations by the CrowdStrike Services team in customer environments, attendees will learn how RTR was used against real malware, including building run-books to remediate common threats. The session will conclude with a demonstration and discussion of triage forensics using RTR and free tools.
  • Jim Miller, Senior Consultant, CrowdStrike

Coronado B

11:40am - 12:20pm
Practical Application Whitelisting (Airlock Digital)

  • Application whitelisting has been around a long time and the security benefits are well known. However, it is regularly dismissed as being too difficult to implement, especially on user-facing endpoints. This session will dive into the challenges of application whitelisting, offer tips and tricks to increase the success of your deployments, and demonstrate how EDR solutions and application whitelisting go hand in hand. You will also hear customer case studies demonstrating why application whitelisting is a must-have strategy. Partner: Airlock Digital
  • David Cottingham, Co-Founder, Airlock Digital

Pavillion and Bayview Lawn

12:20pm - 1:50pm
Lunch & Partner Expo

  • Join CrowdStrike and our partner sponsors at the Welcome Reception to kick off Fal.Con UNITE 2019!! Network with your peers and learn more about how CrowdStrike partners with other security providers to offer you integrated solutions that keep your environment secure. Don’t forget to scan the QR code at partner booths to be entered into the raffle for prizes.

Harbor Island 2

1:50pm - 2:30pm
Falcon and the MITRE ATT&CK Framework, Better Together

  • The security community is quickly adopting MITRE’s ATT&CK matrix as a framework for understanding and analyzing targeted intrusions. Did you know that CrowdStrike has integrated MITRE ATT&CK for Enterprise into Falcon? This gives the analyst quick access to MITRE’s technical information, providing immediate context for the detection along with details on the specific tactics and techniques the adversary is using against them. This session will explore this integration and how it can significantly reduce your time to respond.
  • Ken Warren, Manager Training Delivery, CrowdStrike

Harbor Island 3

1:50pm - 2:30pm
WIZARD SPIDER: A Peek Inside Adversary Operations

  • This presentation will detail the infrastructure and components that comprise the TrickBot Banking Trojan system currently used by WIZARD SPIDER. A brief historical overview of the banking malware and the different systems that assist the actors in achieving account takeover (ATO) activities will be covered. Please refrain from recording or taking photographs of the slides during this presentation to protect sensitive sources.
  • Paul Burbage, Sr. Security Researcher, CrowdStrike

Nautilus 1/2

1:50pm - 2:30pm
Executive Intelligence Briefing: State of Cybersecurity

  • This executive session will discuss the current threat landscape and how executives can keep their companies safe.
  • Adam Meyers, VP, Intelligence, CrowdStrike

Nautilus 4

1:50pm - 2:30pm
IT Asset Management and the Importance of Hygiene in Cybersecurity

  • Cyber hygiene refers to the proper maintenance and basic protection organizations need to defend against cyberattacks. IT asset management and cyber hygiene typically involve basic practices such as knowing what assets are on the network and their configuration, the applications installed, password policies and user privileges. This session will show you how the CrowdStrike Falcon platform helps you adhere to these practices and solve a wide range of cyber hygiene use cases to better protect your organization.
  • Mike Sentonas, VP Technology Strategy, CrowdStrike

Belaire Ballroom South

1:50pm - 2:30pm
Using FalconX Threat Intelligence to Protect IoT: Scripps Research Case Study (ThreatSTOP)

  • The same threat intelligence that’s part of the Falcon platform can be redeployed to protect vulnerable IoT devices using the ThreatSTOP service. This session describes how this system works and includes a case study of an attack against The Scripps Research Institute (TSRI), an elite biotech research center that is a prime target for nation-state and other cyberattacks. The case study includes the sequence of events from the FBI's knock on the door, through CrowdStrike Falcon’s protection of endpoints, and finally the IoT defense. Partner: ThreatSTOP
  • Tom Byrnes, Founder & CEO, ThreatSTOP, Paul Mockapetris, Chief Scientist, ThreatSTOP & Cary Thomas, The Scripps Research Institute Former CIO

Belaire Ballroom North

1:50pm - 2:30pm
Customer Case Study: Real-life Threat Protection from Endpoints to the Cloud (Netskope)

  • The traditional network perimeter is dissolving and now there are more users, endpoints, applications and data outside the enterprise than inside it. Securely enabling the enterprise in a cloud-first world means securing users and their devices wherever they are. This session explains the risks in cloud applications' synch and share functionality and shows you, via a customer case study, how Netskope and CrowdStrike reduce attack surfaces by sharing forensic information between endpoints and the cloud in near real time. Partner: Netskope
  • Bob Gilbert, VP Chief Evangelist, Netskope & Colin Chisholm, Principal Security Architect, Zebra Technologies

Fairbanks A/B

1:50pm - 2:30pm
Mapping Active Directory Using BloodHound: Blue Team Edition

  • BloodHound is an Active Directory (AD) enumeration and analysis tool used by attackers (red team) to identify complex attack paths, which could not otherwise be identified. As defenders, the blue team can control their organization’s AD environment, but they need to know its current state. This session will show you how the blue team leverages BloodHound to improve the security posture of AD and how both the red and blue teams can utilize it to model changes in AD.
  • Nick Bindeman, Consultant, CrowdStrike & Ian Barton, Consultant, CrowdStrike

Fairbanks C/D

1:50pm - 2:30pm
Advice From the Frontlines: How to Leverage Falcon as an Asset When Navigating GDPR, CCPA, and Works Councils

  • CrowdStrike’s customers are global, yet many face common compliance challenges. Whether requirements come from data protection regulations such as GDPR and CCPA or codetermination arrangements with Works Councils, implementing state-of-the-art solutions should be viewed as a compliance asset rather than an impediment. This session will provide an overview of many of the cybersecurity requirements currently imposed on organizations. You will also receive practical advice on how to identify key stakeholders to successfully navigate data protection laws and implement cloud-based solutions such as the CrowdStrike Falcon platform.
  • Drew Bagley, VP & Counsel, Privacy and Cyber Policy, CrowdStrike & Chris Meidinger, Sales Engineering Manager, CrowdStrike

Point Loma A/B

1:50pm - 2:30pm
What's In A Name: Tracking The Development of A1Lock Ransomware

  • A1Lock is a sophisticated ransomware family that has been under development since December 2016, with at least six distinct versions. Although the author of A1Lock was not experienced in cryptography and ransomware development, he eventually learned from prior mistakes and the ransomware became more effective. This session examines how CrowdStrike reverse engineered the malware to understand its origins and the incremental developments that made the ransomware successful. It will also provide attribution for the potential author and criminal users.
  • Brett Stone-Gross, Manager e-Crime, CrowdStrike

Coronado B

1:50pm - 2:30pm
The Next Speed Supremacy Battle: Breaking the 24/72 Endpoint Hardening Threshold (Automox)

  • The endpoint security revolution didn’t end with cloud-native EDR; in fact, it’s only just begun. Tackling unacceptable dwell times was the first challenge; radically compressing exposure time through endpoint hardening — expressed as MTTH (mean time to harden) — is next. This session will discuss why modern tooling and deployment approaches are required to compress exposure time within acceptable tolerance for operational risk, and how cloud-native cyber hygiene can make your CrowdStrike investment even more effective and efficient. Partner: Automox
  • Jay Prassl, CEO, Automox

Harbor Island 2

2:40pm - 3:20pm
Applying the Lessons of a Formula One™ Team to the World of Cybersecurity — With Mercedes-AMG Petronas Motorsport

  • Formula 1™ racing is renowned for its fast pace and excitement, with live broadcasts drawing a global audience of over 490 million. It is also a sport that involves significant risk, demanding continuous innovation, teamwork and strategy. This session provides insight into the world of F1™ and the unique security challenges facing the current World Champions. Mercedes-AMG Petronas Motorsport will share how the lessons they’ve learned can be applied to all organizations, increasing your ability to defend against today’s sophisticated and evolving threats.
  • Zeki Turedi, Technology Strategist, CrowdStrike & Matt Harris, Head of IT for Mercedes-AMG Petronas Motorsport

Harbor Island 3

2:40pm - 3:20pm
Through the Eyes of the Adversary: The Synthesis of Threat Intelligence & Threat Hunting Operations

  • The ability of cybersecurity professionals to see their organizations through the eyes of the adversary is crucial. This session helps security professionals achieve that point of view and leverage it to help you build and deploy your own threat intelligence and threat hunting programs. By adding these capabilities to your organization’s security stack, you’ll have the capacity to not only defend against adversarial malware and TTPs, but also gain invaluable insights into their strategies and ingenuity.
  • Jen Ayers, VP, OverWatch and Security Response, CrowdStrike & Jason Rivera, Director, Global Threat Intelligence Advisors, CrowdStrike

Nautilus 1/2

2:40pm - 3:20pm
Falcon and Splunk 101

  • Are you new to Falcon? Are you new to Splunk? Or are you a “Splunk Ninja” who just needs to get rolling in Falcon? This session is for you! It covers not only how data is organized in Falcon but also explores several basic and advanced queries. Learn how to perform basic searches in Falcon Event Data and understand data relationships. You will also receive a handout of basic and advanced commands you can use in your organization.
  • David Morgan, Principal Instructor, CrowdStrike

Nautilus 4

2:40pm - 3:20pm
WIZARD SPIDER: A Peek Inside Adversary Operations

  • This presentation will detail the infrastructure and components that comprise the TrickBot Banking Trojan system currently used by WIZARD SPIDER. A brief historical overview of the banking malware and the different systems that assist the actors in achieving account takeover (ATO) activities will be covered. Please refrain from recording or taking photographs of the slides during this presentation to protect sensitive sources.
  • Paul Burbage, Sr. Security Researcher, CrowdStrike

Belaire Ballroom South

2:40pm - 3:20pm
Knowing Normal: How Understanding Your Network Can Save Your Bacon

  • “Why didn’t we see it?” is a question that is often asked in the aftermath of a breach. The answer frequently lies in the ability of an organization to identify anomalous activities in their environments. This requires knowing what “normal” is. Using stories from the trenches, this session will demonstrate how understanding what normal looks like on endpoints can dramatically shorten time to detection and possibly save your organization from total annihilation.
  • Shelly Giesbrecht, Principal Consultant, CrowdStrike

Belaire Ballroom North

2:40pm - 3:20pm
Building Security Best Practices with AWS and CrowdStrike (AWS)

  • This session features a presenter from Amazon Web Services (AWS) who will discuss the advantages of the cloud and the use cases that can power customers’ infrastructure, making them more agile, while lowering costs. Learn about the Shared Security Responsibility Model and the balance of cloud security between AWS and customers, and how partners such as CrowdStrike can drive additional value-add to solve customer challenges. The session includes technical use cases on the integrations CrowdStrike has with AWS that help drive enterprise customer adoption. Partner: AWS
  • Scott Ward, Principal Solutions Architect, AWS

Fairbanks A/B

2:40pm - 3:20pm
Optimizing Threat Intelligence: A Falcon X Premium Elite Customer Case Study

  • Effectively optimizing threat intelligence requires knowing your organization, your network environment, the adversaries that may target you and what influences each of them. This knowledge helps ensure the heightened level of situational awareness crucial to effective intelligence consumption and production and ultimately leads to a more secure organization. This session shows you how CrowdStrike’s new Falcon X Elite program can help you maximize the value of your threat intelligence investment by becoming a more focused and effective intelligence consumer.
  • Matt Miller, Sr. Intelligence Analyst, CrowdStrike & Eric Jackson, Information Security Intelligence Analyst, Bayer

Fairbanks C/D

2:40pm - 3:20pm
Achieve Application Visibility, Control & Protection with TrueFort & CrowdStrike (TrueFort)

  • Applications are the lifeblood of business, and securing them in hybrid/multi-cloud environments is essential but challenging. Unfortunately, configuration snapshots of intent and their connection to production reality remain a major disconnect for most organizations today. This session will show how organizations are employing real-time visibility, monitoring and analytics from CrowdStrike Store Partner, TrueFort, to gain full-stack cloud workload protection leveraging their existing CrowdStrike investments without deploying additional agents. Partner: TrueFort
  • Sameer Malhotra, CEO & Founder, TrueFort

Point Loma A/B

2:40pm - 3:20pm
Deep Visibility into Mobile Malware Samples with Falcon for Mobile

  • This session offers a brief overview of Falcon for Mobile and then delves into its current EDR capabilities and provides practical examples of data exfiltration mechanisms and logging capabilities. The session will also demonstrate Falcon for Mobile’s visibility into malware samples on Android and offer an exploit/malware case study on iOS. You’ll also receive a preview of new features and functionality being added to this solution.
  • Spencer Parker, Director of Product Management, CrowdStrike & Matilde Stefanini, Engineering Manager, CrowdStrike

Coronado B

2:40pm - 3:20pm
A Security Strategy for Container Orchestration Systems

  • Emerging technologies such as container orchestration systems demand a well-formed security strategy to ensure protection. This session will explain how CrowdStrike's security strategy applies to container orchestration systems that are new and still being developed. The session will present an overview of the security strategy and the type of threats orchestration systems face and then focus on applying the strategy criteria to the current suite of container security solutions. You will also learn how CrowdStrike can help stop breaches, even in containers.
  • Wes Widner, Engineering Manager, CrowdStrike

Bayview Lawn & Catalina Room

3:20pm - 3:35pm
Refreshment Break

Harbor Island 2

3:35pm - 4:15pm
Tales from the Crypt: Case Studies in Ransomware

  • Ransomware continues to plague organizations of all sizes. This session will discuss some of today’s most fascinating ransomware case studies, highlighting the threat actors involved and the impact attacks had on victim organizations. You’ll learn the tactics, techniques and procedures (TTPs) of specific threat groups, why legacy AV continues to fail, and leave with an understanding of why ransomware is preventable and an IR plan is essential. Case study names will be anonymized to protect client interests.
  • Mark Grasso, Sr Consultant, CrowdStrike & Josh Dalman, Principal Consultant, CrowdStrike

Harbor Island 3

3:35pm - 4:15pm
Getting the Most out of Real Time Response (RTR)

  • Real Time Response is a feature of Falcon Insight that gives incident responders deep access to systems across the distributed enterprise. This session will focus on getting the most out of the features of RTR accessed via the Falcon platform UI. Attendees will learn basic permission levels, basic and advanced commands, and running executables and scripts. You will also learn which commands yield what information and the potential impact of risky commands.
  • Ken Warren, Manager Training Delivery, CrowdStrike

Nautilus 1/2

3:35pm - 4:15pm
Building Custom Indicators of Attack (IOAs): Practical Advice and Real-Life Examples

  • The Falcon platform now offers the ability to define custom behavioral IOAs that allow you to detect or prevent not just static indicators of compromise (IOCs) but complex behavioral patterns. This session will help you create your own alerting and blocking ability by introducing short, relevant regular expressions and showing you how to test these patterns in Event Search. You will also learn how to detect and block activity across multiple processes in a process tree using real-world examples of custom IOAs.
  • Adam Hogan, Sales Engineering Manager, CrowdStrike

Nautilus 4

3:35pm - 4:15pm
Security Cost vs. Benefit - A Shifting Paradigm

  • Security leaders are constantly asked to balance their security programs against a cost vs. benefit calculation. The availability of cyber insurance shifted this balance for many organizations. However, recent regulatory fines are moving the pendulum back toward more substantial security investments. This session will delve into what cyber insurance typically covers, the upcoming regulations and their potential impact, and the critical considerations you should be aware of as you plan your security program going forward.
  • Adam Cottini, Director Business Development, CrowdStrike & Justin Weissert, Senior Director, Services, CrowdStrike

Belaire Ballroom South

3:35pm - 4:15pm
Automate Incident Response at Machine Speed with Splunk and CrowdStrike (Splunk)

  • Security analysts are being pressured to shorten their incident response times and meet the 1-10-60 challenge, but they lack guidance and best practices on how to accomplish that. This session will demonstrate how to leverage Splunk Phantom, the leading SOAR (security orchestration, automation and response) platform, with the CrowdStrike Falcon API to automate and orchestrate playbooks for fast and effective response and the mitigation of threats across your enterprise. Partner: Splunk
  • Wissam Ali-Ahmad, Lead Solutions Architect, Splunk Global Strategic Alliances & Tim Sullivan, Global Senior Strategic Solutions Architect, CrowdStrike

Belaire Ballroom North

3:35pm - 4:15pm
Secureworks, CrowdStrike, and Dell: Elevating Detection and Response Capabilities (Dell and Secureworks)

  • An increase in threats, larger attack surfaces, manual processes, disparate tools and a lack of staff continue to be core security operations challenges for organizations. These challenges come amidst a heightened need for businesses to improve detection and response capabilities. In this session you’ll learn the details on solutions from Secureworks, CrowdStrike and Dell and how they have partnered together to meet these challenges. Learn how their combined approach helps you achieve exceptional security outcomes by elevating detection and response capabilities. Partner: Dell and Secureworks
  • Joakim Lialias, Director of Portfolio Marketing, Secureworks & Alex Herd, Endpoint Product and Alliance Manager, Secureworks

Fairbanks A/B

3:35pm - 4:15pm
Operationalizing the CrowdStrike Platform - Verizon Case Study

  • This session features the Verizon case study and the operational role of this organization as it successfully implemented and maintains the Falcon platform. This session will also cover the process Verizon used to choose the Falcon platform, perform a successful POC to prepare for rollout, deploy the agent across the enterprise, create the operational model for support, and maintain the platform.
  • Glenn Hellriegel, Sr. Manager Digital Workspace, Verizon

Fairbanks C/D

3:35pm - 4:15pm
Et Tu, Voicemail? The Emerging Threat of Encrypted Messaging Compromise

  • Today, people from all walks of life, including key leaders, are looking to expand communication methods such as phone calls and emails to popular apps like WhatsApp and are relying on the promise of encryption to protect them. However, compromising communications doesn’t need to rely on breaking encryption; it can be accomplished by breaking the device or its authentication. This session shares research and real-world examples of how actors are exploiting voicemail or SIM swapping as a method for defeating authentication and compromising a WhatsApp, Telegram, or Signal account.
  • Pablo Brum, Manager, Intelligence Analysis Cell, CrowdStrike

Point Loma A/B

3:35pm - 4:15pm
Finding and Remediating Vulnerabilities with Falcon Spotlight and Insight

  • This session shows you how Falcon Spotlight can proactively reduce your attack surface and minimize the impact of your next incident. First, the CrowdStrike product team will demonstrate the latest release of Spotlight and share the future roadmap. Then, the CrowdStrike Services team will demonstrate how Real Time Response (RTR) can be used in conjunction with Falcon Spotlight to quickly remediate vulnerabilities.
  • Hamilton Yang, Sr. Product Manager, CrowdStrike & Yinan Yang, Principal Consultant, CrowdStrike

Coronado B

3:35pm - 4:15pm
The Importance of Network Contextual Information and Mitigating Controls in Prioritizing Vulnerabilities

  • This session will go through a detailed anatomy of a real-world hack to demonstrate the importance of network contextual information and mitigating controls. Attendees will learn where the information comes from, what controls are at the network and endpoint levels and how these controls relate to vulnerabilities, ports and protocols. In discussing the real-world hack, this session will delve into the kill-chain, the mitigating controls that could have prevented the hack, and how to combine endpoint and network security information and vulnerabilities to prioritize remedial actions.
  • Michelangelo Sidagni, CTO, NopSec

Harbor Island 2

4:25pm - 5:05pm
Emotet’s Summer Vacation: What Malware Falcon Complete Saw Filling the Gaps and How to Fix Them

  • In the Summer of 2019, Emotet operations suddenly halted, leaving a significant void in the malware landscape. While speculation mounted on whether MUMMY SPIDER, the adversary associated with Emotet, was taking a vacation or using this time to re-tool, TrickBot and other malware rushed in to fill the void. This session offers an analysis of the artifacts left behind by these malware variants and shows you how the Falcon Complete team remediates systems that have been infected, preventing further compromise.
  • Ryan Campbell, Analyst Falcon Complete, CrowdStrike

Harbor Island 3

4:25pm - 5:05pm
Taming the Falcon: A Guide to the New Features You Might Have Missed

  • CrowdStrike wants you to experience the full benefits of your Falcon platform deployment. Toward that end, this session features the CrowdStrike Product Management team taking you on a deep-dive into many of the new Falcon features and capabilities you may have missed. Learn key tips and tricks that will help you take advantage of all the powerful Falcon platform has to offer.
  • Brian Trombley, Senior Director of Product Management, CrowdStrike & Spencer Parker, Director of Product Management, CrowdStrike

Nautilus 1 / 2

4:25pm - 5:05pm
Let APIs Do the Work for You: A Guide to Key Automations With the CrowdStrike Platform

  • This session focuses on three powerful automations that can be achieved via CrowdStrike APIs, including Detections, Real Time Response (RTR) and Falcon X. The session will include use cases with live demonstrations for each of the APIs. You will also receive a briefing on what to expect from these APIs in the future.
  • Prashant Jain, Director of Product Management, CrowdStrike & Rekha Das, Sr. Product Manager, CrowdStrike

Nautilus 4

4:25pm - 5:05pm
Using Custom Indicators of Attack (IOA) Rules in the Falcon Platform

  • This session will cover best practices and implementation of custom indicator of attack (IOA) rules within Falcon. Custom IOAs are a feature recently added to the platform. You’ll learn what this new feature is, the use cases for Custom IOAs, and how to implement basic rules. The session also covers best practices and risks involved in Custom IOA use.
  • David Morgan, Principal Instructor, CrowdStrike

Belaire Ballroom South

4:25pm - 5:05pm
Phishing Emails and Web Exploits: Attack Scenario

  • Phishing emails and web exploits are prevalent modes of attack encountered by all organizations. This session examines artifacts related to them, such as drive-by downloads, and focuses on telling the story with events, triage methods and scoping the campaign. Learn what data a host search, and process and host timelines, can provide and how to efficiently acquire that data. You will also learn how to navigate from a detection to an event search (Splunk) and the additional data it provides.
  • Ken Warren, Manager Training Delivery, CrowdStrike

Belaire Ballroom North

4:25pm - 5:05pm
Mapping Active Directory Using BloodHound: Blue Team Edition

  • BloodHound is an Active Directory (AD) enumeration and analysis tool used by attackers (red team) to identify complex attack paths, which could not otherwise be identified. As defenders, the blue team can control their organization’s AD environment, but they need to know its current state. This session will show you how the blue team leverages BloodHound to improve the security posture of AD and how both the red and blue teams can utilize it to model changes in AD.
  • Nick Bindeman, Professional Services Consultant, CrowdStrike & Ian Barton, Senior Consultant, CrowdStrike

Fairbanks A/B

4:25pm - 5:05pm
From Commodity Malware To Big Game Hunting: How Targeted Ransomware Became a Highly Profitable Criminal Enterprise

  • Targeted ransomware attacks have evolved into a highly profitable criminal business known as “Big Game Hunting.” Typically launched using penetration testing tools and tactics, and driven by hands-on-keyboard operators, these attacks demand millions in ransom and can cripple an organization. This session presents CrowdStrike research into the malware, operations, and actors behind big game hunting. Through malware reverse-engineering, code attribution, and stories from incident response investigations, you’ll receive a comprehensive analysis of this threat as well as actionable takeaways to mitigate risk.
  • Sergei Frankoff, Sr. Security Researcher, CrowdStrike & Bex Hartley, Deputy Manager, eCrime, CrowdStrike

Fairbanks C/D

4:25pm - 5:05pm
Riding Through a Red Team Exercise with Expel and CrowdStrike (Expel)

  • CrowdStrike helps organizations track, investigate and remediate intrusions via red team exercises. This session features CrowdStrike and Expel as they discuss how they worked with a joint customer’s security team to track a red team through their environment from the enterprise to the cloud. During this session, you’ll learn the details of the red team engagement and how CrowdStrike helped enable Expel and the customer to track, investigate and remediate the intrusion activity as it was happening. Partner: Expel
  • Peter Silberman, Chief Technology Officer, Expel & Tyler Fornes, Senior Detection and Response Analyst, Expel

Point Loma A/B

4:25pm - 5:05pm
Achieving Fully Automated Investigations With Falcon X

  • While technology and alerting capabilities have improved, investigations and intelligence still remain slow manual processes. Flagging suspicious events isn’t enough — organizations need a way to automate these processes to save time and resources. This session shows you how the CrowdStrike Falcon X tool solves these challenges by giving investigators, intel professionals and decision-makers the information needed to triage, prioritize and investigate effectively. Learn how to better understand who is behind an attack, respond effectively and optimize your defenses against future attacks.
  • Matt Russell, Threat Intel Advisor, CrowdStrike

Special Location Announced Soon

7:00pm - 10:00pm
Fal.Con UNITE Party

  • Fal.Con UNITE Party on the USS Midway. Buses leave beginning at 6:30 PM.

Wednesday
November 6th

Bayview Foyer

7:00am - 12:00pm
Registration Open

Pavillion

7:00am - 8:30am
Breakfast

Grande Ballroom

8:30am - 10:45am
General Session

  • Come hear from the following speakers:
  • Dmitri Alperovitch, CTO & Co-Founder, CrowdStrike
  • Dan Ariely, James B. Duke Professor of Psychology and Behavioral Economics at Duke University and a founding member of the Center for Advanced Hindsight
  • Caitlin Conley, Executive Director (now former) for the Defending Digital Democracy Project

Harbor Island 1

11:00am - 11:40am
Insights from Falcon OverWatch: Hunting in Today's Threat Landscape

  • Global intrusion activity remains high, but improvements in monitoring/detection capabilities now provide threat hunters with unprecedented visibility. Yet, managing the rapid increase in breaches and large volumes of intrusion data remains challenging. This session provides insight into the Falcon OverWatch team’s approach to these problems and offers recommendations, including how to capture relevant takeaways from an intrusion to create hunting leads, and how to build threat assessments with robust context. The session also includes findings from the 2019 OverWatch Mid-Year Report.
  • Karl Scheuerman, Sr. Strategic Intrusion Analyst, CrowdStrike

Harbor Island 2

11:00am - 11:40am
CrowdScore: Get in the Driver's Seat

  • This session is aimed at SOC managers and practitioners and offers an overview of CrowdStrike’s new solution, CrowdScore. Learn why CrowdStrike built CrowdScore and the problems it helps you solve. Receive a step-by-step walkthrough of CrowdScore and learn how you can incorporate it into your existing SOC workflows. The session will also discuss how to balance CrowdScore with your existing detection-based workflows, as well as offer insight into how this solution is expected to evolve.
  • Dan Brown, Principal Detection Architect, CrowdStrike & Brian Trombley, Senior Director, Product Management

Harbor Island 3

11:00am - 11:40am
Stop the Madness: Performing Enterprise Incident Response with CrowdStrike Services

  • Incident response (IR) is a critical service given today’s treacherous threat landscape, but not all IR is alike. This session offers a deep dive into IR, including its history, how it has been performed over the years, the challenges of performing IR on a large scale, and the strategies and tools CrowdStrike Services employs to solve these problems. You’ll also learn what to look for in an IR vendor and the advantages of CrowdStrike methodology compared to other approaches.
  • Tim Parisi, Director of Services, CrowdStrike & Jai Musunuri, Professional Services Principal, CrowdStrike

Nautilus 1 / 2

11:00am - 11:40am
Hunting with Falcon

  • Are you familiar with event searching in Falcon but want to explore more advanced queries to expand your threat hunting capabilities? This session focuses on a few useful queries that form the basis of many successful hunting activities. Attendees will leave with an understanding of how to perform basic frequency and time-based analysis in Splunk, and how to find suspicious outliers and properly sequence events. You will also receive a guide with many useful queries you can put to immediate use in your own environment.
  • David Morgan, Principal Instructor, CrowdStrike

Belaire Ballroom South

11:00am - 11:40am
The Confidence Game: How Attackers Exploit People and How to Stop Them (Proofpoint)

  • The vast majority of malware is human-activated, and phishing and social engineering attacks are how most organizations get compromised. However, organizations are often unaware that some members of their workforces receive large volumes of sophisticated and targeted threats — these very attacked people, or “VAPs,” are inadvertently a big risk for organizations. This session will explain how to identify VAPs, how to protect them and how to leverage data to better understand your adversaries. You will also learn how Proofpoint integrates with CrowdStrike to ensure people-centric threat intelligence. Partner: Proofpoint
    In this session, you will:
    • Learn how to identify who’s being attacked in your organization, and how to protect them better
    • Discuss how to leverage data to better understand your adversaries
    • Learn how Proofpoint integrates with CrowdStrike to ensure that your endpoints benefit from people-centric threat intelligence
  • Ryan Kalember, Executive Vice President, Cybersecurity Strategy, Proofpoint

Belaire Ballroom North

11:00am - 11:40am
Getting the Most out of Real Time Response (RTR)

  • Real Time Response is a feature of Falcon Insight that gives incident responders deep access to systems across the distributed enterprise. This session will focus on getting the most out of the features of RTR accessed via the Falcon platform UI. Attendees will learn basic permission levels, basic and advanced commands, and running executables and scripts. You will also learn which commands yield what information and the potential impact of risky commands.
  • Ken Warren, Manager Training Delivery, CrowdStrike

Fairbanks A/B

11:00am - 11:40am
Doxxing Kittens: Assessing Origins and Impact of Leaks on Iranian Cyber Operations

  • In the spring of 2019, several KITTEN adversaries were the subject of an unprecedented wave of leaks targeting government, aviation and telecommunications sectors on a global scale that exposed operator identities, infrastructure, tooling, campaigns and internal documents. This session will focus on the origins and motivations for these leaks, as well as the material revealed and its impact on adversary behavior. It will also highlight the CrowdStrike Intelligence response, which leveraged linguistic, technical and geopolitical expertise to quickly and efficiently evaluate a complex set of data for customers.
  • Charlie Cullen, Intelligence Analyst, CrowdStrike & Hannah Maleki, Sr. Security Researcher, CrowdStrike

Fairbanks C/D

11:00am - 11:40am
Protecting Industrial Control Systems (ICS) – Making the right choices in a complex environment (Dragos)

  • Industrial control systems (ICS) are the lifeblood of essential services; however, the differences between ICS environments and traditional enterprise environments pose challenges that increase business risk due to operational safety and disruptions. In addition, adversary attacks targeting ICS are getting more sophisticated and frequent. This session from Dragos, a CrowdStrike Store partner, explains what ICS is and covers the industrial threat landscape, the differences between ICS security and traditional infosec, industry trends, lessons learned, and suggestions on the required skills and tooling for solving these challenges. Partner: Dragos
  • Matt Cowell, Director of Business Development, Dragos

Point Loma A/B

11:00am - 11:40am
Smooth Operators: VELVET CHOLLIMA from Korean Nuclear to US Academia

  • This session looks at a decade of activity by VELVET CHOLLIMA, an adversary that has operated under the radar for many years. Recently, this actor’s tempo of operations has increased and CrowdStrike has stopped breaches for several customers. This session will examine the VELVET CHOLLIMA adversary, their targets, tool development and relevant malware threats, and show you how to spot and stop them.
  • Harley Halsey, Sr. Intelligence Analyst, CrowdStrike & Paul Moon, Principal Security Researcher, CrowdStrike

Coronado B

11:00am - 11:40am
How Social Media Endpoint Protection Can Help CrowdStrike Customers Detect and Stop APTs (SafeGuard Cyber)

  • Organizations have moved critical operations such as customer service, sales, marketing and recruiting to social media. Nation-state and other bad actors now exploit social media to infiltrate governments and private enterprises to steal IP. We will cover how APT risks have evolved, how social infiltration works, and how it can be stopped with new digital endpoint technology to protect against data loss, insider threats, VIP exposure and brand damage.
  • Otavio Freire, President, CEO and Co-Founder, SafeGuard Cyber & Kevin Walters, VP Product Marketing, SafeGuard Cyber

Harbor Island 2

11:50am - 12:30pm
CrowdScore: Get in the Driver's Seat

  • This session is aimed at SOC managers and practitioners and offers an overview of CrowdStrike’s new solution, CrowdScore. Learn why CrowdStrike built CrowdScore and the problems it helps you solve. Receive a step-by-step walkthrough of CrowdScore and learn how you can incorporate it into your existing SOC workflows. The session will also discuss how to balance CrowdScore with your existing detection-based workflows, as well as offer insight into how this solution is expected to evolve.
  • Dan Brown, Principal Detection Architect, CrowdStrike & Brian Trombley, Senior Director, Product Management

Harbor Island 3

11:50am - 12:30pm
Intel Ninja Skills: How to Become a Falcon Intel Master

  • This session focuses on the value of contextualized intelligence delivered via the Falcon platform and shows you how you can use it to mature your organization’s intelligence efforts. It includes an overview of Falcon Intelligence elements and shows you how to pivot from a data point to related information. You will also learn the use of intelligence doctrine and frameworks to help you accelerate your organization’s intel maturity.
  • David Morgan, Principal Instructor and Curriculum Developer, CrowdStrike

Nautilus 1 / 2

11:50am - 12:30pm
“TRUST NO ONE THING”: Trust vs Control – Complete Zero Trust

  • Everything old is new again, or so goes the cliché. This presentation will take the attendee through the industry’s “re-discovery” journey of the principles associated with Zero Trust and help them weather the coming tsunami of FUD and marketing hype, while enjoying the security benefits the approach provides. Disappearing perimeters and workloads that are migrating to the cloud necessitate a change. Complete Zero Trust might be the way forward. The speaker will discuss “latent” capabilities that exist in most environments and field-proven techniques for exploiting them for the benefit of the organization without the need to purchase more “stuff.”
  • Bryan Fite, Account CISO, BT Security

Nautilus 4

11:50am - 12:30pm
Security Cost vs. Benefit — A Shifting Paradigm

  • Security leaders are constantly asked to balance their security programs against a cost vs. benefit calculation. The availability of cyber insurance shifted this balance for many organizations. However, recent regulatory fines are moving the pendulum back toward more substantial security investments. This session will delve into what cyber insurance typically covers, the upcoming regulations and their potential impact, and the critical considerations you should be aware of as you plan your security program going forward.
  • Adam Cottini, Director of Business Development, CrowdStrike & Justin Weissert, Sr. Director of Services, CrowdStrike

Belaire Ballroom South

11:50am - 12:30pm
Complete Visibility Inside and Outside Your Network With RiskIQ Investigator and CrowdStrike Falcon (RiskIQ)

  • Visibility and context are critical to threat investigations and reducing risk in today’s enterprise. RiskIQ’s Investigator application brings Internet-wide enrichment and context to endpoint interactions, accelerating both incident response and proactive security investigations. In this session, you will learn how the RiskIQ Investigator app and the CrowdStrike Falcon platform work together to dramatically accelerate your threat investigations and reduce your time to remediation. Partner: RiskIQ
  • Brandon Dixon, VP of Product, RiskIQ

Belaire Ballroom North

11:50am - 12:30pm
A Novel Approach to Threat Hunting With Acalvio (Acalvio)

  • Deception technology has been used traditionally to detect and engage threats inside the enterprise network by providing details of the attack activity on the decoys. By combining deception alerts with detailed insight into activity inside the enterprise network and hosts, the attacks can be tracked and hunted into the enterprise network. This session will show you how the threat hunting features in Acalvio ShadowPlex combine these deception incidents with the detailed data and query capabilities of CrowdStrike Threat Graph. Partner: Acalvio
  • Sreenivas Gukal, Chief Product Officer, Acalvio & Raj Gopalakrishna, Chief Product Architect, Acalvio

Fairbanks A/B

11:50am - 12:30pm
Falcon and the MITRE ATT&CK Framework, Better Together

  • The security community is quickly adopting MITRE's ATT&CK matrix as a framework for understanding and analyzing targeted intrusions. Did you know that CrowdStrike has integrated MITRE ATT&CK for Enterprise into Falcon? This provides the analyst with quick access to MITRE’s technical information, giving immediate context to the detection, while providing the analyst access to technical information on the specific tactics and techniques the adversary is using against them. This session will explore this integration and how it can significantly reduce your time to respond.
  • Ken Warren, Manager Training Delivery, CrowdStrike

Pavilion and Bayview Lawn

12:30pm - 1:30pm
Lunch

*Intermediate Training Courses are available on a pre-registered and pre-paid basis. Limited spaces available. Course registration and payment are available through the Fal.Con UNITE event registration process.

Please note - times are subject to change. A final agenda will be provided when you arrive at the conference and through the event mobile app.