3317 - CANCELLED - 'I' Before 'R' Except After 'IOC' - CANCELLED

Wednesday, October 10
1:45 PM - 2:45 PM
Location: Floor 3: Mardi Gras H, G, F

Although the security industry touts indicators of compromise (IOCs) as much-needed intelligence in the war on attackers, not every IOC is valuable enough to trigger an incident response (IR) activity. All too often, the indicators we are provided contain information of varying quality, including expired attribution, dubious origin and incomplete details.

So, how many IOCs are needed before you can confidently declare an incident? Using actual investigations and research, this session will help attendees better understand the true value of an individual IOC, how to quantify and utilize your collected indicators, and what constitutes an actual incident.


Learning Objectives:

Andrew Hay, CISSP

Co-Founder & CTO
LEO Cyber Security

Andrew Hay is an information security industry veteran with close to 20 years of experience as a security practitioner, industry analyst and executive. As the co-founder and chief technology officer for LEO Cyber Security, he is a member of the senior executive leadership team responsible for creating and driving the strategic vision for the company. One of his primary responsibilities is the development and delivery of the company’s comprehensive cybersecurity, digital forensics, incident response, cloud architecture, and advanced research centers of excellence.

