Trellix logo
Trellix Xpand Live
Register Now

September 27-29, 2022 ARIA Hotel & Casino Save the date and start planning to align with our leadership teams to learn our vision for a new kind of cybersecurity and learn more about our innovations in cyber intelligence and XDR architecture.

Trellix CEO
Our CEO on Living Security

Trellix CEO, Bryan Palma, explains the critical need for security that’s always learning.

Gartner Marketplace Guide (XDR)
Gartner® Report: Market Guide for XDR

As per Gartner, "XDR is an emerging technology that can offer improved threat prevention, detection and response."

Trellix Launches Advanced Threat Research Center
Trellix Launches Advanced Research Center

Trellix announced the establishment of the Trellix Advanced Research Center to advance global threat intelligence.

The Threat Report - Summer 2022
Latest Report

Our Summer 2022 threat report details the evolution of Russian cybercrime, research into medical devices and access control systems, and includes analysis of email security trends.

Trellix CEO
Our CEO on Living Security

Trellix CEO, Bryan Palma, explains the critical need for security that’s always learning.

Trellix Xpand Live
Register Now

September 27-29, 2022 ARIA Hotel & Casino Save the date and start planning to align with our leadership teams to learn our vision for a new kind of cybersecurity and learn more about our innovations in cyber intelligence and XDR architecture.

XPand Live 2022 Logo

ARIA Resort & Casino | Las Vegas
September 27-29, 2022

Xpand Live 2022 Logo

September 27-29, 2022
Aria Hotel & Casino

Keynote Speakers

Trellix Xpand LIVE 2022

On January 19th of this year, Trellix was born. Over 40,000 customers of both McAfee Enterprise and FireEye became part of one family – all committed to the same mission: To power a resilient, thriving world.

On September 27-29, at the Aria Hotel in Las Vegas, Trellix Xpand Live will share our vision for a new kind of defense. Cybersecurity that’s alive and embedded, that learns and adapts as fast as threat actors do - and can turn today’s threats into tomorrow’s advantage.

Through compelling keynotes to over 60 sessions of best practices, case studies, technical training, speaker panels, product demonstrations and our Innovation Xpo – you will learn our platform and product roadmap for bringing security to life.

Live Keynotes  |  3 Full Days of Content  |  Final Night Celebration

Discovery Themes

Discovery Themes
SecOps Revolution
Unifying Endpoint
Securing the EcoSystem
Activating Intelligence
#SoulfulWork

Arranged across five key areas of modern security all content of Xpand Live will dig deep, both strategically, and technically.

Select a key area to the left to get started.

Threats have evolved, but security hasn't until now. Learn how XDR will be a key driver for the Security Operations Center (SOC) of the future.

Key use cases, practical guidance, what to expect from XDR and how it makes your SOC more efficient, empowers your security practitioners and analysts, and automates and drives your end-to-end detection and response workflows.

Future-proof your defenses and build resilience with unified endpoint protection.

Accelerate detection and response with the context, visibility, and capabilities to uncover, investigate, and act on threats with increased speed and accuracy. Proactively protect every endpoint, prevent ransomware and other advanced threats, and find how to easily scale and manage all your endpoints.

Get an in-depth look at the most comprehensive set of security controls and control points in the industry all designed to provide you with earlier, better protection across all phases of the attack chain.

Network, Email, Data and Cloud Security learn deployment and operational best practices and use-cases.

Learn the depth and breadth of our visibility, research, and thought leadership in the threat intelligence space.

Whether it's the bad actors we track, specific takedowns of cyber criminals, discovered vulnerabilities — we will share how research and innovations make it from the lab and into our products.

The cybersecurity industry is seeking 2.72 million professionals, and that number is only continuing to grow. For decades, we have relied on the same tactics to close the talent gap.

We need to rethink who we view as talent and work together as an industry to solve this talent shortage. Collectively, we can make a difference. Hear from customers on their challenges and successes in the human element of cybersecurity.

Breakout Sessions

Discovery Theme
SecOps Revolution
Session Title Presenter(s) Session Abstract

Best Practices of Today’s SOC

Riana Smallberger, Director, Advanced Cyber Threats, Trellix
Mark Boltz-Robinson, Manager, Advanced Cyber Threats, Trellix

Why is a Cyber Security Operation Center so important?
A SOC exists with the core mission to monitor a wide range of possible threats against an organization. During this session we will discuss some of the best practices, procedures, and processes to modernize a SOC. We will also cover the importance of incorporating Threat Intelligence as a requirement to be successful.

Roadmap: Trellix SecOps Platform Empowering XDR

Rob Capiello, Director of Product Management, Trellix
Kathy Trahan, Product Marketing Manager, Trellix

Imagine the possibility of 50% more time to focus on the things that matter in Security Operations - delivered through a powerful SecOps platform that automates security tasks with no coding required, guides the necessary investigations, provides the triaging – and maps to MITRE techniques to move the SOC professional closer to meaningful detection and quick resolution.
This is Trellix XDR – and we will walk you through the product story for this exciting new platform and what is in store for its future.

Making Security Staff Effective in the Cloud with XDR

Martin Holste, Chief Technology Officer, Cloud, Trellix

What information do security staff have to do their job? When they get an alert, do they understand what is affected, who is involved, a timeline of what happened, and what normal behavior looks like? It’s hard enough for SOC operators to get quality alerts, it’s even harder for them to know what to do with them, and impossible to make thousands of good decisions every day without being armed with the insights they need.
Learn how Trellix Helix is the truly open managed XDR platform that incorporates over a hundred vital integrations to collect raw event telemetry from things like cloud infrastructure, directories, security products, and source code repositories and forges it into meaningful models and timelines. This session will detail how Helix Cloud Connect makes integrating data sources quick and easy and shows the power of what can be done when defenders are armed with answers. It will dive into the different types of data Helix can collect, how they are used in detection and response, and advanced hunting use cases.

Enterprise ePO, DXL and TIE Infrastructure Designs

Steen Pedersen, Principal Architect, CISSP, Trellix

This session will take a look at enterprise designs for ePO infrastructures with Data Exchange Layer (DXL) and Threat Intelligence Exchange (TIE).
Several real-world examples of infrastructure architectures will be showcased, as will how a current ePO, DXL and TIE infrastructure can transform to include cloud servers located in AWS, AZURE and more, to create a hybrid ePO architecture.

Invasion of the Information Stealers

Taylor Mullins, Sales Engineer, Trellix

Information stealers have become one of the most utilized, damaging, and simplest to acquire variants of malware observed today. The effects of a successful information stealer attack can lead to access of company accounts, deployment of ransomware, and widespread data exfiltration.
In this presentation, we will unveil how threat intelligence and utilizing an open XDR framework can help a security team proactively apply countermeasures to prevent, detect an ongoing activity, and monitor the aftermath of a successful attack across their security solutions.

How XDR is a Game Changer for SecOps

Deepak Seth, Director, XDR Platform Services, Trellix

In the current threat environment, SOC teams continuously face the pressure of detecting an intrusion as quickly as possible before it becomes a major security incident. With so many point products in use in a typical organization, it is often very time consuming and challenging for the SOC team to search through the noise to find important alerts that may indicate the presence of a threat in the environment.
XDR can enable a SOC team to detect, respond to and remediate threats across all attack channels. These include Email, Endpoint, Network and Cloud - without the inefficiencies of switching between multiple point solutions, and with the ability to work with relevant data that is actionable.
This session will highlight different phases of a malware attack, the challenges SecOps face in these phases and how Trellix XDR can help in each of these phases. We want to help the SecOps team ultimately achieve a stress-free life. We will demonstrate through a live example of an Advance Persistent Threat, how various attack phases map to the MITRE/ATT&CK Framework - and how Trellix XDR enables the SecOps team in each of these phases of the attack kill chain.

Automated Responses - Out of the Box!

Simon Tiku, Snr Director, Engineering, Trellix

We want to make life simpler for security analysts. This session will share templated security playbooks, task flows and scripts that can be easily tailored to your organization’s needs.
Built by Trellix security experts, this template library takes the work out of developing things from scratch for common use cases. For example, a task flow that covers common functionality and processing related to specific plugins, which can then be inserted into a multi plugin playbook.

Discovery Theme
Unifying Endpoint
Session Title Presenter(s) Session Abstract

Advanced Forensics

Ryan Fisher, Senior Engineer, Trellix
Fred House, Snr Director, Engineering, Trellix

The Endpoint Security Research and Custom Engineering (RACE) team has been operating since 2015 with the mission of building rapid-response endpoint capabilities in support of Mandiant Incident Response engagements. The team has built over 50 forensic capabilities that enable advanced endpoint forensic investigations at scale. These forensic capabilities have been used on thousands of IR engagements, including some of the most high profile breaches around the world.
The RACE team’s recently released Extended Forensics module, gives customers, partners, and other IR firms access to this advanced forensic tool set.
In this session, the RACE team will dive into the advanced forensics capabilities, describing why they are relevant to forensics, how to run them, and how to analyze the results. We will cover common investigative workflows such as frequency analysis (stacking), indicator searching (sweeping), YARA hunting, live response, and timelining across the enterprise.

Roadmap: Trellix Endpoint Security

Jim Waggoner, Vice President of Product Management, Trellix

At the edge of any organization are its endpoints – and securing them in a world and threat landscape that quickly evolves around us is the big challenge for today’s security teams.
Attend this session and you will see the future of Endpoint Security through the lens of two endpoint leaders and technologies coming together - McAfee Enterprise and FireEye.
We will reveal the trends that are influencing how we approach security, and how endpoint is one of the cornerstones of the Trellix XDR Platform. We also have exciting announcements to make on the endpoint product roadmap – this is a session you won’t want to miss!.

Endpoint Efficacy and Coverage Reporting

Chris Ubando, Senior Principal Architect, Trellix
Charles Wiggins, Principal Architect

How do we prove to the business the value of any cyber security investment?
Attend this session and learn ways to build reporting within ePO that can be used to present to the business to the value the Trellix solutions are providing across the environment.
We will show how to report on the coverage of protection features that help protect against common malware attacks like Ransomware. We will also discuss how to use ePO with Active Directory and SCCM to provide clear reporting on the coverage of the Trellix solutions on systems within the environment - and highlight systems that are potentially at risk of being targeted by malware that are unprotected.

Leveraging EDR Integrations into SOC Processes to Build a Better Defense

Matt Smith, Snr Manager, Professional Services, Trellix

Adding another SecOps tool into the day-to-day mix of tools and techniques used during investigation and triaging threats creates a common concern for the SOC. How can that tool be incorporated into existing processes so that it does not duplicate functions provided by an assortment of free and commercial tools? Is the full value of the new data collected used to pre-emptively block attacks before they need to be triaged?
Trellix EDR offers several features natively - and externally through via API integration - which can provide the SOC the ability to consolidate their tools and techniques used during investigation and triage. It also enables direct integration with the defense layer to save the business both on time and costs when tackling threats.
Learn how Trellix EDR is being used by Trellix Professional Services consultants to enable SOCs to collect information needed during DFIR processes, as well as provide the ability to react to threat activity using a combination of Trellix EDR, DXL, ePO and other tools found in many SOC toolkits. We will also explain how EDR can serve as a data stream to enrich other threat intelligence, data analysis and defense platforms.

Trellix Endpoint Security for Breach Investigations

Vinoo Thomas, Principal Product Manager, Trellix

Learn how Trellix Endpoint Security can handle investigating 1000’s of endpoints in a security breach. Get an inside look into how breaches are discovered and how one compromised endpoint can turn a company upside down.
We will demonstrate how Endpoint Security unleashes world class forensics - from detection to containment. From detecting data theft, credential harvesting, compromised assets, actioning alerts, new features and much, much more!

Trellix Unified Endpoint: An Architectural Overview

John Teddy, Engineering, Trellix

This session will preview the architecture of the upcoming Trellix Unified Endpoint – bringing together the best capabilities of FireEye and McAfee technologies into an endpoint framework with a common agent serving protection, detection, and forensics.
We will cover the design goals, the elements that comprise the platform, the phases of implementation, with some minor deep dives into event handling, orchestration, and reputations.

Address Hybrid Cloud Security with Agent and Agentless Solutions

Alison Wong, Principal Product Manager, Trellix

Trellix Cloudvisory and Trellix Cloud Workload Security suite provide a unique approach to hybrid cloud security.
This session will highlight flexible deployment options supporting both private and public cloud infrastructure. We will also explain how aligning Trellix Application Security and Endpoint Security for Linux with Cloudvisory enables both visibility and control of all cloud environments.

Discovery Theme
Securing the Ecosystem
Session Title Presenter(s) Session Abstract

Accelerating Transformation with Detection-as-a-Service

Arthur Cesar Oreana, Account Manager, Trellix

In a Digital Transformation journey, meeting the demands of business areas quickly is essential for survival in a competitive and connected world. With businesses needing to launch products quickly - security cannot be an impediment. Security can be a facilitator and a great ally to business agility.
Attend this session to learn how one of the largest Brazilian digital banks managed to address the risks of analyzing all files received from external sources, quickly and easily, positively impacting the customer experience.

Roadmap: Trellix Data Security

Rob Ayoub, Snr Product Marketing Manager, Trellix
Ted Wilson, Director of Product Management, Trellix

Data Protection is a top priority for today’s organizations. In addition to adhering to constantly changing regulatory requirements, there are continuous concerns over external and internal threats. Any breach can have an impact beyond just the cost of clean-up. Fines can add up, and the loss of trust can take a very long time to overcome.
In this session, we will discuss the Trellix Data Security portfolio and its roadmap. We will show the challenges faced by administrators today and illustrate how Trellix Data Protection products help customers classify, monitor, and protect their most sensitive data. We will also highlight recent features that have been added to the products and give a forward-looking view of plans that are in progress for this suite of products.

Roadmap : Trellix Email Security

Rob Ayoub, Snr Product Marketing Manager, Trellix
Arun Kumar, Director of Product Management, Trellix

Email continues to be the top attack vector. It is imperative that customers continue to evaluate their Email security solutions to ensure that they are capable of detecting the latest threats. Many customers must also protect a wide range of Email systems including on-premise and Cloud deployments.
In this session we will discuss the Trellix Email Security portfolio of products that provide protection to on-premise and cloud based deployments. We will discuss the deployment challenges customers face today and highlight how Trellix provides the industry’s most comprehensive set of detection engines to keep users safe.

Roadmap: Trellix Network Security

David Batty, Principal Technical Director, Trellix
Teja Kalidindi, Sr. Product Manager, Trellix

With network infrastructure now located on-premises, as well as in private, hybrid and multi-cloud environments - managing and securing them has become increasingly complex.
In this session, we explain why the role of network has extended to support response – and that network visibility and detection provides scale and speed for an investigation.
We will also discuss the opportunities and challenges our customers face across a growing variety of use cases, how customers can integrate Trellix detection directly into their custom application, and how they can leverage the Trellix Network Security portfolio to address infrastructure security wherever they need it.

Achieve a True Zero Trust Architecture with Trellix and Okta

Martin Holste, Chief Technology Officer, Cloud, Trellix

Trellix and Okta have a strong partnership, demonstrated by the popular Helix XDR integration - and advanced anomaly detection for Okta.
Learn how organizations are taking advantage of the ability to analyze identity audit events to find anomalies and correlate those anomalies with a wide range of information, such as application behavior and user roles. This allows the matching of suspicious logins with post-login actions in the context of the person’s role. Response actions can then be taken to limit any potential damage from a compromised identity. This extended detection and response (XDR) forms the basis for a Zero Trust Architecture (ZTA).
But what about ZTA for on-prem? Businesses are operating hybrid environments and manage many endpoints in addition to SaaS and cloud infrastructure. Attend and preview a universal Trellix ePO connector for Helix XDR that will ensure that on-prem solutions are fully cloud-aware. The insights shared in the link between Trellix ePO on-prem and Helix XDR in the cloud lets defenders unlock complete Zero Trust.

The Cyber EO 14028’s Effect on Software Development

Kent Landfield, Chief Standards and Technology Policy Strategist, Trellix

The US 2021 Executive Order 14028 is changing the way the U.S. Federal government is viewing the software it purchases and deploys. The EO will alter the way the software industry creates and delivers software and services.
From the definition of critical software, to requiring software bill of materials (SBOMs), to documenting secure software development lifecycle practices, and more, the Cyber EO is impacting the way software producers view the way they do business.
This lively panel includes those involved in delivering on the requirements of 14028, from NIST and CISA, and a former Federal CISO who will discuss the EO’s intended impacts and the effect it is having both in and out of government.

Eye-Mail

Srini Seethapathy, Research Science Manager, Trellix
Bernard Sapaden, Research Scientist, Trellix

In the Digital Transformation journey, meeting the demands of business areas quickly is essential for business survival in a competitive and connected world! Business areas want to launch products quickly, and security cannot be an impediment, on the contrary, it must be a facilitator and a great ally!
Find out how one of the largest Brazilian digital banks managed to address the risks of analyzing all files received from external sources, quickly and easily, positively impacting the business area.

Integrating DLP into XDR

Giovanna Shimabukuro, Senior Sales Engineer, Trellix
Gus Arias, Senior Sales Engineer, Trellix
Ligia Forgaciu, Senior Sales Engineer, Trellix

The crown jewel of any company is data. It can raise or destroy a reputation if not properly protected. Data protection strategy is beyond products. Siloed solutions can have a lot of blind spots if they’re not orchestrated.
Most companies have already adopted several data protection solutions just like protecting the permiter - endpoint protection, data loss prevention, e-mail security and classifiers.
An effective data protection is both a strategy and a challenge. To demonstrate this, we will show you the creation of a DLP rule set - based on the integration with Boldon James and the visibility of the data protection solutions and response using the Trellix XDR platform.

Discovery Theme
Activating Intelligence
Session Title Presenter(s) Session Abstract

PhishVision: Caught on Camera

Manoj Ramasamy - Research Scientist, Trellix

URL Phishing is one of the most well known threats in the wild where attackers try to deceive the users by fake websites of various brands.
Learn how a new state-of-the-art machine learning model is used to interpret and understand URL screenshots - to predict if a brand is being spoofed. PhishVision uses deep learning techniques, including the implementation of a deep convolutional neural network, to determine whether a webpage screenshot associated with a URL is part of a phishing attack.
Discover how PhishVision learns and adapts through the retraining of its convolutional neural network at periodic time intervals, with new datasets retrieved by an automated dataset collector – improving the detection of zero-days cyber-attacks.

Catch Me If You Can: Living Off the Land Binaries, and The Adversaries Who Abuse Them

Tim Hux, Security Researcher, Trellix
Alfred Alvarado, Security Researcher, Trellix

The Trellix Threat Intelligence Group collects, correlates, and analyzes attack techniques deployed by threat actors, and their use of malicious and non-malicious tools.
This presentation will detail the most common tools used by threat actors, their associated MITRE techniques, and the countermeasures which can be used to assist organizations defend their network.
Living off the Land (LotL) attacks are increasing, and often going unnoticed during the initial infection phase, due to the method’s use of common non-malicious tools and Windows binaries. You will learn how threat actors may gain initial access via spear-phishing, access brokers or unpatched vulnerabilities, and then use common tools and Windows binaries to allow reconnaissance and persistence phases to remain undetected while additional payloads are retrieved, exfiltration is automated, and the final payload is prepared. Tools such as Rclone can be used to exfiltrate data, PsExec to execute commands and load binaries, and AD Explorer may be used to perform reconnaissance tasks like user and computer asset discovery.

US Government Cyber Security and Privacy Policies: What to expect in 2023

Panel hosted by Kent Landfield, Director, Trellix Public Policy

This panel session will provide a perspective on what public policies to expect from both the White House and Congress in 2023.
Government policies define the contours of the cyber security market. New legislative initiatives will focus on protecting critical infrastructures and government agencies, with a focus on EDR, XDR and Zero Trust solutions. Congress will once again take up national, privacy legislation. These initiatives impact both government and private sector users of cyber security solutions.
Speakers will include former, senior government officials, Jeff Greene, Aspen Institute, and former White House national security official, Grant Schneider, Venable Law, a former White House official and federal Chief Information Security Officer, and James Lewis, Senior Vice President at the the Center for Strategic and International Studies, and Tom Gann, Chief Public Policy Officer, Trellix. The panel will be moderated by Kent Landfield, Director, Trellix Public Policy team.

Cyber Tools Shaping Foreign Policy? A False Chinese APT Responds to Nancy Pelosi’s Visit to Taiwan

Ann An, Security Researcher, Trellix

Trellix endpoint detections reveal cybersecurity and geopolitical activities well before the media begins reporting them.
On July 29, 2022, Trellix telemetry data showed a spike in detections in Taiwan, with over 32,000 detections hitting the self-governed island in one day - well over a typical day range of 9,000 to 17,000 detections. This spike occurred five days before Nancy Pelosi’s visit to Taiwan on August 3, 2022. Telemetry data also showed that a significant portion of detections were directed at Taiwan’s government entities between July 29 and August 6, 2022.
We later noticed an increase in small and medium-sized distributed denial of service attempts against Taiwan’s website that either report on the Pelosi’s visit or are perceived as hostile to China. On August 3, 2022, the day after Pelosi’s visit, one Chinese hacker collective that calls themselves “APT27” announced a special cyber operation against Taiwan’s government services, infrastructure, and commercial organizations.
Trellix analysts will explain these DDoS operations and scrutinize the true identify of APT27 and subsequent activities throughout this Xpand session.

Using Critical Threat Intelligence Strategically

Panel hosted by Patrick Flynn, Head of Advanced Programs Group, Trellix

The overarching threat facing cyber organizations today is a highly skilled asymmetric enemy, well-funded and resolute in their task and purpose. While you never know exactly how they will come at you, come they will. It’s no different than fighting a kinetic foe in that, before you fight, you must choose your ground and study your enemy’s tendencies.
Much focus has been placed on tools and updating technology, but often we are pushed back on our heels and in a defensive posture.
This panel features senior US government representatives debating that while technology strategy is important, we must embrace and create a thorough Cyber Threat Intelligence (CTI) doctrine which must take many forms.

Discovery Theme
#SoulfulWork
Session Title Presenter(s) Session Abstract

From Books to Beating Bad Guys

Mike Kizerian, Principal Technical Instructor, Trellix

We have long lamented the growing need for soulful cyber security roles to be filled as we struggle to find the experienced hires to fill them.
Ten years ago, Mike was a Team Lead in Kuwait as a contractor for the Army. Although asked for his open requisitions to be filled with candidates that were experienced cyber security professionals, he was constantly given candidates with no security background. But, it did not deter him. Through a careful program of on-the-job training, each of the hires easily filled their cyber security roles. They have gone on to have extremely successful cyber security careers.
Come and learn how the desktop support tech, the developer, the server admin, and anyone with a desire to learn can find rewarding, #soulfulwork in cybersecurity.

Panel Session: Cyber Security – the Soulful Profession

Hosted by Michael Alicea, Chief Human Resources Officer, Trellix

There’s a place for people who want to protect others. Who want to contribute to the greater good of society? Who want to keep businesses, essential infrastructure, and vital information safe? That place? Cybersecurity.
If you’re looking for a career that provides you with the opportunity to do meaningful, soulful work that enriches people’s lives—you’ve found it. Michael Alicea will host a thought-provoking panel designed to inspire us to help others blaze their own trail in cybersecurity.

Training

Trellix Data Loss Prevention - Endpoint Introduction

With more data to track, classify, and store, that also means more data to protect. This task has become increasingly difficult due to data volume as well as limited visibility, organizational silos, and changing compliance needs. The Trellix Data Loss Prevention - Endpoint Introduction provides attendees with basic knowledge on the tools you need to design, implement, and configure Trellix DLP - Endpoint to safeguard intellectual property and ensure compliance.

This course details how this solution uses the XDR solution for centralized management and can expand your data security by extending on-premises DLP policies to the cloud to ensure consistent protection. The course also explains how to monitor and address risky, day-to-day end-user actions such as emailing, web posting, printing, clipboards, screen captures, device control, uploading to the cloud, and more.

Date: Tuesday, 27 September

Time Session #1: 9:00AM – 12:00PM

Time Session #2: 1:00PM – 4:00PM

Price: Included with Xpand registration

CPE Credits: 3

Room: Bluethorn 3

Course Details

At the end of this course, students should be able to:

  • Provide an overview of Data Loss Prevention Solution
  • Describe the features of Data Loss Prevention Policy Manager

Agenda

  • Product Introduction
  • Data Loss Prevention Overview

Who Should Take This Class?

System and network administrators, security personnel, auditors, and/or consultants concerned with system endpoint security should take this course.

Participants should have a working knowledge of Microsoft Windows administration, system administration concepts, and networking technologies. It is also desirable to have a basic understanding of computer security and cloud security concepts, and a general understanding of web technologies. Trellix ePO - On-prem product knowledge is recommended.

Please note that students are responsible for bringing their own laptop to class to access the lab materials.

Trellix ePolicy Orchestrator - SaaS Introduction

The Trellix ePolicy Orchestrator - SaaS course provides attendees with basic knowledge to use Trellix ePO - SaaS software for Extended Detection and Response (XDR) to accelerate incident response, keep ahead of cyberthreats, and unify your security tools. In addition, students will learn the benefits of running Trellix ePO - SaaS in their environment, such as the ability to control and administer all your endpoints from a single console, complete automation and optimization, and the ability to orchestrate multiple products in an integrated single pane of glass for policy management and enforcement across the entire enterprise. You will also learn basic configuration of Trellix ePO – SaaS to help you maximize these benefits. This course combines lectures, demonstrations, and practical lab exercises.

Date: Tuesday, 27 September

Time Session #1: 9:00AM – 12:00PM

Time Session #2: 1:00PM – 4:00PM

Price: Included with Xpand registration

CPE Credits: 3

Room: Bluethorn 3

Seating is limited - You must register to attend.

Course Details

At the end of this course, students should be able to:

  • Describe the Trellix ePO - SaaS offering
  • Discuss the basic features, functionality, and architecture for the Trellix ePO - SaaS offering
  • Describe the process for initial configuration, migration, and deployment of Trellix ePO - SaaS
  • Explain how to manage users and roles in Trellix ePO - SaaS
  • Describe basic configuration tasks in Trellix ePO – SaaS

Agenda

  • Product Overview
  • Features and Architecture
  • Installation, Migration, and Deployment
  • Configuration

Who Should Take This Class?

System and network administrators, security personnel, auditors, and/or consultants concerned with Trellix ePO - SaaS should take this course. Participants should have a working knowledge of Microsoft Windows administration, including Microsoft Windows Defender. It is also desirable to have a basic understanding of system administration concepts, computer security and cloud security concepts, and a general understanding of viruses and anti-virus technologies.

Please note that students are responsible for bringing their own laptop to class to access the lab materials.

Product Agnostic Threat Hunting

Many organizations have SIEM technology and a variety of detection points that generate millions, if not billions, of alerts per day. SOC analysts spend time trying to stave off this tidal wave of data, attempting to identify the key alerts indicative of an incident - be it a breach, malware outbreak, or adversary.

During this 3-hour session we will cover methodologies to enable analysts to effectively hunt for threats in their environment proactively.

Date: Tuesday, 27 September

Time Session #1: 9:00AM – 12:00PM

Time Session #2: 1:00PM – 4:00PM

Price: Included with Xpand registration

CPE Credits: 3

Room: Bluethorn 4

Seating is limited - You must register to attend.

Course Details

At the end of this course, students should be able to understand anomalies and threats in their environments.

This course is designed to enable students to understand hunting methodologies and how to hunt for threats proactively and effectively in applications and endpoint alerts, and to apply critical reasoning skills to stay focused and avoid pitfalls.

Agenda

  • Introductions
  • Threat Hunting Overview
  • Analytical Thinking
  • Augmenting with Threat Intelligence
  • Organizational Threat Hunting Maturity
  • Threat Hunting Methodology
  • Hunting with Network Tools
  • Hunting with Endpoint Tools
  • Hunting with Application Tools

Who Should Take This Class?

Participants should have a basic understanding of threats, SOC monitoring, computer forensics, and TCP/IP networking for the course to be fully beneficial.

Basic understanding of Threat Intelligence would also be an advantage.

Network Hunting with Trellix XDR

Through the Trellix XDR platform, this one-day workshop introduces the essential concepts for network hunting and how an XDR platform allows you to pivot from network logs into critically related endpoint logs to find attacker malware and its associated C2 connections. C2 communication and data exfiltration are not always obvious. This course will provide analysis methods to help identify the communication happening as it leaves your network and how those connections correlate to the processes creating that communication.

Throughout the course, students will have the opportunity to perform hands-on activities that follow real-world use cases using typical security toolsets such as SIEM, packet capture, and EDR. In our lab, we leverage Trellix XDR platform technologies including Helix, Endpoint Security (HX) and Network Forensics for packet capture.


This course combines lectures, demonstrations, and practical lab exercises.

Date: Tuesday, 27 September

Time: 9:00AM – 4:00PM

Price: Included with Xpand registration

CPE Credits: 6

Room: Bluethorn 8

Seating is limited - You must register to attend.

Course Details

At the end of this course, students should be able to identify network anomalies and uncover threats in their environments. This course is designed to enable students to:

  • Enhance an existing hunting program
  • Leverage provided use cases for your hunting program and network data for successful hunting
  • Use relevant threat models to implement a network hunt mission by acquiring and analyzing relevant data
  • Understand how to ingest and view network and endpoint logs from the unified console within the Trellix XDR platform
  • Understand how to implement host-based logging to support network analysis

Agenda

  • Hunting Overview
  • Network Hunting
  • Network Logs
  • Endpoint Correlation
  • Analysis Techniques
  • Use Cases - Real-world Threats
  • Use Cases - Mitre ATT&CK® Framework
  • Automation

Who Should Take This Class?

Incident response team members, threat hunters, and information security professionals. Students should have a working understanding of networking and network security as well as the Windows operating system. Hands-on use of SIEM and EDR tools would also be of benefit. Please note that students are responsible for bringing their own laptop to class to access the lab materials.

Endpoint Investigations with Trellix XDR

This one-day workshop introduces essential XDR concepts of log analysis and endpoint investigations. Using attack methodologies from the Mitre ATT&CK® framework, you will learn which specific Windows telemetry is critical to a successful investigation. Within the Trellix XDR platform, you will also learn how to collect endpoint data and pivot out to an endpoint alert to aid in your investigation.

Throughout the course, students will have the opportunity to perform hands-on activities that follow real-world use cases using typical security toolsets such as SIEM and EDR. In our lab, we leverage Trellix XDR platform technologies including Helix, Network Security and Endpoint Security (HX).


This course combines lectures, demonstrations, and practical lab exercises.

Date: Tuesday, 27 September

Time: 9:00AM – 4:00PM

Price: Included with Xpand registration

CPE Credits: 6

Room: Bluethorn 9

Seating is limited - You must register to attend.

Course Details

The one-day primer covers the analyst workflow: triaging alerts, creating and scoping incidents, and using the Trellix XDR platform, including Helix and Endpoint Security (HX) tools, to conduct investigative searches across the enterprise. At the end of this course, students should be able to identify anomalies on endpoints and uncover threats in their environments.


This course is designed to enable students to:

  • Describe methods of live analysis
  • Identify critical log sources to send to Helix
  • Use core analyst features of Endpoint Security such as alerting, enterprise search, and containing endpoints
  • Validate and provide further context for Trellix alerts
  • Analyze an endpoint data acquisition using a defined methodology

  • Identify malicious activity hidden among common Windows events

Agenda

  • Helix Fundamentals
  • Helix Detections: Rules and Analytics
  • Initial Alerts
  • Windows Telemetry and Acquisitions

Who Should Take This Class?

Incident response team members, threat hunters, and information security professionals. Students should have a working understanding of networking and network security, the Windows operating system, file system, registry, and use of the CLI.

Please note that students are responsible for bringing their own laptop to class to access the lab materials.

Trellix ENS Expert Rules Introduction

Building on the ENS Platform, ENS Expert Rules allow the advanced Trellix ENS administrator to add deeper security to their Trellix ENS Deployment by authoring rules to reconnoiter and block TTPs observed through XDR or obtained via industry intelligence.

The course provides insights into our proprietary syntaxes, and a basic view into Operating System concepts and references needed to better understand how ENS works and fully comprehend how ENS Expert Rules can provide a more customized and secure environment.


This course combines lectures and demonstrations.

Date: Tuesday, 27 September

Time: 9:00AM – 12:00PM

Price: Included with Xpand registration

CPE Credits: 3

Room: Bluethorn 1

Seating is limited - You must register to attend.

Course Details

At the end of this course, students should be able to:

  • Understand Microsoft Windows Operating System Concepts relevant to Expert Rules
  • Understand AAC (Arbitrary Access Control)
  • Understand how to create Expert Rules

Agenda

  • Concepts
  • Technologies
  • Expert Rules Type
  • Expert Rules Syntax

Who Should Take This Class?

This course is intended for system and network administrators, security personnel, auditors, and/or consultants concerned with system endpoint security.

Trellix ENS Expert Rules Advanced

Building on the ENS Platform, ENS Expert Rules allow the advanced Trellix ENS administrator to add deeper security to their Trellix ENS Deployment by authoring rules to reconnoiter and block TTPs observed through XDR or obtained via industry intelligence.

The course provides insights into how ENS Expert Rules work and fully comprehend how ENS Expert Rules can provide a more customized and secure environment.


This course combines lectures and demonstrations.

Date: Tuesday, 27 September

Time: 1:00PM – 12:00PM

Price: Included with Xpand registration

CPE Credits: 3

Room: Bluethorn 1

Seating is limited - You must register to attend.

Course Details

At the end of this course, students should be able to:

  • Understand the system impact of expert rules
  • Understand what kinds of items can be protected with Expert Rules
  • Create custom rules

Agenda

The lecture 'Trellix ENS Expert Rules Advanced' demonstrates ENS Expert Rules designed for environmental reconnaissance and threat blocking.

Who Should Take This Class?

This course is intended for system and network administrators, security personnel, auditors, and/or consultants concerned with system endpoint security.


It is recommended for participants to attend the Trellix ENS Expert Rules Introduction lecture prior to attending this course.

Capture The Flag

Blue Team with Trellix - Defending Your Organization

This unique CTF challenges you to uncover adversary TTPs using the Trellix XDR platform.

Take on the #soulful role of a cyber defender. As you come in for your shift, you are hit with an alert! It’s all-hands-on-deck as you dig in to find out who is on your network and what they have done, while ensuring management is well-informed. Through simulated attacks and scenarios based on the MITRE ATT&CK® framework, participants will leverage a combination of Trellix solutions and best-of-breed open-source tools to triage, investigate, and hunt for the presence of the adversary. Participants will practice their security skills through a series of questions and challenges to interpret alerts, understand various network and host telemetry, and discover what the threat actor has done.

You will leverage the Trellix XDR platform, navigating between the Helix unified console and available telemetry from Endpoint Security (HX), as well as the Network Forensics platform. Questions range from basic to advanced, and participants earn points in our interactive scoreboard for prizes, unique SWAG, and bragging rights.

24-hour challenge

StartTuesday, 28 September – 11:30 AM

End Wednesday, 29 September - 11:30 AM

Price: Included with Xpand registration

CPE Credits: 3

Room:Xpo Hall – CTF Area in Trellix Booth

Participation is limited - You must register to attend.

Categories Include:

  • Endpoint Investigations
  • Network Analysis
  • Log Analysis

Participants will have conference-long access to required tools through the Education Services Learning Lab. The Education Services team will be on-site to provide hands-on support for the CTF during the conference.

Who Should Register for CTF?

Anyone can participate and learn! SOC managers, analysts, incident responders, and other general security practitioners are encouraged to join us in this fun CTF designed to accommodate all levels of expertise: from the junior analyst to the expert one.

Participants should possess general security knowledge, including working knowledge of security tools and investigations. You must have a laptop computer equipped with Wi-Fi – Laptops will not be provided.

Space is limited. Pre-registration required.

Demo Stations

Demo Station # Collateral Links

DS1 / DS9 : Trellix Platform

The Trellix XDR SAAS platform connects detection, investigation and integrated response across Trellix and third-party products against a panoply of threats.

  • Turn-key Security operations, SOC, response platform
  • SOAR, security orchestration, security automation platform.
  • Threat Intelligence platform, Security Incident Response Platform

DS2 / DS10: Endpoint Sensor

Collaborate and accelerate the identification of suspicious behaviors, facilitate better coordination of defenses, and provide better protection against targeted attacks and zero-days.

  • Machine learning to identify and prevent new malware
  • Security that aligns with your top priorities
  • Real-time forensics investigation

DS3 / DS11: Threat Intel

Trellix Insights powered by best in class intelligence capabiltites drives your Security Operations Processes with native, integrated and currated threat intelligence.

  • Native: Realtime Threat Intelligence Assessments
  • Integrated: Flexible and Accessible APIs
  • Curated: Best-In-Class Research yields actionable Threat Intelligence

DS4 / DS12: Data Protection Sensor

Trellix Data & Users Security gives you real-time visibility and security of data, protecting against data leakage through dynamic access adjustment, intelligent threat identification, and automated response.

  • Protects data everywhere
  • Applies intelligence at scale
  • Adapts across the enterprise

DS5 / DS13: Network Sensor

Detection On Demand is a threat detection cloud service that scans content on demand to identify resident malware.

  • Detects threats others miss
  • Alerts that matter
  • Security your way

DS6 / DS14: Open Sensors

Trellix Open XDR Platform helps you secure your internal networks, cloud infrastructure and services, industrial control systems, and air gapped networks.

  • Native: Realtime Threat Intelligence Assessments
  • Integrated: Flexible and Accessible APIs
  • Curated: Best-In-Class Research yields actionable Threat Intelligence

DS7 / DS15: Multi Cloud

Trellix Cloudvisory is a control center for cloud security management that delivers visibility, compliance and governance to any cloud environment.

  • Go (Cloud) Native
  • Trust, but Verify
  • Detect and Respond

DS8 / DS16: Email Sensor

Email Security leverages the industry’s best detection and incident response capabilities to protect email infrastructure against the wide range of threats facing organizations.

  • Stops advanced threats other solutions miss
  • Rapidly adapts to the evolving threat landscape
  • Consolidates your email security stack single vendor solution

DS22: Health Watch Symantec Utility Migration

Health Watch provides an automated review of your environment and provides a clear remediation plan to get the most out of your Trellix solutions.

  • Analysis of your Trellix policies against industry best practices
  • Quickly identify features in solutions that are not being utilized
  • 30/60/90-day action plan to get your environment into a optimal configuration

Symantec Utility Migration Quick and simple migration from Symantec Endpoint Protection and Data Loss Prevention to Trellix solutions.

  • Produces a report with policy mapping from SEP/SDLP to Trellix
  • Provides a comprehensive document for policy and settings
  • Automates conversion of policies from SEP/SDLP to Trellix format
  • Migrates defined configurations (systems, system tree, etc.) into ePO
https://www.trellix.com/en-us/services/solution-services.html

Keynote Speakers

Bonnie
St John

Olympian, Author
Radio Personality

Three-time Olympic medalist and best-selling author, Bonnie St. John shares how to be more resilient every day with this simple, easy life hack that will immediately and sustainably boost your positivity, gratitude, and creativity.

Guy
Raz

Award-Winning
Reporter, Radio &
Podcast Host
& Creator

Acclaimed radio and podcast personality Guy Raz shares lessons he has learned from the world’s greatest entrepreneurs and business innovators, providing a mixture of anecdotes and lessons on rejection, perseverance, optimism, flexibility, failure, and empathy.

Bryan
Palma

Chief Executive Officer

“Cyber threats aren’t static, and our adversaries never stand still. Security operations teams are bearing the brunt of more sophisticated threats, increasing technology complexity, and the cyber security skills shortage. Trellix is focused on helping our customers deploy XDR capabilities to level the playing field with attackers. Xpand Live offers the opportunity for security practitioners to learn more about the next generation of Trellix technology.”

Aparna
Rayasam

Chief Product Officer

“Xpand Live offers an insider’s view of the industry’s most comprehensive XDR platform, powered by Trellix’s innovative technology. Come meet with the experts delivering the great security outcomes needed to ensure your organization is fast enough to keep up with dynamic threats, intelligent enough to learn from them, and constantly evolving to keep the upper hand.”

Amol
Mathur

SVP, Product Management

“Xpand Live provides access to the world’s largest network of cybersecurity experts, sharing the coveted insight required to deliver earlier, better detection, response, and remediation across all phases of the attack chain.”

John
Fokker

Head of Cyber Investigations for Trellix Threat Labs

“The threat landscape is rapidly evolving and becoming more sophisticated, and this needs to be understood by every government, organization, and person. We’re seeing the lines between nation-state actors and common cybercriminals blurring, all while adversaries are finding clever ways to leverage non-malicious tools to infiltrate a network.”

Adam
Philpott

Chief Revenue Officer

“It's a long-held best practice to create harmony between people, process and technology. However, complexity arising from the myriad tools that support security tomorrow's digital platforms has natively impacted this balance. It's time to put that right, thinking not about the next tool but about the entire system. Bringing together a huge network of cybersecurity experts at Xpand Live will kick-start these incredible conversations and represent a huge steppingstone to the future of our customer's businesses.”

Xpand Live 2022 Agenda At-A-Glance

Day 1 – September 27th Activity
9:00AM – 3:00PM CAB
9:00AM – 5:00PM Training Sessions
12:00 Noon – 5:00PM Partner Summit
7:00PM – 10:00PM Partner Summit Poolside Reception
Day 2 – September 28th Activity
7:30AM – 9:00AM Breakfast
9:00AM – 10:30AM General Session Keynote – Main Stage
10:45AM – 11:45AM Technical Breakout Sessions
11:30PM – 1:00PM Lunch in Xpo Hall / Xpo Hall Open
Capture the Flag Challenge - Begins
Trellix Booth with Live Q&A
Solution Demos
Sponsor Booths
UX Team 1:1 Meetings
Innovation Spotlight
#Soulfulwork Luncheon
Women in Security Luncheon
1:15PM – 2:15PM Technical Breakout Sessions
2:30PM – 3:30PM Technical Breakout Sessions
3:45PM – 4:45PM Technical Breakout Sessions
5:30PM – 7:00PM Xpand Welcome Reception in Xpo Hall
Day 3 – September 29th Activity
7:30AM – 8:30AM Breakfast
8:30AM – 10:00AM General Session Keynote – Main Stage
10:15AM – 11:15AM Technical Breakout Sessions
11:30PM – 1:00PM Lunch in Xpo Hall / Xpo Hall Open
Trellix Booth with Live Q&A
Solution Demos
Sponsor Booths
UX Team 1:1 Meetings
Innovation Spotlight
Capture the Flag Challenge – Closes
1:15PM – 2:15PM Technical Breakout Sessions
2:30PM – 3:30PM Technical Breakout Sessions
3:45PM – 4:45PM Technical Breakout Sessions
7:00PM – 10:00PM Final Night Party at JEWEL Nightclub

Xpand LIVE 2022 Accommodations

ARIA Resort & Casino
3730 Las Vegas Blvd. South
Las Vegas, NV 89158 USA

Questions on Accommodations?
Reservation Questions please email: XpandRegistration@ITAGROUP.com

ARIA Resort & Casino is offering special summit rates to Xpand LIVE 2022 attendees.
ARIA Discounted Room/Suite Rates: Please note-tax is based on current tax and subject to change (Available nights of September 9/23 - 9/30, 2022)

9/23/22: $245 + Resort Fee + tax / night
9/24/22: $245 + Resort Fee + tax / night
9/25/22: $169 + Resort Fee + tax / night
9/26/22: $169 + Resort Fee + tax / night
9/27/22: $245 + Resort Fee + tax / night
9/28/22: $245 + Resort Fee + tax / night
9/29/22: $169 + Resort Fee + tax / night
9/30/22: $169 + Resort Fee + tax / night

Room Cost Per Day 23-Sep 24-Sep 25-Sep 26-Sep 27-Sep 28-Sep 29-Sep 30-Sep
Deluxe King @ $245 $245 $245 0 0 $245 $245 0 0
Deluxe King @ $169 0 0 $169 $169 0 0 $169 $169

You can book your Xpand Live 2022 hotel accommodations during Xpand Live 2022 registration. NOTE: Hotel reservations should be made ONLY through the Xpand registration site to secure our special ARIA discounted room rates. Do not accept external solicitations.

About the ARIA Resort & Casino
ARIA Resort & Casino is a stunning AAA Five Diamond resort on The Strip featuring spectacular amenities, high-end service, premium meeting and convention space, striking architecture and sustainable design. Combined with its unparalleled offerings including the luxurious Shops at Crystals and the first-of-its-kind public Fine Art Collection, ARIA sets the bar for a new generation of resort experiences. And because the ARIA Convention Center is hosting Xpand Live 2022, you’ll enjoy the convenience of having the summit all under one roof.

Questions on Accommodations?
Reservation Questions please email: XpandRegistration@ITAGROUP.com