MGT551: SANS Amsterdam August 2023

What You Will Learn

IMPORTANT NOTICE: SANS is in process of changing course prefixes from “MGT” to “LDR”. There is no change in course content or pricing. MGT551 will run through August 31, 2023, then LDR551 will run thereafter. Course books may reflect the “MGT” prefix even for "LDR" classes of the course during the transition. If you would like to take the course after August 31, 2023, please visit the LDR551 course page.

Managers must show alignment to the business and demonstrate real value - a challenge when the threats are constantly changing and sometimes unseen. Managing a security operations center (SOC) requires a unique combination of technical knowledge, management skills, and leadership ability. MGT551 bridges gaps by giving students the technical means to build an effective defense and the management tools to build an effective team. Common questions SOC leaders face are:

• How do we know our security teams are aligned to the unique threats facing our organization?
• How do we get consistent results and prove that we can identify and respond to threats in time to minimize business impact?
• How can we build an empowering, learning environment where analysts can be creative and solve problems while focusing on the mission at hand?

Whether you are looking to build a new SOC or take your current team to the next level, MGT551 will super-charge your people, tools, and processes. Each section of MGT551 is packed with hands-on labs and introductions to some of the industry's best free and open source tools, and each day concludes with Cyber42 SOC leadership simulation exercises. Students will learn how to combine SOC staff, processes, and technology in a way that promotes measurable results and covers all manner of infrastructure and business processes. Most importantly, students will learn how to keep the SOC growing, evolving, and improving over time.

"There are so many [organizations] that seem to be trying to reinvent the wheel. All they need to do is invest in this course for real world, actionable information that can put them on a solid path toward building, staffing, and leading their own SOC." - Brandi Loveday-Chelsey

BUSINESS TAKEAWAYS:

• Strategies for aligning cyber defense to organizational goals
• Tools and techniques for validating security tools and processes
• Methodologies for recruiting, hiring, training, and retaining talented defenders&Effective management and leadership techniques for technical teams
• Practical approaches to optimizing security operations that can be applied immediately

SKILLS LEARNED:

• Collecting the most important logs and network data
• Building, training, and empowering a diverse team
• Creating playbooks and managing detection use cases
• Using threat intelligence to focus your budget and detection efforts
• Threat hunting and active defense strategies
• Implementing efficient alert triage and investigation workflow
• Effective incident response planning and execution
• Choosing metrics and long-term strategy to improve the SOC
• Team member training, retention, and prevention of burnout
• SOC assessment through capacity planning, purple team testing, and adversary emulation

HANDS-ON TRAINING:

While this course is focused on management and leadership, it is by no means limited to non-technical processes and theory. The course uses the Cyber42 interactive leadership simulation game to put you in real-world scenarios that spur discussion and critical thinking of situations that you will encounter at work. Throughout the five days of instruction, students will work on fifteen hands-on exercises covering everything from playbook implementation to use case database creation, attack and detection capability prioritization and visualization, and purple team planning, threat hunting, and reporting. Attendees will leave with a framework for understanding where their SOC should be focusing its efforts, how to track and organize defensive capabilities, and how to drive, verify, and communicate SOC improvements.

• Section 1: Threat actor assessment, Attack path development, Developing and implementing SOC playbooks
• Section 2: Attack tree assessment, Visualizing attack techniques and security controls, Writing priority intelligence requirements
• Section 3: SOC capacity planning; Structuring, documenting, and organizing Use Cases; Planning a threat hunt
• Section 4: Designing table-top exercises, Planning incident response using RE&CT, Investigating quality control
• Section 5: Building a skills self-assessment and training plan; Creating, classifying, and communicating your metrics; Purple team assessment

"The labs are great in walking you through practical activities." - Sean Mitchell, Babcock International

"Great labs - will use these a lot." - Andrew Head, dentsu

"[I] liked the Cyber42 game activities as they enforce the concepts learned during the day." - Ilyas Khan, Ericsson

"The exercises while mostly non-technical triggered the thinking process to ensure that all aspects for the building of a SOC are in place."- Wee Hian Peck, INTfinity Consulting PL

SYLLABUS SUMMARY:

• Section 1: MGT551 starts with the critical elements necessary to build your Security Operations Center: understanding your enemies, planning your requirements, making a physical space, building your team, and deploying a core toolset.
• Section 2: Section 2 focuses on building a threat model that includes attacker tactics, techniques, and procedures and how we might identify them in our environment, as well as defensive theory and mental models that can guide our assessment and planning efforts, data collection and monitoring priorities, and cyber threat intelligence collection.
• Section 3: Section 3 is all about utilizing the monitoring approach and threat model developed on Day 2, from alert triage to analytic design to SOC capacity planning and active defense.
• Section 4: From toolsets to proven frameworks to tips and tricks learned in countless real-world scenarios, section four covers the full response cycle, from preparation to identification to containment, eradication, and recover, for operations managers.
• Section 5: The fifth and final section of MGT551 is all about measuring and improving security operations. We focus on three areas: developing and improving people, measuring SOC performance, and continuous validation through assessment and adversary emulation.

ADDITIONAL FREE RESOURCES:

• Guide to Security Operations poster
• Operational Cybersecurity Executive Triad
• Rekt Casino Hack Assessment Operational Series - Security Operations Center Ill-equipped and Unprepared Part 3 of 4
• Rekt Casino Hack Assessment Operational Series -Putting It All Together Part 4 of 4

WHAT YOU WILL RECEIVE:

• Custom distribution of the Linux Virtual Machine containing free open-source SOC tools
• MP3 audio files of the complete course lecture
• Printed and Electronic Courseware
• A digital download package that includes the above and more

WHAT COMES NEXT:

• MGT516: Managing Security Vulnerabilities: Enterprise & Cloud
• SEC566: Implementing and Auditing Security Frameworks and Controls