About the course
SEC450 provides students with technical knowledge and key concepts essential for security operation centre (SOC) analysts and new cyber defence team members. By providing a detailed explanation of the mission and mindset of a modern cyber defence operation, this course will jumpstart and empower those on their way to becoming the next generation of blue team members.
What You Will Learn
Is your organization looking for a quick and effective way to onboard new Security Analysts, Engineers, and Architects? Do your Security Operations Center (SOC) managers need additional technical perspective on how to improve analysis quality, reduce turnover, and run an efficient SOC?
SEC450 is an accelerated on-ramp for new cyber defense team members and SOC managers. This course introduces students to the tools common to a defender's work environment, and packs in all the essential explanations of tools, processes, and data flow that every blue team member needs to know.
Students will learn the stages of security operations: how data is collected, where it is collected, and how threats are identified within that data. The class dives deep into tactics for triage and investigation of events that are identified as malicious, as well as how to avoid common mistakes and perform continual high-quality analysis. Students will learn the inner workings of the most popular protocols, and how to identify weaponized files as well as attacks within the hosts and data on their network.
The course employs practical, hands-on instruction using a simulated SOC environment with a real, fully-integrated toolset that includes:
- Security Information and Event Management (SIEM)
- An incident tracking and management system
- A threat intelligence platform
- Packet capture and analysis
- Automation tools
While cyber defense can be a challenging and engaging career, many SOCs are negatively affected by turnover. To preemptively tackle this problem, this course also presents research-backed information on preventing burnout and how to keep engagement high through continuous growth, automation, and false positive reduction. Students will finish the course with a full-scope view of how collection and detection work, how SOC tools are used and fit together, and how to keep their SOC up and running over the long term.
It is our belief that hands-on training is a crucial component of classroom learning, so each day of this course will include multiple hands-on exercises. To achieve the most realistic scenario possible, the class virtual machine is loaded with all the tools typically used in a SOC. Students will be introduced to the concepts, interconnections, and workflow associated with each of those tools. Throughout the class we will utilize a SIEM, threat intelligence platform, incident management and ticketing system, automation and orchestration tools, full packet capture, and analysis software, as well as multiple command line, open-source intelligence, and analysis tools. All of these tools have been set up and integrated to work with each other in order to re-create the workplace environment as closely as possible, allowing students to gain experience that they can directly translate to their own setup when they get back to the office.
Some of the highlights of what students will learn include:
- How SIEM, threat intelligence platforms, incident management systems, and automation should connect and work together to provide a painless workflow for analysts
- Analysis of common alert types including HTTP(S), DNS, and email-based attacks
- Identification of post-exploitation attacker activity
- Mental models for understanding alerts and attack patterns that can help to effectively prioritize alerts
- How to perform high-quality, bias-free alert analysis and investigation
- How to identify the most high-risk alerts, and quick ways to verify them
- How logs are collected throughout the environment and the importance of parsing, enrichment, and correlation capability of the SIEM
- How to create and tune threat detection analytics to eliminate false positives
What You Will Receive
- Custom distribution of the Linux Virtual Machine containing a pre-built simulated SOC environment
- MP3 audio files of the complete course lecture
- Introduction and walk-through videos of labs
- Digital Download Package that includes the above and more
Syllabus (36 CPEs)
SEC450.1: Blue Team Tools and Operations
SEC450.2: Understanding Your Network
SEC450.3: Understanding Endpoints, Logs, and Files
SEC450.4: Triage and Analysis
SEC450.5: Continuous Improvement, Analytics, and Automation
SEC450.6: Capstone: Defend the Flag
A basic understanding of TCP/IP and general operating system fundamentals is needed for this course. Being accustomed to the Linux command-line, network security monitoring, and SIEM solutions is a bonus. Some basic entry-level security concepts are assumed.
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below. Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course. You also must have 8 GB of RAM or higher for the VM to function properly in the class.
It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop.
In addition to having 64-bit capable hardware, AMD-V, Intel VT-x, or the equivalent must be enabled in BIOS/UEFI.
Download and install either VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+ on your system prior to the beginning of class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at its website.
MANDATORY SEC450 SYSTEM REQUIREMENTS:
CPU: 64-bit 2.0+ GHz processor or higher-based system is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
BIOS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI
RAM: 8 GB (gigabytes) of RAM or higher is mandatory for this class (Important - Please Read: 8 GB of RAM or higher is mandatory)
Disk: 25 gigabytes of free disk space
Wireless Ethernet 802.11 B/G/N/AC
USB-A ports or an adapter to use a USB-A thumb drive (version 3.0 compatibility highly recommended)
VMware Workstation, Workstation Player, or Fusion.
The Linux virtual machine will be provided in class via USB thumb drive.
Please verify before coming to class that you have the administrative permissions required to transfer a virtual machine from a USB drive to your hard disk and start it. Also verify that Windows Device Guard, DLP, or other host-based protections will not interfere with the USB transfer or VM startup. (This is a common issue with company-built PCs, so if you intend to bring a corporate laptop, please test this before the event.)
Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
"As someone who has held every position from entry-level analyst to SOC manager at a 100,000-employee company, I thoroughly understand the struggle of starting your first position in cyber defense. While there is a seemingly infinite amount of information to learn, there are certain central concepts that, when explained systematically, can greatly shorten the time required to become a productive member of the team. This course was written to pass this knowledge on to you, giving you both the high- and low-level concepts required to propel your career in cyber defense. It's packed with the concepts that I expected new employees to understand, as well the thought process we tried to cultivate throughout analysts' careers to ensure the success of the individual and the organization. I have also worked hard to distill the lessons I've learned through the years on staying excited and engaged in cyber defense work. While some believe SOC positions can feel like a grind, they do not need to be that way! This course goes beyond technical knowledge to also teach the concepts that, if implemented in your SOC, will keep you and your colleagues challenged, happy, and constantly growing in your day-to-day work, leading to a successful, life-long career on the blue team!"
"John has a great presentation style and it really helps drive the lesson home when there are brief anecdotal stories that come with the information." - Erick Sugimura, Mammoth Hospital
Ways to Learn
Study and prepare for GIAC Certification with four months of online access to SANS OnDemand courses. Includes labs and exercises, and SME support.
Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.
In Person (6 days)
Training events and topical summits feature presentations and courses in classrooms around the world.
Who Should Attend SEC450?
This course is intended for those who are early in their career or new to working in a SOC environment, including:
- Security Analysts
- Incident Investigators
- Security Engineers and Architects
- Technical Security Managers
- SOC Managers looking to gain additional technical perspective on how to improve analysis quality, reduce turnover, and run an efficient SOC
- Anyone looking to start their career on the blue team
"I have been waiting a few months to take this training and it is far exceeding my expectations. For a SOC analyst, SEC450 is a must." - Yuri Cannavacciuolo, University of Miami