About the course
Certification: GCDA GIAC Certified Detection Analyst
Many organizations have logging capabilities but lack the people and processes to analyse them. In addition, logging systems collect vast amounts of data from a variety of data sources which require an understanding of the sources for proper analysis. This class is designed to provide training, methods, and processes for enhancing existing logging solutions. This class will also provide the understanding of the when, what, and why behind the logs. This is a lab-heavy course that utilizes SOF-ELK, a SANS-sponsored free SIEM solution, to train hands-on experience and provide the mindset for large-scale data analysis.
What You Will Learn
Many organizations have logging capabilities but lack the people and processes to analyze it. In addition, logging systems collect vast amounts of data from a variety of data sources which require an understanding of the sources for proper analysis. This class is designed to provide individuals training, methods, and processes for enhancing existing logging solutions. This class will also provide the understanding of the when, what, and why behind the logs. This is a lab heavy course that utilizes SOF-ELK, a SANS sponsored free SIEM solution, to train hands on experience and provide the mindset for large scale data analysis.
Today, security operations do not suffer from a "Big Data" problem but rather a "Data Analysis" problem. Let's face it, there are multiple ways to store and process large amounts of data without any real emphasis on gaining insight into the information collected. Added to that is the daunting idea of an infinite list of systems from which one could collect logs. It is easy to get lost in the perils of data saturation. This class is the switch from the typical churn and burn log systems, to achieving actionable intelligence and developing a tactical Security Operations Center (SOC).
This course is designed to demystify the Security Information and Event Management (SIEM) architecture and process, by navigating the student through the steps of tailoring and deploying a SIEM to full Security Operations Center (SOC) integration. The material will cover many bases in the "appropriate" use of a SIEM platform to enrich readily available log data in enterprise environments and extract actionable intelligence. Once collected, the student will be shown how to present the gathered input into useable formats to aid in eventual correlation. Students will then iterate through the log data and events to analyze key components that will allow them to learn how rich this information is, how to correlate the data, start investigating based on the aggregate data, and finally, how to go hunting with this newly gained knowledge. They will also learn how to deploy internal post-exploitation tripwires and breach canaries to nimbly detect sophisticated intrusions. Throughout the course, the text and labs will not only show how to manually perform these actions, but how to automate many of the processes mentioned so students may employ these tasks the day they return to the office.
The underlying theme is to actively apply Continuous Monitoring and analysis techniques by utilizing modern cyber threat attacks. Labs will involve replaying captured attack data to provide real world results and visualizations.
This Course Will Prepare You To:
- Deploy the SANS SOF-ELK VM in production environments
- Demonstrate ways most SIEMs commonly lag current open source solutions (e.g. SOF-ELK)
- Bring students up to speed on SIEM use, architecture, and best practices
- Know what type of data sources to collect logs from
- Deploy a scalable logs solution with multiple ways to retrieve logs
- Operationalize ordinary logs into tactical data
- Develop methods to handle billions of logs from many disparate data sources
- Understand best practice methods for collecting logs
- Dig into log manipulation techniques challenging many SIEM solutions
- Build out graphs and tables that can be used to detect adversary activities and abnormalities
- Combine data into active dashboards that make analyst review more tactical
- Utilize adversary techniques against them by using frequency analysis in large data sets
- Develop baselines of network activity based on users and devices
- Develop baselines of Windows systems with the ability to detect changes from the baseline
- Apply multiple forms of analysis such as long tail analysis to find abnormalities
- Correlate and combine multiple data sources to achieve more complete understanding
- Provide context to standard alerts to help understand and prioritize them
- Use log data to establish security control effectiveness
- Implement log alerts that create virtual tripwires for early breach detection
- Understand how to handle container monitoring and log collection
- Baseline and find unauthorized changes in cloud environments
- Integrate and write custom scripts against a SIEM
SEC555 reinforces knowledge transfer by having many hands-on labs. This goes well beyond the traditional lecture and delves into literal application of techniques. Labs are wide ranging such as:
- Log collection labs
- Log augmentation labs
- Log correlation labs
- Windows log analysis labs
- System and network baseline labs
- Daily Immersive Cyber Challenges (NetWars game engine)
NetWars-based Final Capstone
The SEC555 Workbook provides a step by step guide to learning and applying hands on techniques but also provides a "challenge yourself" approach for those who want to stretch their skills and see how far they can get without following the guide. This allows students of varying backgrounds to pick a difficulty and always have a frustration free fallback path.
To make learning go from great to awesome days one through five include a SEC555 custom NetWars experience. This game engine provides a fun and entertaining way to reinforce skills and learn concepts. It also provides a fun excuse to give students more hands on experience, a key component often missing in organizations.
What You Will Receive
Custom distribution of the Linux SANS SOF-ELK Virtual Machine containing pre-built logging filters, visualizations, and active dashboards
Realistic log data and packet captures from multiple data sources including:
Windows event logs
x509 certificate logs from Bro
Packet captures to replay through IDS as well as captured logs
MP3 audio files of the complete course lecture
Intro and walkthrough videos of labs
Documentation to implement SOF-ELK in your environment
A Digital Download Package that includes the above and more
Syllabus (46 CPEs)
SEC555.1: SIEM Architecture
SEC555.2: Service Profiling with SIEM
SEC555.3: Advanced Endpoint Analytics
SEC555.4: Baselining and User Behavior Monitoring
SEC555.5: Tactical SIEM Detection and Post-Mortem Analysis
SEC555.6: Capstone: Design, Detect, Defend
GIAC Certified Detection Analyst
"The GIAC Certified Detection Analyst (GCDA) is an industry certification that proves an individual knows how to collect, analyze, and tactically use modern network and endpoint data sources to detect malicious or unauthorized activity. This certification shows individuals not only know how to wield tools such as Security Information and Event Management (SIEM) but that they know how to use tools to turn attacker strengths into attacker weaknesses." - Justin Henderson, SANS SEC555 Course Author
- SIEM Architecture and SOF-ELK
- Service Profiling, Advanced Endpoint Analytics, Baselining and User Behavior Monitoring
- Tactical SIEM Detection and Post-Mortem Analysis
A basic understanding of TCP/IP, logging methods and techniques, and general operating system fundamentals. Moderate familiarization with logging systems (both network and host), messaging queues, be accustomed to command-line activity, and commercial/open source SIEM solutions is a bonus.
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
You can use the latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below. Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course. You also must have 8 GB of RAM or higher for the VM to function properly in the class.
It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop.
In addition to having 64-bit capable hardware, AMD-V, Intel VT-x, or the equivalent must be enabled in BIOS/UEFI.
Download and install either VMware Workstation 15.5.x, Fusion 11.5.x or Workstation Player 15.5 or higher versions before class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.
Other virtualization software, such as VirtualBox and Hyper-V, are not appropriate because of compatibility and troubleshooting problems you might encounter during class.
VMware Workstation Pro and VMware Player on Windows 10 is not compatible with Windows 10 Credential Guard and Device Guard technologies. Please disable these capabilities for the duration of the class, if they're enabled on your system, by following instructions in this document.
MANDATORY SEC555 SYSTEM REQUIREMENTS:
CPU: 64-bit 2.0+ GHz processor or higher-based system is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
BIOS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI
RAM: 8 GB (Gigabytes) of RAM or higher is mandatory for this class (Important - Please Read: 8 GB of RAM or higher is mandatory)
Wired Ethernet port (or adapter)
Wireless Ethernet 802.11 B/G/N/AC
USB 3.0 Ports Highly Recommended
Disk: 25 Gigabytes of free disk space
VMware Workstation 15.5, Workstation Player 11.5, or Fusion 15.5 (or newer)
A Linux virtual machine will be provided in class
Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
Who Should Attend SEC555?
Senior Security Engineers
Technical Security Managers
Cyber Threat Investigators
Individuals working to implement Continuous Security Monitoring or Network
Individuals working in a hunt team capacity