About the course
SEC501: Advanced Security Essentials - Enterprise Defender
Cert: GCED GIAC Certified Enterprise Defender
Advanced Security Essentials - Enterprise Defender builds on a solid foundation of core policies and practices to enable security teams to defend their enterprise. The course focuses on the traffic that is flowing on your networks, looking for indications of an attack, and performing penetration testing and vulnerability analysis against your organization to identify problems and issues before a compromise occurs.
What You Will Learn
Effective cybersecurity is more important than ever as attacks become stealthier, have a greater financial impact, and cause broad reputational damage. SEC501: Advanced Security Essentials - Enterprise Defender builds on a solid foundation of core policies and practices to enable security teams to defend their enterprise.
It has been said of security that "prevention is ideal, but detection is a must." However, detection without response has little value. Network security needs to be constantly improved to prevent as many attacks as possible and to swiftly detect and appropriately respond to any breach that does occur. This PREVENT - DETECT - RESPONSE strategy must be in place both externally and internally. As data become more portable and networks continue to be porous, there needs to be an increased focus on data protection. Critical information must be secured regardless of whether it resides on a server, in a robust network architecture, or on a portable device.
Of course, despite an organization's best efforts to prevent network attacks and protect its critical data, some attacks will still be successful. Therefore, organizations need to be able to detect attacks in a timely fashion. This is accomplished by understanding the traffic that is flowing on your networks, looking for indications of an attack, and performing penetration testing and vulnerability analysis against your organization to identify problems and issues before a compromise occurs.
Finally, once an attack is detected we must react quickly and effectively and perform the forensics required. Knowledge gained by understanding how the attacker broke in can be fed back into more preventive and detective measures, completing the security lifecycle.
You Will Learn
- How to build a comprehensive security program focused on preventing, detecting, and responding to attacks
- Core components of building a defensible network infrastructure and how to properly secure routers, switches, and network infrastructure
- Methods to detect advanced attacks on systems that are currently compromised
- Formal methods for performing a penetration test to find weaknesses in an organization's security apparatus
- How to respond to an incident using the six-step process of incident response: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned
- Approaches to analyzing malware, ranging from fully automated analysis to static properties analysis, behavioral analysis, and code analysis
You Will Be Able To
- Identify network security threats against infrastructure and build defensible networks that minimize the impact of attacks
- Access tools that can be used to analyze a network to prevent attacks and detect the adversary
- Decode and analyze packets using various tools to identify anomalies and improve network defenses
- Understand how the adversary compromises systems and how to respond to attacks
- Perform penetration testing against an organization to determine vulnerabilities and points of compromise
- Apply the six-step incident handling process
- Use various tools to identify and remediate malware across your organization
- Create a data classification program and deploy data-loss-prevention solutions at both a host and network level
In SEC501 course labs, students will:
- Analyze network configurations for routers and build a defensible network architecture
- Perform detailed analysis of traffic using various sniffers and protocol analyzers
- Identify and track attacks and anomalies in network packets
- Use various tools to perform vulnerability scanning, penetration testing, and network discovery
- Analyze both Windows and Unix systems during an incident to identify signs of a compromise
- Find, identify, and clean up various types of malware, such as ransomware
In this course, you will receive the following:
- MP3 audio files of the complete course lecture
- Digital Download Package with the following virtual machines:
  - 64-bit Kali Linux
  - 64-bit Windows 10 Enterprise
  - Security Onion
  - Cisco CSR 1000V
Syllabus (38 CPEs)
SEC501.1: Defensible Network Architecture
SEC501.2: Penetration Testing
SEC501.3: Security Operations Foundations
SEC501.4: Digital Forensics and Incident Response
SEC501.5: Malware Analysis
SEC501.6: Enterprise Defender Capstone
GIAC Certified Enterprise Defender
The GIAC Certified Enterprise Defender (GCED) certification builds on the security skills measured by the GIAC Security Essentials certification. It assesses more advanced, technical skills that are needed to defend the enterprise environment and protect an organization as a whole. GCED certification holders have validated knowledge and abilities in the areas of defensive network infrastructure, packet analysis, penetration testing, incident handling and malware removal.
- Incident handling and computer crime investigation
- Computer and network hacker exploits
- Hacker tools (Nmap, Nessus, Metasploit and Netcat)
While not required, it is recommended that students take SANS's SEC401: Security Essentials course or have the skills taught in that class. This includes a detailed understanding of networks, protocols, and operating systems.
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
A properly configured laptop is required to participate in SEC501: Advanced Security Essentials - Enterprise Defender. Students must have Administrator privileges. Antivirus software is not recommended and may need to be disabled or uninstalled. If you have a production system already installed with data on it that you do not want to lose, it is recommended that you replace it with a clean hard drive.
For this course, SANS will provide you with the following virtual machines:
- Custom 64-bit Kali Linux
- Custom Windows 10 64-bit
- Security Onion
- Cisco CSR 1000V
It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machines can run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability. Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.
Prior to the start of class, you must install the necessary software as described below. The following are minimal hardware requirements for your laptop:
- CPU: 64-bit Intel i5 x64 2.0+ GHz processor or higher-based system is mandatory for this class
- 16 GB RAM (32 GB of memory is strongly recommended)
- 80 GB of available disk space (more space is recommended)
- Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below
- VMware Workstation Pro 15.5.X+ or Fusion 11.5+
Please note: VMware Workstation or Fusion is mandatory. You must have the ability to take virtual machine snapshots, and you cannot do this with VMware Player.
You will use VMware to simultaneously run multiple virtual machines when performing hands-on exercises. You must have VMware Workstation installed on your system. If you do not own VMware, you can download a free 30-day trial copy from the VMware website (see above). If taking advantage of the trial offer, please make sure that the license will not expire before you complete the course. Other virtualization software, such as VirtualBox and Hyper-V, is not appropriate because of compatibility and troubleshooting problems you might encounter during class.
While the labs will run fine for Mac/Fusion students, the lab workbook was written from a Windows host and VMware Workstation perspective. Students opting to bring Mac OS or Linux as their host OS are expected to manage any OS or virtualization software issues that might arise.
We suggest going over the following checklist to make sure that your laptop is prepared for SEC501: Advanced Security Essentials - Enterprise Defender:
- The laptop meets hardware requirements outlined in this section.
- If you use a trial copy of VMware Workstation, make sure that the VMware license will not expire before the class ends.
- The Windows VMware machine runs using host-only networking mode.
Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
Who Should Attend SEC501?
- Incident responders and penetration testers
- Security Operations Center engineers and analysts
- Network security professionals
- Anyone who seeks technical in-depth knowledge about implementing comprehensive security solutions
"The disciplines/skills taught in SEC501 were exactly what my career and team needed to mature our SOC. Bryce Galbraith was an amazing, extremely knowledgeable instructor who kept all of the material interesting and fun, and he provided great insight through his relatable experience to all of the course material." - John Barrow, Caesars Entertainment Corporation