SEC511: SANS London February 2025

What You Will Learn
Attackers Evolve; Technology Shifts; Defenses Must Continuously Adapt to Thrive

Cloud (AWS/Azure/Microsoft 365/Serverless), DevOps, Hybrid, Zero Trust, XDR, Blockchain, AI + ML… The pace of technological change continues to increase. Defending your organization as you did 5 years ago is a recipe for failure. However, chasing the latest trend or shiny new tool rarely leads to successful protection. Successfully defending a modern enterprise requires nimble pragmatism.

Defending an enterprise has never been easy. SANS SEC511 provides defenders with the necessary knowledge, skills, and abilities to protect and monitor a modern hybrid enterprise successfully. The Defensible Security Architecture, Network Security Monitoring (NSM)/Continuous Diagnostics and Mitigation (CDM)/Continuous Security Monitoring (CSM) taught in this course will best position your organization or Security Operations Center (SOC) to analyze threats and detect anomalies that could indicate cybercriminal behavior. SEC511 applies these core protection practices to AWS, Azure, and on-premises environments. Achieving the accompanying GIAC GMON certification demonstrates your understanding and application of modern defensive techniques.

Protecting and continuously monitoring a modern enterprise requires accounting for multiple public cloud providers, continued on-premises infrastructure, and possibly a substantial number of remote workers who are not behind a traditional security perimeter.

Security teams failing to adapt to and evolve with the new realities facing our increasingly hybridized organizations risk employing outmoded mental models and inadequate tactics. Continuous monitoring requires security teams to continuously evolve. Many organizations make the key mistake of focusing on cloud security while letting on-premises security lag (or vice-versa). Both needs must be properly balanced. Adversaries constantly evolve techniques to ensure their continued success; we must adapt our defenses to this changing threat landscape.

Business Takeaways

This course will help your organization:
  • Enable effective cloud, network, and endpoint protection and detection strategies
  • Design defensible security architecture and operations for modern hybrid enterprises
  • Materially improve your organization's security operations capabilities
  • Identify protection and detection gaps across hybrid infrastructure
  • Maximize the capabilities of current infrastructure and assets
  • Make sense of data to enable the detection of potential intrusions or unauthorized actions rapidly

This course will prepare you to:
  • Analyze modern hybrid enterprises for deficient protection/detection strategies
  • Apply the principles learned in the course to design a defensible cloud, network, and endpoint security architecture and operations
  • Understand the importance of detection-dominant security architecture and Security Operations Centers (SOC) for hybrid enterprises
  • Identify the key components of cloud, network, and endpoint protection and monitoring across hybrid infrastructure
  • Determine appropriate security monitoring needs for organizations of all sizes
While the above list briefly outlines the knowledge and skills you will learn, it barely scratches the surface of what this course has to offer. Hands-on elements incorporated throughout the course will reinforce key concepts and principles.

SEC511 employs several different hands-on tactics that go well beyond simple lecture and instructor-led discussions; here is a sampling:
  • Egress Analysis with Elastic Stack
  • Passively decrypting TLS
  • DNS over HTTPS (DoH)
  • PCAP carving with Zeek
  • Suspicious TLS analysis with Suricata
  • Honey Tokens for breach detection
  • Application Control via AppLocker
  • Detecting WMI-based attacks, including Impacket
  • Sysmon Merlin C2 Analysis
  • Cobalt Strike detection and analysis
  • Analyzing the deadliest Windows events
  • Daily Immersive Cyber Challenges (NetWars game engine)
  • NetWars-based Final Capstone
The meticulously crafted SEC511 Electronic Workbook serves as the starting point for hands-on elements in the course. It includes Security Onion 2, the Elastic Stack, and a lot more. The workbook-driven labs include multiple paths to complete each exercise. This multifaceted approach allows the labs to better accommodate diverse student backgrounds and technical exposure.
Shall we play a game?

The NetWars game engine now permeates every single day of the course! Since the launch of SEC511, students have consistently found the NetWars-based Final Capstone to be great fun. Who would have guessed that a game would be fun, right? Students' praise did not stop at "fun" - they also found the game to be a tremendously successful way to further their learning. Taking this cue, we now incorporate a game-style environment into every day, not just day six.

What Will You Receive
  • Access to custom cloud-hosted challenges to further understanding
  • MP3 audio files of the complete course lecture
  • Licensed Windows 10 virtual machine
  • A Linux VM loaded with tons of extra logs, PCAPs, and other resources
  • A Digital Download Package that includes the above and more

What Comes Next?
  • Security Analyst
    • SEC503: Network Monitoring and Threat Detection In-Depth
  • Security Engineer
    • SEC505: Securing Windows and PowerShell Automation
    • SEC573: Automating Information Security with Python
    • SEC586: Security Automation with PowerShell
  • Security Architect
    • SEC530: Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise
  • Security Lead or Manager
    • SEC547: Defending Product Supply Chains
    • LDR551: Building and Leading Security Operations Centers


Start date: 03 Feb 2025
Location / delivery: London