SEC511: SANS Tokyo Autumn 2024

What You Will Learn
Monitor, Detect, Protect: Master Advanced Threat Detection for Cloud, Network, and Endpoints

Cloud (AWS/Azure/Microsoft 365/Serverless), DevOps, Hybrid, Zero Trust, XDR, Blockchain, AI + ML... The pace of technological change continues to increase. Defending your organization as you did five years ago is a recipe for failure. However, chasing the latest trend or shiny new tool rarely leads to successful protection. Successfully defending a modern enterprise requires nimble pragmatism.

Defending an enterprise has never been easy. SANS SEC511 equips defenders with the necessary knowledge, skills, and abilities to protect and monitor a modern hybrid enterprise successfully. Leveraging the cybersecurity engineering and threat detection techniques taught in this course will best position your organization or Security Operations Center (SOC) to analyze, detect, and respond to modern threats across cloud, network, and endpoint environments. Threat-informed defense of a modern enterprise requires accounting for multiple public cloud providers, continued on-premises infrastructure, AI-empowered adversaries, and possibly a substantial number of remote workers who are not behind a traditional security perimeter.

SEC511 features 18+ hands-on labs, a final capstone challenge, and immersive gamified bootcamp challenges, providing defenders a comprehensive, real-world training experience. The course explores cybersecurity engineering topics and techniques such as cloud monitoring, network detection and response (NDR), endpoint detection and response (EDR), security information and event management (SIEM), endpoint protection platforms (EPP), secure access service edge (SASE), Zero Trust, and the defense of generative artificial intelligence (GenAI) and large language model (LLM) applications, among others, to evolve organizations' threat detection and hunting capabilities. Achieving the accompanying GIAC GMON certification demonstrates your understanding and application of these modern defensive techniques.

Adversaries constantly evolve techniques to ensure their continued success; we must vigilantly adapt our defenses to this changing threat landscape.

"I would recommend this course. It hits many core aspects of secure design. Additionally, lack of cloud security architecture and strategy and insecure design have been highlighted as a top risk by organizations like Cloud Security Alliance and OWASP. Cloud security architecture topics need to have more attention and focus in general." - Greg Lewis, SAP

What Is Cybersecurity Engineering?

Cybersecurity engineering involves designing, implementing, and managing advanced defense mechanisms to protect modern enterprise environments, including cloud, network, and endpoint systems. It encompasses threat-informed defense frameworks, advanced threat detection techniques, and the application of tools such as NDR, EDR, and the MITRE ATT&CK framework to build a robust SOC. This discipline ensures comprehensive protection and monitoring against evolving cyber threats.

Business Takeaways

This course will help your organization:
  • Enable effective cloud, network, and endpoint protection and detection strategies
  • Engineer protection and threat detection capabilities
  • Leverage threat-informed defense practices to ensure properly refined security countermeasures
  • Materially improve your organization's security operations capabilities
  • Identify protection and detection gaps across hybrid infrastructure
  • Defend GenAI and LLM applications to ensure trustworthy usage
  • Maximize the capabilities of current infrastructure and assets
  • Make sense of data to rapidly detect potential intrusions or unauthorized actions

Skills Learned
  • Conduct comprehensive current state assessments to engineer and prioritize modern defenses.
  • Apply threat-informed defense frameworks such as MITRE ATT&CK and Zero Trust.
  • Perform threat hunting using advanced techniques and tools.
  • Engineer visibility across modern, hybrid, decentralized infrastructure.
  • Navigate the modern domain name system (DNS) and transport layer security (TLS) encryption landscape to balance protection, detection, and privacy considerations.
  • Understand the cloud security stack and tools like cloud-native application protection platform (CNAPP), cloud security posture management (CSPM), cloud infrastructure entitlement management (CIEM), and cloud workload protection platform (CWPP) for robust cloud protection.
  • Leverage NDR tools and techniques to enhance network visibility and detect threats.
  • Conduct effective network threat hunting to identify post-exploitation communications, like command and control (C2) traffic.
  • Analyze network data using tools like Suricata, Zeek, Tshark, and Wireshark for threat detection.
  • Deploy and manage EDR solutions like Microsoft Defender.
  • Implement application control and EPP for endpoint security.
  • Monitor and defend identity and access through advanced authentication and user and entity behavior analytics (UEBA).
  • Defend AI/LLM applications and secure the AI/software supply chain.
  • Perform threat hunting and adversary emulation to assess and evolve detection capabilities.
  • Automate security operations and enhance SOC capabilities with security orchestration, automation, and response (SOAR).

Shall We Play A Game?

NetWars gamification now permeates every single section of the course! Since the launch of SEC511, students have consistently found the NetWars-based Capstone to be great fun. Who would have guessed that a game would be fun, right? Students' praise extended beyond just "fun": they also found the game to be a tremendously effective way to further their learning. Inspired by this feedback, we have now incorporated a game-style environment into every section, not just section six.

Hands-On Threat Detection Training

SEC511 employs several different hands-on tactics that go well beyond simple lecture and instructor-led discussions. Here is a sample:
  • Intrusion Analysis with Elastic Stack and Security Onion
  • TLS Inspection and Monitoring
  • Detecting Windows Post-Exploitation Techniques (e.g. PowerShell, Impacket, Windows Management Instrumentation (WMI), Sliver)
  • DNS over HTTPS (DoH) Analysis
  • Entropy and NLP Analysis with freq.py
  • Payload Carving with Zeek
  • Suspicious TLS Analysis with Suricata
  • Sysmon for Intrusion and C2 Analysis
  • Intrusion Detection Honeypots for Breach Detection
  • Application Control for Protection and Detection
  • Cobalt Strike Detection and Analysis
  • Windows Event Log Threat Hunting
  • Gamified Bootcamps: Immersive Cyber Challenges
  • NetWars Final Capstone: Design, Detect, Defend
The meticulously crafted SEC511 Electronic Workbook serves as the starting point for hands-on elements in the course. It includes Security Onion 2, the Elastic Stack, and a lot more. The workbook-driven labs include multiple paths to complete each exercise. This multifaceted approach allows the labs to better accommodate diverse student backgrounds and technical exposure.

"I've done a lot of labs over the years. These are likely one of the best ways to present them I've ever used." - Daniel Russell, BCBSLA

"The labs and exercises were excellent and provided additional supplementary, hands-on learning that helped solidify the course content." - Tyler Piller, British Columbia Lottery Corporation

"All three of today's labs were helpful in cementing the concepts. The 'See It In Action' portions were particularly useful." - Oritse Uku

"I really liked that architecture diagrams were incorporated in each." - Greg Lewis, SAP

Syllabus Summary
  • Section 1: Threat Informed Defense Principles
  • Section 2: Cloud, Edge, and Network Visibility and Protection
  • Section 3: NDR and Network Threat Hunting
  • Section 4: User and Endpoint Protection and Detection
  • Section 5: SOC, Automation, Emulation, and GenAI Defense
  • Section 6: NetWars Final Capstone: Design, Detect, Defend

Additional Free Resources

Videos/Webcasts
  • Defining and Defending the GenAI Supply Chain
  • Detecting Command and Control Frameworks via Sysmon and Windows Event Logging
  • Hunting for Suspicious HTTPS and TLS Connections
  • Threat Hunting via DeepBlueCLI v3
  • Threat Detection Trends 2023

Tools
  • DeepBlueCLI
  • Digestive

What You Will Receive
  • Access to custom cloud-hosted challenges to further understanding
  • MP3 audio files of the complete course lecture
  • Licensed Windows 10 virtual machine (VM)
  • A Linux VM loaded with tons of extra logs, pcap files, and other resources
  • A Digital Download Package that includes the above and more

What Comes Next?
  • Security Analyst
    • SEC503: Network Monitoring and Threat Detection In-Depth
  • Security Engineer
    • SEC573: Automating Information Security with Python
  • Security Architect
    • SEC530: Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise
  • Security Lead or Manager
    • SEC547: Defending Product Supply Chains
    • LDR551: Building and Leading Security Operations Centers

Start date: 21 Oct 2024
Location / delivery: Tokyo
