SANS SEC511 – Continuous Monitoring and Security Operations

Defending an enterprise has never been easy. SANS SEC511 provides defenders with the knowledge, skills, and abilities needed to successfully protect and monitor a modern hybrid enterprise. The Defensible Security Architecture, Network Security Monitoring (NSM)/Continuous Diagnostics and Mitigation (CDM)/Continuous Security Monitoring (CSM) taught in this course will best position your organization or Security Operations Center (SOC) to analyze threats and detect anomalies that could indicate cybercriminal behavior. SEC511 applies these core protection practices to AWS, Azure, and on-premises environments. Achieving the accompanying GIAC GMON certification demonstrates your understanding and application of modern defensive techniques.

Protecting and continuously monitoring a modern enterprise requires accounting for multiple public cloud providers, continued on-premises infrastructure, and possibly a substantial number of remote workers who are not behind a traditional security perimeter. Security teams that fail to adapt to and evolve with the new realities facing our increasingly hybrid organizations risk employing outmoded mental models and inadequate tactics. Continuous monitoring requires security teams to evolve continuously. Many organizations make the key mistake of focusing on cloud security while letting on-premises security lag (or vice versa). Both needs must be properly balanced. Adversaries constantly evolve their techniques to ensure their continued success; we must adapt our defenses to this changing threat landscape.

Download links for the SANS SEC511 – Continuous Monitoring and Security Operations course

Download – eBooks PDF
——
Download – Audio – Part 1
Download – Audio – Part 2
——
Download – Video – Part 1
Download – Video – Part 2
Download – Video – Part 3
Download – Video – Part 4
Download – Video – Part 5
Download – Video – Part 6
Download – Video – Part 7
Download – Video – Part 8
——
Download – Virtual Machine – Part 1
Download – Virtual Machine – Part 2
Download – Virtual Machine – Part 3
Download – Virtual Machine – Part 4
Download – Virtual Machine – Part 5
Download – Virtual Machine – Part 6
Download – Virtual Machine – Part 7
Download – Virtual Machine – Part 8
Download – Virtual Machine – Part 9
Download – Virtual Machine – Part 10
Download – Virtual Machine – Part 11
Download – Virtual Machine – Part 12
Download – Virtual Machine – Part 13
Download – Virtual Machine – Part 14
Download – Virtual Machine – Part 15

Date: 2020
Price: $8,525 USD
Publisher: SANS
Format: eBook PDF + Audio + Video + Virtual Machine
By: Eric Conrad, Seth Misenar

This course assesses the current state of security architecture and continuous monitoring, and provides a new approach to security architecture that can be easily understood and defended. When students finish, they have a list of action items in hand for making their organization one of the most effective vehicles for frustrating adversaries. Students are able to assess deficiencies in their own organization’s security architectures and effect meaningful changes that are continuously monitored for deviations from their expected security posture.

21 Hands-On Labs + Capstone

Cloud (AWS/Azure/Microsoft 365/Serverless), DevOps, Hybrid, Zero Trust, XDR, Blockchain, AI + ML… The pace of technological change continues to increase. Defending your organization as you did 5 years ago is a recipe for failure. However, chasing the latest trend or shiny new tool rarely leads to successful protection. Successfully defending a modern enterprise requires nimble pragmatism.


Syllabus

SEC511.1: Current State Assessment and Security Architecture
SEC511.2: Network Security Architecture
SEC511.3: Network Security Monitoring
SEC511.4: Endpoint Security Architecture
SEC511.5: Automation and Continuous Security Monitoring
SEC511.6: Capstone: Design, Detect, Defend

Business Takeaways

This course will help your organization:

  • Enable effective cloud, network, and endpoint protection and detection strategies
  • Design defensible security architecture and operations for modern hybrid enterprises
  • Materially improve your organization’s security operations capabilities
  • Identify protection and detection gaps across hybrid infrastructure
  • Maximize the capabilities of current infrastructure and assets
  • Make sense of data to enable the detection of potential intrusions or unauthorized actions rapidly

This course will prepare you to

  • Analyze modern hybrid enterprises for deficient protection/detection strategies
  • Apply the principles learned in the course to design a defensible cloud, network, and endpoint security architecture and operations
  • Understand the importance of detection-dominant security architecture and Security Operations Centers (SOC) for hybrid enterprises
  • Identify the key components of cloud, network, and endpoint protection and monitoring across hybrid infrastructure
  • Determine appropriate security monitoring needs for organizations of all sizes

While the above list briefly outlines the knowledge and skills you will learn, it barely scratches the surface of what this course has to offer. Hands-on elements incorporated throughout the course will reinforce key concepts and principles.

SEC511 employs several different hands-on tactics that go well beyond simple lecture and instructor-led discussions; here is a sampling:

  • Egress Analysis with Elastic Stack
  • Passively decrypting TLS
  • DNS over HTTPS (DoH)
  • PCAP carving with Zeek
  • Suspicious TLS analysis with Suricata
  • Honey Tokens for breach detection
  • Application Control via AppLocker
  • Detecting WMI-based attacks, including Impacket
  • Sysmon Merlin C2 Analysis
  • Cobalt Strike detection and analysis
  • Analyzing the deadliest Windows events
  • Daily Immersive Cyber Challenges (NetWars game engine)
  • NetWars-based Final Capstone
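The lab title “Detecting WMI-based attacks, including Impacket” names the technique without showing it. The following is an added example written for this page (not SEC511 courseware) of that detection logic run over constructed Sysmon Event ID 1 process-creation records. It assumes Sysmon’s process-creation field names (EventID, Computer, User, Image, ParentImage, CommandLine) and the default command wrapper used by Impacket’s wmiexec.py, and it generalizes the output-redirect signature to any host name and any admin share rather than only the default \\127.0.0.1\ADMIN$.

```python
"""Flag WMI-based remote execution (e.g. Impacket's wmiexec.py) in Sysmon
Event ID 1 (process creation) records.

Added example for this page, not SEC511 courseware. Field names follow
Sysmon's process-creation event; the sample records below are constructed.
"""
import re
from typing import Iterable, Optional

# Remote WMI method calls (Win32_Process.Create) run under the WMI provider
# host, so the resulting child process has WmiPrvSE.exe as its parent.
WMI_PROVIDER_HOST = "wmiprvse.exe"

# Shells and script/LOLBin hosts that are rarely legitimate children of WmiPrvSE.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

# wmiexec.py wraps each command as
#   cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1
# so it can read the output back over SMB. The pattern is deliberately broader
# than the default: any host name and any admin share ending in '$'.
WMIEXEC_REDIRECT_RE = re.compile(
    r"\d?>\s*\\\\[^\\\s]+\\[A-Za-z]+\$\\__", re.IGNORECASE
)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\x\\Cmd.EXE' -> 'cmd.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_process_event(event: dict) -> Optional[dict]:
    """Return a finding for one Sysmon record, or None if it is not of interest.

    Only process-creation events whose parent is WmiPrvSE.exe are examined;
    everything else is skipped so the rule stays cheap on a busy event stream.
    """
    if str(event.get("EventID")) != "1":
        return None
    if _basename(event.get("ParentImage", "")) != WMI_PROVIDER_HOST:
        return None

    image = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "") or ""

    if WMIEXEC_REDIRECT_RE.search(cmdline):
        severity, rule = "high", "wmiexec_output_redirect"
    elif image in SUSPICIOUS_CHILDREN:
        severity, rule = "medium", "shell_spawned_by_wmiprvse"
    else:
        # Other WmiPrvSE children (management agents, installers) need a
        # per-environment baseline; this rule does not flag them.
        return None

    return {
        "severity": severity,
        "rule": rule,
        "host": event.get("Computer"),
        "user": event.get("User"),
        "image": image,
        "cmdline": cmdline,
    }


def detect_wmi_execution(events: Iterable[dict]) -> list:
    """Run the classifier over a stream of records and collect the findings."""
    return [f for f in (classify_process_event(e) for e in events) if f]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {   # Impacket wmiexec.py default command wrapper.
        "EventID": 1, "Computer": "FS01", "User": "CORP\\svc_backup",
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.123 2>&1",
    },
    {   # Benign: a service launching cmd.exe (parent is not WmiPrvSE).
        "EventID": 1, "Computer": "FS01", "User": "NT AUTHORITY\\SYSTEM",
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"cmd.exe /c C:\Scripts\cleanup.bat",
    },
    {   # PowerShell spawned via WMI without the wmiexec output redirect.
        "EventID": 1, "Computer": "WS07", "User": "CORP\\jdoe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": r"powershell.exe -nop -w hidden -enc SQBFAFgA",
    },
    {   # Network-connection event: wrong event type, ignored.
        "EventID": 3, "Computer": "WS07", "User": "CORP\\jdoe",
        "Image": r"C:\Windows\System32\svchost.exe",
    },
]

if __name__ == "__main__":
    for finding in detect_wmi_execution(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['rule']} on {finding['host']} "
              f"as {finding['user']}: {finding['cmdline']}")
```

The same parent/child logic maps directly onto Windows Security event 4688 when Sysmon is not deployed, provided process creation auditing with command-line logging is enabled; without the command line only the medium-severity parent/child rule is available, since the wmiexec output redirect lives in the command line.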

The meticulously crafted SEC511 Electronic Workbook serves as the starting point for hands-on elements in the course. It includes Security Onion 2, the Elastic Stack, and a lot more. The workbook-driven labs include multiple paths to complete each exercise. This multifaceted approach allows the labs to better accommodate diverse student backgrounds and technical exposure.

Shall we play a game?

The NetWars game engine now permeates every single day of the course! Since the launch of SEC511, students have consistently found the NetWars-based Final Capstone to be great fun. Who would have guessed that a game would be fun, right? Students’ praise did not stop at “fun” – they also found the game to be a tremendously successful way to further their learning. Taking this cue, we now incorporate a game-style environment into every day, not just day six.

What Will You Receive

  • Access to custom cloud-hosted challenges to further understanding
  • MP3 audio files of the complete course lecture
  • Licensed Windows 10 virtual machine
  • A Linux VM loaded with tons of extra logs, PCAPs, and other resources
  • A Digital Download Package that includes the above and more