SANS Institute

Frequently Asked Questions – MGT516: Managing Security Vulnerabilities: Enterprise and Cloud

March 12, 2020




      Question #1: What are the goals of this course?

      A: This course will help you to:

      • Identify and understand the severity level of existing vulnerabilities
      • Prioritize which vulnerabilities to remediate
      • Identify potential controls to help avoid and mitigate vulnerabilities in the enterprise and the cloud
      • Determine relevant treatment techniques and controls in the enterprise and the cloud
      • Develop a framework for continuous improvement
      • Develop effective vulnerability reporting for management

      Question #2: Who should take the class?

      A: This course is ideal for:

      • CISOs
      • Information security managers, officers, and directors
      • Information security architects, analysts, and consultants
      • Aspiring information security leaders
      • Risk management professionals
      • Business continuity and disaster recovery planners and staff members
      • IT managers and auditors
      • IT project managers
      • IT/system administration/network administration professionals
      • Operations managers
      • Cloud service managers and administrators
      • Cloud service security and risk managers
      • Cloud service integrators, developers, and brokers
      • IT security professionals managing vulnerabilities in the enterprise or cloud
      • Government IT professionals who manage vulnerabilities in the enterprise or cloud (FedRAMP)
      • Security or IT professionals who have team-lead or management responsibilities
      • Security or IT professionals who use or are planning to use cloud services

      Question #3: What is the class layout?

      A: This is a 5-day lecture and lab course.

      • There are over 22 labs in the class (Day 1 = 7, Day 2 = 4, Day 3 = 6, Day 4 = 5, Day 5 = ALL DAY CAPSTONE) 
      • Day 1 features information on asset management, finding vulnerabilities, and how to make vulnerability management fun. 
      • Day 2 continues instruction on finding vulnerabilities, looking at application problems, scanner configurations, and bug bounty programs. We then move into analyzing vulnerabilities and how to deal with all the results. We’ll look at prioritizing vulnerabilities, exclusions, and threat intelligence.
      • Day 3 moves into communicating the problems we have found. We’ll discuss metrics, reporting, and how to handle various meetings we need to schedule, conduct, or participate in. The day concludes with an introduction to how to treat vulnerabilities with a discussion of change and patch management. 
      • Day 4 wraps up the treatment section with configuration management, application management, and treatment alternatives. Switching from the more technical to the software skills, the course looks at how to gain buy-in for your programs and efforts as well as how to create, set up, and effectively operate a vulnerability management program. We also provide a maturity model for each of the course sections to summarize and wrap up the main portion of the class.
      • Day 5, the final course day, begins with a review of a business scenario that triggers a group capstone exercise. The exercise allows students to analyze and discuss how best to implement and maintain a vulnerability management program and leverage some of the information they have learned throughout the course.

      Question #4: I've been doing work in vulnerability management for a while. Will the course be valuable to me or is it going to be too basic?

      • A: The course offers valuable information and covers relevant topics for practitioners across all skill levels. The class is structured into sections according to topics that are aimed at answering questions relevant to all vulnerability management programs. For example, one of the course sections deals with understanding how to prioritize vulnerabilities. Within this section, we detail where most organizations start – with vulnerability-centric prioritization – and the various ways that this approach can be leveraged. From there, we detail an alternative approach – asset-centric prioritization – and the different methods of utilization. Finally, we look at a more advanced technique – threat-centric prioritization – and outline methods for performing it. In this way, the course covers the topic end to end and allows students to see where they fit into the spectrum of methods as well as ways they can advance their program.

      Question #5: My organization is moving to the cloud. Will this class help me transition my program to this new paradigm?

      • A: No matter where you are on your cloud journey, MGT516 will be valuable for you. This class will help you set up or continue to mature your vulnerability management program with your cloud assets. The class will look at the options and the differences between the various providers (Amazon, Microsoft, Google) and how we can include these within our programs, as well as the different types of cloud services: IaaS (e.g. EC2, Azure), PaaS (e.g. Elastic Beanstalk, Kubernetes), or SaaS (e.g. Adobe Creative Cloud or Salesforce). The class takes an integrated approach to all of the topics covered, providing a cohesive look at how the topic applies across our traditional enterprises as well as in cloud environments.

      Question #6: What will the class prepare you to do?

      • Create, implement, or improve your vulnerability management program
      • Establish a secure and defensible enterprise and cloud computing environment
      • Build an accurate and useful inventory of IT assets in the enterprise and cloud
      • Identify existing vulnerabilities and understand the severity level of each
      • Prioritize vulnerabilities for treatment
      • Effectively report and communicate vulnerability data within your organization
      • Engage treatment teams and make vulnerability management fun
      • Understand what motivates our partners and how to gain their buy-in to ensure program success

      Question #7: Who are the MGT516 course authors?

      A: David Hazar and Jonathan Risto

      David Hazar

      David is a security consultant based in Salt Lake City, Utah, focused on vulnerability management, application security, cloud security, and DevOps. David has 20+ years of broad, deep technical experience gained from a variety of hands-on roles serving the financial, healthcare, and technology industries. In his many roles, including 3 years with a top security consulting firm, he has focused on helping integrate and automate security testing and other important security controls into both on-premise and cloud environments. He has also developed and led technical security training initiatives at many of the companies he has worked for, is an instructor for and contributor to SEC540: Cloud Security and DevOps Automation, and is a co-author and instructor for MGT516: Managing Security Vulnerabilities: Enterprise and Cloud. David holds a BS in information systems and a Master of Information Systems Management from Brigham Young University along with numerous other technical and security certifications. @HazarDSec

      Jonathan Risto

      Jonathan is a SANS Instructor teaching a wide variety of SANS classes including SEC440, SEC504, SEC560, SEC566, and SEC580. He is also the co-author of the SANS MGT516: Managing Security Vulnerabilities: Enterprise and Cloud.

      With a career spanning over 20 years that has included working in network design, IP telephony, service development, security, and project management, he has a deep technical background that provides a wealth of information he draws upon when teaching. He has led direct reports and matrix teams in industries including telecom, government, and charity environments. When not teaching for SANS, he primarily works for the Canadian Government performing cybersecurity research work in the areas of vulnerability management and automated remediation. He also performs consulting work.

      He holds a Bachelor of Electrical Engineering and is a licensed professional engineer (P.Eng.). He also holds a Master's Degree in Information Security Management from STI. In his spare time, he sits on the board of directors for charities and his 3 daughters keep him very busy. When possible, he enjoys the outdoors, astronomy, and photography. @jonathanristo

      Tags:
      • Security Management, Legal, and Audit
