SANS Institute

Frequently Asked Questions – MGT516: Managing Security Vulnerabilities: Enterprise and Cloud

March 12, 2020

      Question #1: What are the goals of this course?

      A: This course will help you to:

      • Identify and understand the severity level of existing vulnerabilities
      • Prioritize which vulnerabilities to remediate
      • Identify potential controls to help avoid and mitigate vulnerabilities in the enterprise and the cloud
      • Determine relevant treatment techniques and controls in the enterprise and the cloud
      • Develop a framework for continuous improvement
      • Develop effective vulnerability reporting for management

      Question #2: Who should take the class?

      A: This course is ideal for:

      • CISOs
      • Information security managers, officers, and directors
      • Information security architects, analysts, and consultants
      • Aspiring information security leaders
      • Risk management professionals
      • Business continuity and disaster recovery planners and staff members
      • IT managers and auditors
      • IT project managers
      • IT/system administration/network administration professionals
      • Operations managers
      • Cloud service managers and administrators
      • Cloud service security and risk managers
      • Cloud service integrators, developers, and brokers
      • IT security professionals managing vulnerabilities in the enterprise or cloud
      • Government IT professional who manage vulnerabilities in the enterprise or cloud (FedRAMP)
      • Security or IT professionals who have team-lead or management responsibilities
      • Security or IT professionals who use or are planning to use cloud services

      Question #3: What is the class layout?

      A: This is a 5-day lecture and lab course.

      • There are over 22 labs in the class (Day 1 = 7, Day 2 = 4, Day 3 = 6, Day 4 = 5, Day 5 = ALL DAY CAPSTONE) 
      • Day 1 features information on asset management, finding vulnerabilities, and how to make vulnerability management fun. 
      • Day 2 continues instruction on finding vulnerabilities, looking at application problems, scanner configurations, and bug bounty programs. We then move into analyzing vulnerabilities and how to deal with all the results. We’ll look at prioritizing vulnerabilities, exclusions, and threat intelligence.
      • Day 3 moves into communicating the problems we have found. We’ll discuss metrics, reporting, and how to handle various meetings we need to schedule, conduct, or participate in. The day concludes with an introduction to how to treat vulnerabilities with a discussion of change and patch management. 
      • Day 4 wraps up the treatment section with configuration management, application management, and treatment alternatives. Switching from the more technical to the software skills, the course looks at how to gain buy-in for your programs and efforts as well as how to create, set up, and effectively operate a vulnerability management program. We also provide a maturity model for each of the course sections to summarize and wrap-up the main portion of the class. 
      • Day 5, the final course day, begins with a review of a business scenario that triggers a group capstone exercise. The exercise allows students to analyze and discuss how best to implement and maintain a vulnerability management program and leverage some of the information they have learned throughout the course.

      Question #4: I've been doing work in vulnerability management for a while. Will the course be valuable to me, or is it going to be too basic?

      A: The course offers valuable information and covers relevant topics for practitioners across all skill levels. The class is structured into sections according to topics that are aimed at answering questions relevant to all vulnerability management programs. For example, one of the course sections deals with understanding how to prioritize vulnerabilities. Within this section, we detail where most organizations start (vulnerability-centric prioritization) and the various ways that this approach can be leveraged. From there, we detail an alternative approach (asset-centric prioritization) and the different methods of utilization. Finally, we look at a more advanced technique (threat-centric prioritization) and outline methods for performing it. In this way, the course covers the topic end to end and allows students to see where they fit into the spectrum of methods, as well as ways they can advance their program.

      Question #5: My organization is moving to the cloud. Will this class help me transition my program to this new paradigm?

      A: No matter where you are on your cloud journey, MGT516 will be valuable for you. This class will help you set up or continue to mature your vulnerability management program with your cloud assets. The class will look at the options and the differences between the various providers (Amazon, Microsoft, Google) and how we can include these within our programs, as well as the different types of cloud services: IaaS (e.g. EC2, Azure), PaaS (e.g. Elastic Beanstalk, Kubernetes), or SaaS (e.g. Adobe Creative Cloud or Salesforce). The class takes an integrated approach to all of the topics covered, providing a cohesive look at how the topic applies across our traditional enterprises as well as in cloud environments.

      Question #6: What will the class prepare you to do?

      • Create, implement, or improve your vulnerability management program
      • Establish a secure and defensible enterprise and cloud computing environment
      • Build an accurate and useful inventory of IT assets in the enterprise and cloud
      • Identify existing vulnerabilities and understand the severity level of each
      • Prioritize vulnerabilities for treatment
      • Effectively report and communicate vulnerability data within your organization
      • Engage treatment teams and make vulnerability management fun
      • Understand what motivates our partners and how to gain their buy-in to ensure program success

      Question #7: Who are the MGT516 course authors?

      A: David Hazar and Jonathan Risto

      David Hazar

      David is a security consultant based in Salt Lake City, Utah, focused on vulnerability management, application security, cloud security, and DevOps. David has 20+ years of broad, deep technical experience gained from a variety of hands-on roles serving the financial, healthcare, and technology industries. In his many roles, including 3 years with a top security consulting firm, he has focused on helping integrate and automate security testing and other important security controls into both on-premise and cloud environments. He has also developed and led technical security training initiatives at many of the companies he has worked for, is an instructor for and contributor to SEC540: Cloud Security and DevOps Automation, and is a co-author and instructor for MGT516: Managing Security Vulnerabilities: Enterprise and Cloud. David holds a BS in information systems and a Master of Information Systems Management from Brigham Young University, along with numerous other technical and security certifications. @HazarDSec

      Jonathan Risto

      Jonathan is a SANS Instructor teaching a wide variety of SANS classes, including SEC440, SEC504, SEC560, SEC566, and SEC580. He is also the co-author of SANS MGT516: Managing Security Vulnerabilities: Enterprise and Cloud.

      With a career spanning over 20 years that has included working in network design, IP telephony, service development, security, and project management, he has a deep technical background that provides a wealth of information he draws upon when teaching. He has led direct reports and matrix teams in industries including telecom, government, and charity environments. When not teaching for SANS, he primarily works for the Canadian Government performing cybersecurity research in the areas of vulnerability management and automated remediation. He also performs consulting work.

      He holds a Bachelor of Electrical Engineering and is a licensed professional engineer (P.Eng.). He also holds a Master's Degree in Information Security Management from STI. In his spare time, he sits on the board of directors for charities and his 3 daughters keep him very busy. When possible, he enjoys the outdoors, astronomy, and photography. @jonathanristo

      Tags:
      • Security Management, Legal, and Audit
