The "Securing Windows and PowerShell Automation (SEC505)" course at the SANS Institute is updated multiple times per year, with a major update every other year.
In summary, the major new SEC505 changes include:
- New slides and lab on PowerShell Just Enough Admin (JEA).
- New slides and lab on PowerShell Desired State Configuration (DSC).
- More emphasis on automating SecOps, incident response, pre-forensics and threat hunting on an enterprise scale through PowerShell and Group Policy (this indirectly supports those on the "Ops" side of DevOps as well, but the focus is on Windows security, not DevOps in general).
- Expansion of the existing material on Server 2016 and Windows 10, such as for biometrics, Server Nano and Credential Guard (with more to come in the regular quarterly updates this year and next).
- Deletion of the half-day of material on Dynamic Access Control (Microsoft has failed to release new enhancements for DAC and has not provided a roadmap for DAC either, so the future of DAC is a bit of a mystery).
Despite the change in title for SEC505, this new version of the course still supports the CIS Critical Security Controls (CSC) just as much as before; in fact, there is more CSC content than in the prior version. But I removed mention of the CSC from the title of SEC505 because it was causing confusion about whether SEC505 is aimed primarily at auditors or at the security operations (SecOps) people. SEC505 is definitely for the SecOps people (even though this is a somewhat counter-productive distinction: auditors and the SecOps crew should work as an integrated team). Also, SEC505 has included PowerShell since 2007, but every year I add more, so I wanted this to be reflected in the title too.
All the SEC505 PowerShell scripts are free and in the public domain at https://BlueTeamPowerShell.com.
For operating systems covered, almost everything in SEC505 still applies to Windows 7 and Server 2008 R2 too. SEC505 is not just for Windows 10 and Server 2016 (and if you are with the United States Department of Defense, I've got some goodies in there especially for you).
If you wish, please follow me on Twitter (@JasonFossen) for future announcements about PowerShell, Windows security, and SEC505 at SANS.
By constantly updating SEC505, I'm keeping my promise to maintain the value and relevance of the GCWN certification, even as Microsoft and the threat landscape both change more rapidly than ever.
I'm really looking forward to teaching the new SEC505 and I hope to see you at a conference soon!
Best Regards,
Jason Fossen
SANS Institute Fellow