Justin Henderson

Your SIEM Questions Answered

October 24, 2018


In this post, SANS instructors Justin Henderson, John Hubbard, and Ismael Valenzuela tackle some of the common questions they get from defenders looking to use their Security Information and Event Management (SIEM) platform as a high-impact detection tool.

What are the most common complaints you hear related to the use of SIEM in a Security Operations Center (SOC)?

JUSTIN HENDERSON

I often hear folks state their SIEM is slow and that it cannot find anything useful. This occurs so much that the phrase "coffee break SIEM" has been coined. Searches taking minutes to complete are unacceptable. Careful planning and understanding how the search is happening can help prevent this. The real issue here is too many logs without emphasis on logs that matter. This leads to mountains of alerts, long triage times, and an inability to identify unauthorized activity. This is an issue with multiple causes: 1) either collecting too much or not having enough hardware, which leads to slow query times (usually the former), 2) too much emphasis on log collection vs. detection, 3) lack of automation and context.

ISMAEL VALENZUELA

The most common complaints have to do with the sheer number of alerts (a Damballa study indicates the average U.S. business has to deal with an average of 10,000 alerts a day); the lack of context (is this really a false positive or not?); and the lack of visibility (not having the logs you need to detect certain attacks, while having too many of the "other logs," that is, the not-so-useful ones).

Why are security professionals so frustrated with their SIEM? Is it a technology problem?

JUSTIN HENDERSON

As much as we all would like to blame vendor technology for SIEM failure, it's almost never a technology issue. In my experience, frustration with SIEM is a result of staff being trained on a specific tool (insert your SIEM tool here) versus having training on what data to collect, how to collect it, how to enrich it with context, and then ultimately how to use it to catch the bad guys. This is why the SANS course SEC555: SIEM with Tactical Analytics was created and has seen tremendous success. We all too often forget SIEM is just a tool. It is not about the tool. It is about how you wield it.

ISMAEL VALENZUELA

As with many other frustrations, it's a matter of misplaced expectations. When you've been told by the vendor that SIEM will meet all your detection needs, or that it is all you need for your SOC, frustration is going to come sooner rather than later. So no, it's not a technology problem, but more of a cultural problem. SIEM is an important element in the SOC, but it's only one of them. As with anything else in security, there's no substitute for having the right vision, processes, and people in place.

JOHN HUBBARD

While teaching, I hear many complaints about SIEMs from the speed of searches, to parsing complication, to difficulty visualizing and reporting information. If you look at recent surveys, this isn't surprising; one found that only 48% of SIEM owners are satisfied with their purchase! That's crazy, considering the lowest score of all airline companies comes in at 63% satisfaction.

What does that say about our SIEMs? To me, it seems many of these issues can be remedied with one simple solution: training. Many SIEMs are extremely capable, but the features are not always straightforward to use. To make things worse, organizations seem willing to spend the hundreds of thousands of dollars on a SIEM, but then skip the analyst courses required to get the return on investment. This situation leads to a team that either must figure out the system as best they can while trying to do their day job or a team that continues to use only the basic features they understand by exploring around on their own.

With a SIEM, you aren't done once you've purchased the hardware. People need to be trained and given the time to actually absorb the training. I think there would be significantly less frustration if this were standard practice.

What are some of the quick wins you recommend to improve the effectiveness of a SIEM?

JUSTIN HENDERSON

Where to start!? Honestly, one of the most effective things an organization can do is to apply a generous portion of filtering or limit the data it collects. Think of this as a hygiene issue. If you do not take a shower you will in an extreme case get sick and die, or at a minimum, you will stink. The same things will happen if you don't filter out the dirt and grime that comes with your logs. Many times, less is more. Also, major quick wins can be achieved by implementing basic detection principles. Monitoring for simple things such as key Windows events can provide high-fidelity detects, low false positives, and minimal logs. This is not limited to Windows. The only reason this task is difficult is it is hard to know what data sources can fall under this category and be easy to implement.

ISMAEL VALENZUELA

My approach might sound a bit boring, but it's highly effective, and I see it yielding positive results repeatedly when applied in a tactical way. It consists of breaking down the DETECTION game into smaller pieces, and focusing on the most critical ones first. On one side, we need to segment the problem into ZONES and determine the most prevalent threats for each of them. This is important because threats vary according to the zone. As an example, when looking at the DMZ, you definitely want to look at SQL injection attempts and webshell implants. On the other side, in the LAN, you want to look at client-side threats like phishing or watering hole attacks. Now, for each of these scenarios — DMZ and client-side threats — look at the different PHASES of the attack chain, and your ability to detect activity related to each of them. A consistent approach like this allows you to find blind spots, determine what logs you need to bring to your SIEM (or discard), and document your detection efforts in the form of use cases.

JOHN HUBBARD

My advice is to take a step back and look at the data you are collecting versus your most important and common use cases. Are you even collecting the information sources you need to make high fidelity detections of modern attacks? If not, this is what needs to change. Often it's not that the SIEM can't perform the job required, it's that the data just isn't available to wield the SIEM properly.

Organizationally, we should work on making the config changes required to pick up data sources that have become increasingly important like PowerShell logs, process creation logs, Exploit Guard, or Sysmon. Without some of these newer sources, your SIEM may be stuck collecting data that doesn't have enough fidelity to detect dangerous conditions without frequent false positives, and the data it would take to enrich it to improve the situation isn't even available. Ensuring your data collection sources are in line with modern attacks, and using guides like MITRE ATT&CK to understand what you do need, can be a huge step in the right direction.
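
The zone-by-phase breakdown and the "data collected versus use cases" review described in the answers above can be kept as data and checked mechanically. The following is an added example, not code from the post or from SANS: the zones and threats are the ones named above, while the phase names, the use-case inventory and the log source labels are constructed assumptions.

```python
# Zones and threats are those named in the answers above; phase names are assumed.
ZONE_THREATS = {
    "DMZ": ["sql_injection", "webshell"],
    "LAN": ["phishing", "watering_hole"],
}
PHASES = ["delivery", "exploitation", "command_and_control"]

# Constructed inventory: (zone, threat, phase, log sources the use case needs).
USE_CASES = [
    ("DMZ", "sql_injection", "exploitation", {"web_access"}),
    ("DMZ", "webshell", "exploitation", {"web_access", "process_creation"}),
    ("DMZ", "webshell", "command_and_control", {"web_access"}),
    ("LAN", "phishing", "delivery", {"mail_gateway"}),
    ("LAN", "phishing", "command_and_control", {"dns"}),
    ("LAN", "watering_hole", "delivery", {"proxy"}),
    ("LAN", "watering_hole", "command_and_control", {"dns"}),
]

# Constructed list of sources currently shipped to the SIEM.
COLLECTED = {"web_access", "dns", "firewall_accept", "printer_status"}


def assess(zone_threats, phases, use_cases, collected):
    """Classify every zone/threat/phase cell and derive log onboarding and filtering lists."""
    status = {
        (zone, threat, phase): "blind"  # no use case documented for this cell yet
        for zone, threats in zone_threats.items()
        for threat in threats
        for phase in phases
    }
    missing = set()
    for zone, threat, phase, needs in use_cases:
        cell = (zone, threat, phase)
        if cell not in status:
            raise ValueError(f"use case refers to an unknown cell: {cell}")
        if needs <= collected:
            status[cell] = "detectable"  # every required source is already collected
        else:
            missing |= needs - collected
            if status[cell] == "blind":
                status[cell] = "blocked"  # use case exists, data does not
    used = set().union(*(needs for *_, needs in use_cases))
    return {
        "status": status,
        "blind_spots": sorted(c for c, s in status.items() if s == "blind"),
        "blocked": sorted(c for c, s in status.items() if s == "blocked"),
        "sources_to_onboard": sorted(missing),
        "filter_candidates": sorted(collected - used),  # collected, used by no use case
    }


if __name__ == "__main__":
    report = assess(ZONE_THREATS, PHASES, USE_CASES, COLLECTED)
    for key in ("blind_spots", "blocked", "sources_to_onboard", "filter_candidates"):
        print(key, report[key])
```
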

What data sources can give me the best visibility and detection capabilities?

JUSTIN HENDERSON

This is a tough one in that there are many awesome data sources. Let me start with my favorite: plain old DNS logs. Add a little bit of log enrichment and you have one of the most powerful ways to catch things like C2, phishing domains, and more. They are also a fantastic way to reduce false positives and limit alert fatigue.

Outside DNS there are also Windows endpoint logs. Not just servers but actual endpoints like laptops and desktops contain Windows events that are amazing at catching adversarial activity. And yet, this task of endpoint log collection does not have to be high volume. Tactical endpoint log collection goes a long way even for things like modern-day PowerShell attacks. Endpoint logs make this possible and fun to detect.

Without getting into writing a full blog about this, I want to mention that I also love things like flow data, augmented IDS alerts (enrich, enrich, enrich), and other network service logs like HTTP, DHCP, and SSL/X.509 certificate information. Can we all just agree Security Onion/Bro for the win?

ISMAEL VALENZUELA

I wholeheartedly agree with Justin (always do), so nothing to add.

JOHN HUBBARD

As Justin said — Bro is an outstanding source of information of all types. If there were a single monitoring tool I could use for network security monitoring, this would be it! Beyond that, I'm a huge fan of proxy logs, if you have them. Justin is correct that DNS is an outstanding source, but proxy logs or next-gen firewall logs that cut layer 7 level transaction data for outward bound traffic like HTTP can be an enormous help and go much further than what DNS alone can provide. DNS is probably the easiest and most bang for the buck you can get as a collection source, but gathering more detail can be even better when the option is available.
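
DNS log enrichment, as mentioned in the answers above, can be illustrated with a short added example (not code from the post or from SANS). The log line layout, the two lookup tables standing in for a top-sites list and WHOIS creation dates, the thresholds and the naive registered-domain split are all assumptions made for the illustration.

```python
import math
from collections import Counter
from datetime import date

# Constructed sample log: "<timestamp> <client_ip> <queried_name>" (not a real product format).
SAMPLE_LOG = """\
2018-10-24T09:00:01Z 10.0.5.21 www.example.com
2018-10-24T09:00:07Z 10.0.5.21 d1a9x7q3k8v2m4z6.cdn.example.net
2018-10-24T09:01:12Z 10.0.5.34 login.portal-update.example
2018-10-24T09:02:40Z 10.0.5.34 x7k2q9vz4m1p8w3c.badsite.test
2018-10-24T09:03:05Z 10.0.5.40 intranet.corp.example
"""

# Constructed enrichment tables: a stand-in for a top-sites list and for WHOIS creation dates.
POPULAR_DOMAINS = {"example.com", "example.net"}
CREATION_DATES = {
    "example.com": date(1995, 8, 14),
    "example.net": date(1995, 8, 14),
    "portal-update.example": date(2018, 10, 20),
    "badsite.test": date(2018, 10, 23),
}


def shannon_entropy(text):
    """Bits per character; random-looking labels score higher than dictionary words."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum((n / len(text)) * math.log2(n / len(text)) for n in counts.values())


def enrich(line):
    """Parse one log line and attach the context fields an analyst would otherwise look up."""
    ts, client, name = line.split()
    name = name.rstrip(".").lower()
    labels = name.split(".")
    registered = ".".join(labels[-2:])  # naive split; real pipelines use the Public Suffix List
    host_labels = labels[:-2] or labels[:1]
    created = CREATION_DATES.get(registered)
    age = (date.fromisoformat(ts[:10]) - created).days if created else None
    return {
        "client": client,
        "query": name,
        "registered_domain": registered,
        "popular": registered in POPULAR_DOMAINS,
        "domain_age_days": age,  # None when the creation date is unknown
        "label_entropy": shannon_entropy(max(host_labels, key=len)),
    }


def triage(log_text, max_age_days=30, min_entropy=3.5):
    """Return (alerts, suppressed): suspicious events, and those silenced by the popularity context."""
    alerts, suppressed = [], []
    for line in log_text.splitlines():
        if len(line.split()) != 3:
            continue  # skip blank or malformed lines instead of failing the batch
        event = enrich(line)
        reasons = []
        if event["domain_age_days"] is not None and event["domain_age_days"] < max_age_days:
            reasons.append("new_domain")
        if event["label_entropy"] >= min_entropy:
            reasons.append("high_entropy_label")
        event["reasons"] = reasons
        if reasons:
            (suppressed if event["popular"] else alerts).append(event)
    return alerts, suppressed


if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_LOG)
    for event in alerts:
        print("ALERT", event["client"], event["query"], event["reasons"])
    for event in suppressed:
        print("suppressed", event["query"], event["reasons"])
```

The random-looking CDN hostname scores the same entropy as the suspicious one, and only the popularity enrichment separates them, which is how the added context cuts false positives.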

Does compliance dictate that I keep ALL logs for a given system?

JUSTIN HENDERSON

No. No. And again, no. If this were true then everyone would be lying through their teeth. For example, most organizations believe they are compliant if they collect all Windows logs from Application, System, and Security event channels on Windows. Yet those are not "all logs" on a Windows system. There are hundreds more Windows event log channels and even more special event tracing logs. Some of these, like the PowerShell event channel, are highly effective at catching malicious and unauthorized activity. Yet this often is not included in your fulfillment of compliance via log collection.

A couple things are worth noting. One, you are not collecting all log sources and there are more things you should collect such as PowerShell logs. Two, a large percentage of organizations trying to fulfill compliance requirements are erring way too much on the side of caution and could benefit from applying filters to remove a generous portion of what they are collecting. Most compliance frameworks are aimed at things such as user-attributable data and focusing on the spirit of compliance. Again, no organization is collecting all logs. This is a data point that can help you get auditors to sign off that you are meeting compliance regulations. The process should be: "This is how I am fulfilling my compliance requirements: I am collecting these logs that help me track user activity and malicious and unauthorized activity. Here is what I am filtering out, as it is high volume and does not help with any of these things."

How much time should people spend maintaining their SIEM?

JUSTIN HENDERSON

This totally varies from organization to organization. But it mostly varies by headcount. I will put this plainly: if you are spending 80 percent of your time within a SIEM tool doing alert review and analysis, then you are on the right track. If you are an organization that is instead focusing heavily on collecting more data sources, applying patches, or running compliance reports, then your SIEM implementation may not be tactical.

Obviously, this percentage varies depending on whether you are not implementing a SIEM at all versus you having had a SIEM tool up and running for a couple of years.

Does scaling a SIEM have to be so costly?

JUSTIN HENDERSON

I wish I had a better answer for this. If you are using a commercial SIEM tool and have a business requirement to only use commercial solutions, then the answer is likely yes. Many solutions are priced in a way that more logs equal higher costs. The discounts tend to not scale with your volume. Some vendors are learning to be more considerate of this, but many of the experiences I have had working with multiple clients have shown otherwise.

If you can augment your commercial solutions with open-source solutions, then the answer may be no. A lot of organizations are switching to what I call "dual stack" SIEM. This means you have one SIEM tool dedicated to compliance-type logs and one dedicated to tactical SIEM implementation. By using open-source solutions for one of these, you can cut costs and may be able to achieve more tactical objectives.

What about the use of Artificial Intelligence/Machine Learning? Is it mostly marketing buzzwords and hype, or is it really something organizations should start considering?

JUSTIN HENDERSON

Please do not hurt me on this one. Let me start with the positive. Machine Learning (ML), user entity and behavior analytics, Artificial Intelligence (AI), or any other automated anomaly analysis software is a boon to security. It can be extremely powerful when used in conjunction with cybersecurity domain expertise and mapped to the knowledge of an organization.

Now for the bad. The vast majority of these systems are costly and end up generating a tremendous number of false positives. Anomalies are not the same as alerts and should not be treated the same. These solutions sound awesome, but I categorize these types of tools as a maturity item. Consider these later after you have a successful and tactical SIEM. Ninety-nine percent of organizations would be better off spending their time focusing on what data sources they can collect and use to catch adversarial activity in their environments instead of trying to purchase something that seems like it can do this automatically.

One of the smartest people I have ever worked with is a data scientist. He teaches folks how to learn and apply Machine Learning and all the other techniques being marketed, but he is honest and openly states that implementing these tools and techniques without domain expertise and applying them against the knowledge of your organization is an exercise in futility.

ISMAEL VALENZUELA

I was waiting for this question!! It seems as if AI is something brand new, but in reality, we've been looking at it for almost 70 years now, with limited success. It's true, however, that AI has resurfaced strongly with the rise of Machine Learning, and it is widely applied to many of our day-to-day activities thanks to applications in areas of perception (i.e., voice recognition — "Alexa, buy me a dollhouse!") and cognition across many industries. AI is nothing new to security, either. Think about SPAM classifiers. How often do you check your spam inbox these days? Chances are you don't even look at it, although there was a day when this was a big nuisance. The use of Machine Learning techniques like Naïve Bayes classifiers has proven reasonably effective at this job, to the point where we don't even think about it.

Having said all that, there are fundamental limitations that prevent AI and ML from overcoming the challenges faced by the security industry on its own, and this is why we don't yet see many practical applications of these techniques in the SOC other than some algorithms used in certain products that are meant to complement the analyst's job. Some of them are mixed with other not-so-advanced analytics and deterministic methods, and they're all re-packaged and sold as a brand-new AI/ML product.

I still believe this is the area where we'll see more advances in the next few years, and there's no doubt that security will need more data scientists and practitioners working together to keep up with the new evolution of attacks. After all, attackers also have access to AI and ML, and they won't hesitate to use them against us. This is a field that we call "adversarial Machine Learning."

Tags:
  • Cyber Defense
