SEC530: Defensible Security Architecture Beta

SEC530: Defensible Security Architecture is designed to help students build and maintain a truly defensible security architecture. "The perimeter is dead" is a favorite saying in this age of mobile, cloud, and the Internet of Things, and we are indeed living in a new world of "de-perimeterization" where the old boundaries of "inside" and "outside" or "trusted" and "untrusted" no longer apply.

This changing landscape requires a change in mindset, as well as a repurposing of many devices. Where does it leave our classic perimeter devices such as firewalls? What are the ramifications of the "encrypt everything" mindset for devices such as Network Intrusion Detection Systems?

In this course, students will learn the fundamentals of up-to-date defensible security architecture. There will be a heavy focus on leveraging current infrastructure (and investment), including switches, routers, and firewalls. Students will learn how to reconfigure these devices to better defend against the threat landscape they face today. The course will also suggest newer technologies that will aid in building a robust security infrastructure.

While this is not a monitoring course, this course will dovetail nicely with continuous security monitoring, ensuring that security architecture not only supports prevention, but also provides the critical logs that can be fed into a Security Information and Event Management (SIEM) system in a Security Operations Center.

Hands-on labs will reinforce key points in the course and provide actionable skills that students will be able to leverage as soon as they return to work.


You Will Learn To:

  • Analyze a security architecture for deficiencies
  • Apply the principles learned in the course to design a defensible security architecture
  • Maximize the current investment by reconfiguring existing equipment to become more defensible
  • Configure computer systems and network components to support proper logging and continuous monitoring
  • Improve both preventive and detective capabilities
  • Improve the security of devices from layer 1 (physical) through layer 7 (application)


Course Syllabus

CPE/CMU Credits: 6

  • Modern Attack Techniques
  • Traditional Security Architecture Deficiencies
    • Emphasis on Perimeter/Exploitation
    • Lack of a True Perimeter ("De-perimeterization" as a Result of the Cloud/Mobile)
    • The Internet of Things
    • Predominantly Network-centric
  • Defensible Security Architecture
    • Mindset
      • Presumption of Compromise
      • De-perimeterization
      • Predominantly Network-centric
    • Models
      • Zero Trust Model (Kindervag - Forrester)
      • Intrusion Kill Chain
      • Diamond Model of Intrusion Analysis
    • Internal Segmentation
    • Automatic Device Change Notification
    • Integrated Endpoint Visibility
  • Threat, Vulnerability, and Data Flow Analysis
    • Threat Vector Analysis
      • Data Ingress Mapping
    • Data Exfiltration Analysis
      • Data Egress Mapping
    • Detection Dominant Design
    • Attack Surface Analysis
    • Visibility Analysis
    • Data Visualization
    • Lateral Movement Analysis

CPE/CMU Credits: 6

  • Layer 1
    • Cabling Best Practices
    • Network Closets
  • Layer 2: Switches
    • Baselines
      • CISecurity
      • Cisco's Best Practices
      • Cisco Autosecure
    • Hardening against Layer 2 Attacks
      • ARP
      • CDP
    • VLANs
      • Hardening
      • Private VLANs
      • MACsec
      • 802.1X
      • NAC
    • NetFlow Introduction
      • Layer 2 NetFlow
  • Layer 3: Routers
    • Software-Defined Networking
      • OpenStack
    • Baselines
      • CISecurity
      • Cisco's Best Practices
      • Cisco Autosecure
    • Securing Routing Protocols
    • Securing NTP
    • Bogon Filtering
    • Darknets
    • IPv6
    • Layer 3 NetFlow
  • Layer 3/4 Stateful Firewalls
    • Stateful
    • Layer 3/4 NetFlow

CPE/CMU Credits: 6

  • Proxy
  • NGFW
    • IDS/IPS Rule Writing
    • Snort
    • Suricata
    • Bro
  • Sandboxing
    • Beyond Inline
    • Integration with Endpoint
    • Feeding the Sandbox Potential Specimens
    • Malware Detonation Devices
  • Encryption
    • The "Encrypt Everything" Mindset
      • Internal and External
    • Free SSL/TLS Certificate Providers
      • Many Are Personal Use Only
      • Let's Encrypt
    • SSL/SSH Inspection
    • SSL/SSH Decrypt Dumps
    • Certificate Pinning
      • Malware Pins
    • Strict SSL
    • HSTS
    • Crypto Suite Support
      • Qualys SSL Labs
  • Whole Disk Encryption
    • BitLocker
    • FileVault
    • Linux Options
  • Secure Remote Access
    • Access Into Organization
    • Dual Factor for All Remote Access (and More)
      • Google Authenticator/TOTP: Open Authentication
    • IPSec VPNs
    • SSH VPNs
    • Jump Boxes
  • Org Remotely Using/Accessing
    • Cloud-hosted Applications (SaaS)
    • Cloud-based storage
  • Virtualized Infrastructure
    • Visibility
    • Segmentation
  • Cloud Services
    • Control
    • Right to Audit/Right to Pen Test
    • Cloud Data Remanence
    • Visibility
  • Mobile Devices/Applications
    • Consumerization/BYOD
      • Control (Remote Wipe, Encryption, PIN/etc., Locking)
      • Visibility
  • Mobile Applications

CPE/CMU Credits: 6

  • Protecting Web/Mobile Applications
    • Web Apps
    • Mobile Apps
    • Application (Reverse) Proxies
    • Full Stack Security Design
      • Web Server
      • App Server
      • DB Server
    • Web Application Firewalls
      • Whitelisting and Blacklisting
      • WAF Bypass
    • Database Firewalls/Database Activity Monitoring
    • Secure DNS
      • Split and Split/split
      • DNSSEC
      • DNS Logging
      • DNS Sinkholes
  • Protecting Endpoints from Malicious/Compromised Applications
    • Dangerous Endpoint Applications
      • Java
      • Adobe Reader
      • Flash
      • Microsoft Office
    • Browser Security
      • Active Scripting
      • IE
      • ActiveX
      • Chrome
      • Firefox
  • Securing the Internet of Things (IoT)
    • The Accelerating Growth Wave of IoT
    • More than Just Video Cameras and DVRs
      • Healthcare: IV Drip Pumps, CAT Scan Machines, etc.
      • Physical Plant: Power, HVAC
      • Televisions and Appliances
    • Shodan

CPE/CMU Credits: 6

  • Rogue Devices
    • Mobile Devices/BYOD
    • Remote Users
    • Business Partners
    • Embedded Contractors/Consultants
  • Compromised Internal Assets
    • Pivoting Adversaries
    • Insider Threat
  • Deceptive Security Ops
  • Building Tripwires for Breach Detection
    • Honeynets, Honeypots, and Honeytokens
  • Deputizing Endpoints as Hardened Security Sensors
    • End-user Privilege Reduction
    • Application Whitelisting
    • Host Hardening
      • EMET
    • Host-based IDS/IPS
      • As Tripwires
    • Endpoint Firewalls
      • Pivot Detection
  • Scaling Endpoint Log Collection/Storage/Analysis

The course culminates in a team-based design-and-secure-the-flag competition. Powered by NetWars, day six provides a full day of hands-on work applying the principles taught throughout the week. Your team will progress through multiple levels and missions designed to ensure mastery of the modern cyber defense techniques promoted throughout this course. Teams will assess, design, and secure a variety of computer systems and devices, leveraging all seven layers of the OSI model.

CPE/CMU Credits: 6

  • Capstone - Design/Detect/Defend
    • Defensible Security Architecture
    • Assess Provided Architecture and Identify Weaknesses
    • Use Tools/Scripts to Assess the Initial State
    • Quickly/Thoroughly Find All Changes Made

Additional Information


A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.

You can use any 64-bit version of Windows, Mac OS X, or Linux as your core operating system, provided it can install and run VMware virtualization products. You must also have 8 GB of RAM or more for the VM to function properly in class.

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop.

In addition to having 64-bit capable hardware, AMD-V, Intel VT-x, or the equivalent must be enabled in BIOS/UEFI.

Please download and install VMware Workstation 11, VMware Fusion 7, or VMware Workstation Player 7 or higher versions on your system prior to the beginning of the class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.


  • CPU: 64-bit 2.0+ GHz processor or higher-based system is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
  • BIOS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI
  • RAM: 8 GB (gigabytes) of RAM or higher is mandatory for this class (Important - Please Read: 8 GB of RAM or higher is mandatory)
  • Wireless networking: 802.11 b/g/n/ac
  • USB 3.0 Ports Highly Recommended
  • Disk: 25 Gigabytes of free disk space
  • Administrative access to disable any host-based firewall
  • VMware Workstation 11, Workstation Player 7, or Fusion 7 (or newer)
  • A Linux virtual machine will be provided in class

If you have additional questions about the laptop specifications, please contact

  • Security Architects
  • Network Engineers
  • Network Architects
  • Security Analysts
  • Senior Security Engineers
  • System Administrators
  • Technical Security Managers
  • CND Analysts
  • Security Monitoring Specialists
  • Cyber Threat Investigators

  • Basic understanding of network protocols and devices.
  • Experience with Linux from the command line.

  • MP3 audio files of the complete course lecture
  • Intro and walkthrough videos of most labs
  • A Linux VM loaded with tons of tools and other resources
  • A 32GB USB 3.0 stick that includes the above and more

  • Analyze a security architecture for deficiencies
  • Apply the principles learned in the course to design a defensible security architecture
  • Determine appropriate security monitoring needs for organizations of all sizes
  • Maximize existing investment in security architecture by reconfiguring existing assets
  • Determine capabilities required to support continuous monitoring of key Critical Security Controls
  • Configure appropriate logging and monitoring to support a Security Operations Center and continuous monitoring program

While the above list briefly outlines the knowledge and skills you will learn, it barely scratches the surface of what this course has to offer. Hands-on labs throughout the course will reinforce key concepts and principles, as well as teach you how to use key scripting tools.

When your SEC530 training journey is complete, and your skills are enhanced and honed, it will be time to go back to work and deliver on the SANS promise that you'll be able to apply what you learned in this course the day you return to the office.

*CPE/CMU credits not offered for the SelfStudy delivery method

Training events (6 results):

  • Apr 25 - Apr 30, 2018
  • Jul 16 - Jul 21, 2018: Training Event, Washington, DC
  • Aug 20 - Aug 25, 2018: Training Event, SANS Prague 2018, Prague, Czech Republic
  • Sep 10 - Sep 15, 2018: Training Event
  • Sep 23 - Sep 28, 2018: Training Event
  • Oct 22 - Oct 27, 2018: Training Event, SANS October Singapore 2018, Singapore, Singapore

*Course contents may vary depending upon location, see specific event description for details.