
MGT516: Managing Security Vulnerabilities: Enterprise and Cloud Beta

An understanding of vulnerability management and cloud security is becoming not only valuable but a necessity to keep one’s organization secure in this constantly changing and dynamic environment.

Kae David, EY

Great course, great content. MGT516 is essential for both well-established and developing vulnerability management teams.

Robert Adams, CBC

Vulnerabilities are everywhere. There are new reports of problems within our systems and software every time we turn around. Directly related to this is an increase in the quantity and severity of successful attacks that seem to happen daily. Managing vulnerabilities in any size organization is challenging. Enterprise environments add scale and diversity that overwhelms many IT security and operations organizations. Now add in the cloud and the increasing speed with which all organizations must deliver systems, applications, and features to both their internal and external customers, and security may seem unachievable.

The primary goal of this course is to equip those responsible for managing the infrastructure and application vulnerabilities within their organization with strategies and solutions that overcome the challenges and stumbling blocks they may encounter. In addition, the course provides participants with a better understanding of how to manage vulnerabilities in the cloud and leverage new and exciting technologies and development patterns to increase the effectiveness of their program.

By understanding the problem and potential solutions, participants will be better prepared to meet this challenge and determine what might work for their organization. Through course discussions and other exercises participants will also be encouraged to share what is working and not working in their organizations.

The course is based on the Prepare, Identify, Analyze, Communicate, and Treat (PIACT) Model:

  • Prepare: Define, build, and continuously improve the program
  • Identify: Identify vulnerabilities present in our operating environments
  • Analyze: Analyze and prioritize identified vulnerabilities and other program metrics to provide meaningful assistance and guidance to stakeholders and program participants
  • Communicate: Present the findings from analysis appropriately and efficiently for each stakeholder group
  • Treat: Implement, test, and monitor solutions to vulnerabilities, vulnerability groups, and broader issues identified by the program

Knowing that our environments are adopting cloud services and becoming more tightly integrated with them, we look at both cloud and non-cloud environments simultaneously throughout the course, highlighting the tools, processes, and procedures that can be leveraged in each environment and presenting new and emerging trends.

A capstone exercise performed on the final course day of MGT516 features a business scenario that includes both enterprise and cloud-based environments. The exercise allows students to analyze and discuss how best to implement and maintain a vulnerability management program and leverage some of the information they have learned throughout the course. The group solutions are then reviewed in class so participants can learn what others outside their group have determined would best help this organization succeed.

Course Syllabus

Overview

Day 1 focuses on understanding the environments in which we operate and preparing to implement and maintain a successful vulnerability management program.

The prepare phase describes the proactive and ongoing work an enterprise can do to effectively manage vulnerabilities in its operating environments. This includes governance, strategy, security frameworks, asset management and asset classification, to name a few. Without a thorough understanding of where they are, where they would like to be, and the plan to get there, organizations will continue to struggle to keep up with the ever-increasing complexity of vulnerability management.

Exercises
  • Data Classification and Asset Prioritization
  • Vulnerability Management

CPE/CMU Credits: 6

Topics

Course Introduction

  • Goals of the course
  • Cloud services overview
  • Why is vulnerability management important?
  • Introduction to the PIACT model

Vulnerability Management Process: Prepare

  • Design and architecture considerations
  • Cloud strategies and types
  • Policies, processes, and procedures
  • Governance and organizational relationships
  • Legal and regulatory requirements
  • Asset management
  • Data location and classification
  • Cloud support and training
  • Day 1 summary

Overview

Day 2 continues the walk-through of the PIACT process, focusing on the identify phase. The course day starts by looking at where we can find vulnerabilities in the environment, such as user systems, peripherals, cloud services, and mobile devices, and what types of problems we can find in those locations. From there, we take a look at what technology is available to assist in the automated identification of vulnerabilities, and the considerations associated with different operating environments. Manual identification methods, such as penetration testing and manual reviews, are discussed next. Finally, other methods of identifying vulnerabilities are investigated, providing information on topics such as bug bounty programs and threat intelligence. The day wraps up by looking at how to identify vulnerabilities in processes and within our own users.

Exercises

  • Prioritizing Vulnerabilities and Identifying Asset Business Value
  • Risk Exercise
  • Communications Package Exercise
  • Remediation and Effectiveness

CPE/CMU Credits: 6

Topics

Vulnerability Management Process: Identify

Types of vulnerabilities

How to find vulnerabilities - technology

Automated identification

  • Dynamic runtime analysis
  • Static/binary analysis
  • Inventory/configuration analysis
  • Third-party analysis

Manual identification

  • Penetration testing
  • Manual reviews

Other identification methods

  • Bug bounty programs
  • Threat Intelligence
  • Cloud-specific analysis

How to find vulnerabilities - process

How to find vulnerabilities - people

Day 2 summary

Overview

Day 3 begins with an introduction to the analyze phase and its importance in the process. Information is provided to help students understand the impact of false positives and negatives. Prioritization of people, process, and technology vulnerabilities is discussed using vulnerability-centric, asset-centric, and threat-centric lenses. Discussion then turns to controls, with administrative, technical, and physical controls discussed. At the end of the analyze phase, we help students understand how to select controls.

Day 3 continues with coverage of the communicate phase. Communication strategies and audiences are discussed, along with the information these audiences need to participate in the program. The course day then turns to metrics, with contextual, operational, program, and executive metrics all discussed. Recommended metrics are further expanded upon. The day then wraps up with different communication strategies for various audiences.

Exercises
  • Review a Standard Cloud Services Agreement Exercise
  • Developing a Cloud Use Plan - Prepare Phase
  • Business Needs and CSPs Scenario - Prepare Phase
  • Applying the CSA CCM and CAIQ - Prepare Phase
  • Treacherous Twelve - Identify Phase
  • Additional Consumer-side Vulnerabilities - Identify Phase
  • Additional In-between Vulnerabilities - Identify Phase
  • Additional Consumer-side Vulnerabilities - Identify Phase
  • Additional Web Application Vulnerabilities - Identify Phase
  • New Department Scenario - Identify Phase

CPE/CMU Credits: 6

Topics

Analyze Phase

  • Why analyze the vulnerabilities?
  • False positives and negatives
  • Exclusions
  • Risk
  • Prioritizing vulnerabilities
  • Prioritizing technology vulnerabilities
  • CVSS
  • Vulnerability-centric prioritization
  • Asset-centric prioritization
  • Threat-centric prioritization
  • Prioritizing people vulnerabilities
  • Prioritizing process vulnerabilities
  • How to deal with vulnerabilities
  • Technical controls
  • Administrative controls
  • Physical controls
  • How to choose the right control

Communicate Phase

  • The need for communication
  • Communication strategy
  • Metrics maturity model
  • Contextual metrics
  • Operational metrics
  • Program metrics
  • Executive/Board metrics
  • Recommended metrics
  • What to communicate
  • How to communicate the information
  • Different audiences
  • Day 3 summary

Overview

Day 4 discusses the treat phase of the PIACT model. Successful treatment of vulnerabilities should be the primary goal of vulnerability management. Throughout the day we will discuss the common operational processes that are used to treat vulnerabilities. We will also look at some of the technology solutions available to assist with some of these processes, and discuss different and emerging operating models that may impact our treatment methodology.

Exercises
  • The FAIR Approach - Assess Phase
  • Consumer-side Controls - Assess Phase
  • Cloud Services Agreement - Assess Phase
  • Communicate Scenario - Communicate Phase
  • Treat Scenario - Treat Phase

CPE/CMU Credits: 6

Topics

Treat Phase

  • Treat phase overview
  • Change management
  • Treatment frequency vs. treatment deadline
  • Acceptance testing
  • Patch management
  • Patch management tools
  • Best practices in patch management
  • Configuration management
  • Cloud management
  • Application management
  • Alternative treatment
  • Putting it all together
  • Course to date wrap-up

Overview

Day 5 begins with a review of a scenario that triggers the group capstone exercise for the students. The day is broken up into various sections/scenarios that stem from the main case study, which enables the students to delve into various aspects of the PIACT model. A review of findings and conclusions will follow each section of the exercise, allowing each team to present its findings to the other teams and engage in class discussions on the topics covered. The instructor will also present a potential solution for the scenarios discussed.

Exercises
  • Review the Enterprise-based Scenario
  • Review the Cloud-based Aspects of the Scenario
  • Working through the PIACT Model of Vulnerability Management for the Case Study

CPE/CMU Credits: 6

Additional Information

A laptop computer is required to perform the in-class lab exercises in MGT516.

System Requirements

  • Windows, Mac, or Linux operating system
  • At least 8 GB RAM
  • 5 GB of available disk space (more space is recommended)
  • Standard user access to the operating system and all security software installed. Administrator access privilege is preferred for configuration and troubleshooting issues.
  • A WiFi network adapter
  • A web browser application
  • An available USB port
  • Support for the exFAT file system
  • Application software to open, edit, and save MS Word, MS Excel, and PDF documents
  • Machines should NOT contain any personal or company data.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  • CISOs
  • Information security managers, officers, and directors
  • Information security architects, analysts, and consultants
  • Aspiring information security leaders
  • Risk management professionals
  • Business continuity and disaster recovery planners and staff members
  • IT managers and auditors
  • IT project managers
  • IT/system administration/network administration professionals
  • Operations managers
  • Cloud service managers and administrators
  • Cloud service security and risk managers
  • Cloud service integrators, developers, and brokers
  • IT security professionals managing vulnerabilities in the enterprise or cloud
  • Government IT professionals who manage vulnerabilities in the enterprise or cloud (FedRAMP)
  • Security or IT professionals who have team lead or management responsibilities
  • Security or IT professionals who use or are planning to use cloud services
  • A basic understanding of risk management objectives and IT systems and operations is recommended.
  • Student manuals containing the entire course content
  • Introduction and walk-through of labs
  • In-class quizzes as a review of recently covered material

  • Implement risk and vulnerability management programs
  • Establish a secure, defendable enterprise and cloud computing environment
  • Build an accurate inventory of IT assets in the enterprise and cloud
  • Identify existing vulnerabilities and understand the severity level of each
  • Prioritize which vulnerabilities to remediate
  • Identify potential controls to avoid and mitigate vulnerabilities for the enterprise and cloud
  • Perform cost justification for each control to show management a positive return on investment
  • Develop a risk/vulnerability report for management
  • Develop a framework for continuous improvement

MGT516 reinforces the transfer of knowledge through many hands-on lab exercises. The exercises that students will perform in class include:

  • Data Classification and Asset Prioritization
  • Vulnerability Management Exercise
  • Prioritizing Vulnerabilities and Identifying Asset Business Value
  • Risk Exercise
  • Communications Package Exercise
  • Remediation and Effectiveness
  • Review a standard Cloud Services Agreement exercise
  • Developing a Cloud Use Plan - Prepare Phase
  • Business Needs and CSPs Scenario - Prepare Phase
  • Applying the CSA CCM and CAIQ - Prepare Phase
  • Treacherous Twelve - Identify Phase
  • Additional Consumer-side Vulnerabilities - Identify Phase
  • Additional In-between Vulnerabilities - Identify Phase
  • Additional Consumer-side Vulnerabilities - Identify Phase
  • Additional Web Application Vulnerabilities - Identify Phase
  • New Department Scenario - Identify Phase
  • Consumer-side Controls - Assess Phase
  • Cloud Services Agreement - Assess Phase
  • Communicate Scenario - Communicate Phase
  • Treat Scenario - Treat Phase
  • Capstone Lab: Case Study - Enterprise and Cloud

These labs are designed so that students can use the skills learned in the classroom. Students can work independently or in teams for all labs. However, the Capstone lab will be a team-based exercise to complete the vulnerability management process for a business case study based on the enterprise computing and cloud environments. The teams will then present their solutions for review by the other teams.

Authors' Statement

"It is easy to be overwhelmed by the amount of information available to us about the risks in our environments. Vulnerabilities are present in just about every device and software that we use, with new reports released daily. Managing this dynamic landscape is a challenge for all organizations.

Our goal with this course is to provide students with a step-by-step overview of the PIACT process and how it provides the framework for a vulnerability management program. This will enable students to effectively identify the key problems within their environment, evaluate potential solutions to those problems, and efficiently communicate within their teams and to the organization on the effectiveness of the vulnerability management."

- Jonathan Risto

"I have spent over a decade helping organizations improve their infrastructure and application vulnerability management capabilities and programs. It surprises me how many organizations are struggling with similar issues. I also frequently hear concerns about how to successfully implement vulnerability management in the cloud when struggles still exist in their more traditional operating environments.

With this course, we would like to provide students with a better understanding of what they can do to improve their current program and extend that program into the cloud. We want them to understand the common roadblocks they will face and provide them options for solving these challenging programs. There is no one-size-fits-all solution to vulnerability management, but there are definitely common themes in mature organizations. The course is also a great opportunity to learn from what peers are doing in their organization to solve some of the same problems you may be facing."

- David Hazar



*Course contents may vary depending upon location, see specific event description for details.