SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
SEC541: Cloud Security Threat Detection
SEC541Cloud Security
- 5 Days (Instructor-Led)
- 30 Hours (Self-Paced)
Course authored by:
Shaun McCullough & Ryan Nicholson
Course authored by:Shaun McCullough & Ryan Nicholson
- GIAC Cloud Threat Detection (GCTD)
- 30 CPEs
Apply your credits to renew your certifications
- In-Person, Virtual or Self-Paced
Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
- 22 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Acquire elite cloud threat detection capabilities to identify, analyze, and respond to sophisticated attacks in AWS and Azure environments.
Featured Quote
I would recommend SEC541 to any cloud security stakeholder that wants to empower all the security tools companies have in order to improve detection, understand protection, and overall increase their security level.
Course Overview
SEC541: Cloud Security Threat Detection immerses students in hands-on labs that focus on detecting threats and investigating attacks across AWS, Azure, and Microsoft 365 environments. Threat-driven curriculum to equips security professionals with practical cloud threat detection techniques through analyses of real-world attacks.
The course begins with an analysis of real-world case studies, followed by implement detection controls and investigate suspicious activities. From there, you’ll build a detection engineering process, and explore cloud-native logging, API monitoring, and effective detection systems tailored to cloud environments. You’ll also gain exposure to cloud threat hunting strategies that enhance proactive detection and reduce response times.
By the end of the course, you’ll have developed practical skills to detect, investigate, and respond to sophisticated cloud threats. Security professionals will gain expertise beyond theory, implementing cloud threat detection strategies that address the critical differences between on-premises and cloud security monitoring.
What You'll Learn
- Learn how to build a detection engineering program
- Analyze cloud API logs to detect unauthorized activity
- Implement effective cloud-native security monitoring
- Utilize Azure and AWS detection services effectively
- Apply threat intelligence and generative AI to cloud security
- Build automation for incident response in the cloud
Business Takeaways
- Reduce cloud breach detection time and impact
- Implement cloud-specific security monitoring strategies
- Establish effective cloud detection engineering program
- Enhance visibility across multi-cloud environments
- Leverage native tooling to minimize security costs
- Align detection capabilities to actual cloud threats
- Accelerate incident response with automation
Meet Your Authors
- Slide 1 of 2
Shaun McCullough
Certified InstructorShaun McCullough spent 20+ years at the NSA working in cyber operations as a software engineer and technical director of Blue, Red, and Hunt teams. He is currently a staff level Cloud Security Engineer at GitHub.
Read more about Shaun McCullough - Slide 2 of 2
Ryan Nicholson
Senior InstructorRyan’s extensive experience, including roles as a cybersecurity engineer for major Department of Defense cloud projects and as a lead auditor, underscores his dedication to enhancing the security posture of critical systems.
Read more about Ryan Nicholson
Slide 1 of 0
(1/0)
Course Syllabus
Explore the course syllabus below to view the full range of topics covered in SEC541: Cloud Security Threat Detection.
Section 1Detection of Cloud API and Network Attacks
The course begins with an investigation of a real-world cloud attack, breaking down the tactics and demonstrating how to monitor cloud management APIs. You will analyze API logs, implement network monitoring, and develop detection strategies for unauthorized activities in cloud environments.
Topics covered
- Cloud attack analysis methodology
- Detecting engineering
- JSON log parsing techniques
- Network traffic analysis in cloud
- Detection strategy implementation
Labs
- Investigate attacker evasions with CloudTrail
- Building detections in CloudWatch
- Deploying and operating a decoy honey network
- Network Analysis in the Cloud
Section 2Compute and Application Attacks
Students focus on monitoring compute resources including virtual machines, containers, and serverless functions. You’ll then analyze the Tesla Kubernetes attack, implement logging for compute environments, and develop detection strategies for abnormal behavior patterns in cloud workloads.
Topics covered
- Virtual machine and container logging architecture
- Metadata service risks and exploitation techniques
- Kubernetes and container monitoring and investigation
- Cloud database attack detection and data exfiltration
- eBPF and log agent customization for threat detection
Labs
- Threat intelligence generation
- Enhanced host visibility
- Kubernetes command and control
- Cryptojacking cloud services
- Cloud storage ransomware
Section 3Security Services and Investigations
You’ll learn to implement and leverage cloud-native detection services, discovering the best ways to conduct resource inventory, identify sensitive data in unauthorized locations, and centralize security data for comprehensive threat monitoring across cloud environments.
Topics covered
- Leveraging CSPM and CWP services in Azure and AWS
- Cloud resource inventory techniques
- Detecting cross-account role persistence attacks
- Data exposure and risk evaluation
- Analyzing activities across log types
Labs
- Metadata services and GuardDuty setup
- Detecting command injection in Lambda
- Macie configuration for data discovery
- Inspector deployment for vulnerabilities
- Centralized logging with ElasticSearch
Section 4Microsoft Ecosystem
You’ll examine Microsoft 365 and Azure-specific detection capabilities and incorporating AI into their security program. This section concentrates on techniques to investigate Exchange attacks, utilize Kusto Query Language for log analysis, and implement Microsoft Defender and Sentinel for comprehensive threat detection in Microsoft cloud environments.
Topics covered
- Microsoft 365 attack analysis
- Sentinel strategies and advanced KQL
- Defender XDR
- Storage account monitoring
- Cloud services using AI
Labs
- Baker221b onboarding and active incidents
- Suspicious email investigation
- Authentication attacks and rogue Activities
- Sherlock's Data Breach
- Sherlock’s AI Assistant
Section 5Data Shipping, Automation and CloudWars
You will begin by automating incident response in cloud environments and then culminate the course by participating in the CloudWars Challenge. You’ll walk away with strategies to implement automated forensic workflows and develop skills in a capstone exercise designed to test their ability to detect and respond to cloud-based threats.
Topics covered
- Cloud incident response automation
- Forensic workflow implementation
- Detection engineering principles
- Multi-cloud security integration
- Threat hunting methodologies
Labs
- Automated forensics workflow setup
- Results analysis techniques
- CloudWars Challenge participation
Things You Need To Know
Relevant Job Roles
Cloud Security Analyst
Cloud SecurityUsing cloud security solutions to respond to incidents and enable defenses
Explore learning pathCyber Threat Intelligence Specialist
European Cybersecurity Skills FrameworkCollect, process, analyse data and information to produce actionable intelligence reports and disseminate them to target stakeholders.
Explore learning pathThreat Management
SCyWF: Protection And DefenseThis role collects and analyzes information about threats, searches for undetected threats and provides actionable insights to support cybersecurity decision-making. Find the SANS courses that map to the Threat Management SCyWF Work Role.
Explore learning pathThreat Detection & Response
Cloud SecurityMonitor, test, detect, and investigate threats to cloud environments.
Explore learning pathIncident Response (OPM 531)
NICE: Protection and DefenseResponsible for investigating, analyzing, and responding to network cybersecurity incidents.
Explore learning pathCyber Defense Analyst (DCWF 511)
DoD 8140: CybersecurityMonitors cyber defense tools like IDS and logs to analyze network events, identifying and mitigating potential threats to security environments.
Explore learning pathCourse Schedule & Pricing
Looking for Group Purchase Options?Contact Us
GIAC Certification Attempt
Add a GIAC certification attempt and receive free two practice tests. View pricing in the info icons below.
OnDemand Course Access
When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.
Filter by:
Location & instructorDate & TimeCourse priceRegistration Options
- Date & TimeOnDemand (Anytime)Self-Paced, 4 months accessCourse price$8,260 USD*Prices exclude applicable local taxesRegistration Options
- Date & TimeFetching schedule..View event detailsCourse price$8,375 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..View event detailsCourse price€7,715 EUR*Prices exclude applicable local taxesRegistration Options
- Date & TimeFetching schedule..View event detailsCourse price$8,260 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..View event detailsCourse price€7,715 EUR*Prices exclude applicable local taxesRegistration Options
- Date & TimeFetching schedule..View event detailsCourse price$8,260 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..View event detailsCourse price$8,260 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..View event detailsCourse price$8,260 USD*Prices exclude applicable local taxes
Showing 8 of 13
Learn Alongside Leading Cybersecurity Professionals From Around The World
- Slide 1 of 4Learning what to look for from both sides of the keyboard in one course is refreshing.
- Slide 2 of 4Each day's content is like a well told story. The labs bring the lecture to life.
- Slide 3 of 4I really enjoyed learning more about the AWS data sources and then performing relevant attacks against them to generate events that we could hunt for.
- Slide 4 of 4I liked the labs. They were beefy but they were fun. I really liked the brute force lab because that is 100% legit. I thought it was really cool too how they show you two ways to do almost the same thing with Athena and CloudWatch.
Slide 1 of 0
(1/0)
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources