NOTE: The term "architecture" is interpreted differently by different organizations and in various regions of the world. This course focuses on strategic and technical application and use cases, including fine-tuning and implementing various infrastructure components and cyber defense techniques. If you are expecting the course to focus exclusively on strategic solution placement, vendor products and use cases, the course is not for you.
Traditional methods of cyber defense, like perimeter-based network security, have always emphasized the need of keeping adversaries out of our networks, building a 'fortress' that would stop attackers while allowing secure access to legitimate users. However, modern client-side attacks have made evident that the old perimeter security model is clearly insufficient, creating the need for new data-centric models like Zero Trust.
But is Zero Trust just a new marketing buzzword, a simple iteration over the well-known 'least privilege' mindset, or a truly innovative strategy? Is Zero Trust really attainable, and if it's not, is it possible to gradually implement 'less trust' as part of a holistic defensible security architecture? How do we get started, and what are some of the tools and technologies that are available to implement it?
SEC530: Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise, is designed to help students establish and maintain a holistic and layered approach to security, while taking them on a journey towards a realistic 'less trust' implementation, based on Zero Trust principles, pillars and capabilities. Effective security requires a balance between detection, prevention, and response capabilities, but such a balance demands that controls be implemented on the network, directly on endpoints, and within cloud environments. The strengths and weaknesses of one solution complement another solution through strategic placement, implementation, and continuous fine-tuning.
To address these issues, this course focuses on combining strategic concepts of infrastructure and tool placement while also diving into their technical application. We will discuss and identify what solutions are available and how to apply them successfully to reduce attack surface and implement adaptive trust. Most importantly, we'll evaluate the strengths and weaknesses of various solutions and how to layer them cohesively to achieve a defensible security architecture.
SEC530 is a practical class, focused on teaching effective tactics and tools to architect and engineer for disruption, early warning detection, and response to most prevalent attacks, based on the experience of the authors, highly experienced practitioners with an extensive career in cyberdefense. There will be a heavy focus on leveraging current infrastructure (and investment), including switches, routers, next-gen firewalls, IDS, IPS, WAF, SIEM, sandboxes, encryption, PKI and proxies, among others. Students will learn how to assess, re-configure and validate these technologies to significantly improve their organizations' prevention, detection and response capabilities, augment visibility, reduce attack surface, and even anticipate attacks in innovative ways. The course will also delve into some of the latest technologies and their capabilities, strengths, and weaknesses. You will come away with recommendations and suggestions that will aid in building a robust security infrastructure, layer by layer, across hybrid environments, as you embark on a journey towards Zero Trust.
While this is not a monitoring course, it will dovetail nicely with continuous security monitoring, ensuring that your security architecture not only supports prevention but also provides the critical logs that can be fed into behavioral detection and analytics systems, like UEBA or Security Information and Event Management (SIEM), in a Security Operations Center (SOC).
Multiple hands-on labs conducted daily will reinforce key points in the course and provide actionable skills that students will be able to leverage as soon as they return to work.
You Will Be Able To:
- Analyze a security architecture for deficiencies
- Discover data, applications, assets and services, and assess compliance state
- Implement technologies for enhanced prevention, detection, and response capabilities
- Comprehend deficiencies in security solutions and understand how to tune and operate them
- Understand the impact of 'encrypt all' strategies
- Apply the principles learned in the course to design a defensible security architecture
- Determine appropriate security monitoring needs for organizations of all sizes
- Maximize existing investment in security architecture by reconfiguring existing technologies
- Determine capabilities required to support continuous monitoring of key Critical Security Controls
- Configure appropriate logging and monitoring to support a Security Operations Center and continuous monitoring program
- Design and Implement Zero Trust strategies leveraging current technologies and investment
While the above list briefly outlines the knowledge and skills you will learn, it barely scratches the surface of what this course has to offer.
When your SEC530 training journey is complete, and your skills are enhanced and honed, it will be time to go back to work and deliver on the SANS promise that you'll be able to apply what you learned in this course the day you return to the office.
This Course Will Prepare You To:
- Understand how to implement data-centric security architectures like Zero Trust
- Layer security solutions ranging from network to endpoint and cloud-based technologies
- Understand the implications of proper placement of technical controls
- Tune, adjust, and implement security techniques, technologies, and capabilities
- Think outside the box on using common security solutions in innovative ways
- Balance visibility and detection with prevention while allowing for better response times and capabilities
- Understand where prevention technologies are likely to fail and how to supplement them with specific detection technologies
- Understand how security infrastructure and solutions work at a technical level and how to better implement them
What You Will Receive:
- An electronic workbook with introduction and walk-through videos of most labs
- Bonus labs that are regularly updated
- A Linux VM loaded with tons of tools and other resources
- A Digital Download Package that includes the above and more
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
CRITICAL NOTE: Apple systems using the M1 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.
Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below. It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices. Those who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules. You also must have 8 GB of RAM or higher for the VM to function properly in the class.
It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop.
In addition to having 64-bit capable hardware, AMD-V, Intel VT-x, or the equivalent must be enabled in BIOS/UEFI.
Download and install either VMware Workstation Pro 15.5.x, VMware Player 15.5.x or Fusion 11.5.x or higher versions before class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.
Other virtualization software, such as VirtualBox and Hyper-V, are not appropriate because of compatibility and troubleshooting problems you might encounter during class.
VMware Workstation Pro and VMware Player on Windows 10 is not compatible with Windows 10 Credential Guard and Device Guard technologies. Please disable these capabilities for the duration of the class, if they're enabled on your system, by following instructions in this document.
MANDATORY SEC530 SYSTEM REQUIREMENTS:
- CPU: 64-bit 2.0+ GHz processor or higher-based system is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
- BIOS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI
- RAM: 8 GB (gigabytes) of RAM or higher is mandatory for this class (Important - Please Read: 8 GB of RAM or higher is mandatory)
- Wireless Ethernet 802.11 B/G/N/AC
- USB 3.0 Ports highly recommended
- Disk: 40 Gigabytes of free disk space
- Administrative access to disable any host-based firewall
- VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+
- A Linux virtual machine will be provided in class
Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
"In our many years of experience assessing the security posture of organizations, responding to incidents, and ramping up security operations, we've seen the futility of trying to monitor and defend against modern adversaries when the architecture in place has not been designed with security in mind. Likewise, we've continually seen that organizations that suffer massive breaches and business disruption often focused their emphasis prior to the breach on perimeter protection and prevention mechanisms but lacked defensible security architecture.
"We've designed this course to address this gap. In six days filled with case studies, winning techniques, instructor-led demos, and plenty of hands-on labs (including a NetWars-based Defend-the-Flag challenge), students will learn how to design, build, and harden networks, infrastructure, and applications that can truly be called 'defensible.'
"As practitioners, we know that theory is not enough, so we've made sure that this class is focused on real-world implementations of network-centric, data-centric, and zero-trust security architecture mapped to best practices and standards, but also based on our many years of experience on what works and what doesn't. You'll find that this makes the content appropriate and relevant for the reality of a wide variety of organizations and roles."
- Justin Henderson and Ismael Valenzuela
"Every security professional should have the knowledge from SEC530. Ismael is very knowledgeable and humorous and conducts the remote lessons very well." - Frank Fu, SCB