SEC530: Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise

GIAC Defensible Security Architecture (GDSA)
  • In Person (6 days)
  • Online
36 CPEs

This course is designed to help students establish and maintain a holistic and layered approach to security, while taking them on a journey towards a realistic 'less trust' implementation based on Zero Trust principles, pillars and capabilities. Effective security requires a balance between detection, prevention, and response capabilities, but such a balance demands that controls be implemented on the network, directly on endpoints, within cloud environments, and ultimately, around the data we are trying to protect. The strengths and weaknesses of one solution complement another solution through strategic placement, implementation, and continuous fine-tuning. To address this need, this course focuses on combining strategic concepts of infrastructure and tool placement while also diving into their technical application.

What You Will Learn

Secure by Design: Zero Trust for Modern Hybrid Networks

SEC530 is a practical class, focused on teaching effective tactics and tools to architect and engineer for disruption, early warning detection, and response to the most prevalent attacks, based on the experience of the authors, highly experienced practitioners with extensive careers in cyber defense. There will be a heavy focus on leveraging current infrastructure (and investment), including switches, routers, next-gen firewalls, IDS, IPS, WAF, SIEM, sandboxes, encryption, PKI and proxies, among others. Students will learn how to assess, re-configure and validate these technologies to significantly improve their organizations' prevention, detection and response capabilities, augment visibility, reduce attack surface, and even anticipate attacks in innovative ways. The course will also delve into some of the latest technologies and their capabilities, strengths, and weaknesses. You will come away with recommendations and suggestions that will aid in building a robust security infrastructure, layer by layer, across hybrid environments, as you embark on a journey towards Zero Trust.

While this is not a monitoring course, it will dovetail nicely with continuous security monitoring, ensuring that your security architecture not only supports prevention but also provides the critical logs that can be fed into behavioral detection and analytics systems, like UEBA or Security Information and Event Management (SIEM), in a Security Operations Center (SOC).

Multiple hands-on labs conducted daily will reinforce key points in the course and provide actionable skills that students will be able to leverage as soon as they return to work.

SEC530 is a truly unique course created by defenders for defenders, offering:

  • Vendor-Neutral Expertise: Master techniques applicable across various technologies and platforms.
  • Real-World Applications: Leverage your existing infrastructure to enhance your organization's security.
  • Hands-On Labs: Engage in 24+ interactive labs and a capstone challenge to solidify your skills. Labs do not expire so you can revisit them at any time.
  • Zero Trust Implementation: Learn to build a robust, defensible security architecture from the ground up.

"SEC530 teaches you to defend and put mechanisms in place to secure the environment. The real life scenarios and examples were priceless. Hearing the stories from the trenches really made me feel like being able to apply" - Omar Zaman, United Airlines

What Is Zero Trust Implementation?

The practice of Zero Trust Implementation is a comprehensive cybersecurity strategy that assumes no entity, whether inside or outside the network, is inherently trustworthy. Instead, it requires continuous verification and validation of every user, device, and application attempting to access resources.

Business Takeaways

This course will help your organization:

  • Identify and comprehend deficiencies in security solutions
  • Design and Implement Zero Trust strategies leveraging current technologies and investment
  • Maximize existing investment in security architecture by reconfiguring existing technologies
  • Layer defenses to increase protection time while increasing the likelihood of detection
  • Improve prevention, detection, and response capabilities
  • Reduce attack surface
  • Address modern authentication challenges
  • Measure security efficacy using Time Based Security and the Think Red, Act Blue approach

Skills Learned

  • Analyze a security architecture for deficiencies
  • Learn how to anticipate the adversary and build security resiliency in hybrid environments
  • Design and Implement Zero Trust strategies leveraging current technologies and investment
  • Discover data, applications, assets and services, and assess compliance state
  • Implement technologies for enhanced prevention, detection, and response capabilities
  • Comprehend weaknesses in existing security solutions and understand how to tune and operate them
  • Understand the impact of 'encrypt all' strategies
  • Understand identity management and federation
  • Apply the principles learned in the course to design a defensible security architecture
  • Determine appropriate security monitoring needs for organizations of all sizes
  • Maximize existing investment in security architecture by reconfiguring existing technologies
  • Determine capabilities required to support continuous monitoring of key Critical Security Controls
  • Configure appropriate logging and monitoring to support a Security Operations Center and continuous monitoring program
  • Secure virtualized environments
  • Become an All-Around Defender

While the above list briefly outlines the knowledge and skills you will learn, it barely scratches the surface of what this course has to offer.

Hands-On Defensible Security Architecture and Engineering Training

The hands-on portion of SEC530 will impress and please students who want to design and build a defensible security architecture for hybrid environments. All labs are based on realistic scenarios, designed to give students a deep understanding of the technologies that power modern enterprise security solutions. Each lab can be completed in multiple ways, including detailed and visually rich step-by-step instructions, and an independent study guide with challenges, hints and instructional videos, designed to maximize the learning experience and equip the student to succeed in the GIAC Defensible Security Architecture (GDSA) exam.

Most labs are self-contained within the provided VM and containerized, allowing the student to stand up and work with complex environments with no troubleshooting needed. Other labs are cloud-based, making use of automation frameworks like Terraform to replicate enterprise environments. None of the materials expire, including the VM, the detailed electronic workbook and labs, allowing students to revisit them at any time after class.

Throughout 6 days, students will engage in the following hands-on challenges and exercises:

  • Section 1: Practical Threat Modeling with MITRE ATT&CK, Egress Analysis, Layer 2 Attacks, Architecting for Flow Data
  • Section 2: Auditing Router Security, Router SNMP Security, IPv6, Proxy Power
  • Section 3: Architecting for NSM, Network Security Monitoring, Encryption Considerations
  • Section 4: Securing Web Applications, Discovering Sensitive Data, Secure Virtualization
  • Section 5: Network Isolation and Mutual Authentication, SIEM Analysis and Tactical Detection, SIGMA Generic Signatures, Advanced Defense Strategies
  • Section 6: Capstone: Design/Detect/Defend

In addition, students will enjoy additional bonus labs, including:

  • Intelligence Driven Architectures with VirusTotal Enterprise
  • Remediating Web Vulnerabilities
  • Cloud Monitoring and Asset Tracking (AWS)
  • Operationalizing JA3
  • Azure Privilege Escalation

"I just have to say, these labs are astonishingly well set up. They demonstrate exactly what's needed in very few steps. There's a lot of moving parts behind some of them but they are robust, and all in a small VM footprint. I've never seen any course lab environment executed so well." - Michael Curran, Austrade

"These containerized labs are magic. Being able to stand up an otherwise labor-intensive environment to do exercises with a single one-liner is amazing." - Ansley Barnes, Cambridge Innovation Center

"The course materials have been consistently challenging and equally clear. I absolutely love the online workbook in the VM. The formatting is perfect and I really like how it doesn't reveal the answers until you open them. Likewise with the step-by-step instructions. The video instruction steps in the workbook are unique and very useful for study." - Lawrence Mecca, Mathematica

Syllabus Summary

  • Section 1: Principles of designing and building defensible systems and networks, the fundamentals of security architectures and the journey towards Zero Trust.
  • Section 2: Hardening critical infrastructure that is often found in hybrid environments, including routing devices, firewalls, and application proxies.
  • Section 3: Improving the efficacy of prevention and detection technologies using application-layer security solutions with a Zero Trust mindset.
  • Section 4: Data-centric security, including identifying core data and where they reside, classification, labeling and data protection strategies across hybrid environments.
  • Section 5: Culminates our journey towards Zero Trust by focusing on implementing an architecture where trust is no longer implied but must be proven.
  • Section 6: Team-based Design-and-Secure-the-Flag competition.


What You Will Receive

  • Printed and electronic courseware
  • A virtual machine, an open-source, Linux-based distribution with utilities to start and stop the containerized labs
  • An electronic workbook including detailed and visually rich step by step instructions, and an independent study guide with challenges, hints and instructional videos
  • Bonus labs that are regularly updated
  • MP3 audio files of the complete course lecture
  • On-going access to course authors and instructors via a private Slack channel

What Comes Next?

Depending on your current role or future plans, one of these courses is a great next step in your cybersecurity journey:

Safeguarding Supply Chains and Managing Third-Party Risk

Network Monitoring and Security Operations

Syllabus (36 CPEs)

  • Overview

    This first section of the course describes the principles of designing and building defensible systems and networks. In this section we introduce the fundamentals of security architectures and the journey towards Zero Trust. It presents a vendor-neutral and realistic vision of Zero Trust, including references to US and international guidelines, maturity models and design principles. We will cover traditional vs. defensible security architectures, security models and winning techniques, and the defensible security architecture life cycle or DARIOM (Discover, Assess, Re-Design, Implement, Operate and Monitor) model.

    The main emphasis of section one is on practical threat modeling with models like MITRE ATT&CK and on building a good foundation from the bottom up, starting with physical security and network security at the lower layers, from VLANs and PVLANs, along with understanding what normal looks like by baselining network activity with NetFlow data across hybrid environments, on-prem and in the cloud. Section 1 will also introduce you to the principle of Time-Based Security and how to implement it in the real world.

    Section one includes an overview of traditional network and security architectures and their common weaknesses. The defensible security mindset is "build it once, build it right." All systems must perform their operational functions effectively, and security can complement this goal. It is much more efficient to bake security in at the outset than to retrofit it later. To implement that concept, the class includes many practical tips the authors have successfully deployed in the trenches to harden and monitor infrastructure in order to prevent and detect modern attacks. Examples include the use of private VLANs, which effectively kill the malicious client-to-client pivot, and 802.1X and NAC, which mitigate rogue devices. Specific Cisco IOS syntax examples are provided to harden critical network devices.

    • Practical Threat Modeling with MITRE ATT&CK: In SEC530's first hands-on lab, students will learn practical threat modeling using MITRE ATT&CK. This framework will be used throughout the week, so All-Around Defenders can use this model to prioritize security countermeasures and to drive efficacy. This class will teach students to be threat-focused, not vulnerability-focused, identifying where the most important risks are.
    • Egress Analysis: The focus is on understanding how attackers exfiltrate data with common techniques like DNS tunneling, and how to layer defenses to increase protection time while increasing the likelihood of detection.
    • Identifying Layer 2 Attacks: Network security has improved, yet layer 2 attacks are still possible in a modern organization. The focus of this lab is on identifying relevant layer 2 attacks.
    • Architecting for Flow Data: This lab will help students understand the various forms of flow data and how to architect the placement and use of various flow data sources to identify unauthorized or anomalous activity.
    • Course Overview
      • What is a Security Architecture?
      • What makes a good Security Architect?
      • Learning Through Case Studies from Day 1 to 6 (Tyrell Corp Case Study)
      • Our Journey Towards Zero Trust
    • Defensible Security Architecture
      • Mindset
        • Presumption of Compromise
        • De-perimeterization
        • Think Red, Act Blue
    • Traditional Security Architecture Deficiencies
      • Case Study: Tyrell Corporation - Failed Mindset
    • Winning Defensible-Security Strategies
      • Risk-Driven and Business Outcome-Focused Architecture
      • Cyber Resiliency
      • Ruthless Prioritization and Disrupting Attacker's ROI
      • Identify and Prioritize Critical Assets
      • Practical Threat Modeling: Purple Teaming
      • MITRE ATT&CK Matrix
      • Look for Blue/Red Asymmetries
    • Security Models
      • Time Based Security
      • Cyber Kill Chain
      • TBS + Kill Chain + MITRE ATT&CK
      • Architecting for Visibility & Detection
      • Architecting for Incident Response
      • Zero Trust Model
      • US Government - Embracing a Zero Trust Security Model
      • DISA - Rethinking How We Use Existing Infrastructure
      • CISA - Zero Trust Pillars and Maturity Model
      • Zero Trust Architecture Design Principles
      • Zero Trust Through the 'Stained-Glass Windows of Vendor Marketing'
      • Implementing Less Implicit Trust
      • Zero Trust - A Journey Over Time
    • Threat, Vulnerability, and Data Flow Analysis
      • Defensible Security Architecture Life Cycle (DARIOM Model)
      • Discover and Assess
      • Goal: Identifying the Unknown Unknowns
      • Threat Vector Analysis
        • Data Ingress Mapping
      • Data Exfiltration Analysis
        • Data Egress Mapping
      • Attack Surface Analysis
      • Egress Analysis
      • Visibility Analysis
      • Redesign
      • Implement
      • Operate and Monitor
    • Defensible Security Architecture, Beginning at Layers 1 and 2
      • Red Team Scenario - Replicants vs. Tyrell Corporation
      • Layer 1 - Physical Security Best Practices
        • Penetration Testing Dropboxes
        • USB Keyboard Attacks (Rubber Ducky)
      • Layer 1 Mitigations
      • Layer 2 - Network Security Best Practices
        • Wireless, Zigbee and RFID badges
        • WIPS Containment over the Air
        • WPA3 Enterprise - WPA2 + PMFs + Stronger Ciphers
        • Station Isolation
        • Private 5G Network Architecture
    • Layer 2 Attacks and Mitigation
    • VLANs
      • Hardening
      • Private VLANs
    • NetFlow
      • Layer 2 and 3 NetFlow
      • NetFlow, sFlow, J-Flow, VPC Flow Logs, Suricata and Endpoint Flow
      • Cloud Flows
      • Suricata Flows
      • Flow Design
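The egress analysis lab above centres on how attackers move data out over DNS. The following is an added example, not part of the SEC530 courseware: it profiles Zeek-style dns.log records per registered domain and flags the combination that a tunnel produces (many unique subdomains, long high-entropy labels, bulk record types). The log lines are constructed, the thresholds and the naive two-label registered-domain split are assumptions for illustration, and a production version needs a public-suffix list plus an allow-list for CDNs and security products that legitimately encode data in DNS labels.

```python
"""Egress analysis: flagging likely DNS tunnelling in Zeek-style dns.log data.

Added example, not part of the SEC530 courseware. The log lines, the
thresholds and the naive registered-domain split are assumptions made for
illustration; tune the thresholds against a baseline of your own resolvers.
"""
import math
from collections import defaultdict

# Constructed sample, tab-separated: ts, id.orig_h, query, qtype_name.
# 10.1.1.22 sends long, high-entropy TXT lookups under one domain, the
# typical shape of a DNS tunnel carrying data out.
SAMPLE_DNS_LOG = """\
1700000001.1\t10.1.1.20\twww.example.com\tA
1700000002.2\t10.1.1.20\tmail.example.com\tMX
1700000003.3\t10.1.1.21\tcdn.example.net\tA
1700000004.4\t10.1.1.22\t6a7b3c9d1e2f4a5b6c7d.tunnel-test.org\tTXT
1700000005.5\t10.1.1.22\t9f8e7d6c5b4a3f2e1d0c.tunnel-test.org\tTXT
1700000006.6\t10.1.1.22\t0a1b2c3d4e5f60718293.tunnel-test.org\tTXT
1700000007.7\t10.1.1.22\ta4b5c6d7e8f90a1b2c3d.tunnel-test.org\tTXT
1700000008.8\t10.1.1.22\t5e6f708192a3b4c5d6e7.tunnel-test.org\tTXT
1700000009.9\t10.1.1.20\tlogin.example.com\tA
"""

# Assumed thresholds; start conservative and tune on real traffic.
MIN_UNIQUE_SUBDOMAINS = 5
MIN_MEAN_ENTROPY = 3.0        # bits per character of the subdomain part
MIN_MEAN_SUBDOMAIN_LEN = 16
BULK_QTYPES = {"TXT", "NULL", "CNAME"}  # record types that carry large payloads back


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Last two labels. Assumption for the example: use a public-suffix list
    in production so that names under e.g. 'co.uk' are split correctly."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_dns_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, query, qtype = line.split("\t")
        records.append({"ts": float(ts), "orig_h": orig_h,
                        "query": query.lower(), "qtype": qtype})
    return records


def profile_domains(records: list) -> dict:
    """Per registered domain: unique subdomains, bulk-qtype count, total, clients."""
    profiles = defaultdict(lambda: {"subdomains": set(), "bulk": 0,
                                    "total": 0, "clients": set()})
    for rec in records:
        dom = registered_domain(rec["query"])
        sub = rec["query"][: -len(dom)].rstrip(".")
        prof = profiles[dom]
        prof["total"] += 1
        prof["clients"].add(rec["orig_h"])
        if sub:
            prof["subdomains"].add(sub)
        if rec["qtype"] in BULK_QTYPES:
            prof["bulk"] += 1
    return profiles


def score_domain(prof: dict) -> dict:
    subs = prof["subdomains"]
    n = len(subs)
    mean_len = sum(len(s) for s in subs) / n if n else 0.0
    mean_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / n if n else 0.0
    bulk_frac = prof["bulk"] / prof["total"] if prof["total"] else 0.0
    reasons = [label for ok, label in ((mean_ent >= MIN_MEAN_ENTROPY, "high-entropy labels"),
                                       (mean_len >= MIN_MEAN_SUBDOMAIN_LEN, "long subdomains"),
                                       (bulk_frac >= 0.5, "bulk record types")) if ok]
    return {"unique_subdomains": n, "mean_entropy": round(mean_ent, 2),
            "mean_len": round(mean_len, 1), "bulk_fraction": round(bulk_frac, 2),
            "clients": sorted(prof["clients"]), "reasons": reasons,
            "flagged": n >= MIN_UNIQUE_SUBDOMAINS and bool(reasons)}


def find_tunnel_candidates(log_text: str) -> dict:
    """Return {domain: score} for the domains that trip the heuristics."""
    profiles = profile_domains(parse_dns_log(log_text))
    scored = {dom: score_domain(prof) for dom, prof in profiles.items()}
    return {dom: s for dom, s in scored.items() if s["flagged"]}
```

Run `find_tunnel_candidates(SAMPLE_DNS_LOG)` and only tunnel-test.org comes back, with 10.1.1.22 as the sole client; the example.com lookups, which have few short, low-entropy subdomains, stay below every threshold. Requiring the subdomain count on top of the per-label signals is what keeps a single odd-looking name from paging anyone.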
  • Overview

    This section continues the discussion on hardening critical infrastructure that is often found in hybrid environments, and moves on to concepts such as routing devices, firewalls, and application proxies. Actionable examples are provided for hardening routers, with specific Cisco IOS commands to perform each step.

    The section then continues with a deep dive on IPv6, which, according to Google's adoption statistics, is now used by over 42 percent of the users reaching Google, while being simultaneously used and ignored by most organizations. We will provide deep background on IPv6, discuss common mistakes (such as applying an IPv4 mindset to IPv6), and provide actionable solutions for securing the protocol. The section continues with a discussion of a key Zero Trust topic: segmentation. A secure network design that implements multiple defensive layers is critical to defend against threats and protect resources within the network. This section includes principles and defensive tactics that cover firewalls and network segmentation but also identity and access segmentation. Section 2 wraps up with a discussion on web application proxies and SMTP proxies.

    • Auditing Router Security: The focus of this lab is on identifying and mitigating security issues in routers.
    • Router SNMP Security: In this lab, students will interact with live cloud routers and perform attacks against SNMP to understand them and, ultimately, to remove the threat.
    • IPv6: The Next Generation Internet Protocol, also known as IPv6, is often ignored and misunderstood. This lab allows students to interact with IPv4 and IPv6 to be more familiar with some of the differences.
    • Proxy Power: Proxies have immense capabilities in dealing with malware and command and control channels. This lab walks students through what would happen to malware phoning home based on the different ways a proxy can be configured.
    • Layer 3 Attacks and Mitigation
      • IP Source Routing
      • ICMP Attacks
      • Unauthorized Routing Updates
      • Securing Routing Protocols
      • Unauthorized Tunneling (Wormhole Attack)
    • Switch and Router Best Practices
      • Cisco Sigma Analytics
    • Layer 2 and 3 Benchmarks and Auditing Tools
      • Baselines
        • CISecurity
        • Cisco's Best Practices
        • Cisco Autosecure
        • DISA STIGs
        • Nipper-ng
    • Securing SNMP
      • SNMP Community String Guessing
      • Downloading the Cisco IOS Config via SNMP
      • Hardening SNMP
      • SNMPv3
    • Securing NTP
      • NTP Authentication
      • NTP Amplification Attacks
    • Bogon Filtering, Blackholes, and Darknets
      • Bogon Filtering
      • Monitoring Darknet Traffic
      • Building an IP Blackhole Packet Vacuum
    • IPv6
      • Dual-Stack Systems and Happy Eyeballs
      • IPv6 Extension Headers
      • IPv6 Addressing and Address Assignment
    • Securing IPv6
      • IPv6 Firewall Support
      • Scanning IPv6
      • IPv6 Asset Inventory with Rumble Network Discovery
      • IPv6 Tunneling
      • IPv6 Router Advertisement Attacks and Mitigation
    • Segmentation
      • Network vs Access Segmentation
      • Segmentation Principles
      • Firewall Architecture
      • DMZ Design
      • Beyond DMZ: Segmentation is More Than 2 Zones
      • Architecting with Security Operations Monitoring in Mind
      • Login Segmentation
    • Application Proxies
      • Reverse Proxies, ZTNA and SASE
      • Web Proxy
        • Explicit vs. Transparent
        • ICAP
        • Forward vs. Reverse
    • SMTP Proxy
      • Augmenting with Phishing Protection and Detection Mechanisms
      • Bayesian Analysis
      • SPF, DKIM, DMARC
      • Dnstwist
      • Combining Open-Source Intelligence
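Bogon filtering, listed under the Layer 3 hardening topics above, is one of the cheapest edge controls to get right and one of the easiest to get wrong once allocations change. The following is an added example, not part of the SEC530 courseware: it classifies inbound flow sources against the RFC special-use IPv4 and IPv6 ranges and renders the same table as Cisco IOS style named ACLs. The flow records are constructed (documentation space stands in for the organisation's own public prefixes), the prefix table deliberately excludes unallocated space, which needs a maintained feed such as Team Cymru's bogon lists, and the ACL rendering is illustrative rather than taken from the course's own Cisco examples.

```python
"""Bogon filtering for an Internet-facing interface.

Added example, not SEC530 courseware. The flow records are constructed and
the prefix table covers only the RFC special-use ranges; a production filter
also needs an unallocated-space feed (for example Team Cymru's bogon lists)
and must be refreshed as allocations change, or it will drop real customers.
The rendered ACL is illustrative: verify it against your platform's syntax.
"""
import ipaddress

# Special-use prefixes that should never appear as a source address arriving
# from the Internet (IPv4 and IPv6, since dual-stack edges need both).
BOGON_PREFIXES = {
    "0.0.0.0/8": "this network (RFC 1122)",
    "10.0.0.0/8": "private (RFC 1918)",
    "100.64.0.0/10": "shared address space, CGNAT (RFC 6598)",
    "127.0.0.0/8": "loopback (RFC 1122)",
    "169.254.0.0/16": "link-local (RFC 3927)",
    "172.16.0.0/12": "private (RFC 1918)",
    "192.0.0.0/24": "IETF protocol assignments (RFC 6890)",
    "192.0.2.0/24": "documentation TEST-NET-1 (RFC 5737)",
    "192.168.0.0/16": "private (RFC 1918)",
    "198.18.0.0/15": "benchmarking (RFC 2544)",
    "198.51.100.0/24": "documentation TEST-NET-2 (RFC 5737)",
    "203.0.113.0/24": "documentation TEST-NET-3 (RFC 5737)",
    "224.0.0.0/4": "multicast (RFC 5771)",
    "240.0.0.0/4": "reserved (RFC 1112)",
    "::/128": "unspecified (RFC 4291)",
    "::1/128": "loopback (RFC 4291)",
    "::ffff:0:0/96": "IPv4-mapped (RFC 4291)",
    "100::/64": "discard-only (RFC 6666)",
    "2001:db8::/32": "documentation (RFC 3849)",
    "fc00::/7": "unique local (RFC 4193)",
    "fe80::/10": "link-local (RFC 4291)",
    "ff00::/8": "multicast (RFC 4291)",
}
BOGON_NETWORKS = [(ipaddress.ip_network(p), why) for p, why in BOGON_PREFIXES.items()]

# Constructed inbound flows (src, dst, proto). Destinations use documentation
# space as a stand-in for the organisation's own public prefixes.
SAMPLE_INGRESS_FLOWS = [
    ("8.8.8.8", "198.51.100.10", "udp"),           # legitimate public source
    ("10.20.30.40", "198.51.100.10", "tcp"),       # RFC 1918 source from the Internet: spoofed
    ("192.0.2.77", "198.51.100.10", "tcp"),        # documentation range, never routed
    ("2606:4700::1111", "2001:db8:1::10", "tcp"),  # legitimate public IPv6 source
    ("fe80::1", "2001:db8:1::10", "icmpv6"),       # link-local must not cross a router
    ("100.64.3.4", "198.51.100.10", "udp"),        # CGNAT space leaking across the edge
]


def bogon_reason(addr: str):
    """Reason string if addr lies inside a bogon prefix, else None."""
    ip = ipaddress.ip_address(addr)
    for net, why in BOGON_NETWORKS:
        if ip.version == net.version and ip in net:
            return why
    return None


def filter_ingress(flows: list) -> tuple:
    """Split flows into (permitted, dropped); dropped entries carry the reason."""
    permitted, dropped = [], []
    for src, dst, proto in flows:
        why = bogon_reason(src)
        if why:
            dropped.append((src, dst, proto, why))
        else:
            permitted.append((src, dst, proto))
    return permitted, dropped


def render_ios_acl(name: str = "BOGON-IN") -> list:
    """Cisco IOS style named ACLs (IPv4 wildcard masks, IPv6 prefixes) to apply
    inbound on the edge; the trailing permit stands in for the real edge policy."""
    v4 = [f"ip access-list extended {name}"]
    v6 = [f"ipv6 access-list {name}-V6"]
    for net, why in BOGON_NETWORKS:
        if net.version == 4:
            v4 += [f" remark {why}", f" deny ip {net.network_address} {net.hostmask} any"]
        else:
            v6 += [f" remark {why}", f" deny ipv6 {net.with_prefixlen} any"]
    v4.append(" permit ip any any")
    v6.append(" permit ipv6 any any")
    return v4 + v6


if __name__ == "__main__":
    permitted, dropped = filter_ingress(SAMPLE_INGRESS_FLOWS)
    for src, dst, proto, why in dropped:
        print(f"DROP {src} -> {dst} {proto}: {why}")
    print("\n".join(render_ios_acl()))
```

Of the six constructed flows, four are dropped: the RFC 1918, documentation, link-local and CGNAT sources, each tagged with the RFC that says it has no business arriving from the Internet. The same check applied to the outbound direction (your own prefixes as source, everything else denied) is the anti-spoofing half of the control.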
  • Overview

    Organizations own or have access to many network-based security technologies, ranging from Next-Generation Firewalls to IDS/IPS and VPNs among others. These are often deployed on-prem but also in the Cloud. Yet the effectiveness of these technologies is directly affected by their implementation. Too much reliance on built-in capabilities like application control, antivirus, intrusion prevention, data loss prevention, or other automatic evil-finding deep packet inspection engines leads to a highly preventative-focused implementation, with huge gaps in both prevention and detection. This section focuses on improving the efficacy of prevention and detection technologies using application-layer security solutions with a Zero Trust mindset. By thinking outside the box, and by engineering defenses for modern attacks, both prevention and detection capabilities gain significantly.

    Today, clients and mobile devices need remote access into an organization. How this is achieved varies dramatically in implementation and, as a result, security. This section continues with a discussion of some of the more common forms of remote access like VPNs and some of the new ones, like ZTNA. Some of these technologies are likely to still be in use for some time to come, while others may be dead, dying or fading. The section concludes with a discussion on modern vs. legacy authentication attacks, passwordless, FIDO2, OAuth and MFA bypass attacks, and the pros and cons of breaking TLS encryption for Layer 7 inspection.

    • NSM Architecture and Engineering: In this lab, students will learn how to place and implement NSM technologies for proper visibility and application/protocol awareness. They will also leverage advanced correlation capabilities on Zeek to detect C2 and tunnels.
    • Network Security Monitoring: Intrusion detection alerts and network metadata provide a holistic approach to knowing thyself and identifying unauthorized activity. This lab focuses on detecting adversaries operating over the network with NSM (Suricata).
    • Encryption Considerations: Network encryption protects data from being observed both by attackers and defenders. This lab focuses on how defenders can interact with TLS connections to gain back visibility for inspection in proxies, NSM, NGFW, and other solutions.
    • NGFW
      • Application Filtering
      • Implementation Strategies
      • External Dynamic Lists (EDLs)
      • DNS Filtering and Sinkholing
      • Infrastructure (and Configuration) As Code
      • Terraform by HashiCorp
      • NGFW on Cloud
      • Scripting & APIs
    • Network Security Monitoring (NSM)
      • Alert-Driven Workflows vs Data-Driven Workflows
      • Architecting for Network Visibility
      • Power of Network Metadata
      • Know Thy Network
      • SPAN ports vs TAPs
      • Sensor Placement
      • Network Traffic Analysis Architecture
      • Zeek Use Cases
      • Visibility in Kubernetes with Zeek
      • Case Study: Tyrell Corporation - Cloud
      • IDS/IPS Rule Writing
      • Signature vs Anomaly vs Protocol analysis
      • Snort
      • Suricata
      • Zeek
    • Secure Remote Access
      • TLS VPN
      • SSH VPNs
      • Always On VPN
      • Compression and WAN Optimization
      • Rethinking VPN Strategies
      • Remote Access Applications
      • Modern Alternatives to VPN: ZTNA and SDP
      • Remote Desktop on HTML5 with Guacamole
      • Controlled Network Authentication
      • Clean Source Principle (CSP) and AD Management
      • Administrative Workstations
      • Jump Boxes and Bastion hosts on Cloud VPCs
      • Identity Access Management (IAM)
      • Case Study: Tyrell Corporation -- A Hybrid Architecture
    • Defending against Modern Authentication Attacks
      • Modern vs. Legacy Authentication
      • Multifactor Authentication
      • Fast Identity Online (FIDO/FIDO2)
      • Passwordless
      • Adversary-in-the-Middle (AiTM) Phishing
      • MFA Fatigue Attack
      • MFA bypass
      • OAuth 2.0
      • Defending against OAuth Consent Phishing
      • Modern Authentication, Identity Federation and Single Sign-On (SSO)
    • Encryption
      • The "Encrypt Everything" Mindset
        • Internal and External
      • Free SSL/TLS Certificate Providers
      • SSL/SSH Inspection
      • SSL/SSH Decrypt Dumps
      • SSL Decrypt Mirroring
      • Certificate Pinning
        • Malware Pins
      • HSTS Preloading
      • Certificate Transparency Monitoring
      • Crypto Suite Support
      • SSL/TLS Passive Decryption
      • TLS 1.2 vs TLS 1.3
      • Risks and Cons of TLS Interception
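The NSM lab above uses Zeek correlation to find C2 and tunnels; the following is an added example, not SEC530 courseware and not a Zeek script, that shows the same idea offline in Python over Zeek-style conn.log records. A beacon stands out not by where it goes but by how regularly it goes there: near-constant gaps between connections and near-constant request sizes. The records are constructed (one beaconing host, one normal browsing host, one host with too few connections to judge) and the thresholds are assumptions; in production, known-periodic traffic such as update checks and NTP needs an allow-list.

```python
"""NSM correlation: surfacing periodic C2 beacons in Zeek-style conn.log data.

Added example, not SEC530 courseware and not Zeek's own scripting. The
connection records are constructed and the thresholds are assumptions to
tune against a baseline of your own network; production detection should
also allow-list known-periodic traffic such as update checks and NTP.
"""
import statistics
from collections import defaultdict

# Constructed sample, tab-separated: ts, id.orig_h, id.resp_h, id.resp_p, proto, orig_bytes.
# 10.1.1.30 calls 203.0.113.50:443 about once a minute with a near-constant
# request size; 10.1.1.31 browses normally; 10.1.1.32 makes two DNS lookups.
SAMPLE_CONN_LOG = """\
1700000000\t10.1.1.30\t203.0.113.50\t443\ttcp\t517
1700000005\t10.1.1.31\t93.184.216.34\t443\ttcp\t1200
1700000012\t10.1.1.31\t93.184.216.34\t443\ttcp\t340
1700000060\t10.1.1.30\t203.0.113.50\t443\ttcp\t517
1700000119\t10.1.1.30\t203.0.113.50\t443\ttcp\t521
1700000150\t10.1.1.31\t93.184.216.34\t443\ttcp\t8800
1700000151\t10.1.1.31\t93.184.216.34\t443\ttcp\t120
1700000181\t10.1.1.30\t203.0.113.50\t443\ttcp\t517
1700000200\t10.1.1.32\t10.1.1.5\t53\tudp\t64
1700000240\t10.1.1.30\t203.0.113.50\t443\ttcp\t517
1700000300\t10.1.1.30\t203.0.113.50\t443\ttcp\t530
1700000361\t10.1.1.30\t203.0.113.50\t443\ttcp\t517
1700000400\t10.1.1.31\t93.184.216.34\t443\ttcp\t2500
1700000404\t10.1.1.31\t93.184.216.34\t443\ttcp\t760
1700000419\t10.1.1.30\t203.0.113.50\t443\ttcp\t517
1700000500\t10.1.1.32\t10.1.1.5\t53\tudp\t64
"""

# Assumed thresholds.
MIN_CONNECTIONS = 6
MAX_INTERVAL_CV = 0.15   # stdev/mean of the gaps between connections
MAX_SIZE_CV = 0.25       # stdev/mean of bytes the client sends per connection


def parse_conn_log(text: str) -> list:
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, resp_h, resp_p, proto, orig_bytes = line.split("\t")
        rows.append({"ts": float(ts), "orig_h": orig_h, "resp_h": resp_h,
                     "resp_p": int(resp_p), "proto": proto, "orig_bytes": int(orig_bytes)})
    return rows


def _cv(values: list) -> float:
    """Coefficient of variation; 0 means perfectly regular."""
    mean = statistics.mean(values)
    return statistics.pstdev(values) / mean if mean else float("inf")


def score_session(rows: list) -> dict:
    """Regularity metrics for one client->server:port/proto pair."""
    rows = sorted(rows, key=lambda r: r["ts"])
    if len(rows) < 2:
        return {"connections": len(rows), "flagged": False}
    gaps = [b["ts"] - a["ts"] for a, b in zip(rows, rows[1:])]
    sizes = [r["orig_bytes"] for r in rows]
    interval_cv, size_cv = _cv(gaps), _cv(sizes)
    flagged = (len(rows) >= MIN_CONNECTIONS and interval_cv <= MAX_INTERVAL_CV
               and size_cv <= MAX_SIZE_CV)
    return {"connections": len(rows), "median_interval_s": statistics.median(gaps),
            "interval_cv": round(interval_cv, 3), "size_cv": round(size_cv, 3),
            "flagged": flagged}


def score_all(log_text: str) -> dict:
    """Group records per client->server:port/proto and score each group."""
    groups = defaultdict(list)
    for r in parse_conn_log(log_text):
        groups[f'{r["orig_h"]}->{r["resp_h"]}:{r["resp_p"]}/{r["proto"]}'].append(r)
    return {key: score_session(rows) for key, rows in groups.items()}


def find_beacons(log_text: str) -> dict:
    """Only the pairs whose timing and size regularity look like a beacon."""
    return {k: v for k, v in score_all(log_text).items() if v["flagged"]}


if __name__ == "__main__":
    for key, s in find_beacons(SAMPLE_CONN_LOG).items():
        print(f"{key}: {s['connections']} connections every ~{s['median_interval_s']:.0f}s "
              f"(interval cv={s['interval_cv']}, size cv={s['size_cv']})")
```

Only the 10.1.1.30 pair is flagged: eight connections with a median gap of 60 seconds and an interval coefficient of variation near 0.02. The browsing host has enough connections but its gaps vary by more than an order of magnitude, and the DNS host is perfectly regular yet falls under the minimum connection count, which is the guard that stops every two-packet exchange from looking periodic. Real implants add jitter, so in practice you widen MAX_INTERVAL_CV and lean more on size regularity and on the long-lived nature of the pair.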
  • Overview

    Our journey continues with the discussion of a strategy that is central to a Zero Trust Architecture: data-centric security. Organizations cannot protect something they do not know exists. The problem is that critical and sensitive data exist all over. Complicating this even more is that data are often controlled by a full application stack involving multiple services that may be hosted on-premises or in the cloud.

    This section focuses on identifying core data and where they reside, and how to classify, label and protect those data. Protection includes using data governance solutions and full application stack security measures such as web application firewalls and database activity monitoring, as well as discussions on newer solutions like WAAP and RASP, Microsoft Purview, MDM solutions and Entra ID with conditional access. It also keeps a sharp focus on securing the systems hosting core services such as on-premises hypervisors, cloud computing platforms, and container services such as Docker.

    The data-centric security approach focuses on what is core to an organization and prioritizes security controls around it. Why spend copious amounts of time and money securing everything when controls can be optimized and focused on securing what matters? Let's face it: some systems are more critical than others.

    • Securing Web Applications: In this lab, students will identify the prevention and detection capabilities that web application firewalls provide, and also learn where they can be evaded. Then changes will be applied to block and detect evasion techniques.
    • Discovering Sensitive Data: Identifying where sensitive data reside is difficult but necessary. You cannot control data if you do not know where those data reside. This lab walks students step-by-step through writing a PowerShell script in order to crawl through a file system looking for sensitive data. An additional bonus lab will teach students how to monitor a cloud environment programmatically, how to establish a baseline and how to leverage API calls to Amazon Web Services (AWS) to find newly deployed cloud assets and other unauthorized events.
    • Secure Virtualization: The focus of this lab is on showing the implication of attackers gaining host access to a hypervisor or container system like Docker, and also on various hardening and incident handling steps that can be taken.
    • Bonus Lab: Azure Privilege Escalation. In this bonus lab the student will have the opportunity to use a SANS-provisioned Azure account and Terraform to create Microsoft Entra ID resources, perform security reviews of those resources, test for weaknesses that could allow an attacker to establish a foothold in Microsoft Entra ID and escalate to Global Administrator, and finally tear down the cloud environment.
    • Data-Centric Security
    • Application (Reverse) Proxies
    • Full Stack Security in Monolithic Applications
      • Web Server
      • App Server
      • DB Server
    • Microservices
    • Web Application Firewalls
      • Whitelisting and Blacklisting
      • WAF Bypass
      • Normalization
      • Dynamic Content Routing
      • Traditional Web Security vs. API Security
      • WAAP - Web App and API Security
      • Protecting Web APIs with open-appsec
      • Runtime Application Self-Protection (RASP)
    • Database Firewalls/Database Activity Monitoring
      • Data Masking
      • Advanced Access Controls
      • Exfiltration Monitoring
    • Data Encryption
    • File Classification
      • Data Discovery
        • Scripts vs. Software Solutions
        • Find Sensitive Data in Databases or Files/Folders
        • Advanced Discovery Techniques such as Optical Character Recognition Scanning of Pictures and Saved Scan Files
      • Methods of Classification
      • Purview Information Protection (formerly Azure Information Protection)
      • Classify and Protect Example
    • Data Loss Prevention (DLP)
      • Network-based
      • Endpoint-based
      • Cloud Application Implementations
    • Data Governance
      • Policy Implementation and Enforcement
      • Access Controls vs. Application Enforcement and Encryption
      • Auditing and Restrictions
      • Entra ID and RBAC - A Primary Source of Truth
      • Time Restrictions
      • Cloud Time Restrictions
    • Mobile Device Management (MDM) and Mobile Application Management (MAM)
      • Security Policies
      • Methods for Enforcement
      • End-user Experience and Impact
      • Intune MAM vs. MDM
      • Conditional Access + Intune
    • Private Cloud Security
      • Securing On-premises Hypervisors (vSphere, Xen, Hyper-V)
      • Network Segmentation (Logical and Physical)
      • Hyper-Converged Storage
      • VM Escape
      • Surface Reduction
      • Visibility Advantages
      • Additional Threat Mitigation Guidance
    • Container Security
      • Impact of Containers on On-premises or Cloud Architectures
      • Security Concerns
      • Protecting against Container Escape
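The Discovering Sensitive Data lab above has students write a file-system crawler in PowerShell. The following is an added example, not SEC530 courseware, that shows the same technique in Python and adds the step that separates a useful scanner from a noisy one: validating candidate matches (a Luhn check on anything that looks like a card number) before reporting, and redacting what is reported so the findings file does not itself become sensitive data. The patterns, the text-file filter and the sample tree are assumptions; the sample files are constructed and contain only well-known test values.

```python
"""Data discovery: crawl a file tree for sensitive data, with validated matches.

Added example, not SEC530 courseware (the lab writes this in PowerShell; this
is a Python equivalent). The patterns, the text-file filter and the sample
tree are assumptions; the sample files are constructed and hold only
well-known test values (the Visa test PAN, AWS's documentation key id).
"""
import re
import tempfile
from pathlib import Path

PATTERNS = {
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "payment_card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),   # 13-16 digits, then Luhn-checked
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".md", ".json", ".xml", ".ini", ".cfg",
                 ".yml", ".yaml", ".ps1", ".py", ".sh", ".sql"}
MAX_BYTES = 5 * 1024 * 1024  # larger files need a streaming scanner; skipped here


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; drops order numbers and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _redact(value: str) -> str:
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> dict:
    """Return {kind: [redacted matches]} for every validated hit in text."""
    hits = {}
    for kind, rx in PATTERNS.items():
        found = []
        for m in rx.finditer(text):
            value = m.group(0)
            if kind == "payment_card" and not luhn_ok(re.sub(r"\D", "", value)):
                continue
            found.append(value[:8] + "..." if kind == "aws_access_key_id" else _redact(value))
        if found:
            hits[kind] = found
    return hits


def scan_tree(root) -> list:
    """Walk root and report path, kind, count and samples for text files with hits."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        if path.stat().st_size > MAX_BYTES:
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        for kind, matches in scan_text(text).items():
            findings.append({"path": path.relative_to(root).as_posix(), "kind": kind,
                             "count": len(matches), "samples": matches[:3]})
    return findings


# Constructed sample tree: what to find, what to ignore, and a Luhn-failing decoy.
SAMPLE_FILES = {
    "hr/payroll.csv": "name,ssn,card\nAlice,123-45-6789,4111 1111 1111 1111\n",
    "deploy/config.yml": "aws:\n  access_key_id: AKIAIOSFODNN7EXAMPLE\n",
    "qa/test-data.txt": "card: 4111111111111112\norder: 2023110112345678\n",
    "docs/readme.txt": "Nothing sensitive here.\n",
    "build/blob.bin": "4111111111111111",  # non-text suffix, skipped by the file filter
}


def run_demo() -> list:
    """Materialise SAMPLE_FILES in a temp directory and scan it."""
    root = Path(tempfile.mkdtemp(prefix="discovery-demo-"))
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return scan_tree(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['path']}: {f['count']} x {f['kind']} e.g. {f['samples']}")
```

Running `run_demo()` reports the SSN and card in hr/payroll.csv and the access key id in deploy/config.yml, and nothing from qa/test-data.txt: both sixteen-digit strings there fail the Luhn check, which is exactly the false-positive class a regex-only crawler would page on. Extending the suffix filter to office documents means unpacking them first (they are zip containers), which is where the OCR and scanned-file techniques listed above come in.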
  • Overview

    "Trust but verify" has been a common security mantra. But this is a broken concept. Computers can calculate trust on the fly, so rather than thinking in terms of "trust but verify" organizations should be implementing "verify then trust." By doing so, access can be constrained to appropriate levels and become more fluid.

    This section culminates our journey towards Zero Trust by focusing on implementing an architecture where trust is no longer implied but must be proven. By doing so, a model of variable and adaptive trust can be used to change access levels dynamically. This, in turn, allows for implementing fewer or more security controls as necessary given a user's and a device's trust maintained over time.

    In Section 5, we will review the zero trust principles, model and the latest US Government mandates (DISA, NSA, NIST), while we focus on practical implementations of this philosophy. The focus will be on practical application of zero trust through existing infrastructure to maximize its value and impact on an organization's security posture: credential rotation, securing traffic on Windows networks, host-based firewalls, NAC, segmentation gateways, SIEM, log collection, audit policies, detection engineering, and red herring defenses. We will also explore getting started with identity as a perimeter, helping you assess your current security posture and identify the areas where you need to improve. We will explore some of the most common ways of implementing identity management and federation strategies with a Zero Trust mindset.

    • Network Isolation and Mutual Authentication: Attackers cannot attack what they cannot see or interact with. This lab shows defenders how to implement SPA or mutual TLS so that only authorized assets can connect.
    • SIEM Analysis and Tactical Detection: Logging and inspecting is difficult without the right data and the proper ability to view those data. This lab shows how to use a SIEM system to find an attacker in more than 10 different ways. The detection capabilities are important but the logic behind them is also important to implement variable trust conditional access across an enterprise.
    • SIGMA Generic Signatures: In this lab students will learn how to use and implement Sigma generic signature rules, a community-driven project, to convert generic signatures into various formats for operational use. Students will use these signatures to enhance existing detection capabilities, determine coverage with the MITRE ATT&CK Navigator and search for adversary activity.
    • Advanced Defense Strategies: Attackers do not play fair and neither should defenders. In this lab, students will configure services to identify attacks in a way that internal systems continue to function but attack tools do not. Also, specialized detection honeytokens will be implemented to identify attackers cloning a public site and using it against your staff or external clients.
    • Zero Trust Architecture
      • Why Perimeter Security Is Insufficient
      • What Zero Trust Architecture Means
      • Zero Trust over Time
      • "Trust but Verify" vs. "Verify then Trust"
      • Variable Trust
      • US Government - Embracing a Zero Trust Security Model
      • DISA - Rethinking How We Use Existing Infrastructure
      • DISA - Zero Trust Pillars and Capabilities
      • Example of Zero Trust Scenario - Remote Exploitation or Insider Threat
      • Zero Trust - A Journey Over Time
      • NIST: ZTA Reference Architecture
      • Federal Zero Trust Strategy
      • What Good Looks Like
      • Implementing and Auditing Zero Trust Strategies
    • Identity Management and Federation
      • Identity as a Perimeter
      • Identity Management
      • Entra ID and AAD Connect
      • Identity Federation
      • Authentication, SaaS Applications, and Federated SSO
      • MITM Attacks and Entra ID
      • Lessons Learned and Mitigations
    • Credential Rotation
      • Certificates
      • Passwords and Impact of Rotation
      • Password Auditing
      • LAPS
      • gMSA
    • Securing Traffic
      • Authenticating and Encrypting Endpoint Traffic
      • Domain Isolation (Making Endpoint Invisible to Unauthorized Parties)
      • Mutual TLS
      • Single Packet Authorization
      • 802.1x
      • Client Certificates
      • PKI
    • Host-Based Firewalls and ASR
      • End-user Privilege Reduction
      • Leveraging Endpoints as Hardened Security Sensors
    • Compromised Internal Assets
      • Pivoting Adversaries
      • Insider Threat
      • NAC
      • Microsoft Intune and NAC
    • Adaptive Trust and Security Orchestration
      • Electric Fence (Automated Digital Response)
      • Quarantine
      • Device Compliance
    • Segmentation Gateways
      • Network Agent
      • Planes of Authorization
      • Micro Segmentation, Micro Core and Perimeter (MCAP)
      • Dynamic Authorization
      • Dynamic Authorization with Conditional Access and RBAC
    • Scaling Endpoint Log Collection/Storage/Analysis
      • How to Enable Logs that Matter
      • Log Collection Strategies
      • Designing for Analysis Rather than Log Collection
      • Auditing Policies on Windows and Linux
      • Sysmon
      • Auditd
      • SIEM in the Cloud Era
    • MITRE ATT&CK Content Engineering
      • Anomalies vs Signatures
      • SIGMA Generic Signatures
      • How SIGMA Works
      • Conversion of Signatures to Alert Queries
      • Sigma2Attack
      • Anomaly Identification vs Real-Time Alerts
    • Tripwire and Red Herring Defenses
      • MITRE Engage and ATT&CK Mappings
      • Honeynets, Honeypots, and Honeytokens
      • Single Access Detection Techniques
      • Proactive Defenses to Change Attacker Tool Behaviors
      • Increasing Prevention Capabilities while Adding Solid Detection
  • Overview

    The course culminates in a team-based Design-and-Secure-the-Flag competition. Powered by NetWars, day six provides a full day of hands-on work applying the principles taught throughout the week. Your team will progress through multiple levels and missions designed to ensure mastery of the modern cyber defense techniques promoted throughout this course. Teams will assess, design, and secure a variety of computer systems and devices, leveraging all the knowledge, tools and skills obtained in class, as they defend Tyrell Corporation from the attack of the replicants.

    • Capstone - Design/Detect/Defend
    • Defensible Security Architecture
    • Assess Provided Architecture and Identify Weaknesses
    • Use Tools/Scripts to Assess the Initial State
    • Quickly/Thoroughly Find All Changes Made

GIAC Defensible Security Architecture

The GIAC Defensible Security Architecture (GDSA) certification validates a practitioner's ability to design and implement a strategic combination of network-centric and data-centric controls to balance prevention, detection, and response capabilities.

  • Using network-centric and data-centric security strategies to architect a layered defense
  • Assessing existing technology implementations to improve prevention, detection, and response
  • Understanding and applying Zero Trust principles

  • Foundational understanding of security principles and familiarity with general security technologies used in IT.
  • Knowledge of networking concepts and infrastructure components like switches, routers, and firewalls.
  • Some experience in IT security practices and operating systems (Linux and Windows) from the command line.
  • Experience using VMware and virtual machines.

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. An x64, 2.0+ GHz or faster processor is mandatory for this class.
  • CRITICAL: Apple systems using the M1/M2 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 8GB of RAM or more is required.
  • 60GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.
  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Administrative access to disable any AV, endpoint security software or host-based firewall (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • Ability to disable your enterprise VPN client temporarily for some exercises. Any filtering of egress traffic may prevent you from completing the labs in your course. Firewalls should be disabled, or you must have the administrative privileges to disable them.
  • Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMware Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

If you have additional questions about the laptop specifications, please contact support.

Author Statement

"In my many years of experience assessing the security posture of organizations, responding to incidents, and ramping up security operations, I have seen the futility of trying to monitor and defend against modern adversaries when the architecture in place has not been designed with security in mind. Likewise, I have continually seen that organizations that suffer massive breaches and business disruption often focused their emphasis prior to the breach on perimeter protection and prevention mechanisms but lacked defensible security architecture.

We have designed this course to address this gap. In six days filled with case studies, winning techniques, instructor-led demos, and plenty of hands-on labs (including a NetWars-based Defend-the-Flag challenge), students will learn how to design, build, and harden networks, infrastructure, and applications that can truly be called 'defensible.'

As practitioners, we know that theory is not enough, so we have made sure that this class is focused on real-world implementations of network-centric, data-centric, and zero-trust security architecture mapped to best practices and standards, but also based on many years of experience on what works and what doesn't. You will find that this makes the content appropriate and relevant for the reality of a wide variety of organizations and roles."

- Ismael Valenzuela

"I have been taking SANS courses since 2000, and while all of them are excellent, there are just some instructors that stand out and Ismael is one of those. Two thumbs way up for him and SEC530."

- Darich Runyan - Langley Federal Credit Union

"I just have to say, these labs are astonishingly well set up. They demonstrate exactly what's needed in very few steps. There's a lot of moving parts behind some of them, but they are robust, and all in a small VM footprint. I've never seen any course lab environment executed so well."

- Michael Curran

"SEC530 teaches you to defend and put mechanisms in place to secure the environment. The real-life scenarios and examples were priceless. Hearing the stories from the trenches really made me feel like being able to apply"

- Omar Zaman - United Airlines

"SEC530 is a great course for Blue Teams & Security Engineers. This is an evolution to the significance of good & practical defense approach in enterprises."

- Bhupesh Roma - AXA Group

"This training showed how overall security posture of an organization can be improved. It helps connect the dots between different areas within security infrastructure."

- Farruk Ali
