Managing Security Vulnerabilities | SANS MGT516 Enterprise & Cloud Security Training

What You Will Learn

Stop Treating Symptoms. Cure The Disease.

This course will show you the most effective ways to mature your vulnerability management program and move from identifying vulnerabilities to successfully treating them. You will learn how to move past the hype to successfully prioritize the vulnerabilities that are not blocked, then clearly and effectively communicate the risk associated with the rest of the vulnerabilities in your backlog that, for a variety of reasons, cannot currently be remediated. You'll also learn what mature organizations are doing to ease the burden associated with vulnerability management across both infrastructure and applications as well as across both their cloud and non-cloud environments.

This Course Will Prepare You To:

Create, implement, and mature your vulnerability management program
Establish secure and defensible enterprise and cloud computing environments
Build an accurate and useful inventory of IT assets in the enterprise and the cloud
Identify existing vulnerabilities and understand how to meaningfully use this information
Better analyze the output of VM tools and related technology to make the data more actionable
Prioritize vulnerabilities for treatment based on a variety of techniques
Effectively report and communicate vulnerability data within your organization
Understand treatment capabilities and better engage with treatment teams
Make vulnerability management more fun and engaging for all those involved

MGT516 provides you with the information you need to skillfully fight the VM battle. Learning is reinforced through lab exercises, including the Cyber42 game. The game puts students in the driver's seat for the fictional Everything Corporation ("E-Corp"). Students will have to select three major initiatives throughout the course that will mature E-Corp's VM program, and they'll also need to choose how to respond to 13 realistic events that are sure to have an impact on their program. Depending on how students respond, E-Corp's security culture and the maturity of the different components of its VM program will be impacted. These tabletop exercises will enable students to put the skills they are learning into practice when they return to work at their own organizations.

Succeed Where Many Are Failing

Vulnerability, patch, and configuration management are not new security topics. In fact, they are some of the oldest security functions. Yet, we still struggle to manage these capabilities effectively. The quantity of outstanding vulnerabilities for most large organizations is overwhelming, and all organizations struggle to keep up with the never-ending onslaught of new vulnerabilities in their infrastructure and applications. When you add in the cloud and the increasing speed with which all organizations must deliver systems, applications, and features to both their internal and external customers, security may seem unachievable.

This course highlights why many organizations are still struggling with vulnerability management and shows students how to solve these challenges. How do we manage assets successfully and analyze and prioritize vulnerabilities? What reports are most effective? How do we deal with vulnerabilities in our applications, and how do we treat them? How do we make vulnerability management fun and get everyone to engage in the process? We'll not only answer these questions, but also examine how the answers change as we move to the cloud, implement the private cloud, or roll out DevOps within our organizations.

The primary goal of this course is to help you succeed where many are failing and to present solutions to the problems many organizations are experiencing or will experience as they mature. Whether your vulnerability management program is well established or just starting, this course will help you think differently about vulnerability management.

By understanding common issues and how to solve them, you will be better prepared to meet the challenges ahead and guide your IT teams and the broader organization to successfully treat vulnerabilities. Through discussion-based labs and other exercises in the MGT516 course, you will learn specific analysis and reporting techniques. The Cyber42 game will allow you to experience the issues you may face when building out your own program or responding to events in your environment.

The course is based on the Prepare, Identify, Analyze, Communicate, and Treat (PIACT) Model:

Prepare: Define, build, and continuously improve the program
Identify: Identify vulnerabilities present in our operating environments
Analyze: Analyze and prioritize identified vulnerabilities and other program tasks to provide meaningful assistance and guidance to stakeholders and program participants
Communicate: Present the results of your analysis appropriately and effectively to all stakeholder groups to help them understand the corresponding risks and treatment options
Treat: Implement, test, and monitor solutions to vulnerabilities, vulnerability groups, and broader issues identified by the program

What About The Cloud?

Knowing that many organizations are adopting cloud services in addition to more traditional operating environments, we'll also look at different cloud service types throughout the course and how they impact the program. We will highlight some of the tools and processes that can be leveraged in each of these environments and present new and emerging trends.

WHAT YOU WILL RECEIVE

Student manuals containing the entire course content and lab introductions and debriefs
Access to lab materials and bonus content on the class website

ADDITIONAL RESOURCES

WHAT TO TAKE NEXT

Cloud Security Courses

Management Courses

SANS Video

Syllabus (30 CPEs)

Download PDF

Overview
In this section we look at why vulnerability management is important and introduce the course. We then provide an overview of the cloud and how different cloud service types and architectures can impact the way we manage vulnerabilities. We'll also look at how to choose technologies and tools for our cloud environments. Finally, we'll dig into why asset management is so important and foundational for effective vulnerability management, and the different ways that gaining additional context can help us succeed.
Exercises
Moving to the Cloud
- Scenario-based lab about the impact of moving to the cloud on an organization's vulnerability management program
Critical Attributes
- Scenario-based lab on how to identify critical contextual attributes that need to exist within our asset management database or be tracked in some other way to prioritize and manage vulnerabilities more effectively
Leveraging Asset Context
- Hands-on lab leveraging a spreadsheet that contains both vulnerability and asset data sets to answer questions about the vulnerability of data and the quality of the asset data
Cyber42 Game
- Game introduction and practice event
- Initiative selection for Round 1
- Two Round 1 events
Topics
Course Overview
Cloud and Cloud Vulnerability Management
- Overview
- Tool selection in the cloud
Asset Management
- Overview
- Importance of context
- Attributes and inline context
- Cloud asset management
Overview
Identifying vulnerabilities continues to be a major focus for our security programs, as it can provide insight into the current risks to our organization. It also provides the data for our analysis and for the measures and metrics we use to guide the program and track our maturity. In this section, we will look at common identification pitfalls and discuss identification architecture and design across both infrastructure and applications. We'll also look at where we might require permission to perform identification and how we safely grant permission to third parties to test our systems and applications and responsibly disclose any findings.
Exercises
Scanning
- Scenario-based lab to better understand and identify the types of scanning that are most effective for different asset types
Scan Validation
- Scenario-based lab to better understand and identify the reasons why certain vulnerabilities are showing up in infrastructure scans even though they seem invalid or out of place
Cyber42 Game
- Two Round 1 events and one Round 2 event
- Initiative selection for Round 2
Topics
Identification
- Challenges
- Tools, architecture, and design
- Cloud identification
- Permission
- Validating scan results
- Scanner configuration
- Application vulnerabilities
- Bug bounty programs
Overview
Gone are the days when we can just scan for vulnerabilities and send the raw output to our teams for remediation. We need to help reduce the burden by analyzing the output to reduce inaccuracies and identify root-cause issues that may be preventing remediation. Once we have identified the issues that cannot be resolved, we should prioritize the rest to ensure that we are having the greatest impact and provide targeted reports or dashboards to system and platform owners. In this section, we will look at some common inaccuracies in the output of our identification processes, discuss prioritization, and then look at what metrics are commonly used to measure our program and the related operational capabilities. We will also discuss how to generate meaningful reports, communication strategies, and the different types of meetings that should be held to increase collaboration and participation.
Exercises
Prioritization
- Hands-on lab leveraging a spreadsheet to provide a high-level illustration of basic prioritization based on severity and also a more risk-based approach to prioritization
Solution Groups and Types
- Demo of two different methods (spreadsheet and ServiceNow) to apply solution groups or remediation actions to vulnerability data sets and leverage the groupings for analysis and reporting.
Cyber42 Game
- Three Round 2 events
Topics
Analyze
- Vulnerability-centric prioritization
- Asset-centric prioritization
- Threat-centric prioritization
- Threat intelligence in VM
- Solution and exclusion groups
Communicate
- Metrics
- Reporting
- Strategy
- Meetings
Overview
Treating vulnerabilities and reducing risk is the ultimate goal of all that we do in vulnerability management. It is important for program managers and all participants to understand the typical processes and technologies that exist and how to leverage them to increase positive change within the organization. Most organizations will have some type of change, patch, and configuration management program. In this course section, we will look at how we interface with these processes to streamline change and increase consistency. We'll also examine some unique challenges we face in the cloud, how to better deal with application vulnerabilities, and some alternatives we can look to when traditional treatment methods are not available.
Exercises
Changing Culture
- Discussion and thought-based lab about what organizational cultures are most or least conducive to vulnerability management and how to go about changing or influencing culture
Remediation Effectiveness
- Scenario-based lab to better understand and identify how to gauge the effectiveness of the treatment options selected for various vulnerabilities after implementation and over time
Cyber42 Game
- Initiative selection for Round 3
- Two Round 3 events
Topics
Treatment
- Change management
- Patch management
- Configuration management
- Cloud management
- Application management
- Alternative treatment
- Other treatment considerations
Overview
Vulnerability management is not the easiest job in an organization, and there are many challenges that can hold us back. From split responsibility and accountability to reliance on shared personnel, much of the work done in this space goes unrecognized. In this section, we'll summarize much of what we have learned and discussed throughout the week and look at how we can use this information to improve the program. We'll discuss how we can make VM more fun and successful within the organization, how we can identify and collaborate more effectively with various stakeholders, and how we can build out and mature a robust vulnerability management program.
Exercises
Vulnerability Management Buy-In
- Scenario-based lab to better identify important stakeholders and get or improve buy-in for the program
Cyber42 Game
- Three Round 3 events
- Final scoring and wrap-up
Topics
Buy-In
- Making VM fun
- What are we doing today, and why it isn't working?
- How can we improve?
- Collaboration
Program
- How are we doing things today?
- Creating a VM program
- Common problems
Maturity
- Advancing the program
- The SANS VM Maturity Model

Prerequisites

A basic understanding of risk management objectives and IT systems and operations is recommended for this course.

Laptop Requirements

You must bring a computing device (laptop or tablet) with the latest version of Microsoft Excel. This will be used for multiple exercises throughout the course.

The Cyber42 game used in this course is hosted on Amazon Web Services (AWS). Students must have a computer that does not restrict access to AWS services. Corporate machines may have a VPN, intercepting proxy, or egress firewall filter causes connection issues communicating with AWS. Students must be able to configure or disable these services to be able to access the Cyber42 game.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Author Statement

"It is easy to be overwhelmed by the amount of information available to us about the risks in our environments. Vulnerabilities are present in just about every device and software that we use, with new reports released daily. Managing this dynamic landscape is a challenge for all organizations. Our goal with this course is to provide students with a framework for a vulnerability management program. The aim is to enable students to effectively identify the key problems within their environment, evaluate potential solutions to those problems, and efficiently communicate within their teams and to the organization on the effectiveness of vulnerability management."

- Jonathan Risto

"I appreciated Jonathan sharing his personal examples today as he covered the material. Great real world challenges and made the content more relatable. Thank you!" - Bridget Aman

"I have spent over a decade helping organizations improve their infrastructure and application vulnerability management capabilities and programs. It surprises me how many organizations are struggling with similar issues. I'm also concerned when I hear from organizations about how they are going to successfully implement vulnerability management in the cloud, even while they are still struggling to manage vulnerabilities in their more traditional operating environments. With this course, we want to provide students with a better understanding of what they can do to improve their current program and extend that program into the cloud. We want them to understand the common roadblocks they will face and provide solutions to these challenges. There is no one-size-fits-all solution to vulnerability management, but there are definitely common themes in mature organizations. The course is also a great opportunity to learn from what peers are doing in their organizations to solve some of the same problems you may be facing.â€

- David Hazar

"David has vast experiences with numerous different types of organizations in vulnerability management. During the class, this was vital in bring in and discussing real-world challenges." - Vikas Bangia, Bessemer Trust"

Ways to Learn

OnDemand

Study and prepare for GIAC Certification with four months of online access to SANS OnDemand courses. Includes labs and exercises, and SME support.

Live Online

Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.

In Person (5 days)

Training events and topical summits feature presentations and courses in classrooms around the world.

Who Should Attend MGT516?

CISOs
Information security managers, officers, and directors
Information security architects, analysts, and consultants
Aspiring information security leaders
Risk management professionals
Business continuity and disaster recovery planners and staff
IT managers and auditors
IT project managers
IT/system administration/network administration professionals
Operations managers
Cloud service managers and administrators
Cloud service security and risk managers
Cloud service integrators, developers, and brokers
IT security professionals managing vulnerabilities in the enterprise or cloud
Government IT professionals who manage vulnerabilities in the enterprise or cloud (FedRAMP)
Security or IT professionals who have team-lead or management responsibilities
Security or IT professionals who use or are planning to use cloud services

"The Capstone Workshop is really helped 'pull it all together' and helped me think through the material presented this week and apply it." - Chris Harrell, NNSA

See prerequisites

Reviews

Real world scenario labs are really great. Thank you!

Abe De Los Reyes

Citrix

An understanding of vulnerability management and cloud security is becoming not only valuable, but a necessity to keep one's organization secure in this constantly changing and dynamic environment.

Kae David

Ernst & Young

The course was excellent throughout the 5 day period. David was very professional in his delivery and the content explained what encompasses a vulnerability management program excellently.

Walleed Aljony

Ernst & Young

An understanding of vulnerability management and cloud security is becoming not only valuable but a necessity to keep ones organization secure in this constantly changing and dynamic environment.

Kae David

This course is essential for both well-established and developing vulnerability management teams.

Robert Adams

CBC

MGT516: Managing Security Vulnerabilities: Enterprise and Cloud

Course Authors:

Jonathan Risto

David Hazar

What You Will Learn

Syllabus (30 CPEs)

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

Prerequisites

Laptop Requirements

Author Statement

Ways to Learn

Who Should Attend MGT516?

Reviews

Find ways to take this course