Welcome to SEC541: Cloud Security Monitoring and Threat Detection
Instructor: Ryan Nicholson | 18 CPEs
SEC541 is a cloud security course that examines how attackers are attacking the Amazon Web Services (AWS) and Microsoft Azure environments, the characteristics of those attackers, and how to detect them and investigate suspicious activity in your cloud infrastructure.
What You Will Learn
Attackers Can Run But Not Hide. Our Radar Sees All Threats.
Cloud infrastructure provides organizations with new and exciting services to better meet the demands of their customers. However, these services bring with them new challenges, particularly for organizations struggling to make sense of the cloud native logs, keeping ahead of fast-moving development teams, and trying to learn about how threats are adapting to cloud services. Securely operating cloud infrastructure requires new tools and approaches.
SEC541 starts by walking through a real world attack campaign against a cloud infrastructure. We will break down how it happened, what made it successful, and what could have been done to catch the attackers in the act. We spend the first section of the course dissecting the attacks, learning how to leverage cloud native and cloud integrated capabilities to detect, hunt, or investigate similar attacks in a real environment, and building our arsenal of analytics, detections and best practices for you to bring back to work as soon as the course is over.
SEC541: Cloud Monitoring and Threat Detection Will Prepare You To:
- Research attacks and threats to cloud infrastructure and how they could affect you
- Break down a threat into detectable components
- Effectively use AWS and Azure core logging services to detect suspicious behaviors
- Make use of cloud native API logging as the newest defense mechanism in cloud services
- Move beyond the cloud-provided Graphic User Interfaces to perform complex analysis
- Perform network analysis with cloud-provided network logging
- Understand how application logs can be collected and analyzed inside the cloud environment
- Learn about the AWS and Azure security specific services such as AWS Security Hub, Azure Security Center, and AWS GuardDuty
- Integrate container, operating system, and deployed application logging into cloud logging services for more cohesive analysis
- Centralize log data from across your enterprise for better analysis
- Perform inventory of cloud resources and sensitive data using scripts and cloud native tooling
NOTICE TO STUDENTS
This course formerly had only one course section. Two additional course sections have been added that focus on AWS and Azure, with additional labs added as well. All labs will be conducted in the students' AWS accounts.
The labs in this course are hands-on explorations into AWS logging and monitoring services. Each lab will start by researching a particular threat and the data needed to detect it. Then students will conduct the attack against their accounts, generating the logs and data needed to perform analysis. Then the student will use native AWS services and open-source products to extract, transform, and analyze the threat. The course lecture coupled with the labs will give students a full picture of how those services within AWS work, the data they produce, and common ways to analyze the data.
WHAT YOU WILL RECEIVE
- Printed and Electronic courseware
- Online Resources
- MP3 of the course
WHAT TO TAKE NEXT
Depending on your current job role or future plans, any of the following SANS courses could be an excellent follow-on to SEC541:
- SEC588: Cloud Penetration Testing Course
- FOR509: Enterprise Cloud Forensics and Incident Response
- SEC557: Continuous Automatin for Enterprise and Cloud Security
MGT516.1: Overview: Cloud and Asset Management
In this section we look at why vulnerability management is important and introduce the course. We then provide an overview of the cloud and how different cloud service types and architectures can impact the way we manage vulnerabilities. We'll also look at how to choose technologies and tools for our cloud environments. Finally, we'll dig into why asset management is so important and foundational for effective vulnerability management, and the different ways that gaining additional context can help us succeed.
Moving to the Cloud
Leveraging Asset Context
Cloud and Cloud Vulnerability Management
Identifying vulnerabilities continues to be a major focus for our security programs, as it can provide insight into the current risks to our organization. It also provides the data for our analysis and for the measures and metrics we use to guide the program and track our maturity. In this section, we will look at common identification pitfalls and discuss identification architecture and design across both infrastructure and applications. We'll also look at where we might require permission to perform identification and how we safely grant permission to third parties to test our systems and applications and responsibly disclose any findings.
MGT516.3: Analyze and Communicate
Gone are the days when we can just scan for vulnerabilities and send the raw output to our teams for remediation. We need to help reduce the burden by analyzing the output to reduce inaccuracies and identify root-cause issues that may be preventing remediation. Once we have identified the issues that cannot be resolved, we should prioritize the rest to ensure that we are having the greatest impact and provide targeted reports or dashboards to system and platform owners. In this section, we will look at some common inaccuracies in the output of our identification processes, discuss prioritization, and then look at what metrics are commonly used to measure our program and the related operational capabilities. We will also discuss how to generate meaningful reports, communication strategies, and the different types of meetings that should be held to increase collaboration and participation.
Solution Groups and Types
Treating vulnerabilities and reducing risk is the ultimate goal of all that we do in vulnerability management. It is important for program managers and all participants to understand the typical processes and technologies that exist and how to leverage them to increase positive change within the organization. Most organizations will have some type of change, patch, and configuration management program. In this course section, we will look at how we interface with these processes to streamline change and increase consistency. We'll also examine some unique challenges we face in the cloud, how to better deal with application vulnerabilities, and some alternatives we can look to when traditional treatment methods are not available.
MGT516.5: Buy-in, Program, and Maturity
Vulnerability management is not the easiest job in an organization, and there are many challenges that can hold us back. From split responsibility and accountability to reliance on shared personnel, much of the work done in this space goes unrecognized. In this section, we'll summarize much of what we have learned and discussed throughout the week and look at how we can use this information to improve the program. We'll discuss how we can make VM more fun and successful within the organization, how we can identify and collaborate more effectively with various stakeholders, and how we can build out and mature a robust vulnerability management program.
Vulnerability Management Buy-In
Students should be familiar with AWS or Azure and have worked with them hands-on, especially security professionals working in the cloud security field who understand basic threats and attack vectors.
The course assumes that students can understand or do the following without help:
- Understand basic cloud resources such as virtual machines, storage services, and Identity Access Management
- Hands-on experience in the command line, as much of the labs will be leveraging a Linux command line console.
- Understand how identity access roles/policies work in cloud environments
- Understand basic cloud networking capabilities
The natural prerequisite SANS courses for SEC541 are either:
Other SANS Courses SEC541 Students Have Taken
SEC541 students will run the exercises from a virtual machine, in an AWS account, that is configured with all the tools and documentation needed. All exercises will use Amazon Web Services (AWS).
IMPORTANT: You can use any 64-bit version of Windows, Mac OSX, or Linux as your core operating system that can also install and run VMware virtualization products. You also must have a minimum of 8 GB of RAM or higher for the virtual machines to function properly in the classVerify that under BIOS, Virtual Support is ENABLED.
Mandatory System Requirements
- System running Windows, Linux, or Mac OS X 64-bit version
- At least 8 GB of RAM
- 40 GB of available disk space (more space is recommended)
- An available USB port
- Wireless NIC for network connectivity
- Machines should NOT contain any personal or company data
- Verify that under BIOS, Virtual Support is ENABLED
- Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.
Mandatory Downloads BEFORE Coming to Class
- A 64-bit host operating system is installed (Windows is recommended)
- A mondern web browser
- Adobe Acrobat or other PDF reader application
Mandatory AWS Account BEFORE Coming to Class:
- An AWS account is required to do the hands-on exercises during this course. The AWS account must be created before the start of class. Your ability to execute the exercises will be delayed if you wait to set up the AWS account in class.
- Estimated additional costs for the AWS account should be less than $20
- You will receive detailed instructions for setting up your AWS account before the start of class in what will be called Lab 0.