Caterpillar MGT516 - February 2022

Online, Virtual Event Mon, Feb 7 - Fri, Feb 11, 2022

Welcome to SEC541: Cloud Security Monitoring and Threat Detection

Instructor: Ryan Nicholson | 18 CPEs

SEC541 is a cloud security course that examines how attackers are attacking the Amazon Web Services (AWS) and Microsoft Azure environments, the characteristics of those attackers, and how to detect them and investigate suspicious activity in your cloud infrastructure.

What You Will Learn

Attackers Can Run But Not Hide. Our Radar Sees All Threats.

Cloud infrastructure provides organizations with new and exciting services to better meet the demands of their customers. However, these services bring with them new challenges, particularly for organizations struggling to make sense of the cloud native logs, keeping ahead of fast-moving development teams, and trying to learn about how threats are adapting to cloud services. Securely operating cloud infrastructure requires new tools and approaches.

SEC541 starts by walking through a real-world attack campaign against a cloud infrastructure. We will break down how it happened, what made it successful, and what could have been done to catch the attackers in the act. We spend the first section of the course dissecting the attacks, learning how to leverage cloud-native and cloud-integrated capabilities to detect, hunt, or investigate similar attacks in a real environment, and building our arsenal of analytics, detections, and best practices for you to bring back to work as soon as the course is over.

SEC541: Cloud Monitoring and Threat Detection Will Prepare You To:

  • Research attacks and threats to cloud infrastructure and how they could affect you
  • Break down a threat into detectable components
  • Effectively use AWS and Azure core logging services to detect suspicious behaviors
  • Make use of cloud native API logging as the newest defense mechanism in cloud services
  • Move beyond the cloud-provided graphical user interfaces to perform complex analysis
  • Perform network analysis with cloud-provided network logging
  • Understand how application logs can be collected and analyzed inside the cloud environment
  • Learn about the AWS and Azure security specific services such as AWS Security Hub, Azure Security Center, and AWS GuardDuty
  • Integrate container, operating system, and deployed application logging into cloud logging services for more cohesive analysis
  • Centralize log data from across your enterprise for better analysis
  • Perform inventory of cloud resources and sensitive data using scripts and cloud native tooling


This course formerly had only one course section. Two additional course sections have been added that focus on AWS and Azure, with additional labs added as well. All labs will be conducted in the students' AWS accounts.


The labs in this course are hands-on explorations into AWS logging and monitoring services. Each lab will start by researching a particular threat and the data needed to detect it. Then students will conduct the attack against their accounts, generating the logs and data needed to perform analysis. Then the student will use native AWS services and open-source products to extract, transform, and analyze the threat. The course lecture coupled with the labs will give students a full picture of how those services within AWS work, the data they produce, and common ways to analyze the data.


  • Printed and Electronic courseware
  • Online Resources
  • MP3 of the course



Depending on your current job role or future plans, any of the following SANS courses could be an excellent follow-on to SEC541:

    Course Syllabus

    MGT516.1: Overview: Cloud and Asset Management


    In this section we look at why vulnerability management is important and introduce the course. We then provide an overview of the cloud and how different cloud service types and architectures can impact the way we manage vulnerabilities. We'll also look at how to choose technologies and tools for our cloud environments. Finally, we'll dig into why asset management is so important and foundational for effective vulnerability management, and the different ways that gaining additional context can help us succeed.


    Moving to the Cloud

    • Scenario-based lab about the impact of moving to the cloud on an organization's vulnerability management program

    Critical Attributes

    • Scenario-based lab on how to identify critical contextual attributes that need to exist within our asset management database or be tracked in some other way to prioritize and manage vulnerabilities more effectively

    Leveraging Asset Context

    • Hands-on lab leveraging a spreadsheet that contains both vulnerability and asset data sets to answer questions about the vulnerability of data and the quality of the asset data

    Cyber42 Game

    • Game introduction and practice event
    • Initiative selection for Round 1
    • Two Round 1 events

    Course Overview

    Cloud and Cloud Vulnerability Management

    • Overview
    • Tool selection in the cloud

    Asset Management

    • Overview
    • Importance of context
    • Attributes and inline context
    • Cloud asset management

    MGT516.2: Identify


    Identifying vulnerabilities continues to be a major focus for our security programs, as it can provide insight into the current risks to our organization. It also provides the data for our analysis and for the measures and metrics we use to guide the program and track our maturity. In this section, we will look at common identification pitfalls and discuss identification architecture and design across both infrastructure and applications. We'll also look at where we might require permission to perform identification and how we safely grant permission to third parties to test our systems and applications and responsibly disclose any findings.



    • Scenario-based lab to better understand and identify the types of scanning that are most effective for different asset types

    Scan Validation

    • Scenario-based lab to better understand and identify the reasons why certain vulnerabilities are showing up in infrastructure scans even though they seem invalid or out of place

    Cyber42 Game

    • Two Round 1 events and one Round 2 event
    • Initiative selection for Round 2


    • Challenges
    • Tools, architecture, and design
    • Cloud identification
    • Permission
    • Validating scan results
    • Scanner configuration
    • Application vulnerabilities
    • Bug bounty programs

    MGT516.3: Analyze and Communicate


    Gone are the days when we can just scan for vulnerabilities and send the raw output to our teams for remediation. We need to help reduce the burden by analyzing the output to reduce inaccuracies and identify root-cause issues that may be preventing remediation. Once we have identified the issues that cannot be resolved, we should prioritize the rest to ensure that we are having the greatest impact and provide targeted reports or dashboards to system and platform owners. In this section, we will look at some common inaccuracies in the output of our identification processes, discuss prioritization, and then look at what metrics are commonly used to measure our program and the related operational capabilities. We will also discuss how to generate meaningful reports, communication strategies, and the different types of meetings that should be held to increase collaboration and participation.



    • Hands-on lab leveraging a spreadsheet to provide a high-level illustration of basic prioritization based on severity and also a more risk-based approach to prioritization

    Solution Groups and Types

    • Demo of two different methods (spreadsheet and ServiceNow) to apply solution groups or remediation actions to vulnerability data sets and leverage the groupings for analysis and reporting

    Cyber42 Game

    • Three Round 2 events


    • Vulnerability-centric prioritization
    • Asset-centric prioritization
    • Threat-centric prioritization
    • Threat intelligence in VM
    • Solution and exclusion groups


    • Metrics
    • Reporting
    • Strategy
    • Meetings

    MGT516.4: Treat


    Treating vulnerabilities and reducing risk is the ultimate goal of all that we do in vulnerability management. It is important for program managers and all participants to understand the typical processes and technologies that exist and how to leverage them to increase positive change within the organization. Most organizations will have some type of change, patch, and configuration management program. In this course section, we will look at how we interface with these processes to streamline change and increase consistency. We'll also examine some unique challenges we face in the cloud, how to better deal with application vulnerabilities, and some alternatives we can look to when traditional treatment methods are not available.


    Changing Culture

    • Discussion and thought-based lab about what organizational cultures are most or least conducive to vulnerability management and how to go about changing or influencing culture

    Remediation Effectiveness

    • Scenario-based lab to better understand and identify how to gauge the effectiveness of the treatment options selected for various vulnerabilities after implementation and over time

    Cyber42 Game

    • Initiative selection for Round 3
    • Two Round 3 events


    • Change management
    • Patch management
    • Configuration management
    • Cloud management
    • Application management
    • Alternative treatment
    • Other treatment considerations

    MGT516.5: Buy-in, Program, and Maturity


    Vulnerability management is not the easiest job in an organization, and there are many challenges that can hold us back. From split responsibility and accountability to reliance on shared personnel, much of the work done in this space goes unrecognized. In this section, we'll summarize much of what we have learned and discussed throughout the week and look at how we can use this information to improve the program. We'll discuss how we can make VM more fun and successful within the organization, how we can identify and collaborate more effectively with various stakeholders, and how we can build out and mature a robust vulnerability management program.


    Vulnerability Management Buy-In

    • Scenario-based lab to better identify important stakeholders and get or improve buy-in for the program

    Cyber42 Game

    • Three Round 3 events
    • Final scoring and wrap-up


    • Making VM fun
    • What are we doing today, and why isn't it working?
    • How can we improve?
    • Collaboration


    • How are we doing things today?
    • Creating a VM program
    • Common problems


    • Advancing the program
    • The SANS VM Maturity Model


    Students should be familiar with AWS or Azure and have worked with them hands-on, especially security professionals working in the cloud security field who understand basic threats and attack vectors.

    The course assumes that students can understand or do the following without help:

    • Understand basic cloud resources such as virtual machines, storage services, and Identity Access Management
    • Have hands-on experience with the command line, as much of the lab work uses a Linux command-line console
    • Understand how identity access roles/policies work in cloud environments
    • Understand basic cloud networking capabilities

    The natural prerequisite SANS courses for SEC541 are either:

    Other SANS Courses SEC541 Students Have Taken

    Laptop Requirements

    SEC541 students will run the exercises from a virtual machine, in an AWS account, that is configured with all the tools and documentation needed. All exercises will use Amazon Web Services (AWS).

    IMPORTANT: You can use any 64-bit version of Windows, Mac OS X, or Linux as your core operating system, provided it can also install and run VMware virtualization products. You must also have a minimum of 8 GB of RAM for the virtual machines to function properly in the class. Verify that under BIOS, Virtual Support is ENABLED.

    Mandatory System Requirements

    • System running Windows, Linux, or Mac OS X 64-bit version
    • At least 8 GB of RAM
    • 40 GB of available disk space (more space is recommended)
    • An available USB port
    • Wireless NIC for network connectivity
    • Machines should NOT contain any personal or company data
    • Verify that under BIOS, Virtual Support is ENABLED
    • Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.

    Mandatory Downloads BEFORE Coming to Class

    • A 64-bit host operating system is installed (Windows is recommended)
    • A modern web browser
    • Adobe Acrobat or other PDF reader application

    Mandatory AWS Account BEFORE Coming to Class:

    • An AWS account is required to do the hands-on exercises during this course. The AWS account must be created before the start of class. Your ability to execute the exercises will be delayed if you wait to set up the AWS account in class.
    • Estimated additional costs for the AWS account should be less than $20
    • You will receive detailed instructions for setting up your AWS account before the start of class in what will be called Lab 0.