Explore the worlds best online cybersecurity training with OnDemand - view a Demo Today!

London 2016

London, United Kingdom | Sat, Nov 12 - Mon, Nov 21, 2016
This event is over,
but there are more training opportunities.

SEC501: Advanced Security Essentials - Enterprise Defender

Mon, November 14 - Sat, November 19, 2016

A must for cyber security professionals!

Gary Oakley, BMPC

By far, this is the most interesting, informative, and immediately applicable course I've taken.

Ken Ortiz, NOAA Fisheries

Effective cybersecurity is more important than ever as attacks become stealthier, have a greater financial impact, and cause broad reputational damage. SEC501: Advanced Security Essentials - Enterprise Defender builds on a solid foundation of core policies and practices to enable security teams to defend their enterprise.

It has been said of security that "prevention is ideal, but detection is a must." However, detection without response has little value. Network security needs to be constantly improved to prevent as many attacks as possible and to swiftly detect and respond appropriately to any breach that does occur. This PREVENT - DETECT - RESPONSE strategy must be in place both externally and internally. As data become more portable and networks continue to be porous, there needs to be an increased focus on data protection. Critical information must be secured regardless of whether it resides on a server, in a robust network architecture, or on a portable device.

Of course, despite an organization's best efforts to prevent network attacks and protect its critical data, some attacks will still be successful. Therefore, organizations need to be able to detect attacks in a timely fashion. This is accomplished by understanding the traffic that is flowing on your networks, looking for indications of an attack, and performing penetration testing and vulnerability analysis against your organization to identify problems and issues before a compromise occurs.

Finally, once an attack is detected we must react quickly and effectively and perform the forensics required. Knowledge gained by understanding how the attacker broke in can be fed back into more effective and robust preventive and detective measures, completing the security lifecycle.


You Will Learn

  • How to build a comprehensive security program focused on preventing, detecting, and responding to attacks
  • Core components of building a defensible network infrastructure and how to properly secure routers, switches, and network infrastructure
  • Methods to detect advanced attacks of systems that are currently compromised
  • Formal methods for performing a penetration test to find weaknesses in an organization's security apparatus
  • Ways to respond to an incident and how to execute the six-step process of incident response: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned
  • Approaches to remediating malware and how to clean up a compromised system


Course Syllabus

Paul A. Henry
Mon Nov 14th, 2016
9:00 AM - 5:00 PM


Making your network secure from attack starts with designing, building, and implementing a robust network infrastructure. There are many aspects to implementing a defense-in-depth network that are often overlooked when companies focus only on functionality. Achieving the proper balance between business drivers and core information security requires that an organization build a secure network that is mission-resilient to a variety of potential attacks.

On the first course day students will learn how to design and build a secure network that can both prevent attacks and recover after a compromise. They will also learn how to retrofit an existing network to achieve the level of protection that is required. Building a network is not that complicated, but it takes special skills to integrate all of the components so the network can withstand a variety of attacks and support the organization's mission. Students will learn how to design and implement a functionality-rich, secure network and how to maintain and update it as the threat landscape evolves.

CPE/CMU Credits: 6

  • Introduction to network security infrastructure as the target for attacks
  • Impact of compromised routers and switches
  • Escalating privileges at Layers 2 and 3
  • Weaknesses in Cisco router and switch architecture
  • Integrating and understanding existing network devices to defend against attacks
  • Implementing the Cisco Gold Standard to improve security
  • CISecurity Levels 1 and 2 benchmarks for routers
  • SANS Gold Standard switch configuration
  • Implementing security on an existing network and rolling out new devices
  • Advanced Layer 2 and 3 Controls
  • Filtering with access control lists
  • DHCP, ARP snooping, and port security
  • Introduction to network admission control and 802.1x

Paul A. Henry
Tue Nov 15th, 2016
9:00 AM - 5:00 PM


"Prevention is ideal, but detection is a must" is a critical motto for network security professionals. While organizations always want to prevent as many attacks as possible, some adversaries will still sneak into the network. In cases where an attack cannot be prevented, security professionals must detect the indications that the attack is in progress and stop it before significant harm is caused. Packet analysis and intrusion detection are at the core of such timely detection. Organizations need to not only detect attacks but also to react in a way that ensures those attacks can be prevented in the future.

Because of the changing landscape of attacks, detecting them is an ongoing challenge. Today's attacks are more stealthy and difficult to find than ever before. Only by understanding the core principles of traffic analysis can you become a skilled analyst able to differentiate between normal and attack traffic. New attacks are surfacing all the time, so security professionals must be able to write rules that detect the latest advanced zero-day attacks before they compromise a network.

Traffic analysis and intrusion detection used to be treated as a separate discipline within many organizations. Today, prevention, detection, and reaction must be closely knit so that once an attack is detected, defensive measures can be adapted, proactive forensics implemented, and the organization can to continue to operate.

CPE/CMU Credits: 6

  • Architecture design and preparing filters
  • Building intrusion detection capability into a network
  • Understanding the components currently in place
  • Detection techniques and measures
  • Understanding various types of traffic occurring on a network
  • Knowing how normal traffic works
  • Differentiating between attacks and normal users on a network
  • Advanced IP packet analysis
  • Performing deep packet inspection and understanding usage of key fields
  • Event correlation and analysis
  • Analyzing an entire network instead of a single device
  • Building advanced snort rules
  • Intrusion detection tools
  • Installing and using analysis software
  • Wireshark
  • Building custom filters

Paul A. Henry
Wed Nov 16th, 2016
9:00 AM - 5:00 PM


Security is all about understanding, mitigating, and controlling the risk to an organization's critical assets. An organization must understand the changing threat landscape and have the capacity to compare it against its own vulnerabilities that could be exploited to compromise its network. While this was never an easy task, it is becoming much more difficult because threats are evolving rapidly and organizations are so complex. On day three, students will learn about the variety of tests that can be run against an organization and how to perform effective penetration testing.

Finding basic vulnerabilities is easy but not necessarily effective if these are not the vulnerabilities attackers exploit to break into a system. Advanced penetration testing involves understanding the variety of systems and applications on a network and how they can be compromised by an attacker. Students will learn about both external and internal penetration testing and the methods of black, gray, and white box testing.

Penetration testing is critical to identify an organization's exposure points, but students will also learn how to prioritize and fix these vulnerabilities to increase the organization's overall security.

CPE/CMU Credits: 6

  • Variety of penetration testing methods
  • Frequency and use of vulnerability analysis, penetration testing, and security assessment
  • Vulnerability analysis
  • How to perform vulnerability analysis
  • Key areas to identify and ways to fix potential problems
  • Key tools and techniques
  • Tools, techniques, and methods used in testing
  • Basic penetration testing
  • Methods and means of performing a penetration test
  • Focus, requirements, and outputs of a successful test
  • Prioritizing and remediation of issues
  • Advanced penetration testing
  • Understanding and mapping to an organization's infrastructure
  • Application testing and system analysis

Paul A. Henry
Thu Nov 17th, 2016
9:00 AM - 5:00 PM


Any organization connected to the Internet or that has employees is going to have attacks launched against it. Even with a keen focus on robust network design, preventive security, and identifying vulnerabilities through penetration testing, some attacks will still occur. In these cases, identifying, analyzing, and responding effectively to the attack is critical.

Security professionals need to understand how to perform incident response, analyze what is occurring, and restore their organization back to its normal state as soon as possible. Day four will provide students with a proven six-step process to follow in response to an attack: Prepare, Identify, Contain, Eradicate, Recover, and Learn from previous incidents. Cyber incidents are a lot like a fire-the sooner you detect them, the easier they are to contain, and the less damage they cause. Therefore prompt incident response is a key follow-on to intrusion analysis.

Another key aspect of incident response is forensic analysis and discovery. Students will learn how to perform forensic investigation and identify indications of an attack. This information will be fed into the incident response process to ensure that the attack is prevented from occurring again in the future.

CPE/CMU Credits: 6

  • Incident handling process and analysis
  • Preparing for an incident
  • Identifying and responding
  • Containing a problem to preserve mission resilience
  • Identifying and eradicating the problem
  • Recovery system data, including restoring to normal operation
  • Lessons learned and follow-up reporting
  • Forensics and incident response
  • Windows response skills
  • Windows forensics tool chest
  • Linux/Unix response and analysis
  • Linux/Unix tools and system analysis

Paul A. Henry
Fri Nov 18th, 2016
9:00 AM - 5:00 PM


As security professionals continue to build more proactive security measures, the methods of attackers will continue to evolve. A common way for attackers to target, control, and break into as many systems as possible is through the use of malware. Students must therefore understand what type of malware is currently available to attackers, as well as future trends and methods of exploiting systems. With this knowledge, students can then learn how to analyze, defend, and detect malware on systems and minimize its impact on the organization.

CPE/CMU Credits: 6

  • Malware
  • Types of malware and corresponding behavior
  • Dealing with malware
  • Tying malware into intrusion analysis and incident response
  • Windows malware
  • Using Microsoft Windows basic built-in CLI tools
  • Using Microsoft Windows advanced built-in CLI tools
  • Using Microsoft Windows built-in GUI tools
  • External tools and analysis
  • Using external tools to fight BHO
  • Fighting rootkits with basic and advanced tools
  • Inspecting active processes
  • Using online resources to get help

Paul A. Henry
Sat Nov 19th, 2016
9:00 AM - 5:00 PM


Cybersecurity is all about managing, controlling, and mitigating risk to your critical assets. In almost every organization, critical assets are made up of data or information. Whether it is a customer list, research plans, intellectual property, classified information, or a marketing plan, these data represent your organization's lifeline and must be properly protected. Perimeters are still important and critical, but as our networks become more porous and our data more portable, we are moving away from a fortress model and moving towards a focus on data.

Information no longer solely resides on servers where properly configured access control lists can limit access and protect our information. The same intellectual property that is protected on a server behind a strong perimeter can now be copied to laptops (i.e., portable servers) and plugged into networks (i.e., hotels, airports, and coffee shops). Those venues have no firewalls or security devices in place. This means that you must be able to protect the data no matter where it resides. A compromise of sensitive data will have an impact on your company-no matter how or where it was stolen.

Building a strong perimeter defense is a critical first step, but focusing on protecting and controlling critical data from loss is also critical to building strong preventive measures. Proactive security must be implemented to properly protect critical information and minimize its exposure.

CPE/CMU Credits: 6

  • Risk management
  • Calculating and understanding risk across an organization
  • Building proper risk mitigation plans
  • Applying proactive risk management processes
  • Incorporating risk management into all business processes
  • Understanding insider threats
  • Data classification
  • Building a data classification program
  • Key aspects of deploying and implementing classification of critical information
  • Staged roll-out of classifying new and existing information
  • Managing and maintaining portable data classification
  • Digital rights management
  • Understanding digital rights
  • Balancing digital rights with data classification
  • Managing access across the enterprise
  • Balancing functionality and security
  • Data loss prevention (DLP)
  • Identifying requirements and goals for preventing data loss
  • Identifying practical DLP solutions that work
  • Managing, evaluating, implementing, and deploying DLP

Additional Information

"This is the best technical training course I have ever taken. SEC501 exposed me to many valuable concepts and tools but also gave me a solid introduction to those tools so that I can continue to study and improve on my own." - Curt Smith, Hildago Medical Services

"SEC501 offers a great explanation of Net Defense best practices that often get overlooked." - Kirk G., U.S. Navy

"For an intensive and in-depth course, I found SEC501 to be extremely educational yet fun and entertaining." -Hisham Al-Muhareb, Saudi Aramco

A properly configured laptop is required to participate in SEC501: Advanced Security Essentials - Enterprise Defender. Students must have Administrator privileges. Antivirus software is not recommended and may need to be disabled or uninstalled. If you have a production system already installed with data on it that you do not want to lose, it is recommended that you replace it with a clean hard drive.

For this course, SANS will provide you with a 64-bit Kali Linux virtual machine, therefore it is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.

Prior to the start of class, you must install the necessary software as described below. The following are minimal hardware requirements for your laptop:

  • CPU: 64-bit Intel i5 x64 2.0+ GHz processor or higher-based system is mandatory for this class
  • 4 GB RAM (more memory is strongly recommended)
  • 40GB of available disk space (more space is recommended)
  • 4GB USB memory stick
  • Windows 7 32-bit virtual machine

Please note: A Windows 7 32-bit Virtual Machine and VMware Workstation are explicit requirements for SEC501.

You will use VMware to simultaneously run multiple virtual machines when performing hands-on exercises. You must have VMware Workstation installed on your system. If you do not own VMware, you can download a free 30-day trial copy from the VMware website. If taking advantage of the trial offer, please make sure that the license will not expire before you complete the course. You will also need WinRAR installed.

While most labs will run fine for Mac/Fusion students, this configuration has not been tested and is not supported.

Final Checklist

We suggest going over the following checklist to make sure that your laptop is prepared for SANS SEC501: Advanced Security Essentials - Enterprise Defender:

  • The laptop meets hardware requirements outlined in this note.
  • If you use a trial copy of VMware Workstation, make sure that the VMware license will not expire before the class ends.
  • You created a Windows 7 32-bit virtual machine image (no latest updates from Microsoft needed).
  • The Windows VMware machine runs using host-only networking mode.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  • Incident response and penetration testers
  • Security Operations Center engineers and analysts
  • Network security professionals
  • Anyone who seeks technical in-depth knowledge about implementing comprehensive security solutions

While not required, it is recommended that students take SEC401: Security Essentials or have the skills taught in that class. This includes a detailed understanding of networks, protocols, and operating systems.

In this course, you will receive the following:

  • MP3 audio files of the complete course lecture
  • USB with 64-bit Kali Linux virtual machine
  • Identify network security threats against infrastructure and build defensible networks that minimize the impact of attacks
  • Access tools that can be used to analyze a network to prevent attacks and detect the adversary
  • Decode and analyze packets using various tools to identify anomalies and improve network defenses
  • Understand how the adversary compromises systems and how to respond to attacks
  • Perform penetration testing against an organization to determine vulnerabilities and points of compromise
  • Apply the six-step incident handling process
  • Use various tools to identify and remediate malware across your organization
  • Create a data classification program and deploy data-loss-prevention solutions at both a host and network level

The students will participate in labs that:

  • Analyze network configurations for routers
  • Perform detailed analysis of traffic using various sniffers and protocol analyzers
  • Identify and track attacks and anomalies in network packets
  • Use various tools to perform penetration testing and network discovery
  • Analyze both Windows and Unix systems during an incident to identify signs of a compromise
  • Find, identify, and clean up various types of malware

Author Statement

After I finish teaching SEC401-the precursor to the SEC501 course-it is always a thrill to see students leave with fire in their eyes and an excitement about them. They walked into class feeling overwhelmed that security is a lost cause, but now they leave class understanding what they need to do, and they have a focus and drive to do the right thing to secure their organizations.

The next question we receive on a constant basis is, what course should I take next? How do I continue my journey? Well, it depends on your focus area. Do you want to get more into perimeter protection, IDS, operating system security, etc.? The challenge is that many students work in jobs that do not allow them to focus on one area; they need to understand all of the key areas across security.

What students are telling us is that they want a Security Essentials Part 2 or a 500-level continuation of Security Essentials covering the next level of technical knowledge. With SEC501, SANS has decided to give students just what they have been asking for. I am beyond thrilled with the results: we have identified core foundation areas that complement SEC401 with no overlap and continue to build a solid security foundation for network practitioners.

After one recent class, a student ran up and gave me a big hug (he was a retired football player, so I did not argue) and said, "SANS is awesome. I have been frustrated in my job for over a year and had lost hope that you really could secure an organization and that anything I did made a difference. Just as my light of hope was burning out, I decided to take the Security Essentials course, figuring it was a lost cause. After this class the fire is burning brighter than it ever was. I feel like a kid again and cannot wait to go back to my company and make a difference. However, I think my boss is scared because I called him eight times throughout the week, telling him all of the great information and practical knowledge I learned!"

Having taught thousands of students, I am confident you will be just as excited and get similar results from SEC501. However, just for reference, hugs are optional.

- Eric Cole