SEC501, SEC503, SEC504, SEC511, SEC599, what are the key differences?
I'm considering a defensive course, however after reading over each syllabus there seems to be some overlap.
Here's a comparison of the "You Will Be Able To" sections of SEC530 and SEC511 (GMON), does that not seem almost identical? Is the SEC511 targeted specifically for people working in a SOC?
The SEC504 (GCIH) appears focused on pre-breach preparation, and the immediate steps taken after a breach, also half forensics?
SEC599 reads similar to the SEC504 except for specifically an APT, and not just an "incident".
I really struggle to understand where SEC503 (GCIA) fits in all this, and the SEC501 (GCED) appears to be a combination of everything previously mentioned.
This is so confusing. Has anyone done multiple of these courses and can speak to the real differences in focus and goals?
Comments
Personally, I enjoyed the course and my instructor (Mike Poor) but I don't spend a lot of time responding to IPS tickets anymore.
sb97 has already summed up 503.
504 is focused on incident handling plus hacker techniques, the tools they use, and methods of prevention.
- 501: This is a catch-all class that exposes you to many areas. I usually recommend people skip this if they know what they want to focus on (pentesting, forensics, IR, etc).
- 503: Network analysis galore. If you need to analyze traffic and dissect packets, this is your class.
- 504: If you want to see common attacks and how to execute and defend against them, start here.
- 511: This is of value to understand and implement continuous monitoring; real-time monitoring of your infrastructure.
- 599: "Somewhat" similar in concept to 504 as it shows attacks and how to detect/defend/deter but covers many things 504 does not.
SANS makes a great effort making sure topics are not duplicated across classes. They may seem similar in essence but the execution will be very different. The beauty here is that based on your specific role or interests you can line up with one class or another. If you have a particular need, those of us that drink the SANS Kool-Aid can help you make a choice. I'm actually sitting in day 3 of my 6th SANS course right now.
Very true! I took 504 a few years ago and am on day 4 of 560, which has some tool overlap, but a different approach. 560 focuses on a pentester's point of view while 504 is for an incident handler.
I'm currently a pen tester, however I'm frequently called upon to do general security consulting, reviews, benchmarking, etc. I don't want to do an offensive course at the moment as the syllabus for many appear to have a lot of what would be review for me, and I have a lot of on-the-job resources I haven't yet exhausted.
I see many lost clients who want general security advice and direction. The report thrown over the wall at them of all the things I managed to break is helpful, but not very holistic or comprehensive. When they realise they have problems I want to have more to offer.
The overall course was very good. I had Stephen Sims as my instructor (one of the authors of Gray Hat Hacking). We covered many topics at a moderate level (not as deep as courses that would focus on just that one topic) but it was a little more advanced than basic concepts, that is for sure.
Topics:
Day 1: Defensive Network Architecture
Day 2: Penetration testing
Day 3: Network Detection and Packet Analysis
Day 4: Digital Forensics and Incident Response
Day 5: Malware Analysis
Day 6: CTF
Covering all those topics is a lot to absorb and obviously these topics are not covered at an expert level. SANS has courses for that lol
In all, it was good to cover and go over those topics that stretch your legs out beyond the basics. It does give you the look and feel of where you might want to go in your career within the security realm.
I found this course more blue team than red team. The pentesting section was light; they did not cover anything I didn't already know. The Malware Analysis day was awesome. We ran live ransomware in a VM and proceeded to dissect it and spoof the BTC address response, etc.
I picked up a lot of nuggets and I am happy I attended the course. My team won the in-class CTF too.
2023 Cert Goals: SC-100, eCPTX
I've drawn a line through SEC501, SEC503.
SEC599 I like the look of, but probably not a first course to take. SEC504 sounds very valuable, but probably not immediately useful for myself, the same with SEC511.
Which leaves SEC530 and SEC566. My concern with SEC566 is the sales tactics of CIS, and some reviews saying it wouldn't be worthwhile unless you're specifically implementing those controls. I think if I were to go in that direction I'd take ISACA or ISO training instead. The SEC530 looks daunting and hopefully not too detached from my current work and experience, and it's a new course so there are no reviews on the content or the hands-on day.
Well, if you have OSCP, you really shouldn't need to look at things like 504 anyway. Depending on what you are looking to do and how well your skillset is honed based on that achievement alone, I would say go take 660 or maybe even 760. If you're looking to branch out, why not take something like FOR508 (Advanced IR Forensics course) or maybe SEC575 and learn mobile hacking type stuff?
SEC530 is a brand spanking new course from when I just looked it up. May wanna wait a bit just to ensure the kinks are worked out?