SEC501, SEC503, SEC504, SEC511, SEC599, what are the key differences?

I'm considering a defensive course, however after reading over each syllabus there seems to be some overlap.

Here's a comparison of the "You Will Be Able To" sections of SEC530 and SEC511 (GMON), does that not seem almost identical? Is the SEC511 targeted specifically for people working in a SOC?

The SEC504 (GCIH) appears focused on pre-breach preparation, and the immediate steps taken after a breach, also half forensics?

SEC599 reads similar to the SEC504 except for specifically an APT, and not just an "incident".

I really struggle to understand where SEC503 (GCIA) fits in all this, and the SEC501 (GCED) appears to be a combination of everything previously mentioned.

This is so confusing. Has anyone done multiple of these courses and can speak to the real differences in focus and goals?

Find more posts tagged with

Comments

sb97

From your list, I have only taken Sec503 and the GCIA and that was a long time ago. The SEC503 class is or was exclusively focused on network layer intrusion analysis. The focus was on how to read PCAPs and captured packets. If working with IPS/IDS or other network layer security appliances is the main focus of your job then this class might be beneficial.

Personally, I enjoyed the course and my instructor (Mike Poor) but I don't spend a lot of time responding to IPS tickets anymore.

E Double U

From your list, I only have experience with 503 and 504.

sb97 has already summed up 503.

504 is focused on incident handling plus hacker techniques, the tools they use, and methods of prevention.

cyberguypr

Those "You Will Be Able To" are very high level, so it's no surprise they apply to many courses. Don't use that as your barometer. You need to read every course description carefully and see how they line up with what you are trying to achieve. Here's how I see it:
- 501: This is a catch all class that exposes you to many areas. I usually recommend people to skip this if they know what they want to focus on (pentesting, forensics, IR, etc).
- 503: Network analysis galore. If you need to analyze traffic and dissect packets, this is your class.
- 504: If you want to see common attacks and how to execute and defend against them, start here.
- 511: This is of value to understand and implement continous monitoring; real time monitoring of your infrastucture
- 599: "Somewhat" similar in concept to 504 as it shows attacks and how to detect/defend/deter but covers many things 504 does not.

SANS makes a great effort making sure topics are not duplicated across classes. They may seem similar in essence bu the execution will be very different. The beauty here is that based on your specific role or interests you can line up with one class or another. If you have a particular need those of us that drink the SANS Kool-Aid can help you making a choice. I'm actually sitting in day 3 of my 6th SANS course right now.

E Double U

cyberguypr wrote: »

They may seem similar in essence bu the execution will be very different.

Very true! I took 504 a few years ago and on day 4 of 560 which has some tool overlap, but a different approach. 560 focuses on a penstester's point of view while 504 is for an incident handler.

Sheiko37

cyberguypr wrote: »

The beauty here is that based on your specific role or interests you can line up with one class or another. If you have a particular need those of us that drink the SANS Kool-Aid can help you making a choice.

I'm currently a pen tester, however I'm frequently called upon to do general security consulting, reviews, benchmarking, etc. I don't want to do an offensive course at the moment as the syllabus for many appear to have a lot of what would be review for me, and I have a lot of on-the-job resources I haven't yet exhausted.

I see many lost clients who want general security advice and direction. The report thrown over the wall at them of all the things I managed to break is helpful, but not very holistic or comprehensive. When they realise they have problems I want to have more to offer.

TechGuru80

Either 501 or 566 would be the best choices IMO....with 501 being more in the weeds and 566 being more broad. The other courses you listed are good quality but given your objective they don’t fit as well. Outside of GIAC you might want to look at CISA.

chrisone

I just took 501 three weeks ago at SANS WEST 2018 in San Diego. I was originally trying to get into FOR572 but sold out

The overall course was very good. I had Stephen Sims as my instructor (one of the authors for Gray Hat hacking). We covered many topics at a moderate level (not as deep as courses that would focus on just that one topic) but it was a little more advanced than basic concepts that is for sure.

Topics:
Day 1: Defensive Network Architecture
Day 2: Penetration testing
Day 3: Network Detection and Packet Analysis
Day 4: Digital Forensics and Incident Response
Day 5: Malware Analysis
Day 6: CTF

Covering all those topics is a lot of absorb and obviously these topics are not covered at an expert level. SANS has courses for that lol

In all, it was good to cover and go over those topics that stretch your legs out beyond the basics. It does give you the look and feel of where you might want to go in your career within the security realm.

I found this course more blue team than red team. The pentesting section was light, they did not cover anything I already didn't know. The Malware Analysis day was awesome. We ran a live ransomware malware in a VM and proceeded to dissect it and spoof the btc address response etc.

I picked up a lot of nuggets and I am happy I attended the course. My team won the in class CTF too

I got a SEC501 challenge coin

sb97

Sheiko37 wrote: »

I'm currently a pen tester, however I'm frequently called upon to do general security consulting, reviews, benchmarking, etc. I don't want to do an offensive course at the moment as the syllabus for many appear to have a lot of what would be review for me, and I have a lot of on-the-job resources I haven't yet exhausted.

I see many lost clients who want general security advice and direction. The report thrown over the wall at them of all the things I managed to break is helpful, but not very holistic or comprehensive. When they realise they have problems I want to have more to offer.

I would say that SEC503 is probably NOT the right course for you then.

cyberguypr

Have you looked at SEC530? This covers many areas that should be of great value for a consultant-type person.

Sheiko37

Very much appreciate the replies.

I've drawn a line through SEC501, SEC503.

SEC599 I like the look of, but probably not a first course to take. SEC504 sounds very valuable, but probably not immediately useful for myself, the same with SEC511.

Which leaves SEC530 and SEC566. My concern with SEC566 is the sales tactics of CIS, and some reviews saying it wouldn't be worthwhile unless you're specifically implementing those controls. I think if I were to go in that direction I'd take ISACA or ISO training instead. The SEC530 looks daunting and hopefully not too detached from my current work and experience, and it's a new course so there's on reviews on the content or the hands-on day.

Randy_Randerson

Sheiko37 wrote: »

Very much appreciate the replies.

I've drawn a line through SEC501, SEC503.

SEC599 I like the look of, but probably not a first course to take. SEC504 sounds very valuable, but probably not immediately useful for myself, the same with SEC511.

Which leaves SEC530 and SEC566. My concern with SEC566 is the sales tactics of CIS, and some reviews saying it wouldn't be worthwhile unless you're specifically implementing those controls. I think if I were to go in that direction I'd take ISACA or ISO training instead. The SEC530 looks daunting and hopefully not too detached from my current work and experience, and it's a new course so there's on reviews on the content or the hands-on day.

Well if you have OSCP, you really shouldn't need to look at things like 504 then anyways. Depending on what you are looking to do and how well your skillset is honed in based on that achievement alone, I would say go take 660 or maybe even 760. If you're looking to branch out, why not take something like FOR508 (Advanced IR Forensics course) or maybe SEC575 and learn mobile hacking type stuff?

SEC530 is a brand spanking new course when I just looked it up. May wanna wait a bit just to ensure the kinks are worked out?

E Double U

My colleague took SEC504 after OSCP and he said he did find the incident handling portion of the material valuable. But the rest of the course was a basic review for him.