SANS Course Suggestions

bsjj27 Member Posts: 24
I have some budget to do an online SANS course and am looking for suggestions. As of now I've taken and tested out on SANS 504 and SANS 511 and thought both courses were great. My job role right now is rather interesting. I oversee an IT department at a small financial services institution. I also am in charge of security and am the lead security engineer, so I have my hands in all aspects. I have an engineering background but also obtained CISSP and CISM because I'm also involved in the management space. I'm looking to take something that I can get the most out of and use day one when I get through the course. I was thinking either 503 because it seems like a good foundational course, or 505 because I work with a lot of Microsoft related operating systems; you don't see too much about this course posted on this site. Another I was looking at was FOR500 because I'm on the incident response team and don't have any real good knowledge of forensic analysis except for high level stuff from other cert exams I passed. I know I'm all over the map here. SANS offers such great courses and they aren't cheap, so I just want to make sure I select the course I will get the most out of. I appreciate any input.

Comments

  • supasecuritybro Member Posts: 206
    The FOR572 I hear is great. Also the new SEC599 seems to be a good blend of red/blue team type.
    Completed: CISSP, GPEN, GWAPT, CCSA R80, eJPT, CySA+, M.S. Information Security
    Current Goal: CCSE
    Continuous Education Plan: AWS-SAA, OSCP, CISM
    Book/CBT/Study Material: Max Power
  • MalwareMike Member Posts: 147
    It sounds like you pretty much do everything security related... so out of your day-to-day duties, what area are you weak on?
    Current: GSEC, GCIH, GCIA, GWAPT, GYPC, RHCSA, WCNA
    2019 Goals: CISSP, Splunk certifications (Certified Core, Power User, Admin, and Architect)
    Twitter: https://twitter.com/Malware_Mike
    Website: https://www.malwaremike.com

  • sb97 Member Posts: 109
    MalwareMike wrote: »
    It sounds like you pretty much do everything security related... so out of your day-to-day duties, what area are you weak on?
    MalwareMike's question is a good place to start. From my experience:
    Sec503 if you want a strong background in Intrusion Analysis
    For500 if you want a strong forensics background
    For508 if you are looking for a solid foundation in Incident Response
    For578 if you are looking at Cyber Threat Intelligence

    There were a number of SOC managers/team leads in my For578 class looking to incorporate threat intel into their groups.
  • MalwareMike Member Posts: 147
    sb97 wrote: »
    MalwareMike's question is a good place to start. From my experience:
    Sec503 if you want a strong background in Intrusion Analysis
    For500 if you want a strong forensics background
    For508 if you are looking for a solid foundation in Incident Response
    For578 if you are looking at Cyber Threat Intelligence

    There were a number of SOC managers/team leads in my For578 class looking to incorporate threat intel into their groups.

    Great list and input. FOR578 looks super interesting.
    Current: GSEC, GCIH, GCIA, GWAPT, GYPC, RHCSA, WCNA
    2019 Goals: CISSP, Splunk certifications (Certified Core, Power User, Admin, and Architect)
    Twitter: https://twitter.com/Malware_Mike
    Website: https://www.malwaremike.com

  • TechGuru80 Member Posts: 1,539
    I think you should look at what kind of services you want to handle internally versus what you will end up outsourcing. Where is your organization weak? Are you solid on OS configurations by using tools like CIS benchmarks? A lot of the pen testing and forensics stuff I assume will get outsourced, and if you are the main security person you probably don't have much time for that anyways.

    I would probably focus on courses that will help you catch some of the basic intrusions... SEC505, SEC503 or FOR500 seem like good choices based on immediate usability and what appears to be a small team with limited resources. I would probably lean more towards either SEC505 or SEC503 first unless you are really solid on Windows and packet analysis, because those lead well into performing forensics.
  • sb97 Member Posts: 109
    TechGuru80 wrote: »
    I think you should look at what kind of services you want to handle internally versus what you will end up outsourcing. Where is your organization weak? Are you solid on OS configurations by using tools like CIS benchmarks? A lot of the pen testing and forensics stuff I assume will get outsourced, and if you are the main security person you probably don't have much time for that anyways.

    I would probably focus on courses that will help you catch some of the basic intrusions... SEC505, SEC503 or FOR500 seem like good choices based on immediate usability and what appears to be a small team with limited resources. I would probably lean more towards either SEC505 or SEC503 first unless you are really solid on Windows and packet analysis, because those lead well into performing forensics.
    I worked for two separate companies that sent new analysts to Sec503 during their first year. In both cases, new analysts started out as ticket monkeys working on IPS/DLP/etc events. It really is a good place to start because it covers how to read network activity and not just respond to individual events.
  • TechGuru80 Member Posts: 1,539
    sb97 wrote: »
    I worked for two separate companies that sent new analysts to Sec503 during their first year. In both cases, new analysts started out as ticket monkeys working on IPS/DLP/etc events. It really is a good place to start because it covers how to read network activity and not just respond to individual events.
    Yeah, I mean OP has options, but he's already stated he or she is a lead and oversees IT... That kind of role is unlikely to have a ton of time to be a packet ninja and will have a lot on his or her plate... I don't think in general you can go wrong on SANS training though.
  • bsjj27 Member Posts: 24
    I'm thinking I will go FOR508. I've been seeing a lot of good stuff on this course and I feel my incident response skills probably need the most work. I'm watching the demo now and they say FOR500 is not required but recommended. Do you think I really need it? I took GCIH and have a long history administering and securing Microsoft based products.

    sb97 wrote: »
    I worked for two separate companies that sent new analysts to Sec503 during their first year. In both cases, new analysts started out as ticket monkeys working on IPS/DLP/etc events. It really is a good place to start because it covers how to read network activity and not just respond to individual events.
  • sb97 Member Posts: 109
    bsjj27 wrote: »
    I'm thinking I will go FOR508. I've been seeing a lot of good stuff on this course and I feel my incident response skills probably need the most work. I'm watching the demo now and they say FOR500 is not required but recommended. Do you think I really need it? I took GCIH and have a long history administering and securing Microsoft based products.
    I don't think you need it but it does help a little. For500 teaches you what the various Windows Artifacts are and where to find them.

    You can see the main artifacts in the bottom section (Evidence Of) in this poster:
    https://www.sans.org/security-resources/posters/windows-forensics-evidence-of/75/download
    You can use some other resources like the Digital Forensics Survival Guide Podcast to learn about those artifacts.
    Digital Forensic Survival Podcast – "Sharpen your computer forensic skills!"
    This poster would also be helpful for preparing:
    https://www.sans.org/security-resources/posters/hunt-evil/165/download
  • bsjj27 Member Posts: 24
    Thanks for all the great info.

    sb97 wrote: »
    I don't think you need it but it does help a little. For500 teaches you what the various Windows Artifacts are and where to find them.

    You can see the main artifacts in the bottom section (Evidence Of) in this poster:
    https://www.sans.org/security-resources/posters/windows-forensics-evidence-of/75/download
    You can use some other resources like the Digital Forensics Survival Guide Podcast to learn about those artifacts.
    Digital Forensic Survival Podcast – "Sharpen your computer forensic skills!"
    This poster would also be helpful for preparing:
    https://www.sans.org/security-resources/posters/hunt-evil/165/download
  • UnixGuy Mod Posts: 4,570
    Can't go wrong with SANS FOR508; it's an excellent foundation in Incident Response, and it will help you create detections around abnormal behaviour in your environment.
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • jcundiff Member Posts: 486
    MalwareMike wrote: »
    Great list and input. FOR578 looks super interesting.

    I thoroughly enjoyed it, but I do Threat Intel for a living :) so I may be just a bit biased :)
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke