SANS Course Suggestions

bsjj27bsjj27 Member Posts: 24 ■■□□□□□□□□
I have some budget to do an online SANS course and am looking for suggestions. As of now I've taken and tested out on SANS 504 and SANS 511 and thought both courses were great. My job role right now is rather interesting. I over see an IT department at a small financial services institution. I also am in charge of security and am the lead security engineer, so I have my hands in all aspects. I have an engineering backgroup but also obtained CISSP and CISM because I'm also involved in the management space. I'm looking to take something that I can get the most out of and use day one when I get through the course. I was thinking either 503 because it seems like a good foundational course. 505 because I work with a lot of microsoft related operating systems, you don't see too much about this course posted on this site. Another I was looking at was FOR500 because I'm on the incident response team and don't have any real good knowledge of forensic analysis except for high level stuff from other cert exams I passed. I know I'm all over the map here, SANS offers such great courses and aren't cheap so just want to make sure I select the best course with which I will get the most out of, I appreciate any input.

Comments

  • supasecuritybrosupasecuritybro Member Posts: 206 ■■■■□□□□□□
    The FOR572 I hear is great. Also the new SEC599 seems to be a good blend of red/blue team type.
    Completed: CISSP, GPEN, GWAPT, CCSA R80, eJPT, CySA+, M.S. Information Security
    Current Goal: CCSE
    Continuous Education Plan:​ AWS-SAA, OSCP, CISM
    Book/CBT/Study Material:​ Max Power
  • MalwareMikeMalwareMike Member Posts: 147 ■■■□□□□□□□
    It sounds like you pretty much do everything security related...so out of your day-to-day duties, what area do you weak on?
    Current: GSEC, GCIH, GCIA, GWAPT, GYPC, RHCSA, WCNA
    2019 Goals: CISSP, Splunk certifications (Certified Core, Power User, Admin, and Architect)
    Twitter: https://twitter.com/Malware_Mike
    Website: https://www.malwaremike.com

  • sb97sb97 Member Posts: 109
    It sounds like you pretty much do everything security related...so out of your day-to-day duties, what area do you weak on?
    MalwareMike's question is a good place to start. From my experience:
    Sec503 If you want to strong background into Intrusion Analysis
    For500 If you want a strong forensics background
    For508 If you are looking for a solid foundation in Incident Response
    For578 If you are looking at Cyber Threat Intelligence

    There were a number of SOC managers/team leads in my For578 class looking to incorporate threat intel into their groups.
  • MalwareMikeMalwareMike Member Posts: 147 ■■■□□□□□□□
    sb97 wrote: »
    MalwareMike's question is a good place to start. From my experience:
    Sec503 If you want to strong background into Intrusion Analysis
    For500 If you want a strong forensics background
    For508 If you are looking for a solid foundation in Incident Response
    For578 If you are looking at Cyber Threat Intelligence

    There were a number of SOC managers/team leads in my For578 class looking to incorporate threat intel into their groups.

    Great list and input. FOR578 looks super interesting.
    Current: GSEC, GCIH, GCIA, GWAPT, GYPC, RHCSA, WCNA
    2019 Goals: CISSP, Splunk certifications (Certified Core, Power User, Admin, and Architect)
    Twitter: https://twitter.com/Malware_Mike
    Website: https://www.malwaremike.com

  • TechGuru80TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
    I think you should look at what kind of services you want to handle internally versus what you will end up outsourcing. Where is your organization weak? Are you solid on OS configurations by using tools like CIS benchmarks? A lot of the pen testing and forensics stuff I assume will get outsourced, and if you are the main security person you probably don't have much time for that anyways.

    I would probably focus on courses that will help you catching some of the basic intrusions...SEC505, SEC503 or FOR500 seem like good choices based on immediate usability and what appears to be a small team with limited resources. I probably would lean more towards either SEC505 or SEC503 first unless you are really solid on Windows and packet analysis because those lead well into performing forensics.
  • sb97sb97 Member Posts: 109
    TechGuru80 wrote: »
    I think you should look at what kind of services you want to handle internally versus what you will end up outsourcing. Where is your organization weak? Are you solid on OS configurations by using tools like CIS benchmarks? A lot of the pen testing and forensics stuff I assume will get outsourced, and if you are the main security person you probably don't have much time for that anyways.

    I would probably focus on courses that will help you catching some of the basic intrusions...SEC505, SEC503 or FOR500 seem like good choices based on immediate usability and what appears to be a small team with limited resources. I probably would lean more towards either SEC505 or SEC503 first unless you are really solid on Windows and packet analysis because those lead well into performing forensics.
    I worked for two separate companies that sent new analysts to Sec503 during their first year. In both cases, new analysts started out as ticket monkeys working on IPS/DLP/etc events. It really is a good place to start because it covers how to read network activity and not just respond to individual events.
  • TechGuru80TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
    sb97 wrote: »
    I worked for two separate companies that sent new analysts to Sec503 during their first year. In both cases, new analysts started out as ticket monkeys working on IPS/DLP/etc events. It really is a good place to start because it covers how to read network activity and not just respond to individual events.
    Yeah I mean OP has options but he’s already stated he or she is a lead and oversees IT...That kind of role is unlikely to have a ton of time to be a packet ninja and will have a lot on his or her plate....I don’t think in general you can go wrong on SANS training though.
  • bsjj27bsjj27 Member Posts: 24 ■■□□□□□□□□
    I'm thinking I will go FOR508, been seeing a lot of good stuff on this course and I feel my incident response skills probably need the most work. I'm watching the demo now and they say FOR500 is not required but recommended. Do you think I really need it? I took GCIH and have a long history administering and securing Microsoft based products.

    sb97 wrote: »
    I worked for two separate companies that sent new analysts to Sec503 during their first year. In both cases, new analysts started out as ticket monkeys working on IPS/DLP/etc events. It really is a good place to start because it covers how to read network activity and not just respond to individual events.
  • sb97sb97 Member Posts: 109
    bsjj27 wrote: »
    I'm thinking I will go FOR508, been seeing a lot of good stuff on this course and I feel my incident response skills probably need the most work. I'm watching the demo now and they say FOR500 is not required but recommended. Do you think I really need it? I took GCIH and have a long history administering and securing Microsoft based products.
    I don't think you need it but it does help a little. For500 teaches you what the various Windows Artifacts are and where to find them.

    You can see the main artifacts in the bottom section (Evidence Of) in this poster:
    https://www.sans.org/security-resources/posters/windows-forensics-evidence-of/75/download
    You can use some other resources like the Digital Forensics Survival Guide Podcast to learn about those artifacts.
    Digital Forensic Survival Podcast – "Sharpen your computer forensic skills!"
    This poster would also be helpful for preparing:
    https://www.sans.org/security-resources/posters/hunt-evil/165/download
  • bsjj27bsjj27 Member Posts: 24 ■■□□□□□□□□
    Thanks for all the great info

    sb97 wrote: »
    I don't think you need it but it does help a little. For500 teaches you what the various Windows Artifacts are and where to find them.

    You can see the main artifacts in the bottom section (Evidence Of) in this poster:
    https://www.sans.org/security-resources/posters/windows-forensics-evidence-of/75/download
    You can use some other resources like the Digital Forensics Survival Guide Podcast to learn about those artifacts.
    Digital Forensic Survival Podcast – "Sharpen your computer forensic skills!"
    This poster would also be helpful for preparing:
    https://www.sans.org/security-resources/posters/hunt-evil/165/download
  • UnixGuyUnixGuy Mod Posts: 4,564 Mod
    Can't go wrong with SANS FOR 508, excellent foundation in Incident Response, and will help you create detections around abnormal behaviour in your environment
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • jcundiffjcundiff Member Posts: 486 ■■■■□□□□□□
    Great list and input. FOR578 looks super interesting.

    I thoroughly enjoyed it, but I do Threat Intel for a living :) so I may be just a bit biased :)
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
Sign In or Register to comment.