Review of SANS MGT551 and GIAC GSOM Certification

Last year I was given an opportunity by my employer to participate in the SANS MGT551: Building and Leading Security Operations Centers course. I have been a SOC analyst and manager for the past ten years in a Fortune 100 enterprise and MGT551 seemed like a great way to improve myself, my team, and the (cyber)security of my organization. I was right!

MGT551 Acquisition and Getting Started

I took the course with the on-demand option so I wouldn't need to take any time off work and could self-study at my leisure. (Somehow it sounds contradictory to refer to SANS training as a leisure time activity.) I attended on-site SANS training for SEC401 (GSEC) many years ago, and would do it again if it were not for the time and extra expense required for travel/hotel/meals.

On-demand SANS course material is purchased and accessed via your account at sans.org. Once your order is confirmed and you activate the course, you have immediate access to the full course materials sans the printed materials (pun intended). The MGT551 course books--six spiral-bound manuals--arrived by FedEx 4-5 days after I ordered the course.

An email from SANS sent after course activation includes instructions for downloading the digital materials from your SANS account. The digital downloads are available online for four months after course activation. Once the course expires, you can no longer log in to the course, although some materials of the course remain available.

Until the printed manuals arrived, I busied myself with noodling through the digital course materials, many of which are PDF files are SANS posters and **** sheets. Also included is a 1070-page (DRM’ed and password-protected) PDF file containing all six course books. This PDF makes waiting for the printed MGT551 books unnecessary to begin studying--but you will eventually need the books for the GSOM exam itself, of course. The books' PDF is also invaluable for searching for terms to include in your exam index. (More on this later.)

There is also a downloadable recording of an MGT551 online course (from August 2021?) distributed as a set of ten MP3 files (1.3GB total). This is basically the same information as presented in the course videos, but in a live setting rather than a scripted presentation. I put these MP3’s on my smartphone and listened to them when I was out of the house.

Learning in a Virtual World

The big boy of the MGT551 digital materials is an 11GB ISO file. Inside is a Xubuntu Linux VM (.vmx). The VM files folder is in a ZIP file in the ISO file. You have several options for extracting the VM files, but burning a copy of the ISO to a USB flash drive as a backup is probably the best. The hash for the ZIP file is included in the ISO. (Yes, it sounds and feels a bit like a hacking challenge.)

The .vmx file is used to create a VM in VMware Workstation Player or Pro or Fusion only. Other virtualization environments, such as Virtualbox Parallels and Hyper-V, are not supported. I already had VMware Workstation Player 16.2.1 installed on my Ubuntu system and, after a quick update of VMware Tools before starting, the MGT551 VM ran well. After logging in to the guest OS, you should apt update/upgrade and make a baseline snapshot if your VM environment supports that capability. (Note: VMware Player and Pro may no longer start if you update the Linux kernel on your host OS. There is much information in other discussion forums on the workarounds for this situation. VMware on Windows does not seem to have this problem.)

Once you've logged into the VM, start Firefox and click "SANS MGT551 Workbook" on the bookmark toolbar. This page is your guide for working the MGT551 course. Read the instructions and update the E-Workbook files from GitHub. (The VM will need Internet access via TCP ports 22 and 443 to do so.

More Sounds than Sights

The bulk of your time in MGT551 is spent viewing the course instruction videos. These are what you get on-demand rather than being in a remote or in-person classroom session. The videos are not downloadable and are only viewable in a Web browser while logged in to your SANS account. The only inconvenience in this arrangement was when I would take an extended break and find that my session had expired and I needed to log back in. Otherwise, the video viewer was adequate and had the typical controls you would expect, including adjusting the playback speed and full-screen viewing.

The presenter in the video, and the instructor on the MP3 files, is a co-author of the course, Mark Orlando. (The other MGT551 co-author is John Hubbard.) Mark is a pleasant, affable, and informed speaker with considerable expertise, and otherwise not particularly dynamic or entertaining--qualities which I can find distracting from actually learning the material being presented--but many high-profile SANS instructors are famous for.

Interestingly enough, there is nothing in the videos that actually needs to be viewed. You may simply listen to each video and follow along in the books or PDF. Other than a few charts and graphs, the course videos contain very little information that needs to be read. This course follows a trend over the past five years in the online training industry to make presentation materials simple, uncreative, and uninteresting, so you may need to find other ways to make this course material interesting to yourself.

After you have viewed 80% of the videos (by time viewed), a certification of completion becomes available to you identifying the course as part of the on demand program and the date of completion. This may be a necessary requirement by your employer, especially if you will not be attempting the companion GIAC certification. The videos section also includes a 20-question quiz for each of the first five books of the course. These are good practice to test your baseline understand, but using them is not necessary to complete the course.

Coulda, woulda, shoulda...

Finally, MGT551 includes an interactive simulation named Cyber42. In Cyber42, you will assume the role of a SOC manager needing to build a team and make critical decisions. Each decision you make will have an impact on multiple factors and deplete limited resources (i.e., morale and money) that you'll have available. Check your Cyber42 PDF for the full simulation instructions. I must admit that I didn’t use Cyber42 much and therefore don't have much to review about it.

I'll post info on MGT551 course content and the GSOM exam in this thread later this week.

Find more posts tagged with

GIAC

SANS

GSOM

MGT551

Comments

SteveLavoie

Thanks @JDMurray for the detailed review. It look like a really great course. I am more interested in your opinion on the course delivery . Does on-demand vs live training a good decision. IMO, there is no real economy (except travel expense) for On-demand. I am from Canada and even it is only a 2-3K$ addition to have 1 week outside house in another city.

Do you think it that the on-demand delivery method better for learning? I feel bad paying 8K$ USD for some online video, books and PDF, that's a "lifetime" of training subscription!

Would you do another On-demand course or you would prefer a in-person or live-online?

JDMurray

A SANS course is the same price regardless of the delivery method because it's the same course materials. The on-demand course gives you access to videos of the instructor that may not be included with the online and in-class training methods. (Someone please correct me on this.) All three delivery methods do give you the downloadable digital materials including the MP3 files. The on-demand courses are much more relaxed and easier going than sitting in a classroom for 40 hours and being forced to ingest the material at the instructor's pace (i.e., brain-melting). However, I think the in-class training is the best deal money-wise because of all the extras you are given at a SANS conference.

UnixGuy

sounds like a good course for SOC work

E Double U

I have taken five SANS courses and only one was on-demand. I would never do that again because although the content is the same, I miss the classroom interactions. There are always questions raised by the students that lead to good discussions. Not to mention I enjoy the networking with other attendees plus the evening activities such as NetWars and the fun night out with all participants.

SteveLavoie

Well, thanks @JDMurray for your answer.

JDMurray

UnixGuy said:

sounds like a good course for SOC work

For SOC analysts, SANS SEC450: Blue Team Fundamentals: Security Operations and Analysis and the GIAC Security Operations Certified (GSOC) certification is what you want.

SANS Blue Team Wiki

E Double U

UnixGuy said:

sounds like a good course for SOC work

Depends on the SOC. This course seems great for a SOC manager, but for analysts/incident responders I would recommend 501, 503, 504, 511, and a few others over 551.

JDMurray

The GIAC GSOM Certification & Exam

The GIAC Security Operations Manager (GSOM) is the certification created for SANS MGT551. This exam only became available to the public in February 2022. I had purchased the MGT551 course several months before and could find no information online about a certification for MGT551 at that time.

I emailed a contact I have at GIAC to inquire about such a cert and discovered that a beta exam program was underway for that very cert. I was lucky enough to get in and was able to take the GSOM beta exam shortly before the exam itself was released to the public.

Previously, I had taken only one GIAC exam (GSEC) and the GSOM beta seemed very similar in format and function, right down to the gold stars displayed at the end of the exam to indicate how well you did in each exam category. The beta exam came with two practice exams, as typical for all GIAC exams but they did not include the gold star report. I assume this was an issue in the beta and the report is included in the production release of the GSOM practice exams.

Exam Day

I prefer to take my cert exams at a testing center about a ten minute drive from my house. It’s very clean, well-run, and very strict on rules about testing and hygiene. I was expecting my usual testing center experience until I was seated in a cubicle next to a long table well-suited to the sprawl of my SANS books. How nice! This was certainly different from my GSEC exam, where I was balancing all of my SANS books on my knee. (Well, not really, but the awkwardness of the confined cubical made it feel like that.) I highly recommend finding out if your testing center has this convenience before you take your next GIAC exam.

The exam itself was uneventful and not hurried. I think I finished with nearly an hour to spare. Having a very incomplete index makes GIAC exams go a lot faster, I guess.

Waiting for the beta results...

So how did I do? Based on the gold stars at the exam’s conclusion, I guess my score was around 75%. Being a beta exam, I had to wait a few weeks to actually find out. As it turned out, my final score was 74% and passing for the GSOM exam is 66%. I crammed the material to get in at the deadline, my index was terrible, and I didn't mark the books with sticky notes as I should do, so I’m not surprised at my low score.

One thing I don't know is why the passing score for the GSOM is so low. I expected a passing score in the high 70’s. Maybe this was a low bar set for the beta exam, or the (soft) subject matter, or because the target market for the GSOM are (wanna-be) SOC managers and that crowd just needs a lower bar. (Just kidding, my peers!)

ADVICE: Start building your exam index NOW!

I’m not gonna bother talking about how or why to build a SANS book index for your GIAC exam. There is already enough of that here on TechExams.Net. My personal advice is to start making your index as soon as you can after gaining access to your SANS course materials. Your index may end up being very large and take much longer to compile than you realize, so you'll need as much time as you can get. The GSOM exam is no exception to this advice.

For my index I used the 3-column format (term, pages/book, description) and it worked well for me. Use the SANS books PDF to search for terms to include, including those scarce acronyms that only appear on one slide on one page. (Yes, I got one of those on my exam.) Use the description column for information that might keep you from needing to look in a book, which just slows you down.

All that being said, I was in a rush to get through the course materials and take the exam, so my index wasn’t really that detailed or very complete. I only had a little over 100 terms listed, and what I didn't have I either knew or spent precious exam time flipping through the books hoping to see the term I needed in a slide’s title. I also didn't check the print-out of my index beforehand and discovered--in the exam room--that the information in the description column was clipped at the edge of the page. I would probably have a much better score if I had started my index much sooner and taken time to proofread the printout. Fortunately, a pass is a pass on Credly.

E Double U

JDMurray said:
This was certainly different from my GSEC exam, where I was balancing all of my SANS books on my knee. (Well, not really, but the awkwardness of the confined cubical made it feel like that.)

Bringing back memories lol. It was always funny when I was the only one in the test center taking a GIAC exam because I would have a pile of books spread around me plus my index on the table. People giving me looks like what is going on. Good times!