It is the first time the Advanced Security Essentials – Enterprise Defender (SEC501) class has been run in Australia and to have the course author, Dr Eric Cole, teaching it was fantastic.
As I have said before, Eric is a fantastic speaker, bringing a huge amount of energy and real-world experience to the material.
Eric’s overview of how the course came to be and who its intended audience should be drew a couple of students from other classes. There was hardly any bribery, stalking or pleading involved in this at all. The two people at the back of the room, bound, gagged and drugged, were there merely by coincidence. Would I lie to you, dear reader? Anyway…
My poor interpretation is that 501 is the natural extension of 401 for those transitioning into the role of security professional without picking a specialty. Where the 401 spends roughly an hour on each of a myriad of varied security topics, 501 picks six critical areas and spends a day on each of them. If you really like the material from one of the days, it is then easy to work out which SANS or security training to take next. This is pretty darn helpful; I see hundreds of postings asking “What should I be doing to become a security professional?”, so picking a path that gets you out of bed in the morning with a spring in your step is the way to go.
With a title of Enterprise Defender, you may think this is just for IT folk in large companies. It isn’t. The course can be applied to companies of any size, from one-man do-everything IT support to an entire team of dedicated security staff. You need to take the cue from the course title: it’s for those who are defenders and work in a defensive role, or for those who aren’t sure what they would like to specialise in.
It takes a logical approach to rationalising how to do security in a planned, thoughtful manner. Nothing earth-shattering or mind-blowing appears in the material; it doesn’t need to do that. It provides the framework to apply good security to any company. This can be easily missed in the rush to get projects completed on time and things working. We get pushed into just doing “stuff” to get a new system into place without looking at the bigger picture. Each day provides a solid understanding of a critical security skill set and role; at the end of each day you have the tools and knowledge to step into that role and not stuff it up.
I enjoyed and appreciated the material and content of the course despite having completed a number of other SANS courses. This is a profession where learning never stops, so even recapping and refreshing the so-called basics is never a waste of time.
Before I rattle off my take on each day, I want to mention a number of conversations I had with other students on the flow of the course and how it fitted in with the other SANS 500-level courses. The most discussed point was the number of hands-on labs, or lack of them, on days two and three. I actually liked the two days of talk, mainly due to the content and partially because I’ve used the tools described in those two days fairly heavily over the last few months.
Fortunately, Australians aren’t quiet, shy flowers and mentioned this to Eric. There was plenty of time at breaks and after the day had ended to run through lab work. Most nights five or six people stayed behind to re-do the labs, just so they could get extra practice in, with the bonus of having others around to talk over any problems.
SANS courses are the perfect time to play with tools and practice techniques in a calm, non-critical environment. The added bonus is you have a real person to help out if you run into problems. Labs can break up the day and re-focus the brain, or labs can disrupt the day as, in real life, things don’t always work; you spend an hour troubleshooting why your lab isn’t working while the girl next to you has finished the whole lab in ten minutes. Still, both are real, hands-on experience.
Day 1 Defensive Network Infrastructure
Switches, Routers, Firewall and other networking gear
The day started off with an illuminating and fascinating attack using routers. The day was pretty Cisco-heavy, but the lessons are easily transposed to other vendors’ technologies.
Know what is on your network and how it is configured, understand how it should be configured, and use change management to get it there: that was the theme of the day.
Take a step back, think about what the network needs to do and check that it is doing it. Light labs.
Day 2 Packet Analysis
Understand the traffic on your network, what it’s doing and what it should look like. Profiling your normal traffic makes the Bad Stuff™ much easier to find.
No labs.
Day 3 Penetration Testing
No classroom labs, but the back of the book has a number of self-study ones.
Day 4 First responder
Great stuff. Lots of things to apply, and how to do them, as a first responder to an incident.
Labs.
Day 5 Malware
Heavy labs. Got to find and purge Bad Stuff™, lots of hands-on fun!
Day 6 Data Loss Prevention
No classroom labs, but the back of the book has a number of self-study ones.
This day covers a number of topics and in my mind should possibly be day one, rather than the last day. My reasons are:
Normally, covering risk and procedures is like slowly pulling nails from each finger with tweezers: slow and painful. Eric injects passion, direction and relevance, really making it applicable to the real world and the working lives of the students. I slogged through the CISSP domain when I was studying for the exam. Honestly, I feel Eric brought this section to life; I learnt more in those few hours, and will remember and apply this section better, than I ever could from the long, dark days of my CISSP study.