
Axonius gave me the opportunity to take a SANS class. SANS offers a lot of classes. After more than two decades in Infosec, I wasn’t sure which class would offer the most value. Some classes were remedial while others were too niche for my regular work in threat detection and incident response (TDIR) and security engineering. To narrow my options I decided to go with an on-demand class, to stay technical, and to develop my weakest skill area: cloud. That led to four primary options:
- SEC488: Cloud Security Essentials
- SEC510: Cloud Security Controls and Mitigations
- SEC541: Cloud Security Threat Detection
- FOR509: Enterprise Cloud Forensics and Incident Response
I ruled out SEC488 as my last several work experiences had substantial cloud responsibilities and I didn’t expect to get much from an intro class. SEC510 was a possibility but not particularly focused on my work area. FOR509 was an interesting option, but I passed for two reasons. First, the syllabus had a little of everything. I do not think the class would have time to go deep enough to add value to any incident I might work. Second, if an incident gets so out of control that it requires real forensics, external experts are always called. Ultimately, I decided on SEC541.
In SEC541, SANS promises that students will:
- Understand how identities can be abused in cloud environments.
- Monitor threat actors using cloud-native logging tools.
- Define and understand compute resources such as virtual machines (VMs) and containers.
- Detect and address attacker pivots within your cloud infrastructure.
- Implement effective detection strategies using cloud provider tools.
- Investigate and analyze instances in your compute resources for suspicious activities.
- Perform detailed analysis and detection of threats in Microsoft 365 and Azure environments.
- Pivot between different log sources to uncover the full narrative of an attack.
- Build automation workflows to reduce repetitive security tasks.
- Centralize and normalize data from various sources to enhance analysis and threat detection.
SEC541 is taught in 5 Sections:
- Section 1: Detect adversarial activity through management API and network logs.
- Section 2: Dive into logging for compute resources, VMs, and containers.
- Section 3: Master detection services and understand cloud attack surfaces.
- Section 4: Deep dive into threats and detections in Microsoft 365 and Azure.
- Section 5: Automate response actions and test your skills in the CloudWars Challenge.
I don’t know what I think of SEC541, but I’m glad I took the class. Section 1 is incredibly basic and Section 4 (MS Azure) is less applicable to my day-to-day. Sections 2 & 3 are the core of SEC541. Overall, Sections 2 & 3 cover basic cloud security logging, cloud security attacks, and an intro to TDIR + MITRE ATT&CK + cloud security operations. If you’re a cloud person new to threat detection, these sections will help you out. If you’re a threat detection person new to cloud, these sections will cover the basics. I got a few new interesting bits that I didn’t know about. Most importantly, as an old TDIR guy, SEC541 reassured me that I can adequately cover cloud.
Section 5 focuses on exporting cloud logs to a centralized SIEM, normalizing the logs, creating detections, and building automations. Section 5 is where I wanted SEC541 to live. Unfortunately, it’s a short section that glosses over the challenges and the available technologies. I would have appreciated a deep dive into:
- Normalizing logs
- Reducing log volume
- How to choose and relate logs in highly ephemeral environments
- Specifics on real-world solutions like Panther, Wiz, Swimlane, Tines, etc.
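To make "normalizing logs" and "creating detections" concrete, here is an added example (my own code, not SEC541 course material and not from the original post). It maps an AWS CloudTrail ConsoleLogin record and a Microsoft Entra sign-in record onto one hand-rolled, ECS-flavoured schema, builds a single timeline across both clouds, and runs one detection over it: a successful interactive sign-in without MFA. The `AuthEvent` schema and the `normalize`/`detect_single_factor_logins` functions are my own; the sample records are constructed with fake values but trimmed to real CloudTrail and Entra sign-in field names.

```python
"""Normalize CloudTrail and Entra sign-in records into one schema, then run a
single cross-provider detection. Added illustration; schema and samples are
constructed, not SEC541 course material."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class AuthEvent:
    """Minimal common schema for an interactive sign-in (our own, ECS-flavoured)."""
    ts: datetime
    provider: str      # "aws" or "entra"
    user: str
    source_ip: str
    mfa: bool
    success: bool


def _parse_ts(value: str) -> datetime:
    # Both providers emit RFC 3339 UTC timestamps; older fromisoformat() rejects
    # a trailing 'Z', so rewrite it as an explicit offset first.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def from_cloudtrail(rec: dict) -> Optional[AuthEvent]:
    """CloudTrail records MFA use for console logins in additionalEventData.MFAUsed."""
    if rec.get("eventName") != "ConsoleLogin":
        return None  # not a sign-in; drop it here (this is also where volume reduction starts)
    ident = rec.get("userIdentity", {})
    return AuthEvent(
        ts=_parse_ts(rec["eventTime"]),
        provider="aws",
        user=ident.get("userName") or ident.get("arn", "unknown"),
        source_ip=rec.get("sourceIPAddress", ""),
        mfa=rec.get("additionalEventData", {}).get("MFAUsed") == "Yes",
        success=rec.get("responseElements", {}).get("ConsoleLogin") == "Success",
    )


def from_entra_signin(rec: dict) -> AuthEvent:
    """Entra sign-in logs express MFA via authenticationRequirement; status.errorCode 0 is success."""
    return AuthEvent(
        ts=_parse_ts(rec["createdDateTime"]),
        provider="entra",
        user=rec.get("userPrincipalName", "unknown"),
        source_ip=rec.get("ipAddress", ""),
        mfa=rec.get("authenticationRequirement") == "multiFactorAuthentication",
        success=rec.get("status", {}).get("errorCode", 1) == 0,
    )


def normalize(cloudtrail_records, entra_records) -> list:
    """Merge both sources into one time-ordered list of AuthEvent."""
    events = [e for e in map(from_cloudtrail, cloudtrail_records) if e is not None]
    events += [from_entra_signin(r) for r in entra_records]
    return sorted(events, key=lambda e: e.ts)


def detect_single_factor_logins(events) -> list:
    """Detection: successful interactive sign-in without MFA, whichever cloud it came from."""
    return [e for e in events if e.success and not e.mfa]


# Constructed sample records: real field names, fake values.
CLOUDTRAIL_SAMPLE = [
    {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T12:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]
ENTRA_SAMPLE = [
    {"createdDateTime": "2024-05-01T12:05:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.7", "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T12:06:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "198.51.100.9", "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 50126}},  # failed: invalid credentials, so not a hit
]

if __name__ == "__main__":
    timeline = normalize(CLOUDTRAIL_SAMPLE, ENTRA_SAMPLE)
    for hit in detect_single_factor_logins(timeline):
        print(f"{hit.ts.isoformat()} {hit.provider} {hit.user} from {hit.source_ip}: no MFA")
```

The point of the common schema is that the detection is written once: the CloudTrail and Entra parsers absorb the provider-specific field names, and the analyst never has to remember that one side says `MFAUsed` and the other says `authenticationRequirement`. Dropping non-login CloudTrail events at parse time is also the cheapest place to cut volume before anything reaches the SIEM.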
tl;dr: SEC541 is a good class for onboarding cybersecurity engineers into cloud TDIR and for giving grizzled infosec veterans more confidence in the cloud.
