SEC541: Cloud Security Threat Detection (2024)

Detect, Respond, Secure

It's undeniable that cloud environments offer unparalleled benefits; however, poorly trained personnel can expose your organization to an ever-expanding list of dynamic threats. SEC541: Cloud Security Threat Detection is designed to address these challenges by equipping professionals with the skills to identify, detect, and respond to threats in cloud infrastructures. This comprehensive course delves into cloud-native logging, threat models, intrusion detection, and continuous monitoring, ensuring that your organization can maintain a robust security posture in AWS, Azure, and Microsoft 365 environments.

SEC541 immerses students in real-world scenarios, teaching them to navigate cloud-specific logs, build effective threat detection systems, and understand the unique aspects of cloud architecture. By mastering these skills, your team can significantly reduce detection and response times, enhance visibility into the cloud threat landscape, and effectively defend against sophisticated attacks.

SEC541 boosts the proficiency of cloud security analysts and empowers teams to operate more efficiently and effectively, maximizing your organization's security capabilities. Equip your workforce with the latest knowledge in cloud security threat detection and ensure your organization is prepared to tackle the complexities of modern cloud security challenges.

"I would recommend SEC541 to any cloud security stakeholder that wants to empower all the security tools companies have in order to improve detection, understand protection, and overall increase their security level."

- Veronique Dupont, Cloud Cyber Security Architect, Airbus

What Is Cloud Security Threat Detection?

Cloud security threat detection involves identifying and responding to potential threats within cloud environments by leveraging cloud-native tools and techniques. It encompasses monitoring cloud infrastructure for suspicious activities, analyzing cloud-native logs, and implementing threat detection systems to protect applications, data, and services. Effective cloud security threat detection includes continuous monitoring, intrusion detection, threat hunting, and utilizing frameworks like MITRE ATT&CK to maintain a robust security posture.

Business Takeaways

  • Reduce Detection and Response Time: Quickly identify and respond to critical cloud threats.
  • Enhance Visibility: Gain comprehensive insights into your cloud environment.
  • Improve Security Posture: Implement effective cloud-specific threat detection strategies.
  • Proactive Threat Management: Address threats early, aiding in swift incident resolution.
  • Efficiency and Automation: Increase efficiency with automated detection and response workflows.
  • Cost Savings: Avoid financial fallout by proactively securing your cloud environment.
  • Upskill Workforce: Equip your team with the latest cloud security knowledge and techniques to defend against sophisticated cloud threats.

Skills Learned

  • Understand how identities can be abused in cloud environments.
  • Monitor threat actors using cloud-native logging tools.
  • Define and understand compute resources such as virtual machines (VMs) and containers.
  • Detect and address attacker pivots within your cloud infrastructure.
  • Implement effective detection strategies using cloud provider tools.
  • Investigate and analyze instances in your compute resources for suspicious activities.
  • Perform detailed analysis and detection of threats in Microsoft 365 and Azure environments.
  • Pivot between different log sources to uncover the full narrative of an attack.
  • Build automation workflows to reduce repetitive security tasks.
  • Centralize and normalize data from various sources to enhance analysis and threat detection.

Hands-On Cloud Security Threat Detection Training

The hands-on portion of SEC541 is designed to provide students with practical, real-world experience in cloud security threat detection. Each student receives access to their own AWS and Azure accounts, where they can explore and interact with live cloud environments. The labs cover a wide range of topics, from analyzing cloud-native logs to detecting and responding to threats in AWS, Azure, and Microsoft 365. Students will perform attacks against their own accounts, generating the data needed for thorough analysis and investigation.

A key component of SEC541 is the 21 interactive labs, making up about 40% of the course time, split evenly between AWS and Azure environments. These labs are essential for applying the lecture's lessons by allowing students to practice and hone their skills in a controlled environment. By engaging in these hands-on activities, students gain a deeper understanding of cloud-specific threats and the tools and techniques needed to detect and respond to them effectively. This immersive approach ensures that participants leave the course with the confidence and capability to secure their own cloud environments.

"Inputting the malicious commands makes the labs much more interesting. Learning what to look for from both sides of the keyboard in one course is refreshing."

- Scott H., US Government

"I liked the labs. They were beefy but they were fun. I really liked the brute force lab because that is 100% legit. I thought it was really cool too how they show you two ways to do almost the same thing with Athena and CloudWatch."

- Samuel Cosentino, Cisco

"I really like the labs and the fact that we play the attacks before watching the logs, that's pretty cool."

- Damien Glomon, ANSSI

Syllabus Summary

  • Section 1: Detect adversarial activity through management API and network logs.
  • Section 2: Dive into logging for compute resources, VMs, and containers.
  • Section 3: Master detection services and understand cloud attack surfaces.
  • Section 4: Deep dive into threats and detections in Microsoft 365 and Azure.
  • Section 5: Automate response actions and test your skills in the CloudWars Challenge.

Additional Free Resources

Workshops

  • Aviata Cloud Chapter 4: Attack and Detect Kubernetes
  • Aviata Cloud Chapter 3: Transitioning to Containerization
  • Hands-On Workshop: Building Better Detections | AWS Edition
  • Hands-On Workshop: Building Better Detections | Azure Edition
  • SANS Workshop: Attacking and Defending Serverless Applications

Webcasts

  • Evolution of SIEM in the Cloud
  • Building Better Cloud Detections... By Hacking? | AWS Edition
  • Building Better Cloud Detections... By Hacking? | Azure Edition
  • The Threat Detection with Cloud API Logs: A Case Study from Capital One
  • Threat Hunting Through Log Analysis in AWS
  • The Case of the Cloudy Deception: A Sherlock Holmes Story
  • How to Secure a Modern Web Application in AWS

Blogs

  • Building a Cloud Security Flywheel: Lessons from the Field
  • Cloud Attacks: What's Old is New - Part 1
  • Cloud Attacks: What's New is New - Part 2

Posters

  • Finding Sherlock: Cloud Attack and Detect

What You Will Receive

  • Printed and electronic courseware
  • MP3 audio files of the complete course lecture
  • Access to a virtual machine in the AWS cloud
  • SANS provided AWS account
  • SANS provided Azure account

What Comes Next?

Depending on your professional goals and direction, SANS offers a number of follow-on courses to SEC541.

  • Cloud Security Analyst
    • SEC488: Cloud Security Essentials | GCLD
    • SEC510: Cloud Security Controls and Mitigations | GPCS
  • Cloud Detection and Response
    • FOR509: Enterprise Cloud Forensics and Incident Response | GCFR
    • SEC588: Cloud Penetration Testing | GCPN

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

MANDATORY SEC541 SYSTEM HARDWARE REQUIREMENTS

  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.

MANDATORY SEC541 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS

  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Students should have an OpenSSH client installed on their laptop.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact support.
