Sans 530

SEC530: Defensible Security Architecture and Engineering course teaches students to build and maintain a robust security architecture in a de-perimeterized world. The curriculum covers analyzing security deficiencies, reconfiguring existing assets, and implementing modern security practices across various layers of network and data security. Hands-on labs and a team-based challenge reinforce the principles learned, focusing on maximizing current investments and adapting to evolving threats.


SEC530: Defensible Security Architecture and Engineering

GIAC certification: GDSA, Defensible Security Architecture (giac.org/gdsa)
SEC530: Defensible Security Architecture and Engineering is designed to help students build and maintain a truly defensible security architecture. “The perimeter is dead” is a favorite saying in this age of mobile, cloud, and the Internet of Things, and we are indeed living in a new world of “de-perimeterization” where the old boundaries of “inside” and “outside” or “trusted” and “untrusted” no longer apply.

This changing landscape requires a change in mindset, as well as a repurposing of many devices. Where does it leave our classic perimeter devices such as firewalls? What are the ramifications of the “encrypt everything” mindset for devices such as Network Intrusion Detection Systems?

In this course, students will learn the fundamentals of up-to-date defensible security architecture. There will be a heavy focus on leveraging current infrastructure (and investment), including switches, routers, and firewalls. Students will learn how to reconfigure these devices to better address the threat landscape they face today. The course will also suggest newer technologies to aid in building a robust security infrastructure.

While this is not a monitoring course, it will dovetail nicely with continuous security monitoring, ensuring that security architecture not only supports prevention, but also provides the critical logs that can be fed into a Security Information and Event Management (SIEM) system in a Security Operations Center.

Hands-on labs will reinforce key points in the course and provide actionable skills that students will be able to leverage as soon as they return to work.

6 Day Program | 36 CPEs | Laptop Required

You Will Be Able To
• Analyze a security architecture for deficiencies
• Apply the principles learned in the course to design a defensible security architecture
• Determine appropriate security monitoring needs for organizations of all sizes
• Maximize existing investment in security architecture by reconfiguring existing assets
• Determine capabilities required to support continuous monitoring of key Critical Security Controls
• Configure appropriate logging and monitoring to support a Security Operations Center and continuous monitoring program
Who Should Attend
• Security architects
• Network engineers
• Network architects
• Security analysts
• Senior security engineers
• System administrators
• Technical security managers
• CND analysts
• Security monitoring specialists
• Cyber threat investigators

“As a systems programmer working on the development of security tools, the architectural content provided has been highly informative and extremely valuable.”
— Merv Hammer, Workday Inc.

“SEC530 provided an excellent understanding of application attacks and how to protect against them.”
— Shayne Douglass, AMEWAS Inc.

Available Training Formats

Live Training
• Live Events: sans.org/information-security-training/by-location/all
• Summit Events: sans.org/cyber-security-summit
• Private Training: sans.org/private-training

Online Training
• OnDemand: sans.org/ondemand
• Simulcast: sans.org/simulcast
Section Descriptions

SECTION 1: Defensible Security Architecture and Engineering

Section 1 of the course describes hardening systems and networks at every layer, from layer one (physical) to layer seven (applications and data). To quote Richard Bejtlich’s The Tao of Network Security Monitoring, defensible networks “encourage, rather than frustrate, digital self-defense.” The section begins with an overview of traditional network and security architectures and their common weaknesses. The defensible security mindset is “build it once, build it right.” All networks must perform their operational functions effectively, and security can be complementary to this goal. It is much more efficient to bake security in at the outset than to retrofit it later. The discussion will then turn to layer one (physical) and layer two (data link) best practices, including many “ripped from the headlines” tips the course authors have successfully deployed in the trenches to harden infrastructure in order to prevent and detect modern attacks. Examples include the use of private VLANs, which effectively kills the malicious client-to-client pivot, and 802.1X and NAC, which mitigate rogue devices. Specific Cisco IOS syntax examples are provided to harden switches.

TOPICS: Traditional Security Architecture Deficiencies; Defensible Security Architecture; Threat, Vulnerability, and Data Flow Analysis; Layer 1 Best Practices; Layer 2 Best Practices; Netflow

SECTION 2: Network Security Architecture and Engineering

Section 2 continues hardening the infrastructure and moves on to layer three: routing. Actionable examples are provided for hardening routers, with specific Cisco IOS commands to perform each step. The section then continues with a deep dive on IPv6, which currently accounts for 23% of Internet backbone traffic, according to Google, while simultaneously being used and ignored by most organizations. This section will provide deep background on IPv6, discuss common mistakes (such as applying an IPv4 mindset to IPv6), and provide actionable solutions for securing the protocol. The section wraps up with a discussion of VPN and stateful layer three/four firewalls.

TOPICS: Layer 3: Router Best Practices; Layer 3 Attacks and Mitigation; Layer 2 and 3 Benchmarks and Auditing Tools; Securing SNMP; Securing NTP; Bogon Filtering, Blackholes, and Darknets; IPv6; Securing IPv6; VPN; Layer 3/4 Stateful Firewalls; Proxy
SECTION 3: Network-Centric Security

Organizations own or have access to many network-based security technologies ranging from next-generation firewalls to web proxies and malware sandboxes. Yet the effectiveness of these technologies is directly affected by their implementation. Too much reliance on built-in capabilities like application control, antivirus, intrusion prevention, data loss prevention, or other automatic evil-finding deep packet inspection engines leads to a prevention-focused implementation with huge gaps in both prevention and detection. Section 3 focuses on using application layer security solutions that an organization already owns with a modern mindset. By thinking outside the box, even old controls like a spam appliance can be used to catch modern attacks such as phishing via cousin domains and other spoofing techniques. And again, by engineering defenses for modern attacks, both prevention and detection capabilities gain significantly.

TOPICS: NGFW; NIDS/NIPS; Network Security Monitoring; Sandboxing; Encryption; Secure Remote Access; Distributed Denial-of-Service (DDoS)

SECTION 4: Data-Centric Security

Organizations cannot protect something they do not know exists. The problem is that critical and sensitive data exist all over. Complicating this even more is that data are often controlled by a full application stack involving multiple services that may be hosted on-premises or in the cloud. Section 4 focuses on identifying core data where they reside and how to protect those data. Protection includes the use of data governance solutions and full application stack security measures such as web application firewalls and database activity monitoring, as well as keeping a sharp focus on securing the systems hosting core services such as on-premises hypervisors, cloud computing platforms, and container services such as Docker. The data-centric security approach focuses on what is core to an organization and prioritizes security controls around it. Why spend copious amounts of time and money securing everything when controls can be optimized and focused on securing what matters? Let’s face it: some systems are more critical than others.

TOPICS: Application (Reverse) Proxies; Full Stack Security Design; Web Application Firewalls; Database Firewalls/Database Activity Monitoring; File Classification; Data Loss Prevention (DLP); Data Governance; Mobile Device Management (MDM) and Mobile Application Management (MAM); Private Cloud Security; Public Cloud Security; Container Security
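Section 3 above mentions that an old control such as a spam appliance can catch phishing via cousin domains. The following is an added example of that detection logic, not SANS or SEC530 course material: the protected-domain list (acmebank.com, example.com), the sample sender addresses and the edit-distance thresholds are constructed, and the function names are the example's own. It goes a little beyond the single case in the text by sorting look-alikes into the usual families (homoglyph, TLD swap, typosquat, combosquat) so each can drive a different rule.

```python
"""Cousin-domain (look-alike sender domain) detection.

Added example, not SANS or SEC530 course material. The protected-domain
list, the sample sender addresses and the distance thresholds are constructed.
"""
import unicodedata

# Constructed: the organization's own domains that a phisher would imitate.
PROTECTED_DOMAINS = ["acmebank.com", "example.com"]

# Substitutions that look alike in common fonts. Multi-character sequences are
# folded before single characters so that "rn" collapses to "m" first.
MULTI_CHAR_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}
SINGLE_CHAR_CONFUSABLES = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"}
)


def to_unicode(domain):
    """Decode punycode (xn--) labels so IDN look-alikes can be compared."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or malformed punycode: compare as-is


def normalize(label):
    """Fold a label to a skeleton in which look-alike spellings collide."""
    decomposed = unicodedata.normalize("NFKD", label)      # ä -> a + diaeresis
    skeleton = "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()
    for seq, replacement in MULTI_CHAR_CONFUSABLES.items():
        skeleton = skeleton.replace(seq, replacement)
    return skeleton.translate(SINGLE_CHAR_CONFUSABLES)


def edit_distance(a, b):
    """Levenshtein distance (two-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Return (second-level label, TLD). Naive on purpose: a deployment should use
    the Public Suffix List so that acmebank.co.uk splits as acmebank + co.uk."""
    labels = to_unicode(domain).casefold().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def max_distance(label):
    """Constructed threshold: one typo for short labels, two for long ones."""
    return 1 if len(label) < 8 else 2


def classify(sender_domain, protected_domains=PROTECTED_DOMAINS):
    """Return (verdict, protected domain matched). Verdicts: legitimate,
    homoglyph, tld-swap, typosquat, combosquat, unrelated."""
    s_label, s_tld = split_domain(sender_domain)
    s_skel = normalize(s_label)
    for protected in protected_domains:
        p_label, p_tld = split_domain(protected)
        p_skel = normalize(p_label)
        if (s_label, s_tld) == (p_label, p_tld):
            return "legitimate", protected   # SPF/DKIM/DMARC still decide authenticity
        if s_label != p_label and s_skel == p_skel:
            return "homoglyph", protected    # acrnebank, acmeb4nk, IDN spellings
        if s_label == p_label and s_tld != p_tld:
            return "tld-swap", protected     # acmebank.co
        if edit_distance(s_skel, p_skel) <= max_distance(p_skel):
            return "typosquat", protected    # acmebanck
        if p_skel in s_skel and len(s_skel) > len(p_skel):
            return "combosquat", protected   # acmebank-secure
    return "unrelated", None


def flag_senders(from_addresses):
    """Return (address, verdict, imitated domain) for senders imitating a protected domain."""
    hits = []
    for addr in from_addresses:
        verdict, target = classify(addr.rsplit("@", 1)[-1])
        if verdict not in ("legitimate", "unrelated"):
            hits.append((addr, verdict, target))
    return hits


if __name__ == "__main__":
    # Constructed sample From: addresses, as a spam appliance rule would see them.
    sample = ["alerts@acmebank.com", "security@acmebank.co", "it-help@acrnebank.com",
              "payroll@acmebanck.com", "login@acmebank-secure.com", "news@unrelated.net"]
    for hit in flag_senders(sample):
        print(hit)
```

Two caveats a practitioner would want: NFKD folding only catches accented Latin letters, so script-mixing look-alikes (a Cyrillic а in place of a Latin a) need the Unicode confusables table on top of this, and a "legitimate" verdict is only a name match, not proof the mail came from that domain; SPF, DKIM and DMARC decide that. Everything other than legitimate or unrelated is what you quarantine or forward to the SIEM.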

SECTION 5: Zero-Trust Architecture: Addressing the Adversaries Already in Our Networks

Today, a common security mantra is “trust but verify.” But this is a broken concept. Computers are capable of calculating trust on the fly, so rather than thinking in terms of “trust but verify” organizations should be implementing “verify then trust.” By doing so, access can be constrained to appropriate levels at the same time that access can become more fluid. This section focuses on implementing a zero-trust architecture where trust is no longer implied but must be proven. By doing so, a model of variable trust can be used to change access levels dynamically. This, in turn, allows for implementing fewer or more security controls as necessary given a user’s and a device’s trust maintained over time. The focus is on implementing zero trust with existing security technologies to maximize their value and impact for an organization’s security posture. During this section encryption and authentication will be used to create a hardened network, whether external or internal. Also, advanced defensive techniques will be implemented to stop modern attack tools in their tracks while leaving services fully functional for authorized assets.

TOPICS: Zero-Trust Architecture; Credential Rotation; Compromised Internal Assets; Securing the Network; Tripwire and Red Herring Defenses; Patching; Deputizing Endpoints as Hardened Security Sensors; Scaling Endpoint Log Collection/Storage/Analysis

SECTION 6: Hands-On Secure-the-Flag Challenge

The course culminates in a team-based Design-and-Secure-the-Flag competition. Powered by NetWars, day six provides a full day of hands-on work applying the principles taught throughout the week. Your team will progress through multiple levels and missions designed to ensure mastery of the modern cyber defense techniques promoted throughout this course. Teams will assess, design, and secure a variety of computer systems and devices, leveraging all seven layers of the OSI model.

TOPICS: Capstone – Design/Detect/Defend

Course Preview available at: sans.org/demo
