The Most Trusted Source for Information Security Training,Certification, and Research

Protect Your Business | Advance Your CareerNine hands-on, immersion-style courses taught by real-world practitioners

Cyber DefenseEthical Hacking Digital Forensics SIEM

Monitoring & DetectionCritical Security Controls Secure Development

See inside for courses offered in:

SAVE $400 Register and pay by Jan 24th Use code EarlyBird18

www.sans.org/tysons-corner-spring

INFORMATION SECURITYTRAINING Tysons 2018

McLean, VA | March 17-24

Northern Virginia Spring

“ Be prepared to learn! Course content is spot-on, very relevant, and has useful topics which I will put to use immediately.”-Stefan Winter, Costco Wholesale

Evening Bonus Sessions Take advantage of these extra evening presentations

and add more value to your training. Learn more on page 10.

KEYNOTE: Everything You Ever Learned About Passwords Is Wrong Keith Palmgren

The Most Dangerous Game: Hunting Post-Exploitation with Elasticsearch and the MITRE ATT&CK Framework

John Hubbard

Register today for SANS Northern VA Spring – Tysons 2018! www.sans.org/tyson-corner-spring

@SANSInstitute Join the conversation: #SANSTysons

Northern VA Spring – Tysons 2018 MARCH 17-24

SANS Instructors SANS instructors are real-world practitioners who specialize in the subjects they teach. All instructors undergo rigorous training and testing in order to teach SANS courses, which guarantees what you learn in class will be up to date and relevant to your job. The SANS Northern VA Spring – Tysons 2018 lineup of instructors includes:

SAT 3-17

SUN 3-18

MON 3-19

TUE 3-20

WED 3-21

THU 2-22

FRI 3-23

SAT 3-24

SEC301 Intro to Information SecuritySEC401 Security Essentials Bootcamp StyleSEC440 Critical Security Controls: Planning, Implementing,

and AuditingSEC501 Advanced Security Essentials – Enterprise DefenderSEC503 Intrusion Detection In-DepthSEC504 Hacker Tools, Techniques, Exploits, and Incident HandlingSEC555 SIEM with Tactical AnalyticsFOR572 Advanced Network Forensics and AnalysisDEV540 Secure DevOps and Cloud Application Security Page 9 NEW!

Page 3

Page 4

Page 5

Page 6

Page 7 NEW!

Page 8

Page 10

Page 2

Courses at a Glance

Save $400 when you register and pay by January 24th using code EarlyBird18

Chris Christianson Certified Instructor @cchristianson

John Hubbard Instructor @SecHubb

Philip Hagen Certified Instructor @PhilHagen

Eric Johnson Certified Instructor @emjohn20

Matt Bromiley Instructor @mbromileyDFIR

Bryce Galbraith Principal Instructor @brycegalbraith

Paul A. Henry Senior Instructor @phenrycissp

Keith Palmgren Senior Instructor @kpalmgren

Donald Williams Certified Instructor @donaldjwilliam5

1

Register at www.sans.org/tysons-corner-spring | 301-654-SANS (7267) 2

“I feel that this class should be taught to anyone who uses the Internet. This should be a course that SANS teaches to companies with executives and end users who like to click on stuff or complain about being secure.” -Chante Walston, Markel Corporation

“The instructor is phenomenal, engaging, articulate, a master of the material, and made day-one information very easy to follow.” -Kevin Flaherty, DARPA

SEC301Intro to Information Security

GISF CertificationInformation Security Fundamentals

www.giac.org/gisf

Five-Day Program Mon, Mar 19 - Fri, Mar 23 9:00am - 5:00pm 30 CPEs Laptop Required Instructor: Keith Palmgren

To determine if the SANS SEC301 course is right for you, ask yourself five simple questions:

▐ Do you have basic computer knowledge, but are new to information security and in need of an introduction to the fundamentals?

▐ Are you bombarded with complex technical security terms that you don’t understand? ▐ Are you a non-IT security manager (with some technical knowledge) who lays awake at

night worrying that your company will be the next mega-breach headline story on the 6 o’clock news?

▐ Do you need to be conversant in basic security concepts, principles, and terms, even if you don’t need “deep in the weeds” detail?

▐ Have you decided to make a career change to take advantage of the job opportunities in information security and need formal training/certification?

If you answer yes to any of these questions, the SEC301: Intro to Information Security training course is for you. Jump-start your security knowledge by receiving insight and instruction from real-world security experts on critical introductory topics that are fundamental to information security. This completely revised five-day, comprehensive course covers everything from core terminology to the basics of computer networks, security policies, incident response, passwords, and even an introduction to cryptographic principles.

This course is designed for students who have a basic knowledge of computers and technology but no prior knowledge of cybersecurity. The hands-on, step-by-step teaching approach will enable you to grasp all of the information presented, even if some of the topics are new to you. You’ll learn the fundamentals of information security that will serve as the foundation of your InfoSec skills and knowledge for years to come.

Written by a security professional with over 30 years of experience in both the public and private sectors, SEC301 provides uncompromising real-world insight from start to finish. The course prepares you for the Global Information Security Fundamentals (GISF) certification test, as well as for the next course up the line, SEC401: Security Essentials Bootcamp Style. It also delivers on the SANS promise: You will be able to use the knowledge and skills you learn in SEC301 as soon as you return to work.

“The course fills in all my gaps about understanding information security and has provided me the skills to engage SMEs in my

InfoSec organization. The instructor and material were great, and students walked away with considerable knowledge.”

-Ira Hubert, FedEx Corporation

WITH THIS COURSE www.sans.org/ondemand

Keith Palmgren SANS Senior InstructorKeith Palmgren is an IT security professional with 26 years of experience in the field. He began his career with the U.S. Air Force working with cryptographic keys and codes management. He also worked in what was at the time the newly-formed computer security department. Following the Air Force, Keith worked as an MIS director for a small company before joining AT&T/Lucent as a senior security architect working on engagements with the DoD and the National Security Agency. As security practice manager for both Sprint and Netigy, Keith built and ran the security consulting practice, responsible for all security consulting

world-wide and for leading dozens of security professionals on many consulting engagements across all business spectrums. For the last several years, Keith has run his own company, NetIP, Inc. He divides his time between consulting, training, and freelance writing projects. As a trainer, Keith has satisfied the needs of nearly 5,000 IT professionals and authored 17 training courses. Keith currently holds the CISSP, GSEC, CEH, Security+, Network+, A+, and CTT+ certifications. @kpalmgren

world-wide and for leading dozens of security professionals on many consulting engagements across all business spectrums. For

For course updates, prerequisites, special notes, or laptop requirements, visit www.sans.org/event/northern-va-spring-tysons-2018/courses 3

“Thank you SANS for a deeply challenging and rewarding week of learning.” -Chris Drews, 3M

Chris Christianson SANS Certified InstructorChris Christianson is an information security consultant based in Northern California with 20 years of experience and many technical certifications, including: GSEC, GCIH, GCIA, GREM, GPEN, GWAPT, GCCC, GISF, GCED, CISSP, CCSE, CCDP, CCNP, IAM, CEH, and IEM. He holds a Bachelor of Science in Management Information Systems from University of Atlanta. Before starting his own information security consultant services, he worked at Travis Credit Union for 21 years. His last role there was the Assistant Vice President of the Information Technology department at Travis Credit Union (December 2012 - January 2016). Chris

has also been an expert speaker at conferences and a contributor to numerous industry articles. @cchristiansonhas also been an expert speaker at conferences and a contributor to numerous industry articles.

SEC401Security Essentials Bootcamp Style

GSEC CertificationSecurity Essentials

www.giac.org/gsec

Six-Day Program Mon, Mar 19 - Sat, Mar 24 9:00am - 7:00pm (Days 1-5) 9:00am - 5:00pm (Day 6) 46 CPEs Laptop Required Instructor: Chris Christianson

Who Should Attend ▐ Security professionals

who want to fill the gaps in their understanding of technical information security

▐ Managers who want to understand information security beyond simple terminology and concepts

▐ Operations personnel who do not have security as their primary job function but need an understanding of security to be effective

▐ IT engineers and supervisors who need to know how to build a defensible network against attacks

▐ Administrators responsible for building and maintaining systems that are being targeted by attackers

▐ Forensic specialists, penetration testers, and auditors who need a solid foundation of security principles to be as effective as possible at their jobs

▐ Anyone new to information security with some background in information systems and networking

Learn the most effective steps to prevent attacks and detect adversaries with actionable techniques that you can directly apply when you get back to work. Learn tips and tricks from the experts so that you can win the battle against the wide range of cyber adversaries that want to harm your environment.Is SEC401: Security Essentials Bootcamp Style the right course for you? STOP and ask yourself the following questions:

▐ Do you fully understand why some organizations get compromised and others do not?

▐ If there were compromised systems on your network, are you confident that you would be able to find them?

▐ Do you know the effectiveness of each security device and are you certain that they are all configured correctly?

▐ Are proper security metrics set up and communicated to your executives to drive security decisions?

If you do not know the answers to these questions, SEC401 course will provide the information security training you need in a bootcamp-style format that is reinforced with hands-on labs.Learn to build a security roadmap that can scale today and into the future.SEC401: Security Essentials Bootcamp Style is focused on teaching you the essential information security skills and techniques you need to protect and secure your organization’s critical information assets and business systems. Our course will show you how to prevent your organization’s security problems from being headline news in the Wall Street Journal!Prevention is ideal but detection is a must.With the rise in advanced persistent threats, it is almost inevitable that organizations will be targeted. Whether the attacker is successful in penetrating an organization’s network depends on the effectiveness of the organization’s defense. Defending against attacks is an ongoing challenge, with new threats emerging all of the time, including the next generation of threats. Organizations need to understand what really works in cybersecurity. What has worked, and will always work, is taking a risk-based approach to cyber defense. Before your organization spends a dollar of its IT budget or allocates any resources or time to anything in the name of cybersecurity, three questions must be answered:

▐ What is the risk? ▐ Is it the highest priority risk? ▐ What is the most cost-effective way to reduce the risk?

Security is all about making sure you focus on the right areas of defense. In SEC401 you will learn the language and underlying theory of computer and information security. You will gain the essential and effective security knowledge you will need if you are given the responsibility for securing systems and/or organizations. This course meets both of the key promises SANS makes to our students: (1) You will learn up-to-the-minute skills you can put into practice immediately upon returning to work; and (2) You will be taught by the best security instructors in the industry.

www.sans.eduWITH THIS COURSE

www.sans.org/ondemandwww.sans.org/8140

Register at www.sans.org/tysons-corner-spring | 301-654-SANS (7267) 4

www.sans.eduWITH THIS COURSE

www.sans.org/ondemandwww.sans.org/8140

“SEC501 is the perfect course to immerse enterprise security staff into essential skills. Failing to attend this course is done at the peril of your organization.” -John N. Johnson, Houston Police Department

SEC501Advanced Security Essentials – Enterprise Defender

GCED CertificationCertified Enterprise Defender

www.giac.org/gced

Six-Day Program Mon, Mar 19 - Sat, Mar 24 9:00am - 7:00pm (Day 1) 9:00am - 5:00pm (Days 2-6) 38 CPEs Laptop Required Instructor: Paul A. Henry

Who Should Attend ▐ Incident responders and

penetration testers ▐ Security Operations

Center engineers and analysts

▐ Network security professionals

▐ Anyone who seeks technical in-depth knowledge about implementing comprehensive security solutions

Effective cybersecurity is more important than ever as attacks become stealthier, have a greater financial impact, and cause broad reputational damage. SEC501: Advanced Security Essentials – Enterprise Defender builds on a solid foundation of core policies and practices to enable security teams to defend their enterprise.

It has been said of security that “prevention is ideal, but detection is a must.” However, detection without response has little value. Network security needs to be constantly improved to prevent as many attacks as possible and to swiftly detect and respond appropriately to any breach that does occur. This PREVENT - DETECT - RESPONSE strategy must be in place both externally and internally. As data become more portable and networks continue to be porous, there needs to be an increased focus on data protection. Critical information must be secured regardless of whether it resides on a server, in a robust network architecture, or on a portable device.

“Nearly 100% of the material covered in SEC501 is immediately applicable to the daily role of an analyst, regardless of industry.”

-TERRY BOEDEKER, FIREEYE

Despite an organization’s best efforts to prevent network attacks and protect its critical data, some attacks will still be successful. Therefore, organizations need to be able to detect attacks in a timely fashion. This is accomplished by understanding the traffic that is flowing on your networks, looking for indications of an attack, and performing penetration testing and vulnerability analysis against your organization to identify problems and issues before a compromise occurs.

Finally, once an attack is detected we must react quickly and effectively and perform the forensics required. Knowledge gained by understanding how the attacker broke in can be fed back into more effective and robust preventive and detective measures, completing the security lifecycle.

Paul A. Henry SANS Senior InstructorPaul is one of the world’s foremost global information security and computer forensic experts, with more than 20 years’ experience managing security initiatives for Global 2000 enterprises and government organizations worldwide. Paul is a principal at vNet Security, LLC and is keeping a finger on the pulse of network security as the security and forensic analyst at Lumension Security. Throughout his career, Paul has played a key strategic role in launching new network security initiatives to meet our ever-changing threat landscape. He also advises and consults on some of the world’s most challenging and high-risk information

security projects, including the National Banking System in Saudi Arabia, the Reserve Bank of Australia, the U.S. Department of Defense’s Satellite Data Project, and both government and telecommunications projects throughout Southeast Asia. Paul is frequently cited by major publications as an expert on perimeter security, incident response, computer forensics, and general security trends, and serves as an expert commentator for network broadcast outlets such as FOX, NBC, CNN, and CNBC. In addition, Paul regularly authors thought leadership articles on technical security issues, and his expertise and insight help shape the editorial direction of key security publications such as the Information Security Management Handbook, to which he is a consistent contributor. Paul is a featured speaker at seminars and conferences worldwide, delivering presentations on diverse topics such as anti-forensics, network access control, cyber crime, DDoS attack risk mitigation, perimeter security, and incident response. @phenrycissp

security projects, including the National Banking System in Saudi Arabia, the Reserve Bank of Australia, the U.S. Department of

For course updates, prerequisites, special notes, or laptop requirements, visit www.sans.org/event/northern-va-spring-tysons-2018/courses 5

SEC503Intrusion Detection In-Depth

GCIA CertificationCertified Intrusion Analyst

www.giac.org/gcia

Six-Day Program Mon, Mar 19 - Sat, Mar 24 9:00am - 5:00pm 36 CPEs Laptop Required Instructor: Donald Williams

Who Should Attend ▐ Intrusion detection (all

levels), system, and security analysts

▐ Network engineers and administrators

▐ Hands-on security managers

Reports of prominent organizations being hacked and suffering irreparable reputational damage have become all too common. How can you prevent your company from becoming the next victim of a major cyber attack?

Preserving the security of your site in today’s threat environment is more challenging than ever before. The security landscape is continually changing from what was once only perimeter protection to protecting exposed and mobile systems that are almost always connected and sometimes vulnerable. Security-savvy employees who can help detect and prevent intrusions are therefore in great demand. Our goal in SEC503: Intrusion Detection In-Depth is to acquaint you with the core knowledge, tools, and techniques to defend your networks with insight and awareness. The training will prepare you to put your new skills and knowledge to work immediately upon returning to a live environment.

Mark Twain said, “It is easier to fool people than to convince them that they’ve been fooled.” Too many IDS/IPS solutions provide a simplistic red/green, good/bad assessment of traffic and too many untrained analysts accept that feedback as the absolute truth. This course emphasizes the theory that a properly trained analyst uses an IDS alert as a starting point for examination of traffic, not as a final assessment. SEC503 imparts the philosophy that the analyst must have access to alerts and the ability to examine them in order to give them meaning and context. You will learn to investigate and reconstruct activity to determine if it is noteworthy or a false indication.

SEC503: Intrusion Detection In-Depth delivers the technical knowledge, insight, and hands-on training you need to defend your network with confidence. You will learn about the underlying theory of TCP/IP and the most used application protocols, such as DNS and HTTP, so that you can intelligently examine network traffic for signs of an intrusion. You will get plenty of practice learning to master different open-source tools like tcpdump, Wireshark, Snort, Bro, tshark, and SiLK. Daily hands-on exercises suitable for all experience levels reinforce the course book material so that you can transfer knowledge to execution. Basic exercises include assistive hints while advanced options provide a more challenging experience for students who may already know the material or who have quickly mastered new material.

www.sans.edu www.sans.org/8140WITH THIS COURSE

www.sans.org/ondemandwww.sans.org/cyber-guardian

“This course provides the valuable ‘building block’ concepts of most other SANS courses and IT security that are way too often skipped or ignored. This should be a requisite for the field.” -Rebel Powell, DOE-OSTI

“The concepts learned in SEC503 helped me bridge a gap in knowledge of what we need to better protect our organization.” -Greg Thys, Mary Greeley Medical Center

Donald Williams SANS Certified InstructorDonald retired from active duty in 2014 after over 20 years of service in the U.S. Army. He has extensive experience in incident handling, intrusion analysis, and network auditing. During his Army career, Donald served as the Defensive Cyber Operations Chief for the Army’s Regional Computer Emergency Response Team in South West Asia (RCERT-SWA), directly overseeing the intrusion analysis and incident response teams for one of the Army’s largest networks spanning over 10 countries. Donald holds several GIAC certifications, including the GIAC Security Expert (GSE), GCIH, GCIA, and GSNA certifications, as well as

numerous other industry certifications. @donaldjwilliam5numerous other industry certifications.

Register at www.sans.org/tysons-corner-spring | 301-654-SANS (7267) 6

“Excellent, real-world examples and demos, with step-by-step examples of how to respond to an attack. SEC504 is a must for everyone on the team.” -Mike Pyke, VyStar Credit Union

SEC504Hacker Tools, Techniques, Exploits, and Incident Handling

GCIH CertificationIncident Handler

www.giac.org/gcih

Six-Day Program Mon, Mar 19 - Sat, Mar 24 9:00am - 7:15pm (Day 1) 9:00am - 5:00pm (Days 2-6) 37 CPEs Laptop Required (If your laptop supports only wireless, please bring a USB Ethernet adapter.) Instructor: Bryce Galbraith

Who Should Attend ▐ Incident handlers ▐ Leaders of incident

handling teams ▐ System administrators

who are on the front lines defending their systems and responding to attacks

▐ Other security personnel who are first responders when systems come under attack

The Internet is full of powerful hacking tools and bad guys using them extensively. If your organization has an Internet connection and one or two disgruntled employees (and whose does not!), your computer systems will get attacked. From the five, ten, or even one hundred daily probes against your Internet infrastructure to the malicious insider slowly creeping through your most vital information assets, attackers are targeting your systems with increasing viciousness and stealth. As defenders, it is essential we understand these hacking tools and techniques.

“As someone who works in information security but has never had to do a full incident report, SEC504 taught me all the proper processes and steps.” -Todd Choryan, Motorola Solutions

This course enables you to turn the tables on computer attackers by helping you understand their tactics and strategies in detail, giving you hands-on experience in finding vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan. It addresses the latest cutting-edge, insidious attack vectors, the “oldie-but-goodie” attacks that are still prevalent, and everything in between. Instead of merely teaching a few hack attack tricks, this course provides a time-tested, step-by-step process for responding to computer incidents and a detailed description of how attackers undermine systems so you can prepare for, detect, and respond to those attacks. In addition, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence. Finally, students will participate in a hands-on workshop that focuses on scanning, exploiting, and defending systems. This course will enable you to discover the holes in your system before the bad guys do!

The course is particularly well-suited to individuals who lead or are a part of an incident handling team. General security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.

WITH THIS COURSE www.sans.org/ondemandwww.sans.org/cyber-guardian www.sans.org/8140www.sans.edu

Bryce Galbraith SANS Principal InstructorAs a contributing author to the internationally bestselling book Hacking Exposed: Network Security Secrets & Solutions, Bryce helped bring the secret world of hacking out of the darkness and into the public eye. Bryce has held security positions at global ISPs and Fortune 500 companies, was a member of Foundstone’s renowned penetration testing team, and served as a senior instructor and co-author of Foundstone’s Ultimate Hacking: Hands-On course series. Bryce is currently the owner of Layered Security, where he provides specialized vulnerability assessment and penetration testing services for clients. He

teaches several of the SANS Institute’s most popular courses and develops curriculum around current topics. He has taught the art of ethical hacking and countermeasures to thousands of IT professionals from a “who’s who” of top companies, financial institutions, and government agencies around the globe. Bryce is an active member of several security-related organizations, holds several security certifications, and speaks at conferences around the world. @brycegalbraith

teaches several of the SANS Institute’s most popular courses and develops curriculum around current topics. He has taught the art of

For course updates, prerequisites, special notes, or laptop requirements, visit www.sans.org/event/northern-va-spring-tysons-2018/courses 7

John Hubbard SANS InstructorJohn is currently the lead analyst for GlaxoSmithKline’s U.S. Security Operations Center. His daily responsibilities include detecting and defending against targeted attacks, threat hunting, incident response, and malware reverse-engineering. With degrees in electrical and computer engineering, focusing on cybersecurity, his interest and research spans from malware, penetration testing, and security monitoring, to mobile device attacks, car hacking, and the Internet of Things. He is GIAC GMON, GPEN, and GREM certified. John is passionate about information security, loves learning, and is enthusiastic about

helping others succeed in their studies. John is a regular attendee of BlackHat, DEF CON, and any other conference he can get to. In his free time, he studies malware, runs a honeypot network, and enjoys slowly turning his home into a data center. He maintains a web presence with his blog at 909research.com and on twitter @SecHubb, where he writes on current threats, malware, security monitoring, and his growing virtualization lab. @SecHubb

helping others succeed in their studies. John is a regular attendee of BlackHat, DEF CON, and any other conference he can get to. In

SEC555SIEM with Tactical Analytics NEW!

Six-Day Program Mon, Mar 19 - Sat, Mar 24 9:00am - 7:00pm (Days 1-5) 9:00am - 5:00pm (Day 6) 46 CPEs Laptop Required Instructor: John Hubbard

Who Should Attend ▐ Security analysts ▐ Security architects ▐ Senior security

engineers ▐ Technical security

managers ▐ SOC analysts, engineers,

and managers ▐ CND analysts ▐ Security monitoring

personnel ▐ System administrators ▐ Cyber threat

investigators ▐ Individuals working to

implement continuous security monitoring or network security

▐ Individuals working in a hunt team capacity

Many organizations have logging capabilities but lack the people and processes to analyze logging systems. These systems collect vast amounts of data from a variety of sources, so proper analysis requires an understanding of those data sources. This class is designed to provide students with the training, methods, and processes to enhance existing logging solutions. The class will also provide an understanding of the when, what, and why behind the logs. This is a lab-heavy course that utilizes SOF-ELK – a SANS-sponsored free Security Information and Event Management (SIEM) solution – to provide the hands-on experience and mindset needed for large-scale data analysis.

Today, security operations do not suffer from a “big data” problem but rather a “data analysis” problem. Let’s face it, there are multiple ways to store and process large amounts of data without any real emphasis on gaining insight into the information collected. Added to this daunting challenge, there is an infinite list of systems from which one can collect logs. It is easy to get lost in the perils of data saturation. This class is the switch from the typical churn-and-burn log systems to achieving actionable intelligence and developing a tactical Security Operations Center (SOC).

This course is designed to demystify the SIEM architecture and process by navigating the student through the steps of tailoring and deploying a SIEM to full SOC integration. The material will cover many bases in the appropriate use of a SIEM platform to enrich readily available log data in enterprise environments and extract actionable intelligence. Once the data are collected, the student will be shown how to present the gathered input into usable formats to aid in eventual correlation. Students will then iterate through the log data and events to analyze key components that will allow them to learn how rich this information is, how to correlate the data, start investigating based on the aggregate data, and finally, how to go hunting with this newly gained knowledge. They will also learn how to deploy internal post-exploitation tripwires and breach canaries to nimbly detect sophisticated intrusions. Throughout the course, the text and labs will not only show how to manually perform these actions, but also how to automate many of the processes mentioned so students can employ these tasks the day they return to the office.

The underlying theme is to actively apply Continuous Monitoring and analysis techniques by utilizing modern cyber threat attacks. Labs will involve replaying captured attack data to provide real-world results and visualizations.

“This course was uniquely valuable to me because my two companies don’t have SIEMs – we have been proposing implementing them for years. You have saved me and my companies a lot of time and resources with this course! Thank you!” -Dale Seefeldt, Rennes Group

GCDA CertificationComing Soon!

8 Register at www.sans.org/tysons-corner-spring | 301-654-SANS (7267)

Philip Hagen SANS Certified InstructorPhil began his studies at the U.S. Air Force Academy’s Computer Science Department, where he focused on network security and was an inaugural member of the computer security extracurricular group. He served in the Air Force as a communications o«cer at Beale AFB and the Pentagon. Today, Phil’s career has spanned the full attack life cycle – tool development, deployment, operations, and the investigative aftermath – giving him rare and deep insight into the artifacts left behind. Phil has covered deep technical tasks, managed an entire computer forensic services portfolio, and handled executive responsibilities. He’s supported systems that demanded 24x7x365 functionality, managed a team of 85 computer forensic professionals in the national

security sector, and provided forensic consulting services for law enforcement, government, and commercial clients. These experiences led Phil to his role today as the DFIR strategist at Red Canary, where he supports the firm’s managed threat detection service. Phil also spends time developing and maintaining the SOF-ELK distribution, a virtual appliance free for the DFIR Community. @PhilHagen

FOR572Advanced Network Forensics and Analysis

GNFA CertificationNetwork Forensic Analyst

www.giac.org/gnfa

Six-Day Program Mon, Mar 19 - Sat, Mar 24 9:00am - 5:00pm 36 CPEs Laptop Required Instructors: Philip Hagen,

Matt Bromiley

Who Should Attend ▐ Incident response

team members and forensicators

▐ Hunt team members ▐ Law enforcement

officers, federal agents, and detectives

▐ Information security managers

▐ Network defenders ▐ IT professionals ▐ Network engineers ▐ Anyone interested in

computer network intrusions and investigations

▐ Security Operations Center personnel and information security practitioners

It is exceedingly rare to work any forensic investigation that doesn’t have a network component. Endpoint forensics will always be a critical and foundational skill for this career, but overlooking network communications is akin to ignoring security camera footage of a crime as it was committed. Whether you handle an intrusion incident, data theft case, employee misuse scenario, or are engaged in proactive adversary discovery, the network often provides an unparalleled view of the incident. Its evidence can provide the proof necessary to show intent, uncover attackers that have been active for months or longer, or even prove useful in definitively proving a crime actually occurred.

FOR572: Advanced Network Forensics and Analysis was built from the ground up to cover the most critical skills needed to mount efficient and effective post-incident response investigations. We focus on the knowledge necessary to expand the forensic mindset from residual data on the storage media from a system or device to the transient communications that occurred in the past or continue to occur. Even if the most skilled remote attacker compromised a system with an undetectable exploit, the system still has to communicate over the network. Without command-and-control and data extraction channels, the value of a compromised computer system drops to almost zero. To put it another way: bad guys are talking – we’ll teach you to listen.

This course covers the tools, technology, and processes required to integrate network evidence sources into your investigations, with a focus on efficiency and effectiveness. You will leave this week with a well-stocked toolbox and the knowledge to use it on your first day back on the job. We will cover the full spectrum of network evidence, including high-level NetFlow analysis, low-level pcap exploration, ancillary network log examination, and more. We cover how to leverage existing infrastructure devices that may contain months or years of valuable evidence as well as how to place new collection platforms while an incident is already under way.

“Stellar course! I highly recommend adding this course to the training plan of the new cyber protect teams.” -Tom L., U.S. Air Force

www.sans.edu

WITH THIS COURSE www.sans.org/ondemand

Matt Bromiley SANS InstructorMatt Bromiley is a senior managing consultant at Kroll, a major incident response and forensic analysis firm, where he assists clients with incident response, digital forensics, and litigation support. He also serves as a SANS GIAC Advisory Board member, a subject-matter expert for the SANS Securing The Human Program, and a technical writer for the SANS Analyst Program. Matt has built a wide-ranging career that gives him a broad perspective on digital forensics. He has helped organizations of all types and sizes, from multinational conglomerates to small, regional companies. His skills run the gamut from disk, database and network forensics to malware analysis and classification, incident response/triage and threat intelligence, memory analysis, log analytics, and network

security monitoring. Along with traditional database forensics, Matt has experience deploying such tools as Elasticsearch, Splunk, and Hadoop to assist in large-scale forensic investigations, network security monitoring, and rapid forensic analysis on over 100 systems and over 10TB of logs. He has a particular interest in database and Linux forensics, as well as in building scalable analysis tools using free and open-source software. His extensive experience in digital forensics shines through in his teaching. An energetic, enthusiastic instructor, Matt sees digital forensics as a puzzle that is begging to be solved. Outside of work, Matt loves spending time with his family, cooking Texas BBQ, and making his house as automated as possible in hopes that it will one day do work for him. @mbromileyDFIR

security monitoring. Along with traditional database forensics, Matt has experience deploying such tools as Elasticsearch, Splunk, and

For course updates, prerequisites, special notes, or laptop requirements, visit www.sans.org/event/northern-va-spring-tysons-2018/courses 9

Eric Johnson SANS Certified InstructorEric Johnson is a senior security consultant at Cypress Data Defense and the Application Security Curriculum Product Manager at SANS. He is the lead author and instructor for DEV544: Secure Coding in .NET, as well as an instructor for DEV541: Secure Coding in Java/JEE. Eric serves on the advisory board for the SANS Securing The Human Developer awareness training program and is a contributing author for the developer security awareness modules. His experience includes web and mobile application penetration testing, secure code review, risk assessment, static source code analysis, security research, and

developing security tools. Eric completed a bachelor of science in computer engineering and a master of science in information assurance at Iowa State University, and currently holds the CISSP, GWAPT, GSSP-.NET, and GSSP-Java certifications. He is based in West Des Moines, Iowa and enjoys spending time with his wife and daughter, attending Iowa State athletic events, and golfing on the weekends. @emjohn20

developing security tools. Eric completed a bachelor of science in computer engineering and a master of science in information

DEV540Secure DevOps and Cloud Application Security NEW!

Five-Day Program Mon, Mar 19 - Fri, Mar 23 9:00am - 5:00pm 30 CPEs Laptop Required Instructor: Eric Johnson

Who Should Attend ▐ Persons working in the

DevOps environment or transitioning to a DevOps environment

▐ Anyone who wants to understand where to add security checks, testing, and other controls to DevOps and Continuous Delivery

▐ Anyone interested in learning how to migrate DevOps workflows to the cloud, specifically Amazon Web Services (AWS)

▐ Anyone interested in learning how to leverage cloud application security services provided by AWS

▐ Developers ▐ Software architects ▐ Operations engineers ▐ System administrators ▐ Security analysts,

engineers, and consultants

▐ Auditors ▐ Risk managers

DEV540 covers how developers and security professionals can build and deliver secure software using DevOps and cloud services, specifically Amazon Web Services (AWS). It explains how principles, practices, and tools in DevOps and AWS can be leveraged to improve the reliability, integrity, and security of applications.

The first two days of the course cover how Secure DevOps can be implemented using lessons from successful DevOps security programs. Students build a secure DevOps CI/CD toolchain and understand how code is automatically built, tested, and deployed using popular open-source tools such as git, Puppet, Jenkins, and Docker. In a series of labs students learn to inject security into the CI/CD toolchain using various security tools, patterns, and techniques.

The final three days of the course cover how developers and security professionals can utilize AWS services to build secure software in the cloud. Students leverage the CI/CD toolchain to push application code directly to the cloud instead of to local servers on their class virtual machines. Students analyze and fix applications hosted in the cloud using AWS services and features such as API Gateway, IAM, signed cookies, Security Token Service, autoscaling, KMS, encryption, WAF, and Lambda for Serverless computing.

The course makes extensive use of open-source materials and tooling for automated configuration management (“Infrastructure as Code”), Continuous Integration, Continuous Delivery, Continuous Deployment, containerization, micro-segmentation, automated compliance (“Compliance as Code”), and Continuous Monitoring.

This course also makes extensive use of AWS and associated developer tools such as CloudFormation, CodeCommit, CodeBuild, CodePipeline, and other cloud application services so students can experience how these services can be utilized in their applications.

“Valuable information that is presented in an easy-to-understand method. The hands-on activities are also important to drive the points.”

-Brian Calkin, Symantec

“SANS training is solid, useful, and well-rounded. It benefits anyone who attends, regardless of time in the industry.” -D. Turner, Texas Workforce Commission

Bonus SessionsEnrich your SANS training experience! Evening talks led by our instructors and selected subject-matter experts help you broaden your knowledge, hear from the voices that matter in computer security, and get the most for your training dollar.

KEYNOTE: Everything You Ever Learned About Passwords Is WrongKeith PalmgrenPerhaps the worst advice you can give a user is “choose a complex password.” The result is the impossible-to-remember password requiring the infamous sticky note on the monitor. In addition, that password gets used at a dozen sites at home, AND the very same password gets used at work. The final result ends up being the devastating password compromise. In this one-hour talk, we will look at the technical and non-technical (human nature) issues behind passwords. Attendees will gain a more complete understanding of passwords and receive solid advice on creating more easily remembered AND significantly stronger passwords at work and at home for their users, for themselves, and even for their children.

The Most Dangerous Game: Hunting Post-Exploitation with Elasticsearch and the MITRE ATT&CK FrameworkJohn HubbardModern cyber defense requires the mindset of “assume breach.” But with so much data generated by our devices, how can we collect what’s needed to identify attacks in an affordable way, let alone sort through it all? This talk will describe the challenges of finding post-exploitation activity in our mountains of data and will discuss how to identify techniques enumerated in the MITRE ATT&CK framework using the Elastic Stack. The objective will be to arm defenders with industry-validated attack knowledge and demonstrate how late-stage compromises can be identified before significant damage is caused.

SEC440 Critical Security Controls: Planning, Implementing, and Auditing

SEC440 helps you master specific, proven techniques and tools needed to implement and audit the Critical Security Controls as documented by the Center for Internet Security (CIS). These Critical Security Controls are rapidly becoming accepted as the highest priority list of what must be done and proven before anything else at nearly all serious and sensitive organizations. These controls were selected and defined by the U.S. military

and other government agencies (including NSA, DHS, GAO, and many others) and private organizations that are the most respected experts on how attacks actually work and what can be done to stop them. They defined these controls as their consensus for the best way to block known attacks and find and mitigate damage from the attacks that get through. For security professionals, the course enables you to see how to put the controls in place in your existing network through effective and widespread use of cost-effective automation. For auditors, CIOs, and risk officers, the course is the best way to understand how you will measure whether the controls are effectively implemented. SEC440 does not contain any labs. Students looking for hands-on labs involving the Critical Controls should take SEC566. You will find the the Critical Security Controls describing the Critical Security Controls posted at the Center for Internet Security. www.cisecurity.org/controlsOne of the best features of the course is that it uses offense to inform defense. In other words, you will learn about the actual attacks that you’ll be stopping or mitigating. That makes the defenses very real, and it makes you a better security professional.

Two-Day Program Sat, Mar 17 - Sun, Mar 18 9:00am - 5:00pm 12 CPEs Laptop Not Needed Instructor: Chris Christianson (See instructor’s bio on page 3)

Cyber Defense S H O R T C O U R S E

10 Register at www.sans.org/tysons-corner-spring | 301-654-SANS (7267)

11

Future Training Events

Security East New Orleans, LA Jan 8-13, 2018

Northern VA Winter . . . . . . . . . . Reston, VA . . . . . . . . . . . . Jan 15-20Las Vegas . . . . . . . . . . . . . . . . . Las Vegas, NV . . . . . .Jan 28 - Feb 2Miami . . . . . . . . . . . . . . . . . . . . Miami, FL . . . . . . . . .Jan 29 - Feb 3Scottsdale . . . . . . . . . . . . . . . . . Scottsdale, AZ . . . . . . . . . . Feb 5-10Southern California . . . . . . . . . Anaheim, CA . . . . . . . . . . Feb 12-17Dallas . . . . . . . . . . . . . . . . . . . . Dallas, TX . . . . . . . . . . . . Feb 19-24New York City Winter . . . . . . . . New York, NY . . . . . . Feb 26 - Mar 3San Francisco Spring . . . . . . . . San Francisco, CA . . . . . . Mar 12-17Northern VA Spring – Tysons . . McLean, VA . . . . . . . . . . . Mar 17-24 Pen Test Austin . . . . . . . . . . . . . Austin, TX . . . . . . . . . . . .Mar 19-24Boston Spring . . . . . . . . . . . . . . Boston, MA . . . . . . . . . . Mar 25-30

SANS 2018 Orlando, FL Apr 3-10

Baltimore Spring . . . . . . . . . . . . Baltimore, MD . . . . . . . . . Apr 21-28Seattle Spring . . . . . . . . . . . . . . Seattle, WA . . . . . . . . . . . Apr 23-28

Security West San Diego, CA May 11-18

Northern VA Reston Spring . . . . Reston, VA . . . . . . . . . . . May 20-25Atlanta . . . . . . . . . . . . . . . . . . . . Atlanta, GA . . . . . . May 29 - June 3Rocky Mountain . . . . . . . . . . . . Denver, CO . . . . . . . . . . . . June 4-9Crystal City . . . . . . . . . . . . . . . . Arlington, VA . . . . . . . . . June 18-23Minneapolis . . . . . . . . . . . . . . . Minneapolis, MN . . . . . .June 25-30Vancouver . . . . . . . . . . . . . . . . . Vancouver, BC . . . . . . . .June 25-30

Future Summit EventsCyber Threat Intelligence . . . . . Bethesda, MD . . . . . .Jan 29 - Feb 5Cloud Security . . . . . . . . . . . . . . San Diego, CA . . . . . . . . . Feb 19-26ICS Security . . . . . . . . . . . . . . . . Orlando, FL . . . . . . . . . . .Mar 19-26Blue Team . . . . . . . . . . . . . . . . . Louisville, KY . . . . . . . . . . Apr 23-30Automotive Cybersecurity . . . . Chicago, IL . . . . . . . . . . . . May 1-8DFIR . . . . . . . . . . . . . . . . . . . . . . Austin, TX . . . . . . . . . . . . June 7-14

Future Community SANS EventsLocal, single-course events are also o°ered throughout the year via SANS Community. Visit www.sans.org/community for up-to-date Community course information.

12

Register online at www.sans.org/tysons-corner-springWe recommend you register early to ensure you get your first choice of courses.Select your course and indicate whether you plan to test for GIAC certification. If the course is still open, the secure, online registration server will accept your registration. Sold-out courses will be removed from the online registration. Everyone with Internet access must complete the online registration form. We do not take registrations by phone.

Cancellation & Access PolicyIf an attendee must cancel, a substitute may attend instead. Substitution requests can be made at any time prior to the event start date. Processing fees will apply. All substitution requests must be submitted by email to registration@sans.org. If an attendee must cancel and no substitute is available, a refund can be issued for any received payments by February 28, 2018. A credit memo can be requested up to the event start date. All cancellation requests must be submitted in writing by mail or fax and received by the stated deadlines. Payments will be refunded by the method that they were submitted. Processing fees will apply. 13

Pay Early and Save*

DATE DISCOUNT DATE DISCOUNT

Pay & enter code by 1-24-18 $400.00 2-14-18 $200.00

*Some restrictions apply. Early bird discounts do not apply to Hosted courses.

Use code EarlyBird18 when registering early

Hilton McLean Tysons Corner 7920 Jones Branch Drive McLean, VA 22102 703-847-5000 www.sans.org/event/northern-va-spring-tysons-2018/location

Registration Information

Hotel Information

Top 5 reasons to stay at the Hilton McLean Tysons Corner1 All SANS attendees receive

complimentary high-speed Internet when booking in the SANS block.

2 No need to factor in daily cab fees and the time associated with travel to alternate hotels.

3 By staying at the Hilton McLean Tysons Corner, you gain the opportunity to further network with your industry peers and remain in the center of the activity surrounding the training event.

4 SANS schedules morning and evening events at the Hilton McLean Tysons Corner that you won’t want to miss!

5 Everything is in one convenient location!

Experience impeccable service at the Hilton McLean Tysons Corner hotel near Washington, DC. This contemporary hotel is located in the center of Tysons Corner technology corridor, between Ronald Reagan National Airport and Washington Dulles International Airport. It is also just minutes from world-class shopping at Tysons Corner Center and the Galleria Mall. Take the Silver Line Metro from the McLean Station into downtown Washington, DC. A complimentary shuttle servicing a one-mile radius of the hotel is also provided.

Special Hotel Rates AvailableA special discounted rate of $189.00 S/D will be honored based on space availability.

The group rate is currently less than the prevailing government per diem. Should the government per diem be less than the group rate, rooms will be available to book. The group rate includes high-speed Internet in your room and is only available through February 23, 2018.

SANS Voucher ProgramExpand your training budget! Extend your fiscal year. The SANS Voucher Program provides flexibility and may earn you bonus funds for training.

www.sans.org/vouchers

NewslettersNewsBites Twice-weekly, high-level executive summaries of the most important news relevant to cybersecurity professionals.

OUCH! The world’s leading monthly free security awareness newsletter designed for the common computer user.

@RISK: The Consensus Security Alert A reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) how recent attacks worked, and (4) other valuable data.

WebcastsAsk the Experts Webcasts SANS experts bring current and timely information on relevant topics in IT security.

Analyst Webcasts A follow-on to the SANS Analyst Program, Analyst Webcasts provide key information from our whitepapers and surveys.

WhatWorks Webcasts The SANS WhatWorks webcasts bring powerful customer experiences showing how end users resolved specific IT security issues.

Tool TalksTool Talks are designed to give you a solid understanding of a problem, and how a vendor’s commercial tool can be used to solve or mitigate that problem.

Other Free Resources (No portal account is necessary)• InfoSec Reading Room• Top 25 Software Errors• 20 Critical Controls• Security Policies• Intrusion Detection FAQs• Tip of the Day

• Security Posters• Thought Leaders• 20 Coolest Careers• Security Glossary• SCORE (Security Consensus

Operational Readiness Evaluation)

5705 Salem Run Blvd. Suite 105 Fredericksburg, VA 22407

Save $400 when you pay for any 4-, 5-, or 6-day course and enter the code “EarlyBird18” by December 27th. www.sans.org/dallas

To be removed from future mailings, please contact unsubscribe@sans.org or (301) 654-SANS (7267). Please include name and complete address. NALT-BRO-Dallas-2018

As the leading provider of information defense, security, and intelligence training to military, government, and industry groups, the SANS Institute is proud to be a Corporate Member of the AFCEA community.

Create a SANS Account today to enjoy these free resources at www.sans.org/account