E-SPIN
Thursday, 19 July 2012 / Published in Solution

GIAC Certified Enterprise Defender (GCED)

Type: Certification

Course: No specific training is required for any GIAC certification. If candidates need help in mastering the objectives for this certification, there are many sources of information available. Practical experience is one option; there are also numerous books on the market covering Computer Information Security. Another option is SANS training, or any relevant courses from other training providers.

Target: The GCED builds on the security skills measured by the GSEC (no overlap). It assesses more advanced, technical skills that are needed to defend the enterprise environment and protect an organization as a whole. Knowledge, skills and abilities assessed are taken from the areas of Defensive Network Infrastructure, Packet Analysis, Penetration Testing, Incident Handling, and Malware Removal.

Requirements: 1 proctored exam – 150 questions – 4-hour time limit – 68.7% (103 of 150 questions) minimum passing score

Renewal: Every 4 years

Delivery: Exams are delivered online through a standard web browser. For exams purchased with SANS training, access to the exam will be available 7-10 days following the end of the conference. Standalone challenge exams are issued within 24 hours upon receipt of payment. You will receive an email from GIAC when your exam has been issued to your portal account. You have 120 days to complete the exam from the time we send notice that it is available. The exams are proctored and should be scheduled using our.

Advanced Security Essentials – Enterprise Defender, Security 501

Course overview

Cyber Security Survival Course – Security Enterprise Defender

Cyber security continues to be a critical area for organizations and will continue to increase in importance as attacks become stealthier, have a greater financial impact on an organization, and cause reputational damage. While Security Essentials lays a solid foundation for the security practitioner, there is only so much that can be packed into a six-day course. Security 501 is a follow-up to SEC401: SANS Security Essentials (with no overlap) and continues to focus on more technical areas that are needed to protect an organization. The core focus of the course is on:

  • Prevention – configuring a system or network correctly
  • Detection – identifying that a breach has occurred at the system or network level
  • Reaction – responding to an incident and moving to evidence collection/forensics

A key theme is that prevention is ideal, but detection is a must. We need to be able to ensure that we constantly improve our security to prevent as many attacks as possible. This prevention/protection occurs on two fronts – externally and internally. Attacks will continue to pose a threat to an organization as data becomes more portable and networks continue to be porous. Therefore a key focus needs to be on data protection, securing our critical information no matter whether it resides on a server, in a robust network architecture, or on a portable device.

Despite an organization’s best effort at preventing attacks and protecting its critical data, some attacks will still be successful. Therefore we need to be able to detect attacks in a timely fashion. This is accomplished by understanding the traffic that is flowing on your networks and looking for indications of an attack. It also includes performing penetration testing and vulnerability analysis against an organization to identify problems and issues before a compromise occurs.

Finally, once an attack is detected we must react to it in a timely fashion and perform forensics. An understanding of how the attacker broke in can be fed back into more effective and robust preventive and detective measures, completing the security lifecycle.

Defensive Network Infrastructure, Security 501 - Day 1

Prevention

Protecting a network from attack starts with designing, building, and implementing a robust network infrastructure. There are many aspects to implementing a defense-in-depth network that are often overlooked since companies focus too often only on functionality. Achieving the proper balance between business drivers and core protection of information is very difficult, and an organization must build a network that is mission resilient to a variety of attacks that might occur.

On the first day students will learn not only how to design and build a network that can both prevent attacks and recover after compromise, but also how to retrofit an existing network to achieve the level of protection that is required. Building a network is easy, but integrating all of the components so the network can withstand a variety of attacks and support the mission of the organization takes a special skill. Students will learn how to design and implement a functionality-rich, secure network and also how to maintain and update it as the threat landscape evolves.

Topics Covered:

Introducing Network Infrastructure as Targets for Attack

  • Impact of compromised routers and switches
  • Escalating privileges at layers 2 and 3
  • Weaknesses in Cisco router and switch architecture
  • Integrating and understanding existing and network devices to defend against attacks

Implementing the Cisco Gold Standard to Improve Security

  • CISecurity Level 1 and 2 Benchmarks for Routers
  • SANS Gold Standard switch configuration
  • Implementing security on an existing network and rolling out new devices

Advanced Layer 2 and 3 Controls

  • Routing protocol authentication
  • Filtering with access control lists
  • DHCP, ARP snooping, and Port Security
  • Introduction to Network Admission Control and 802.1x

Packet Analysis, Security 501 - Day 2

Detection

Prevention is ideal, but detection is a must – this is a critical motto of security professionals. While organizations always like to prevent as many attacks as possible, some will still sneak into the network. In cases where an attack cannot be prevented, security professionals must understand the indications and warnings that are indicative of attack and detect them before they cause significant harm. Packet analysis and intrusion detection are at the core of timely detection. Not only should attacks be detected, but organizations should react to make sure that these attacks can be prevented in the future.

Based on the changing landscape of attacks, detecting attacks is becoming more difficult because attacks are now more stealthy and difficult to find. Only by understanding the core principles of traffic analysis can one become a skilled analyst and be able to differentiate between normal traffic and attack traffic. In addition, new attacks are coming out all the time, so security professionals must be able to write rules that detect new, advanced zero-day attacks before they compromise a network.

In the past, traffic analysis and intrusion detection were treated as a separate discipline within many organizations. Today, prevention, detection, and reaction must all be closely knit so that once an attack is detected, defensive measures can be adapted, proactive forensics can be implemented, and the organization can continue to operate.

Topics Covered:

Architecture Design and Preparing Filters

  • Building intrusion detection capability into a network
  • Understanding the components currently in place

Detection Techniques and Measures

  • Understanding various types of traffic occurring on a network
  • Knowing how normal traffic works
  • Differentiating between attacks and normal users on a network

Advanced IP Packet Analysis

  • Performing deep packet inspection and understanding usage of key fields
  • Event correlation and analysis
  • Analyzing an entire network instead of a single device
  • Building advanced Snort rules

Intrusion Detection Tools

  • Installing and using analysis software
  • Wireshark
  • Building custom filters

Pentest, Security 501 - Day 3

Detection

Security is all about understanding, mitigating, and controlling risk to an organization’s critical assets. Therefore an organization must understand what the changing threat landscape is and compare that against its own vulnerabilities that could be used to compromise a network. While this was never an easy task, it is becoming much more difficult since the threats are evolving very rapidly and organizations are so complex. On day three students will understand the variety of tests that can be run against an organization and how to perform penetration testing in an effective manner.

Finding basic vulnerabilities is easy, but it is not very effective if these are not the vulnerabilities that attackers will use to break into a system. Advanced penetration testing involves understanding the variety of systems and applications on a network and how they can be compromised by an attacker. Students will learn about both external and internal penetration testing and the methods of black, gray, and white box testing.

Penetration testing is critical to identify an organization’s exposure points, but students will also learn how to prioritize and fix these vulnerabilities to increase the overall security of an organization.

First Responder, Security 501 - Day 4

Reaction

Any organization that is connected to the Internet or that has employees is going to have attacks launched against it. Even with a keen focus on robust network design, preventive security, and finding vulnerabilities through penetration testing, some attacks will still occur. In these cases identifying, analyzing, and responding is critical.

Security professionals need to understand how to perform incident response, analyze what is occurring, and restore their organization back to a normal state as soon as possible. Day four will equip students with a proven six-step process to follow in response to an attack – prepare, identify, contain, eradicate, recover and learn from previous incidents. Cyber incidents are a lot like a fire. The sooner you detect them, the easier they are to deal with and the less damage they cause. Therefore prompt incident response is a key follow-on to intrusion analysis.

Another key aspect of incident response is forensic analysis and discovery. Students will learn how to perform forensic investigation and find indications of an attack. This information will be fed into the incident response process and ensure the attack is prevented from occurring again in the future.

Malware, Security 501 - Day 5

Reaction

As security professionals continue to build more proactive security measures, attackers' methods will continue to evolve. A common way for attackers to target, control, and break into as many systems as possible is through the use of malware. Therefore it is critical that students understand what type of malware is currently available to attackers and future trends and methods of exploiting systems. With this knowledge students can then learn how to analyze, defend, and detect malware on systems and minimize the impact to the organization.

Data Loss Prevention, Security 501 - Day 6

Prevention

Cyber security is all about managing, controlling, and mitigating risk to your critical assets. In almost every organization, your critical assets are composed of data or information. Whether it is a customer list, research plans, intellectual property, classified information, or a marketing plan, this data represents the lifeline of your organization and must be properly protected. Perimeters are still important and critical, but we are moving away from a fortress model and moving towards a focus on data. This is based primarily on the fact that our networks are becoming more porous, and our data is more portable.

Information no longer resides solely on your servers, where properly configured access control lists can limit access and protect our information. The same intellectual property that is protected on a server behind a strong perimeter can now be copied to laptops (i.e. portable servers) and be plugged into networks (e.g. hotels, airports and coffee shops) that have no firewalls or security devices in place. This means the data must be able to be protected no matter where it resides, since a compromise of sensitive data will have an impact on the company, no matter how it was stolen.

Building a strong perimeter defense is a critical first step, but focusing in on protecting and controlling critical data from loss is another key step in building a strong preventive measure. Proactive security must be put in place to make sure critical information is properly protected and exposure is minimized.
