SANS SEC555 SIEM with Tactical Analytics GCDA

Numerous organizations possess logging capabilities yet lack the necessary personnel and procedures for practical analysis. Moreover, logging systems amass vast volumes of data from diverse sources, demanding comprehension of these sources for accurate analysis. This course will equip individuals with the training, methodologies, and workflows to enhance existing logging solutions. Participants will gain insight into the logs' timing, content, and significance. Featuring extensive lab sessions, the curriculum utilizes the open-source Elasticsearch, Logstash, and Kibana (ELK) Stack alongside other open-source tools to furnish a Security Information and Event Management (SIEM) solution, fostering hands-on experience and cultivating a mindset for large-scale data analysis.

Presently, security operations are plagued not by a "Big Data" dilemma but rather by a "Data Analysis" challenge. The ability to store and process substantial data exists, yet the focus on extracting meaningful insights is lacking. Compounded by the array of systems generating logs, navigating this data deluge can be overwhelming. This course represents a departure from conventional log management approaches, aiming to achieve actionable intelligence and cultivate a strategic Security Operations Center (SOC) ethos.

Designed to demystify SIEM architecture and processes, this course guides students through tailoring and deploying a SIEM for seamless SOC integration. Topics covered encompass the judicious use of SIEM platforms to enrich enterprise log data and extract actionable intelligence. Participants will learn to present gathered insights in user-friendly formats conducive to correlation analysis. Through iterative log data analysis, students will discover the richness of this information, learn correlation techniques, initiate investigations based on aggregated data, and engage in proactive threat hunting. Additionally, they will gain proficiency in deploying internal post-exploitation tripwires and breach canaries for agile intrusion detection. Throughout the course, emphasis is placed on manual techniques and on automating processes, empowering students to apply acquired skills upon returning to their workplaces.

A recurring theme is the active application of Continuous Monitoring and analysis techniques to combat modern cyber threats. Labs involve replaying captured attack data to yield real-world results and visualizations.

Business Takeaways:
- Utilize log data to assess security control effectiveness.
- Consolidate data into dynamic dashboards for more strategic analyst reviews.
- Streamline handling and filtering of large data volumes from servers and workstations.
- Apply significant data analysis techniques to sift through extensive endpoint data.
- Promptly detect and respond to adversaries.

This Course Will Prepare You To:
- Highlight shortcomings of most SIEMs compared to current open-source solutions (e.g., ELK).
- Familiarize students with SIEM usage, architecture, and best practices.
- Identify appropriate data sources for log collection.
- Deploy scalable log solutions with diverse log retrieval methods.
- Operationalize raw logs into actionable data.
- Develop strategies for handling billions of logs from disparate sources.
- Master best practices for log collection.
- Explore advanced log manipulation techniques that challenge conventional SIEM solutions.
- Create graphs and tables to detect adversary activities and anomalies.
- Merge data into dynamic dashboards for more strategic analyst reviews.
- Turn adversary techniques against them using frequency analysis in large datasets.
- Establish network and system baselines for anomaly detection.
- Employ various analysis methods, such as long-tail analysis, to identify abnormalities.
- Correlate and integrate multiple data sources for comprehensive insights.
- Provide context to standard alerts to aid understanding and prioritization.
- Establish log alerts as virtual tripwires for early breach detection.
- Manage container monitoring and log collection.
- Detect unauthorized changes in cloud environments.
- Integrate and develop custom scripts for SIEM usage.

SEC555 reinforces knowledge transfer through extensive hands-on labs, surpassing traditional lectures by facilitating the practical application of techniques. Lab activities encompass:
- Log collection.
- Log augmentation and enrichment.
- Windows log analysis.
- System and network baselining.
- Daily immersive cyber challenges, utilizing the NetWars-based game engine, to deepen understanding through hands-on labs.
- NetWars-based Final Capstone, named Defend the Flag (DTF), to assess students' comprehension through a team-centric question-and-answer game, demonstrating proficiency in log ingestion, parsing, and threat hunting via the SIEM.

The SEC555 Workbook serves as a comprehensive guide, offering step-by-step instructions for hands-on learning alongside a "challenge yourself" approach for those seeking to expand their skills independently. This ensures an enriching learning experience catering to individuals with varying backgrounds and skill levels.

Price: $1,895.00
- Any pre-loaded packaged materials or subscription-based products, including device-based training programs and courses that include a device, may not be refunded. Digital products including DVDs may be returned for replacement if found defective.
- Free shipping on all orders within the US. International shipping is available.