protect your business | advance your career · 44th president and several executive advisory...


Post on 08-Jun-2020


Page 1: Protect Your Business | Advance Your Career · 44th President and several executive advisory boards. Dr. Cole is the founder and an executive leader at Secure Anchor Consulting, where

“The courses at SANS are ALWAYS valuable immediately upon returning to work.” -WILLIAM STOTT, RAYTHEON

The Most Trusted Source for Information Security Training, Certification, and Research

INFORMATION SECURITY TRAINING RESTON 2018

January 15-20

NORTHERN VIRGINIA WINTER

Protect Your Business | Advance Your Career

Seven hands-on, immersion-style courses taught by SANS’s real-world practitioners.

See inside for courses offered in:

CYBER DEFENSE | ETHICAL HACKING | DIGITAL FORENSICS | MANAGEMENT | PYTHON | SECURITY OPERATIONS

SAVE $400: Register and pay by Nov 22nd. Use code EarlyBird18.

www.sans.org/northern-va-winter-reston


Register today for SANS Northern VA Winter – Reston 2018! www.sans.org/northern-va-winter-reston

@SANSInstitute Join the conversation: #SANSReston

Save $400 when you register and pay by November 22nd using code EarlyBird18

SANS Instructors

SANS instructors are real-world practitioners who specialize in the subjects they teach. All instructors undergo rigorous training and testing in order to teach SANS courses. This guarantees that what you learn in class will be up to date and relevant to your job. The SANS Northern Virginia Winter – Reston 2018 lineup of instructors includes:

Ismael Valenzuela Certified Instructor @aboutsecurity

Courses at a Glance

MON 1-15 | TUE 1-16 | WED 1-17 | THU 1-18 | FRI 1-19 | SAT 1-20

SEC401 Security Essentials Bootcamp Style

SEC501 Advanced Security Essentials – Enterprise Defender

SEC504 Hacker Tools, Techniques, Exploits, and Incident Handling

SEC573 Automating Information Security with Python

FOR500 Windows Forensic Analysis

MGT512 SANS Security Leadership Essentials for Managers with Knowledge Compression™

MGT517 Managing Security Operations: Detection, Response, and Intelligence

Evening Bonus Sessions

Take advantage of these extra evening presentations and add more value to your training. Learn more on page 9.

KEYNOTE: OBSESSED: How to Be Wildly Successful – Dr. Eric Cole

Blockchain: The New Digital Swiss Army Knife? – G. Mark Hardy

Kill Chain – Paul A. Henry

Monitoring and Incident Response on a Shoestring Budget – Joff Thyer

Reston 2018 | JANUARY 15-20 | NORTHERN VA WINTER

Ovie Carroll Principal Instructor @ovie

Dr. Eric Cole Faculty Fellow @drericcole

Kevin Fiscus Principal Instructor @kevinbfiscus

Joff Thyer Certified Instructor @joff_thyer

G. Mark Hardy Principal Instructor @g_mark

Paul A. Henry Senior Instructor @phenrycissp


Register at www.sans.org/northern-va-winter-reston | 301-654-SANS (7267)

SEC401: Security Essentials Bootcamp Style

GSEC Certification: Security Essentials

www.giac.org/gsec

“As a security professional, SEC401 gives a great base of security knowledge across many subjects.” -MARK BEAUVOISIN-BROWN, IBM

Six-Day Program | Mon, Jan 15 - Sat, Jan 20 | 9:00am - 7:00pm (Days 1-5), 9:00am - 5:00pm (Day 6) | 46 CPEs | Laptop Required | Instructor: Dr. Eric Cole

Who Should Attend

Security professionals who want to fill the gaps in their understanding of technical information security

Managers who want to understand information security beyond simple terminology and concepts

Operations personnel who do not have security as their primary job function but need an understanding of security to be effective

IT engineers and supervisors who need to know how to build a defensible network against attacks

Administrators responsible for building and maintaining systems that are being targeted by attackers

Forensic specialists, penetration testers, and auditors who need a solid foundation of security principles to be as effective as possible at their jobs

Anyone new to information security with some background in information systems and networking

This course will teach you the most effective steps to prevent attacks and detect adversaries with actionable techniques you can directly apply when you get back to work. You’ll learn tips and tricks from the experts so you can win the battle against the wide range of cyber adversaries who want to harm your environment.

STOP and ask yourself the following questions:

Do you fully understand why some organizations get compromised and others do not?

If there were compromised systems on your network, are you confident you would be able to find them?

Do you know the effectiveness of each security device and are you certain they are all configured correctly?

Are proper security metrics set up and communicated to your executives to drive security decisions?

If you do not know the answers to these questions, SEC401 will provide the information security training you need in a bootcamp-style format that is reinforced with hands-on labs.

SEC401: Security Essentials Bootcamp Style teaches you the essential information security skills and techniques you need to protect and secure your organization’s critical information assets and business systems. Our course will show you how to prevent your organization’s security problems from being headline news in the Wall Street Journal!

Prevention Is Ideal but Detection Is a Must

With the rise in advanced persistent threats, it is almost inevitable that organizations will be targeted. Whether the attacker is successful in penetrating an organization’s network depends on the effectiveness of the organization’s defense. Defending against attacks is an ongoing challenge, with new threats emerging all of the time, including the next generation of threats. Organizations need to understand what really works in cybersecurity. What has worked, and will always work, is taking a risk-based approach to cyber defense. Before your organization spends a dollar of its IT budget or allocates any resources or time to anything in the name of cybersecurity, three questions must be answered:

What is the risk?

Is it the highest priority risk?

What is the most cost-effective way to reduce the risk?

Security is all about making sure you focus on the right areas of defense. In SEC401 you will learn the language and underlying theory of computer and information security. You will gain the essential and effective security knowledge you will need if you are given the responsibility for securing systems and/or organizations. This course meets both of the key promises SANS makes to our students: (1) You will learn up-to-the-minute skills you can put into practice immediately upon returning to work; and (2) You will be taught by the best security instructors in the industry.

www.sans.edu

WITH THIS COURSE www.sans.org/ondemand

www.sans.org/8140

Dr. Eric Cole SANS Faculty Fellow

Dr. Cole is an industry-recognized security expert with over 20 years of hands-on experience. His work in information security has emphasized helping customers focus on the right areas of security by building out a dynamic defense. Dr. Cole has a master’s degree in computer science from NYIT and a doctorate from Pace University with a concentration in information security. He served as CTO of McAfee and Chief Scientist for Lockheed Martin. Dr. Cole is the author of several books, including Advanced Persistent Threat, Hackers Beware, Hiding in Plain Sight, Network Security Bible 2nd Edition, and Insider Threat. He is the inventor of over 20 patents and is a researcher, writer, and speaker. He was also a member of the Commission on Cyber Security for the 44th President and several executive advisory boards. Dr. Cole is the founder and an executive leader at Secure Anchor Consulting, where he provides leading-edge cybersecurity consulting services and expert witness work, and leads research and development initiatives to advance the state-of-the-art in information systems security. Dr. Cole was the lone inductee into the InfoSec European Hall of Fame in 2014. Dr. Cole is actively involved with the SANS Technology Institute (STI) and is a SANS Faculty Fellow and course author who works with students, teaches, and develops and maintains courseware. @drericcole


For course updates, prerequisites, special notes, or laptop requirements, visit www.sans.org/event/northern-va-winter-reston-2018/courses

www.sans.edu

WITH THIS COURSE www.sans.org/ondemand

www.sans.org/8140

“SEC501 is the perfect course to immerse enterprise security staff into essential skills. Failing to attend this course is done at the peril of your organization.” -JOHN N. JOHNSON, HOUSTON POLICE DEPARTMENT

SEC501: Advanced Security Essentials – Enterprise Defender

GCED Certification: Certified Enterprise Defender

www.giac.org/gced

Six-Day Program | Mon, Jan 15 - Sat, Jan 20 | 9:00am - 5:00pm | 36 CPEs | Laptop Required | Instructor: Paul A. Henry

Who Should Attend

Incident response and penetration testers

Security Operations Center engineers and analysts

Network security professionals

Anyone who seeks technical in-depth knowledge about implementing comprehensive security solutions

Effective cybersecurity is more important than ever as attacks become stealthier, have a greater financial impact, and cause broad reputational damage. SEC501: Advanced Security Essentials – Enterprise Defender builds on a solid foundation of core policies and practices to enable security teams to defend their enterprise.

It has been said of security that “prevention is ideal, but detection is a must.” However, detection without response has little value. Network security needs to be constantly improved to prevent as many attacks as possible and to swiftly detect and respond appropriately to any breach that does occur. This PREVENT - DETECT - RESPONSE strategy must be in place both externally and internally. As data become more portable and networks continue to be porous, there needs to be an increased focus on data protection. Critical information must be secured regardless of whether it resides on a server, in a robust network architecture, or on a portable device.

“Nearly 100% of the material covered in SEC501 is immediately applicable to the daily role of an analyst, regardless of industry.” -TERRY BOEDEKER, FIREEYE

Despite an organization’s best efforts to prevent network attacks and protect its critical data, some attacks will still be successful. Therefore, organizations need to be able to detect attacks in a timely fashion. This is accomplished by understanding the traffic that is flowing on your networks, looking for indications of an attack, and performing penetration testing and vulnerability analysis against your organization to identify problems and issues before a compromise occurs.

Finally, once an attack is detected we must react quickly and effectively and perform the forensics required. Knowledge gained by understanding how the attacker broke in can be fed back into more effective and robust preventive and detective measures, completing the security lifecycle.

Paul A. Henry SANS Senior Instructor

Paul is one of the world’s foremost global information security and computer forensic experts, with more than 20 years’ experience managing security initiatives for Global 2000 enterprises and government organizations worldwide. Paul is a principal at vNet Security, LLC and is keeping a finger on the pulse of network security as the security and forensic analyst at Lumension Security. Throughout his career, Paul has played a key strategic role in launching new network security initiatives to meet our ever-changing threat landscape. He also advises and consults on some of the world’s most challenging and high-risk information security projects, including the National Banking System in Saudi Arabia, the Reserve Bank of Australia, the U.S. Department of Defense’s Satellite Data Project, and both government and telecommunications projects throughout Southeast Asia. Paul is frequently cited by major publications as an expert on perimeter security, incident response, computer forensics, and general security trends, and serves as an expert commentator for network broadcast outlets such as FOX, NBC, CNN, and CNBC. In addition, Paul regularly authors thought leadership articles on technical security issues, and his expertise and insight help shape the editorial direction of key security publications such as the Information Security Management Handbook, to which he is a consistent contributor. Paul is a featured speaker at seminars and conferences worldwide, delivering presentations on diverse topics such as anti-forensics, network access control, cyber crime, DDoS attack risk mitigation, perimeter security, and incident response. @phenrycissp


“SEC504 is the single best technical training course I’ve taken.” -ZI BAXTER, HSBC

“Kevin was a great instructor--high energy and very knowledgeable!” -JEFF SHAFER, UNIVERSITY OF THE PACIFIC

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

GCIH Certification: Incident Handler

www.giac.org/gcih

Six-Day Program | Mon, Jan 15 - Sat, Jan 20 | 9:00am - 7:15pm (Day 1), 9:00am - 5:00pm (Days 2-6) | 37 CPEs | Laptop Required (If your laptop supports only wireless, please bring a USB Ethernet adapter.) | Instructor: Kevin Fiscus

Who Should Attend

Incident handlers

Leaders of incident handling teams

System administrators who are on the front lines defending their systems and responding to attacks

Other security personnel who are first responders when systems come under attack

The Internet is full of powerful hacking tools and bad guys using them extensively. If your organization has an Internet connection and one or two disgruntled employees (and whose does not!), your computer systems will get attacked. From the five, ten, or even one hundred daily probes against your Internet infrastructure to the malicious insider slowly creeping through your most vital information assets, attackers are targeting your systems with increasing viciousness and stealth. As defenders, it is essential we understand these hacking tools and techniques.

“The training offered at SANS is the best in the industry, and the SEC504 course is a must for any IT security professional – highly recommended.” -MICHAEL HOFFMAN, SHELL OIL PRODUCTS U.S.

This course enables you to turn the tables on computer attackers by helping you understand their tactics and strategies in detail, giving you hands-on experience in finding vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan. It addresses the latest cutting-edge, insidious attack vectors, the “oldie-but-goodie” attacks that are still prevalent, and everything in between. Instead of merely teaching a few hack attack tricks, this course provides a time-tested, step-by-step process for responding to computer incidents and a detailed description of how attackers undermine systems so you can prepare for, detect, and respond to those attacks. In addition, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence. Finally, students will participate in a hands-on workshop that focuses on scanning, exploiting, and defending systems. This course will enable you to discover the holes in your system before the bad guys do!

The course is particularly well-suited to individuals who lead or are a part of an incident handling team. General security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.

Kevin Fiscus SANS Principal Instructor

Kevin Fiscus is the founder of and lead consultant for Cyber Defense Advisors, where he performs security and risk assessments, vulnerability and penetration testing, security program design, policy development, and security awareness with a focus on serving the needs of small and mid-sized organizations. Kevin has over 20 years of IT experience and has focused exclusively on information security for the past 12. He currently holds the CISA, GPEN, GREM, GMOB, GCED, GCFA-Gold, GCIA-Gold, GCIH, GAWN, GPPA, GCWN, GCSC-Gold, GSEC, SCSA, RCSE, and SnortCP certifications and is proud to have earned the top information security certification in the industry, the GIAC Security Expert. Kevin has also achieved the distinctive title of SANS Cyber Guardian for both red team and blue team. Kevin has taught many of SANS’s most popular classes including SEC401, SEC464, SEC503, SEC504, SEC542, SEC560, SEC561, SEC575, FOR508, and MGT414. @kevinbfiscus

WITH THIS COURSE www.sans.org/ondemand

www.sans.org/cyber-guardian

www.sans.org/8140

www.sans.edu


SEC573: Automating Information Security with Python

GPYC Certification: Python Coder

www.giac.org/gpyc

Six-Day Program | Mon, Jan 15 - Sat, Jan 20 | 9:00am - 5:00pm | 36 CPEs | Laptop Required | Instructor: Joff Thyer

Who Should Attend

Security professionals who benefit from automating routine tasks so they can focus on what’s most important

Forensics analysts who can no longer wait on someone else to develop a commercial tool to analyze artifacts

Network defenders who sift through mountains of logs and packets to find evil-doers in their networks

Penetration testers who are ready to advance from script kiddie to professional offensive computer operations operator

Security professionals who want to evolve from security tool consumer to security solution provider

All security professionals, including Penetration Testers, Forensics Analysts, Network Defenders, Security Administrators, and Incident Responders, have one thing in common: CHANGE. Change is constant. Technology, threats, and tools are constantly evolving. If we don’t evolve with them, we’ll become ineffective and irrelevant, unable to provide the vital defenses our organizations increasingly require.

Maybe your chosen Operating System has a new feature that creates interesting forensics artifacts that would be invaluable for your investigation, if only you had a tool to access it. Often for new features and forensics artifacts, no such tool has yet been released. You could try moving your case forward without that evidence or hope that someone creates a tool before the case goes cold. Or you can write a tool yourself.

Perhaps an attacker bypassed your defenses and owned your network months ago. If existing tools were able to find the attack, you wouldn’t be in this situation. You are bleeding sensitive data and the time-consuming manual process of finding and eradicating the attacker is costing you money and hurting your organization big time. The answer is simple if you have the skills: Write a tool to automate your defenses.

Finally, what do you do when “off-the-shelf” tools and exploits fall short? As a penetration tester you need to evolve as quickly as the threats you are paid to emulate, so the answer is simple, if you have the skills: You write your own tool.

Writing a tool is easier said than done, right? Not really. Python is a simple, user-friendly language that is designed to make automating tasks that security professionals perform quick and easy. Whether you are new to coding or have been coding for years, SEC573: Automating Information Security with Python will have you creating programs to make your job easier and make you more efficient. This self-paced class starts from the very beginning assuming you have no prior experience or knowledge of programming. We cover all of the essentials of the language up front. If you already know the essentials, you will find that the pyWars lab environment allows advanced developers to quickly accelerate to more advanced material in the class. The self-paced style of the class will meet you where you are to let you get the most out of the class. Beyond the essentials we discuss file analysis, packet analysis, forensics artifact carving, networking, database access, website access, process execution, exception handling, object-oriented coding, and more.

www.sans.edu

“Joff does a great job of keeping students engaged throughout a seven-hour class. He also does an outstanding job of breaking down lecture material so all skill levels can understand.” -DANIEL MARTIN, BANK OF AMERICA

Joff Thyer SANS Certified Instructor

Joff Thyer is a senior security consultant, researcher, and penetration tester with Black Hills Information Security. Joff has over 15 years of experience in the IT industry as an enterprise network architect, network security defender, and information security consultant. Joff has experience with intrusion detection and prevention systems, vulnerability analysis, penetration testing, engineering network infrastructure defense (including Cisco ISE deployment), and software development. Joff has taught Mastering Packet Analysis and mentored SEC503: Intrusion Detection in Depth and currently teaches SEC573: Python for Penetration Testers for the SANS Institute. Joff is also a co-host on the Security Weekly podcast, which features the latest information security news, research, interviews, and technical information. Joff holds a B.Sc. in mathematics and M.Sc. in computer science. He holds the GPEN: GIAC Penetration Tester certification. @joff_thyer


“The course teaches more than how to use tools. I really like all the real-world scenarios and methodology.” -STEVE TRUMPOWER, DMZSEC, LLC

FOR500: Windows Forensic Analysis

GCFE Certification: Forensic Examiner

www.giac.org/gcfe

Six-Day Program | Mon, Jan 15 - Sat, Jan 20 | 9:00am - 5:00pm | 36 CPEs | Laptop Required | Instructor: Ovie Carroll

Who Should Attend

Information security professionals

Incident response team members

Law enforcement officers, federal agents, and detectives

Media exploitation analysts

Anyone interested in a deep understanding of Windows forensics

MASTER WINDOWS FORENSICS – YOU CAN’T PROTECT WHAT YOU DON’T KNOW ABOUT

All organizations must prepare for cyber-crime occurring on their computer systems and within their networks. Demand has never been greater for analysts who can investigate crimes, such as fraud, insider threats, industrial espionage, employee misuse, and computer intrusions. Government agencies increasingly require trained media exploitation specialists to recover vital intelligence from Windows systems. To help solve these cases, SANS is training a new cadre of the world’s best digital forensic professionals, incident responders, and media exploitation experts capable of piecing together what happened on computer systems second by second.

FOR500: Windows Forensic Analysis focuses on building in-depth digital forensics knowledge of Microsoft Windows operating systems. You can’t protect what you don’t know about, and understanding forensic capabilities and artifacts is a core component of information security. You’ll learn how to recover, analyze, and authenticate forensic data on Windows systems, track particular user activity on your network, and organize findings for use in incident response, internal investigations, and civil/criminal litigation. You’ll be able to use your new skills to validate security tools, enhance vulnerability assessments, identify insider threats, track hackers, and improve security policies. Whether you know it or not, Windows is silently recording an unbelievable amount of data about you and your users. FOR500 teaches you how to mine this mountain of data.

Proper analysis requires real data for students to examine. The completely updated FOR500 course trains digital forensic analysts through a series of new, hands-on laboratory exercises that incorporate evidence found on the latest Microsoft technologies (Windows 7, Windows 8/8.1, Windows 10, Office and Office365, cloud storage, SharePoint, Exchange, Outlook). Students leave the course armed with the latest tools and techniques, prepared to investigate even the most complicated systems they might encounter. Nothing is left out – attendees learn to analyze everything from legacy Windows 7 systems to just-discovered Windows 10 artifacts.

FOR500: Windows Forensic Analysis will teach you to:

Conduct in-depth forensic analysis of Windows operating systems and media exploitation focusing on Windows 7, Windows 8/8.1, Windows 10, and Windows Server 2008/2012/2016

Identify artifact and evidence locations to answer critical questions, including application execution, file access, data theft, external device usage, cloud services, geolocation, file download, anti-forensics, and detailed system usage

Focus your capabilities on analysis instead of on how to use a particular tool

Extract critical answers and build an in-house forensic capability via a variety of free, open-source, and commercial tools provided within the SANS Windows SIFT Workstation

www.sans.edu

WITH THIS COURSE www.sans.org/ondemand

Ovie Carroll SANS Principal Instructor

Ovie is the Director of the Cybercrime Lab of the Computer Crime and Intellectual Property Section (CCIPS) at the Department of Justice (DOJ). The lab provides advanced computer forensics, cybercrime investigation, and other technical assistance to DOJ prosecutors to support implementation of the department’s national strategies for digital evidence and to combat electronic penetration, data theft, and cyberattacks on critical information systems. He also teaches two classes as an adjunct professor at George Washington University in Washington, DC. Prior to joining the DOJ, Ovie was a special agent in charge of overseeing the Technical Crimes Unit of the Postal Inspector General’s Office, where he was responsible for all computer intrusion investigations within the postal service network infrastructure and for providing all digital forensic analyses in support of criminal investigations and audits. He also served as a special agent in the Air Force Office of Special Investigations, investigating computer intrusions and working both general crimes and counterintelligence, as well as conducting investigations into offenses including murder, rape, fraud, bribery, theft, and gangs and narcotics. @ovie

MGT512: SANS Security Leadership Essentials for Managers with Knowledge Compression™

GSLC Certification: Security Leadership

www.giac.org/gslc

Five-Day Program | Mon, Jan 15 - Fri, Jan 19 | 9:00am - 6:00pm (Days 1-4), 9:00am - 4:00pm (Day 5) | 33 CPEs | Laptop Recommended | Instructor: G. Mark Hardy

Who Should Attend

All newly appointed information security officers

Technically skilled administrators who have recently been given leadership responsibilities

Seasoned managers who want to understand what their technical people are telling them

This completely updated course is designed to empower advancing managers who want to get up to speed quickly on information security issues and terminology. You won’t just learn about security, you will learn how to manage security. Lecture sections are intense; the most common student comment is that it’s like drinking from a fire hose. The diligent manager will gain the vital, up-to-date knowledge and skills required to supervise the security component of any information technology project. Additionally, the course has been engineered to incorporate the NIST Special Publication 800 (series) guidance so that it can be particularly useful to U.S. government managers and supporting contractors.

Essential security topics covered in this management track include network fundamentals and applications, power, cooling and safety, architectural approaches to defense in-depth, cyber attacks, vulnerability assessment and management, security policies, contingency and continuity planning, awareness management, risk management analysis, incident handling, web application security, and offensive and defensive information warfare, culminating with our management practicum. The material uses Knowledge Compression,™ special charts, and other proprietary SANS techniques to help convey the key points of critical slides and keep the information flow rate at a pace senior executives demand every teaching hour of the course. The course has been evaluated and approved by CompTIA’s CAQC program for Security+ 2008 to ensure that managers and their direct reports have a common baseline for security terminology and concepts. You will be able to put what you learn into practice the day you get back into the office.

Knowledge Compression™

Maximize your learning potential!

Knowledge Compression™ is an optional add-on feature to a SANS class that aims to maximize the absorption and long-term retention of large amounts of data over a relatively short period of time. Through the use of specialized training materials, in-class reviews, examinations and test-taking instruction, Knowledge Compression™ ensures students have a solid understanding of the information presented to them. By attending classes that feature this advanced training product, you will experience some of the most intense and rewarding training programs SANS has to offer, in ways that you never thought possible!

www.sans.edu

“I have some very specific achievable things I can do right away suggested by the course that will benefit my organization and me. That’s valuable training.” -WILLIAM E. WEYANDT, AMERICAN ORTHODONTICS

www.sans.org/8140

G. Mark Hardy, SANS Principal Instructor

G. Mark Hardy is founder and president of National Security Corporation. He has been providing cybersecurity expertise to government, military, and commercial clients for over 35 years and is an internationally recognized expert and keynote speaker who has presented at over 250 events world-wide. He provides consulting services as a virtual CISO, expert witness, and domain expert in blockchain and cryptocurrency. G. Mark serves on the Advisory Board of CyberWATCH, an Information Assurance/Information Security Advanced Technology Education Center of the National Science Foundation. He is a retired U.S. Navy captain and was entrusted with nine command assignments, including responsibility for leadership training for 70,000 sailors. A graduate of Northwestern University, he holds a BS in computer science, a BA in mathematics, a masters in business administration, and a masters in strategic studies, and holds the GSLC, CISSP, CISM and CISA certifications. @g_mark


Register at www.sans.org/northern-va-winter-reston | 301-654-SANS (7267)

MGT517 Managing Security Operations: Detection, Response, and Intelligence

Five-Day Program | Mon, Jan 15 - Fri, Jan 19 | 9:00am - 5:00pm | 30 CPEs | Laptop Required | Instructor: Ismael Valenzuela

Who Should Attend

• Information security managers
• Security Operations Center managers, analysts, and engineers
• Information security architects
• IT managers
• Operations managers
• Risk management professionals
• IT/system administration/network administration professionals
• IT auditors
• Business continuity and disaster recovery staff

This course covers the design, operation, and ongoing growth of all facets of the security operations capabilities in an organization. An effective Security Operations Center (SOC) has many moving parts and must be designed to have the ability to adjust and work within the context and constraints of an organization. To run a successful SOC, managers need to provide tactical and strategic direction and inform staff of the changing threat environment, as well as provide guidance and training for employees. This course covers design, deployment, and operation of the security program to empower leadership through technical excellence.

The course covers the functional areas of Communications, Network Security Monitoring, Threat Intelligence, Incident Response, Forensics, and Self-Assessment. We discuss establishing security operations governance for:

• Business alignment and ongoing adjustment of capabilities and objectives
• Designing the SOC and the associated objectives of functional areas
• Software and hardware technology required for performance of functions
• Knowledge, skills, and abilities of staff, as well as staff hiring and training
• Execution of ongoing operations

You will walk out of this course armed with a roadmap to design and operate an effective SOC tailored to the needs of your organization.

Course Author Statement

“The inclusion of all functional areas of security operations is intended to develop a standardized program for an organization and express all necessary capabilities. Admittedly ambitious, the intention of the class is to provide a unified picture of coordination among teams with different skillsets to help the business prevent loss due to poor security practices. I have encountered detrimental compartmentalization in most organizations. There is a tendency for specialists to look only at their piece of the problem, without understanding the larger scope of information security within an organization. Organizations are likely to perceive a Security Operations Center (SOC) as a tool, and not as the unification of people, processes, and technologies.

This course provides a comprehensive picture of a Cybersecurity Operations Center. Discussion on the technology needed to run a SOC is handled in a vendor-agnostic way. In addition, technology is addressed in a way that attempts to address both minimal budgets as well as budgets with global scope. The course outlines staff roles, addresses staff training through internal training and information-sharing, and examines the interaction between functional areas and data exchange.

“After attending this class, the participant will have a roadmap for what needs to be done in an organization seeking to implement security operations.”

-Christopher Crowley

“This course is simply outstanding! It pulls together best practice, standards, procedures, and materials [into a] framework to establish and manage a world-class security operational SOC.” -MICHAEL CARTER, LDS CHURCH

Ismael Valenzuela, SANS Certified Instructor

Since he founded one of the first IT Security consultancies in Spain, Ismael Valenzuela has participated as a security professional in numerous projects across the globe over the past 17 years. As a top cybersecurity expert with a strong technical background and deep knowledge of penetration testing, security architectures, intrusion detection and computer forensics, Ismael has provided security consultancy, advice and guidance to large government and private organizations, including major EU Institutions and U.S. government agencies. Prior to his current role as Principal Engineer at McAfee, where he leads research on threat hunting using machine-learning and expert-system driven investigations, Ismael led the delivery of SOC, IR & Forensics services for the Foundstone Services team within Intel globally. Previously, Ismael worked as Global IT Security Manager for iSOFT Group Ltd, one of the world’s largest providers of healthcare IT solutions, managing their security operations in more than 40 countries. He holds a bachelor’s degree in computer science from the University of Malaga (Spain), is certified in business administration, and holds many professional certifications. These include the highly regarded GIAC Security Expert (GSE #132) in addition to GREM, GCFA, GCIA, GCIH, GPEN, GCUX, GCWN, GWAPT, GSNA, GMON, CISSP, ITIL, CISM, and IRCA 27001 Lead Auditor from Bureau Veritas UK. @aboutsecurity


For course updates, prerequisites, special notes, or laptop requirements, visit www.sans.org/event/northern-va-winter-reston-2018/courses

Bonus Sessions

Enrich your SANS training experience! Evening talks led by our instructors and selected subject-matter experts help you broaden your knowledge, hear from the voices that matter in computer security, and get the most for your training dollar.

KEYNOTE: OBSESSED: How to Be Wildly Successful
Dr. Eric Cole

Most people want to be successful and achieve their goals, but often struggle getting to the next level. While having technical knowledge in cybersecurity is important, there are other tricks that successful people have learned to truly live the life of their dreams. The cool part is that success leaves clues. Bill Gates and Steve Jobs were not lucky, but they knew about tips and tricks that very few people take advantage of. The good news is that these “secrets” can be learned and used to be able to accomplish anything that you want in life. If you want to accomplish anything, there are essentially two ways of doing it: 1) make all of the mistakes yourself and slowly accelerate, or 2) learn from other people’s mistakes and exponentially propel your life more quickly than you ever imagined. It does not take months or years to change your life; it can be done in less than two hours.

Blockchain: The New Digital Swiss Army Knife?
G. Mark Hardy

Now that the price of a single bitcoin surpasses the price of an ounce of gold, is blockchain becoming a runaway train with businesses scrambling to hop on? If so, how can you take advantage of this opportunity, and will the mistakes be minor or catastrophic? Blockchain as a technology has been proposed as a solution to everything from frictionless currency transfer to tracking cargo on ships. With over $1 billion in venture funds invested and several hundred patents filed, every security professional must know the impact on organizations in terms of risk, volatility, and competitiveness. This talk will explore alternative uses for blockchain technology, other than cryptocurrency, and provide a framework for utilizing and securing a technology considered as disruptive as the Internet was in the 1990s.

Kill Chain
Paul A. Henry

For 20 years, we have been installing security products that do little more than stare down the Internet pipe, trying to prevent an inevitable compromise. Suddenly someone drops a Spear Phishing email, or comes in via VPN partner connection or a USB Drop or sends a malicious attachment via Google email direct to the desktop – bypassing your gateway defenses – and it’s GAME OVER. In this presentation, we examine the kill chain from both a defensive and first-responder perspective so you can better direct your efforts:

• Initial Recon
• Initial Compromise
• Establish Foothold
• Escalate Privileges
• Internal Recon
• Move Laterally (Gather PII)
• Complete Mission
• Maintain Presence (Prepare for Exfiltration)

Monitoring and Incident Response on a Shoestring Budget
Joff Thyer

As pen testers, we are familiar with the techniques used to attack an environment. Knowing these techniques informs us with respect to various methods of potential detection. In fact, we are often asked by our clients what they could have done to detect the methods we used to successfully compromise their environment. There are so many great community projects out there that allow defenders to assemble their own toolkit for tactical and focused environment monitoring. This talk will cover a continuing evolution of how you can use free and open-source tools to help detect potential attackers in your network.

SANS Training Formats

Whether you choose to attend a training class live or online, the entire SANS team is dedicated to ensuring your training experience exceeds expectations.

Live Classroom Instruction

Premier Training Events

Our most recommended format, live SANS training events feature SANS’s top instructors teaching multiple courses at a single time and location. This allows for:

• Focused, immersive learning without the distractions of your office environment
• Direct access to SANS Certified Instructors
• Interacting with and learning from other professionals
• Attending SANS@Night events, NetWars tournaments, vendor presentations, industry receptions, and many other activities

Our premier live training events in North America, serving thousands of students, are held in Orlando, Washington DC, Las Vegas, New Orleans, and San Diego. Regional events with hundreds of students are held in most major metropolitan areas during the year. See page 12 for upcoming training events in North America.

Summits

SANS Summits focus one or two days on a single topic of particular interest to the community. Speakers and talks are curated to ensure the greatest applicability to participants.

Community SANS Courses

The same SANS courses, courseware, and labs are taught by up-and-coming instructors in a regional area. Smaller classes allow for more extensive instructor interaction. No need to travel; commute each day to a nearby location.

Private Classes

Bring a SANS Certified Instructor to your location to train a group of your employees in your own environment. Save on travel and address sensitive issues or security concerns in your own environment.

Online Training

SANS Online successfully delivers the same measured learning outcomes to students at a distance that we deliver live in classrooms. More than 30 courses are available for you to take whenever or wherever you want. Thousands of students take our courses online and achieve certifications each year.

Top reasons to take SANS courses online:

• Learn at your own pace, over four months
• Spend extra time on complex topics
• Repeat labs to ensure proficiency with skills
• Save on travel costs
• Study at home or in your office

Our SANS OnDemand, vLive, Simulcast, and SelfStudy formats are backed by nearly 100 professionals who ensure we deliver the same quality instruction online (including support) as we do at live training events.

“The decision to take five days away from the office is never easy, but so rarely have I come to the end of a course and had no regret whatsoever. This was one of the most useful weeks of my professional life.” -Dan Trueman, Novae PLC

“I am thoroughly pleased with the OnDemand modality. From a learning standpoint, I lose nothing. In fact, the advantage of setting my own pace with respect to balancing work, family, and training is significant, not to mention the ability to review anything that I might have missed the first time.” -Kevin E., U.S. Army


Future Training Events

San Diego | San Diego, CA | Oct 30 - Nov 4
Seattle | Seattle, WA | Oct 30 - Nov 4
Miami | Miami, FL | Nov 6-11
San Francisco Winter | San Francisco, CA | Nov 27 - Dec 2
Austin Winter | Austin, TX | Dec 4-9
Cyber Defense Initiative | Washington, DC | Dec 12-19
Security East | New Orleans, LA | Jan 8-13, 2018
Northern VA Winter – Reston | Reston, VA | Jan 15-20
Las Vegas | Las Vegas, NV | Jan 28 - Feb 2
Miami | Miami, FL | Jan 29 - Feb 3
Scottsdale | Scottsdale, AZ | Feb 5-10
Southern CA – Anaheim | Anaheim, CA | Feb 12-17
Dallas | Dallas, TX | Feb 19-24
New York City Winter | New York, NY | Feb 26 - Mar 3
San Francisco Spring | San Francisco, CA | Mar 12-17
Northern VA Spring – Tysons | Tysons, VA | Mar 17-24
Pen Test Austin | Austin, TX | Mar 19-24
Boston | Boston, MA | Mar 25-30
SANS 2018 | Orlando, FL | Apr 3-10
Baltimore Spring | Baltimore, MD | Apr 21-28
Security West | San Diego, CA | May 11-16

Future Summit Events

SIEM & Tactical Analytics | Scottsdale, AZ | Nov 28 - Dec 5
Cyber Threat Intelligence | Bethesda, MD | Jan 29 - Feb 5, 2018
Cloud Security | San Diego, CA | Feb 19-26
ICS Security | Orlando, FL | Mar 19-26
Blue Team | Louisville, KY | Apr 23-30

Future Community SANS Events

Local, single-course events are also offered throughout the year via SANS Community. Visit www.sans.org/community for up-to-date Community course information.

Registration Information

Cancellation & Access Policy

If an attendee must cancel, a substitute may attend instead. Substitution requests can be made at any time prior to the event start date. Processing fees will apply. All substitution requests must be submitted by email to [email protected]. If an attendee must cancel and no substitute is available, a refund can be issued for any received payments by December 27, 2017. A credit memo can be requested up to the event start date. All cancellation requests must be submitted in writing by mail or fax and received by the stated deadlines. Payments will be refunded by the method that they were submitted. Processing fees will apply.

SANS Voucher Program

Expand your training budget! Extend your fiscal year. The SANS Voucher Program provides flexibility and may earn you bonus funds for training.

www.sans.org/vouchers

Pay Early and Save*

Pay & enter code by | Discount
11-22-17 | $400.00
12-13-17 | $200.00

*Some restrictions apply. Early bird discounts do not apply to Hosted courses.

Use code EarlyBird18 when registering early

REGISTER ONLINE AT www.sans.org/northern-va-winter-reston

WE RECOMMEND YOU REGISTER EARLY TO ENSURE YOU GET YOUR FIRST CHOICE OF COURSES.

Select your course and indicate whether you plan to test for GIAC certification. If the course is still open, the secure, online registration server will accept your registration. Sold-out courses will be removed from the online registration. Everyone with Internet access must complete the online registration form. We do not take registrations by phone.

Top 5 reasons to stay at the Hyatt Regency Reston

1. All SANS attendees receive complimentary high-speed Internet when booking in the SANS block.
2. No need to factor in daily cab fees and the time associated with travel to alternate hotels.
3. By staying at the Hyatt Regency Reston, you gain the opportunity to further network with your industry peers and remain in the center of the activity surrounding the training event.
4. SANS schedules morning and evening events at the Hyatt Regency Reston that you won’t want to miss!
5. Everything is in one convenient location!

Located in the thriving heart of Reston Town Center, this hotel is surrounded by more than 50 retail stores, 30 restaurants, a movie theater and businesses. As the only Four-Diamond hotel in Reston, VA, it is the largest, most renowned hotel in the Dulles Airport Corridor, with free shuttle service to and from your terminal. If you have business or sightseeing plans in Washington DC, the METRO Silver Line is just minutes away.

Special Hotel Rates Available

A special discounted rate of $189.00 for Single/Double occupancy will be honored based on space availability. Government per diem rooms are available with proper ID; you will need to call reservations and ask for the SANS government rate. These rates include high-speed Internet in your room and are only available through December 22, 2017.

Hotel Information

Hyatt Regency Reston
1800 Presidents Street
Reston, VA 20190
Phone: 703-709-1234
www.sans.org/event/northern-va-winter-reston-2018/location

5705 Salem Run Blvd. Suite 105 Fredericksburg, VA 22407

Create a SANS Account today to enjoy these free resources at sans.org/account

Newsletters

NewsBites Twice-weekly, high-level executive summaries of the most important news relevant to cybersecurity professionals

OUCH! The world’s leading monthly free security awareness newsletter designed for the common computer user.

@RISK: The Consensus Security Alert A reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) how recent attacks worked, and (4) other valuable data.

Webcasts

Ask the Experts Webcasts SANS experts bring current and timely information on relevant topics in IT security.

Analyst Webcasts A follow-on to the SANS Analyst Program, Analyst Webcasts provide key information from our whitepapers and surveys.

WhatWorks Webcasts The SANS WhatWorks webcasts bring powerful customer experiences showing how end users resolved specific IT security issues.

Tool Talks

Tool Talks are designed to give you a solid understanding of a problem, and how a vendor’s commercial tool can be used to solve or mitigate that problem.

Other Free Resources

• InfoSec Reading Room
• Top 25 Software Errors
• 20 Critical Controls
• Security Policies
• Intrusion Detection FAQs
• Tip of the Day
• Security Posters
• Thought Leaders
• 20 Coolest Careers
• Security Glossary
• SCORE (Security Consensus Operational Readiness Evaluation)

As the leading provider of information defense, security, and intelligence training to military, government, and industry groups, SANS Institute is proud to be a Corporate Member of the AFCEA community.

Save $400 when you pay for any 4-, 5-, or 6-day course and enter the code “EarlyBird18” by November 22nd. www.sans.org/northern-va-winter-reston

Northern Virginia Reston | Winter 2018 To be removed from future mailings, please contact [email protected] or (301) 654-SANS (7267). Please include name and complete address. NALT-BRO-Reston-Winter-2018