I completed my SANS GMON / Continuous Monitoring certification. I’m pleased with the process.
My training history is a web app course at DerbyCon (amazing for the cost) in 2011 or so, Tao Security's old Black Hat course on security monitoring, and the Black Hat version of Offensive Countermeasures, both at Black Hat 2010? Offensive Countermeasures was interesting, but I've never been in an environment in which I could apply any of it.
SANS SEC511 felt like a five day version of Tao Security’s course. I wish this course had existed when I was new.
SEC511 covered a wide range of tools you'd likely encounter in an enterprise, and the labs covered some of the more functional open source alternatives. It just seemed to make sense. Bro is a must for security monitoring, while ModSecurity is a bit of a bastard to work with and less likely to provide value in most environments.
The exam was more tailored around understanding the tools and designing a functioning environment for monitoring. I was concerned the test was going to be a memory game of understanding the various flags in tools.
If you're reading this and are concerned about the test, @Hacks4Pancakes' guide for SANS on her website is fantastic.