SANS GMON / SEC511 Review

I completed my SANS GMON / Continuous Monitoring certification. I’m pleased with the process.

My training history is a web app course at DerbyCon (amazing for the cost) in 2011 or so, Tao Security’s old Black Hat course on security monitoring, and the Black Hat version of Offensive Countermeasures, both at Black Hat 2010? Offensive Countermeasures was interesting, but I’ve never been in an environment in which I could apply any of it.

SANS SEC511 felt like a five day version of Tao Security’s course. I wish this course had existed when I was new.

SEC511 covered a wide range of tools you’d likely encounter in an enterprise, and the labs covered some of the more functional open source alternatives. It just seemed to make sense. Bro is a must for security monitoring, while ModSecurity is a bit of a bastard to work with and less likely to provide value in most environments.

The exam was tailored more toward understanding the tools and designing a functioning environment for monitoring. I was concerned the test was going to be a memory game of the various flags in tools.

If you’re reading this and are concerned about the test, @Hacks4Pancakes’ SANS guide on her website is fantastic.

SANS Effectiveness – Locus Of Control

Everyone has security controls/tools that work and controls/tools that don’t work. I’d originally thought a bigger budget would solve a lot of problems. The community likes to say that budgets don’t solve everything, but even open source needs hardware (cost) and time (cost) to implement and manage.

My problem seems to be more of a locus of control issue than a budget issue. Even if the budget doubled, I question whether the security posture would improve. A security team can easily implement AV, firewalls, malware detection, etc. Administration and use are almost entirely the responsibility of the security team. The locus of control is internal to the team.

On the other hand, a penetration test has an external locus of control. There is the budget issue, but even a budget won’t solve anything if the problematic systems have admins who won’t resolve the findings.

A web application firewall is another example. A network firewall is pretty simple: port 80 is either open or closed to a web server. A WAF requires cooperation between the security team and the server admin for an effective setup. Once again, the locus of control is external.
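The contrast above, as an added illustration that is not from the original post or from any SEC511 material. The network side is a single rule the security team owns outright, roughly `iptables -A INPUT -p tcp --dport 80 -j ACCEPT`. The WAF side is a hypothetical ModSecurity 2.8+ (Apache, libinjection) rule set; the rule ID 1001 and the `comment` form field are assumptions for the example. The first rule is generic and deployable without knowing the application. The last line is the tuning the security team cannot write on its own, because only the application owner knows which parameters legitimately carry quote-and-keyword text that trips the SQLi detector, and only they know when a release changes that list.

```apacheconf
# Hypothetical ModSecurity 2.x configuration (added example, not from the post).
# Assumptions: rule id 1001 is free; the application has a free-text "comment"
# field whose legitimate content (quotes, OR/AND, semicolons) looks like SQLi.
SecRuleEngine On
SecRequestBodyAccess On

# Generic control the security team can deploy with no application knowledge:
# run the libinjection SQLi detector over every request argument and block.
SecRule ARGS "@detectSQLi" \
    "id:1001,phase:2,deny,status:403,log,msg:'SQLi pattern in request argument'"

# Application-specific tuning that requires the server/app admin: exclude the
# free-text field that produces false positives. Getting this exclusion list
# right, and keeping it right across releases, is where the locus of control
# leaves the security team. Over-exclude and the WAF is decorative; under-exclude
# and the admins ask for it to be set to DetectionOnly.
SecRuleUpdateTargetById 1001 "!ARGS:comment"
```

Without that last line the rule blocks legitimate traffic and gets switched to `SecRuleEngine DetectionOnly` within a week; with it, the WAF only stays effective if the application owner tells the security team every time a new free-text parameter is added. That ongoing dependency is the external locus of control the paragraph describes.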

Even if the budget keeps increasing, effectiveness won’t increase until external groups buy in.  Fixing that requires more than open source tools, a budget, or security people…