Continuous Monitoring and Security Operations - March 9-14, 2015 - Virginia Tech Campus, Torgersen Hall 2150 - Blacksburg, Virginia
General Information

The Defensible Security Architecture and Network Security Monitoring (NSM)/Continuous Diagnostics and Mitigation (CDM)/Continuous Security Monitoring (CSM) taught in this course will best position your organization or Security Operations Center (SOC) to analyze threats and detect anomalies that could indicate cybercriminal behavior. The payoff for this new proactive approach would be early detection of an intrusion, or successfully thwarting the efforts of attackers altogether. The National Institute of Standards and Technology (NIST) developed guidelines for Continuous Monitoring (CM), described in NIST SP 800-137, and Day five (5) will greatly increase your understanding and enhance your skills in implementing Continuous Monitoring utilizing the NIST framework.

SANS is uniquely qualified to offer this course. Course authors Eric Conrad (GSE #13) and Seth Misenar (GSE #28) hold the distinguished GIAC Security Expert Certification (GSE). Both are experienced, real-world practitioners who apply the concepts and techniques they teach in this course on a daily basis. SEC511 will take you on quite a journey. We start by exploring traditional security architecture to assess its current state and the attacks against it. Next, we discuss and discover modern security design that represents a new proactive approach to such architecture, one that can be easily understood and defended. We then transition to how to actually build the network and endpoint security, and then carefully navigate our way through automation and NSM/CDM/CSM. For timely detection of potential intrusions, the network and systems must be proactively and continuously monitored for any changes in the security posture that might increase the likelihood that attackers will succeed.

Your SEC511 journey will conclude with one last hill to climb! The final day (Day 6) features a capture-the-flag competition that challenges you to apply the skills and techniques learned in the course to detect and defend the modern security architecture that has been designed. Course authors Eric Conrad and Seth Misenar have designed the capture-the-flag competition to be fun, engaging, comprehensive, and challenging. You will not be disappointed!

With your training journey now complete and your skills enhanced and honed, it is time to go back to work and deliver on the SANS promise that you will be able to apply what you learn in this course the day you return to the office.

March 9, 2015
SEC 511.1; Day 1
Current State Assessment, SOCs, and Security Architecture

March 10, 2015
SEC 511.2; Day 2
Network Security Architecture

March 11, 2015
SEC 511.3; Day 3
Endpoint Security Architecture

March 12, 2015
SEC 511.4; Day 4
Network Security Monitoring

March 13, 2015
SEC 511.5; Day 5
Automation and Continuous Security Monitoring

March 14, 2015
SEC 511.6; Day 6
Capstone: Design, Detect, Defend

Who should attend?

  • Security Architects
  • Senior Security Engineers
  • Technical Security Managers
  • SOC Analysts
  • SOC Engineers
  • SOC Managers
  • CND Analysts
  • Individuals working to implement Continuous Diagnostics and Mitigation (CDM), Continuous Security Monitoring (CSM), or Network Security Monitoring (NSM)

Instructor Biography:

Christopher Crowley has 15 years of industry experience managing and securing networks. He currently works as an independent consultant in the Washington, DC area. His work experience includes penetration testing, computer network defense, incident response, and forensic analysis. Mr. Crowley is the course author for SANS Management 535 - Incident Response Team Management and holds the GSEC, GCIA, GCIH (gold), GCFA, GPEN, GREM, GMOB, and CISSP certifications. His teaching experience includes SEC401, SEC503, SEC504, SEC560, SEC575, SEC580, FOR585, and MGT535; Apache web server administration and configuration; and shell programming. He was awarded the SANS 2009 Local Mentor of the Year Award. "The Mentor of the Year Award is given to SANS Mentors who excel in leading SANS Mentor Training classes in their local communities."

Additional Information:

If you wish to receive additional information about this program, please contact Randy Marchany, IT Security Lab, Virginia Tech by e-mail at

Continuing & Professional Education @ Virginia Tech