Talk With an Expert
Talk With an Expert

SEC541: Cloud Security Threat Detection

SEC541Cloud Security
  • 5 Days (Instructor-Led)
  • 30 Hours (Self-Paced)
Course authored by:Shaun McCullough & Ryan Nicholson
Course authored by:Shaun McCullough & Ryan Nicholson
  • GIAC Cloud Threat Detection (GCTD)
  • 30 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • Advanced Skill Level

    Course material is geared for cyber security professionals with hands-on experience

  • 22 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Jump to:

Acquire elite cloud threat detection capabilities to identify, analyze, and respond to sophisticated attacks in AWS and Azure environments.

Featured Quote

I would recommend SEC541 to any cloud security stakeholder that wants to empower all the security tools companies have in order to improve detection, understand protection, and overall increase their security level.
Veronique DupontCloud Cyber Security Architect, Airbus

Course Overview

SEC541: Cloud Security Threat Detection immerses students in hands-on labs that focus on detecting threats and investigating attacks across AWS, Azure, and Microsoft 365 environments. Threat-driven curriculum to equips security professionals with practical cloud threat detection techniques through analyses of real-world attacks.

The course begins with an analysis of real-world case studies, followed by implement detection controls and investigate suspicious activities. From there, you’ll build a detection engineering process, and explore cloud-native logging, API monitoring, and effective detection systems tailored to cloud environments. You’ll also gain exposure to cloud threat hunting strategies that enhance proactive detection and reduce response times.

By the end of the course, you’ll have developed practical skills to detect, investigate, and respond to sophisticated cloud threats. Security professionals will gain expertise beyond theory, implementing cloud threat detection strategies that address the critical differences between on-premises and cloud security monitoring.

What You'll Learn

  • Learn how to build a detection engineering program
  • Analyze cloud API logs to detect unauthorized activity
  • Implement effective cloud-native security monitoring
  • Utilize Azure and AWS detection services effectively
  • Apply threat intelligence and generative AI to cloud security
  • Build automation for incident response in the cloud

Business Takeaways

  • Reduce cloud breach detection time and impact
  • Implement cloud-specific security monitoring strategies
  • Establish effective cloud detection engineering program
  • Enhance visibility across multi-cloud environments
  • Leverage native tooling to minimize security costs
  • Align detection capabilities to actual cloud threats
  • Accelerate incident response with automation

Meet Your Authors

  • Slide 1 of 2
    Shaun McCullough
    Shaun McCullough

    Shaun McCullough

    Certified Instructor

    Shaun McCullough spent 20+ years at the NSA working in cyber operations as a software engineer and technical director of Blue, Red, and Hunt teams. He is currently a staff level Cloud Security Engineer at GitHub.

    Read more about Shaun McCullough
  • Slide 2 of 2
    Ryan Nicholson
    Ryan Nicholson

    Ryan Nicholson

    Senior Instructor

    Ryan’s extensive experience, including roles as a cybersecurity engineer for major Department of Defense cloud projects and as a lead auditor, underscores his dedication to enhancing the security posture of critical systems.

    Read more about Ryan Nicholson
Slide 1 of 0

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in SEC541: Cloud Security Threat Detection.

Section 1Detection of Cloud API and Network Attacks

The course begins with an investigation of a real-world cloud attack, breaking down the tactics and demonstrating how to monitor cloud management APIs. You will analyze API logs, implement network monitoring, and develop detection strategies for unauthorized activities in cloud environments.

Topics covered

  • Cloud attack analysis methodology
  • Detecting engineering
  • JSON log parsing techniques
  • Network traffic analysis in cloud
  • Detection strategy implementation

Labs

  • Investigate attacker evasions with CloudTrail
  • Building detections in CloudWatch
  • Deploying and operating a decoy honey network
  • Network Analysis in the Cloud

Section 2Compute and Application Attacks

Students focus on monitoring compute resources including virtual machines, containers, and serverless functions. You’ll then analyze the Tesla Kubernetes attack, implement logging for compute environments, and develop detection strategies for abnormal behavior patterns in cloud workloads.

Topics covered

  • Virtual machine and container logging architecture
  • Metadata service risks and exploitation techniques
  • Kubernetes and container monitoring and investigation
  • Cloud database attack detection and data exfiltration
  • eBPF and log agent customization for threat detection

Labs

  • Threat intelligence generation
  • Enhanced host visibility
  • Kubernetes command and control
  • Cryptojacking cloud services
  • Cloud storage ransomware

Section 3Security Services and Investigations

You’ll learn to implement and leverage cloud-native detection services, discovering the best ways to conduct resource inventory, identify sensitive data in unauthorized locations, and centralize security data for comprehensive threat monitoring across cloud environments.

Topics covered

  • Leveraging CSPM and CWP services in Azure and AWS
  • Cloud resource inventory techniques
  • Detecting cross-account role persistence attacks
  • Data exposure and risk evaluation
  • Analyzing activities across log types

Labs

  • Metadata services and GuardDuty setup
  • Detecting command injection in Lambda
  • Macie configuration for data discovery
  • Inspector deployment for vulnerabilities
  • Centralized logging with ElasticSearch

Section 4Microsoft Ecosystem

You’ll examine Microsoft 365 and Azure-specific detection capabilities and incorporating AI into their security program. This section concentrates on techniques to investigate Exchange attacks, utilize Kusto Query Language for log analysis, and implement Microsoft Defender and Sentinel for comprehensive threat detection in Microsoft cloud environments.

Topics covered

  • Microsoft 365 attack analysis
  • Sentinel strategies and advanced KQL
  • Defender XDR
  • Storage account monitoring
  • Cloud services using AI

Labs

  • Baker221b onboarding and active incidents
  • Suspicious email investigation
  • Authentication attacks and rogue Activities
  • Sherlock's Data Breach
  • Sherlock’s AI Assistant

Section 5Data Shipping, Automation and CloudWars

You will begin by automating incident response in cloud environments and then culminate the course by participating in the CloudWars Challenge. You’ll walk away with strategies to implement automated forensic workflows and develop skills in a capstone exercise designed to test their ability to detect and respond to cloud-based threats.

Topics covered

  • Cloud incident response automation
  • Forensic workflow implementation
  • Detection engineering principles
  • Multi-cloud security integration
  • Threat hunting methodologies

Labs

  • Automated forensics workflow setup
  • Results analysis techniques
  • CloudWars Challenge participation

Things You Need To Know

Relevant Job Roles

Cloud Security Analyst

Cloud Security

Using cloud security solutions to establish a security foundation, enable comprehensive defenses and detect attacks.

Explore learning path

Cyber Threat Intelligence Specialist

European Cybersecurity Skills Framework

Collect, process, analyse data and information to produce actionable intelligence reports and disseminate them to target stakeholders.

Explore learning path

Threat Management

SCyWF: Protection And Defense

This role collects and analyzes information about threats, searches for undetected threats and provides actionable insights to support cybersecurity decision-making. Find the SANS courses that map to the Threat Management SCyWF Work Role.

Explore learning path

Cloud Threat Detection and Response

Cloud Security

Monitor, test, detect, and investigate threats to cloud environments.

Explore learning path

Incident Response (OPM 531)

NICE: Protection and Defense

Responsible for investigating, analyzing, and responding to network cybersecurity incidents.

Explore learning path

Cyber Defense Analyst (DCWF 511)

DoD 8140: Cybersecurity

Monitors cyber defense tools like IDS and logs to analyze network events, identifying and mitigating potential threats to security environments.

Explore learning path

Cybersecurity Implementer

European Cybersecurity Skills Framework

Develop, deploy and operate cybersecurity solutions (systems, assets, software, controls and services) on infrastructures and products.

Explore learning path

Course Schedule & Pricing

Looking for Group Purchase Options?Contact Us

GIAC Certification Attempt

Add a GIAC certification attempt and receive free two practice tests. View pricing in the info icons below.

OnDemand Course Access

When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.

Showing 10 of 10

Learn Alongside Leading Cybersecurity Professionals From Around The World

  • Slide 1 of 4
    Learning what to look for from both sides of the keyboard in one course is refreshing.
    Scott H.U.S. Government
  • Slide 2 of 4
    Each day's content is like a well told story. The labs bring the lecture to life.
    Frank BalluffiBNY Mellon
  • Slide 3 of 4
    I really enjoyed learning more about the AWS data sources and then performing relevant attacks against them to generate events that we could hunt for.
    Gavin KnappBridewell Consulting
  • Slide 4 of 4
    I liked the labs. They were beefy but they were fun. I really liked the brute force lab because that is 100% legit. I thought it was really cool too how they show you two ways to do almost the same thing with Athena and CloudWatch.
    Samuel CosentinoCisco
Slide 1 of 0

Benefits of Learning with SANS

Instructor teaching to a class

Get feedback from the world’s best cybersecurity experts and instructors

OnDemand Mobile App

Choose how you want to learn - online, on demand, or at our live in-person training events

Resources

Get access to our range of industry-leading courses and resources

AltStyle によって変換されたページ (->オリジナル) /