Frequently Asked Questions – MGT516: Managing Security Vulnerabilities: Enterprise and Cloud

Question #1: What are the goals of this course?

A: This course will help you to:

• Identify and understand the severity level of existing vulnerabilities
• Prioritize which vulnerabilities to remediate
• Identify potential controls to help avoid and mitigate vulnerabilities in the enterprise and the cloud
• Determine relevant treatment techniques and controls in the enterprise and the cloud
• Develop a framework for continuous improvement
• Develop effective vulnerability reporting for management

Question #2: Who should take the class?

A: This course is ideal for:

• CISOs
• Information security managers, officers, and directors
• Information security architects, analysts, and consultants
• Aspiring information security leaders
• Risk management professionals
• Business continuity and disaster recovery planners and staff members
• IT managers and auditors
• IT project managers
• IT/system administration/network administration professionals
• Operations managers
• Cloud service managers and administrators
• Cloud service security and risk managers
• Cloud service integrators, developers, and brokers
• IT security professionals managing vulnerabilities in the enterprise or cloud
• Government IT professional who manage vulnerabilities in the enterprise or cloud (FedRAMP)
• Security or IT professionals who have team-lead or management responsibilities
• Security or IT professionals who use or are planning to use cloud services

Question #3: What is the class layout?

A: This is a 5-day lecture and lab course - View the upcoming course runs

• There are over 22 labs in the class (Day 1 = 7, Day 2 = 4, Day 3 = 6, Day 4 = 5, Day 5 = ALL DAY CAPSTONE) 
• Day 1 features information on asset management, finding vulnerabilities, and how to make vulnerability management fun. 
• Day 2 continues instruction on finding vulnerabilities, looking at application problems, scanner configurations, and bug bounty programs. We then move into analyzing vulnerabilities and how to deal with all the results. We’ll look at prioritizing vulnerabilities, exclusions, and threat intelligence.
• Day 3 moves into communicating the problems we have found. We’ll discuss metrics, reporting, and how to handle various meetings we need to schedule, conduct, or participate in. The day concludes with an introduction to how to treat vulnerabilities with a discussion of change and patch management. 
• Day 4 wraps up the treatment section with configuration management, application management, and treatment alternatives. Switching from the more technical to the software skills, the course looks at how to gain buy-in for your programs and efforts as well as how to create, set up, and effectively operate a vulnerability management program. We also provide a maturity model for each of the course sections to summarize and wrap-up the main portion of the class. 
• Day 5, the final course day, begins with a review of a business scenario that triggers a group capstone exercise. The exercise allows students to analyze and discuss how best to implement and maintain a vulnerability management program and leverage some of the information they have learned throughout the course.

Question: #4: I've been doing work in vulnerability management for a while. Will the course be valuable to me or is it going to be too basic?

• A: The course offers valuable information and cover relevant topics for practitioners across all skill levels. The class is structured into sections according to topics that are aimed at answering questions relevant to all vulnerability management programs. For example, one of the course sections deals with understanding how to prioritize vulnerabilities. Within this section, we detail where most organizations start – with vulnerability-centric prioritization – and the various ways that this approach can be leveraged. From there, we detail an alternative approach -- asset-centric prioritization -- and the different methods of utilization. Finally, we look at a more advanced technique – threat-centric prioritization – and outline methods for performing it. In this way, the course covers the topic end to end and allows students to see where they fit into the spectrum of methods as well as ways, they can advance their program.

Question #5: My organization is moving to the cloud. Will this class help me transition my program to this new paradigm?

• A: No matter where you are on your cloud journey, MGT516 will be valuable for you. This class will help you set up or continue to mature your vulnerability management program with your cloud assets. The class with look at the options and the differences between the various providers (Amazon, Microsoft, Google) and how we can include these within our programs, as well as the different types of cloud services (IaaS (e.g. EC2, Azure), PaaS (e.g. Elastic Beanstal, Kubernetes) or SaaS (e.g. Adobe Creative Cloud or Salesforce). The class takes an integrated approach to all of the topics covered, providing a cohesive look at how the topic applies across our traditional enterprises as well as in cloud environments.

Question #6: What will the class prepare you to do?

• Create, implement, or improve your vulnerability management program
• Establish a secure and defensible enterprise and cloud computing environment
• Build an accurate and useful inventory of IT assets in the enterprise and cloud
• Identify existing vulnerabilities and understand the severity level of each
• Prioritize vulnerabilities for treatment
• Effectively report and communicate vulnerability data within your organization
• Engage treatment teams and make vulnerability management fun
• Understand what motivates our partners and how to gain their buy-in to ensure program success

Question #7: Who is the MGT516 course author(s)?

A: David Hazar and Jonathan Risto

David Hazar

David is a security consultant based in Salt Lake City, Utah focused on vulnerability management, application security, cloud security, and DevOps. David has 20+ years of broad, deep technical experience gained from a variety of hands-on roles serving the financial, healthcare, and technology industries. In his many roles, including 3 years with top security consulting firm, he has focused on helping integrate and automate security testing and other important security controls into both on-premise and cloud environments. He has also developed and led technical security training initiatives at many of the companies he has worked for, is an instructor for and contributor to SEC540: Cloud Security and DevOps Automation, and a co-author and instructor for MGT516: Managing Security Vulnerabilities: Enterprise and Cloud. David holds a BS in information systems and a Master of Information Systems Management from Brigham Young University along with numerous other technical and security certifications. @HazarDSec

Jonathan Risto

Jonathan is a SANS Instructor teaching a wide variety of SANS classes including SEC504, SEC560, SEC566, and SEC580. He is also the co-author of the SANS MGT516: Managing Security Vulnerabilities: Enterprise and Cloud.

With a career spanning over 20 years that has included working in network design, IP telephony, service development, security, and project management, he has a deep technical background that provides a wealth of information he draws upon when teaching. His leadership of direct reports and matrix teams in industries including telecom, government and charity environments. When not teaching for SANS, he primarily works for the Canadian Government performing cybersecurity research work, in the areas of vulnerability management and automated remediation. He also performs consulting work.

He holds a Bachelor of Electrical Engineering and is a licensed professional engineer (P.Eng.). He also holds a Master's Degree in Information Security Management from STI. In his spare time, he sits on the board of directors for charities and his 3 daughters keep him very busy. When possible, he enjoys the outdoors, astronomy, and photography. @jonathanristo