Graduate Certificate in Cloud Security

In 2021 doubled down on Cloud Security. I loved cloud technologies, but it’s easy to be intimidated by the nuance of securing the thousands of services across three cloud providers. Each Cloud Service Provider (CSP) has hundreds of services with thousands of changes each year, hard to keep up with. I applied to be in the program, and by that time I had already gotten 3-4 AWS certifications and was familiar with “cloud” technologies. As a bottom up learner who struggles to understand complex topics without a solid foundation, I took a chance on SANS in this case.

This wasn’t my first SANS course, and I knew if they could teach me cloud like they taught me other security topics, I would be successful. The program costs around 22k, so it better be good. I am incredibly privileged to work at places that have helped offset a lot of this financial burden, that helped me reach my goals faster than I would have been able to alone.

ISE 6610: Cloud Security Essentials | SEC488 + GCLD

February 12, 2022

This course was my first proper introduction to Azure and GCP. The author of the course, Ryan Nicholson, built a curriculum that offered a choose your own adventure of Azure and AWS labs. The content was incredibly comprehensive, a theme that would continue to build further down the chain of classes. I learned a lot in this class: the labs were plentiful informative and the OnDemand videos were good, but my index was not good and it didn’t help my exam performance. I passed but was not happy with my grade.

Note: Want to learn how I make my indexes after 7 SANS classes under my belt? (Click Here)[/posts/giac-index-how-to.md]

ISE 6612: Public Cloud Security: AWS, Azure, and GCP | SEC510 + GPCS

November 05, 2022

I thought SEC488 had a lot of labs until I got into the SEC510 material. There was work, work, and more work THEN the extra credit started. The course authors, Brandon Evans and Eric Johnson, put a ton of care into teaching topics like Identity Metadata Services (IMDS), scriptable CSP CLI programs (like aws cli or az cli), JMES Path, and most of all: Terraform. The labs showed how to secure a workload in the cloud step-by-step, including the Infrastructure as Code changes that would remediate an issue. Every other class I took after this one claimed to have “the most labs”, but I can tell you it came nowhere close. Whatever they taught in my electives, it seemed like Brandon and Eric had covered it already! This class gave me the confidence to call myself a “Cloud Security Engineer”. SANS is always big on Monday Morning Value™️and this class had plenty of actionable advice that can apply at work immediately. This was my first Cloud Security class I took in person, and the experience was amazing. I was grateful to have a team that won the Capstone Challenge coin, being able to use what I learned all week in a practical sense and get rewarded with a Battlestar Galactica themed coin was the cherry on top.

After taking the two required credits for the Graduate Certificate, it was on to my electives:

ISE 6630: Cloud Penetration Testing | SEC588 + GCPN

March 31, 2023

SEC588 I took in person as well. I had always been interested in cloud pentesting tools, even though at work I don’t “do” red team tasks. I’ve always been of the mind “how do you know it’s secure?” and my goal for this class was to gain the knowledge to test the security in my cloud (if it ever came to that). This class was 100% fun. The course author, Moses Frost, brought years of experience in the field to bear in six days of hacking AWS, Azure, and Kubernetes. He also brought many stories of pentesting assessments he had done with his years at Cisco and Neuvik. This class introduced me to the (Project Discovery team)[https://projectdiscovery.io] and their extensible set of tools for scanning the cloud “at scale”. We used Naabu, Nuclei, and Subfinder to hack a very realistic lab hosted in AWS and Azure. This course’s theme was Rick and Morty and trust me - we wore the pickle rick shit out. This class had such good vibes: everyone helped each other out all week and we learned together. Yet again, I was eternally grateful to have been on a team that earned a Capstone Challenge coin for this class. Very confidence building! SEC588 had the 2nd most labs of all the classes I took, but it certainly was number 1 in fun.

ISE 6655: Cloud Security Attacker Techniques, Monitoring and Threat Detection | SEC541 + GCTD

May 14, 2024

This class was a last-minute substitution for me and I was very excited to sit for it. At the time I enrolled in the Cloud Security Graduate Certificate program from SANS, the electives were very limited. Right as I went to sign up for my last elective, this class became eligible. Jumped at the chance to change it up, as this was more relevant to my job role. I wanted to take this class because threat intel was not a strong topic for me, especially in the cloud. The course authors for SEC541 are Shawn McCullough and Ryan Nicoholson, and they did a great job teaching Threat Detection in the cloud. We learned about logging and monitoring using cloud native tooling, detecting pivots from an attacker, M365 incident response and more! My favorite takeaways from this class were leveraging services like AWS Athena and SQL and Azure Log Analytic Workspace and KQL to parse logs from servers, flow logs from virtual networks, and cloud control plane logs. The labs in this class were great, but sometimes felt short. The SEC541 class was new-ish at the time and didn’t have the development time for a deep bench of labs like SEC510 or SEC588. I took this class in the live online format, which was not as engaging as an in-person class, but we still learned a lot. It was a great experience, but I found it hard to have discussions over Slack.

You might have a sense of what’s coming…you’re tired of reading it, just as I am tired of typing it:

After 5 days of intense learning I was grateful to be on a team that took home yet another Capstone challenge coin. The Capstones are something unique to SANS classes and I have yet to see them executed as well in any other organization’s training classes.

What I Wish was Different

Some suggestions for Graduate Certificate program improvement:

As newer classes get introduced by the SANS Cloud course authors, there is a lag between the classes offered by the Graduate Certificate program and the ‘latest and greatest’. I would have preferred to take SEC549 Cloud Security Architecture, but the class had just come out. The GIAC test hadn’t come out, and I was just too early. IMO, If I’m paying $5700 a class I should be able to pick the classes that will give me the highest return at my day job or the classes that would help me meet new career goals.

Finally, one of the bigger criticisms I see of SANS is this: I wish SANS had more to give back to the open source software, community knowledge, and conference talks they incorporate into their courses. Full price the classes can run over 11k, entering the school lowers them significantly. I know how much SANS gives to the community, because my family has directly benefitted from their generosity. It’s changed my career and the careers of many others - I just wonder if there isn’t a way to do more: I love projects like SOF-ELK and wish there were more opportunities to help contribute to future classes.

Final Thoughts

Overall, was the Graduate Certificate in Cloud Security worth it? YES. I hate paying the “SANS price”, but I have not taken another set of classes that had the same “Monday Morning Value” (MMV). SANS does a great job of keeping me informed about the stuff I need to be paying attention to as a Security Practitioner. If I had to learn it all myself, I wouldn’t even know where to start.

Cost Benefit Analysis

The Graduate Certificate 3 credit classes cost $5700 a piece. The program cost $22,800, which is a god damn nice Toyota Camry. Did it make me more valuable in my day-to-day work? 1000%. I make good money already, but wanted to increase my ability to become a high level expert and the program certainly helped me do that. Am I an expert? Not today, check back tomorrow!

Time Commitment

I’m kind of masochistic. If I am enrolled in a SANS class, there are a lot of things I stop doing until the class is over. You can be normal and spend 8-10 hours a week working through the labs and finish in the requisite three month time period. The SANS Graduate Programs require at least one class to be taken a year. Plan your employer’s Tuition Assistance Program yearly contribution and do what’s best for you!