SANS FOR509 Review
I’m really happy with this class. It covered 3 of the top used cloud products: AWS, Azure, GCP.
It’s authored by David Cowen, Josh Lemon, and Pierre Lidome, but David was the instructor for two days, and they invited Terrance Williams from AWS to teach Day 2 and 3. The instructors were truly experts across multiple cloud platforms and SANS didn’t let me down on the quality of their work.
One problem I experienced at my company during cloud incidents is that we didn’t have enough logs to piece together information. In cloud environments, most logging is not enabled by default. It is very difficult to understand which ones you need on which platform.
This class went over what logs you need to enable and how to analyze them in good detail. There’s a lot of information out there that is just difficult to find out even if you read the documentation. FOR509 tells you what logs are relevant to investigations, and then how to ingest them to analyze in Logstash/Kibana, then extract relevant fields in order to come to conclusions on what someone did in your cloud environments.
Not only that, but they give a pretty good overview of each cloud platform. I’ve taken AWS and Azure courses and they break down the relevant information an incident responder needs to know in just a couple of days.
I highly recommend this for anyone just starting out in cloud incident response, or if you’re like me, spinning your wheels for months without much progress in understanding multiple log sources and how to analyze them effectively.