
Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise


by fatima
Price:  260,000
2 Months

This course is designed to help students build and maintain a truly defensible security architecture, while taking them on a journey towards implementing Zero Trust principles, pillars and capabilities. There will be a heavy focus on leveraging current infrastructure and investment. Students will learn how to assess, re-configure and validate existing technologies to significantly improve their organizations’ prevention, detection and response capabilities, augment visibility, reduce attack surface, and even anticipate attacks in innovative ways. The course will also delve into some of the latest technologies and their capabilities, strengths, and weaknesses. (Online classes available)


Course Key Learnings

  • Analyze a security architecture for deficiencies
  • Discover data, applications, assets and services, and assess compliance state
  • Implement technologies for enhanced prevention, detection, and response capabilities
  • Comprehend deficiencies in security solutions and understand how to tune and operate them
  • Understand the impact of ‘encrypt all’ strategies
  • Apply the principles learned in the course to design a defensible security architecture
  • Determine appropriate security monitoring needs for organizations of all sizes
  • Maximize existing investment in security architecture by reconfiguring existing technologies
  • Determine capabilities required to support continuous monitoring of key Critical Security Controls
  • Configure appropriate logging and monitoring to support a Security Operations Center and continuous monitoring program
  • Design and Implement Zero Trust strategies leveraging current technologies and investment

Business Takeaways

This course will help your organization:

  • Identify and comprehend deficiencies in security solutions
  • Design and Implement Zero Trust strategies leveraging current technologies and investment
  • Maximize existing investment in security architecture by reconfiguring existing technologies
  • Layer defenses to increase protection time while increasing the likelihood of detection
  • Improve prevention, detection, and response capabilities
  • Reduce the attack surface

Course Content:

Module 1: Defensible Security Architecture and Engineering: A Journey Towards Zero Trust

Overview

This first section of the course describes the principles of designing and building defensible systems and networks. In this section we introduce the fundamentals of security architectures and the journey towards Zero Trust. We will cover traditional vs. defensible security architectures, security models and winning techniques, and the defensible security architecture life cycle, or DARIOM (Discover, Assess, Re-Design, Implement and Monitor) model.

Exercises
  • Practical Threat Modeling with MITRE ATT&CK: In SEC530’s first hands-on lab, students will learn practical threat modeling using MITRE ATT&CK. This framework will be used throughout the week, so that All-Around-Defenders can use this model to prioritize security countermeasures and to drive efficacy. This class will teach students to be threat-focused, not vulnerability-focused, identifying where the most important risks are.
  • Egress Analysis: The focus is on understanding how attackers exfiltrate data with common techniques like DNS tunneling, and how to layer defenses to increase protection time while increasing the likelihood of detection.
  • Identifying Layer 2 Attacks: Network security has improved, yet layer 2 attacks are still possible in a modern organization. The focus of this lab is on identifying relevant layer 2 attacks.
  • Architecting for Flow Data: This lab will help students understand the various forms of flow data and how to architect the placement and use of various flow data sources to identify unauthorized or anomalous activity.
Topics
  • Course Overview
    • What is a Security Architecture?
    • What makes a good Security Architect?
    • Learning Through Case Studies from Day 1 to 6 (Tyrell Corp Case Study)
    • Our Journey Towards Zero Trust
  • Defensible Security Architecture
    • Mindset
      • Presumption of Compromise
      • De-perimeterization
      • Think Red, Act Blue
  • Traditional Security Architecture Deficiencies
    • Emphasis on Perimeter/Exploitation
    • Lack of a True Perimeter (“De-perimeterization” as a Result of Cloud/Mobile)
    • The Internet of Things
    • Compliance-Driven Security
  • Winning Defensible-Security Strategies
    • Risk-Driven and Business Outcome-Focused Architecture
    • Practical Threat Modeling: Purple Teaming
    • MITRE ATT&CK Matrix
    • Look for Blue/Red Asymmetries
    • Architecting with Security Operations in Mind
  • Security Models
    • Time Based Security
    • Cyber Kill Chain
    • TBS + Kill Chain + MITRE ATT&CK
    • Architecting for Visibility & Detection
    • Architecting for Incident Response
    • Zero Trust Model
  • Threat, Vulnerability, and Data Flow Analysis
    • Defensible Security Architecture Life Cycle (DARIOM Model)
    • Threat Vector Analysis
      • Data Ingress Mapping
    • Data Exfiltration Analysis
      • Data Egress Mapping
    • Detection Dominant Design
    • Attack Surface Analysis
    • Visibility Analysis
  • Layer 1 – Physical Security Best Practices
    • Network Closets
    • Penetration Testing Dropboxes
    • USB Keyboard Attacks (Rubber Ducky)
  • Layer 2 – Network Security Best Practices
    • Wireless, Zigbee and RFID badges
    • VLANs
      • Hardening
      • Private VLANs
    • Layer 2 Attacks and Mitigation
  • NetFlow
    • Layer 2 and 3 NetFlow
    • NetFlow, sFlow, jFlow, VPC Flow, Suricata, and Endpoint Flow
    • Cloud Flows

Module 2: Network Security Architecture and Engineering

Overview

This section continues the discussion on hardening critical infrastructure that is often found in hybrid environments, and moves on to concepts such as routing devices, firewalls, and application proxies. Actionable examples are provided for hardening routers, with specific Cisco IOS commands to perform each step.

Exercises
  • Auditing Router Security: The focus of this lab is on identifying and mitigating security issues in routers.
  • Router SNMP Security: In this lab, students will interact with live cloud routers and perform attacks against SNMP to understand them and, ultimately, to remove the threat.
  • IPv6: The Next Generation Internet Protocol, also known as IPv6, is often ignored and misunderstood. This lab allows students to interact with IPv4 and IPv6 to be more familiar with some of the differences.
  • Proxy Power: Proxies have immense capabilities in dealing with malware and command and control channels. This lab walks students through what would happen to malware phoning home based on the different ways a proxy can be configured.
Topics
  • Layer 3 Attacks and Mitigation
    • IP Source Routing
    • ICMP Attacks
    • Unauthorized Routing Updates
    • Securing Routing Protocols
    • Unauthorized Tunneling (Wormhole Attack)
  • Switch and Router Best Practices
  • Layer 2 and 3 Benchmarks and Auditing Tools
    • Baselines
      • CISecurity
      • Cisco’s Best Practices
      • Cisco Autosecure
      • DISA STIGs
      • Nipper-ng
  • Securing SNMP
    • SNMP Community String Guessing
    • Downloading the Cisco IOS Config via SNMP
    • Hardening SNMP
    • SNMPv3
  • Securing NTP
    • NTP Authentication
    • NTP Amplification Attacks
  • Bogon Filtering, Blackholes, and Darknets
    • Bogon Filtering
    • Monitoring Darknet Traffic
    • Building an IP Blackhole Packet Vacuum
  • IPv6
    • Dual-Stack Systems and Happy Eyeballs
    • IPv6 Extension Headers
    • IPv6 Addressing and Address Assignment
  • Securing IPv6
    • IPv6 Firewall Support
    • Scanning IPv6
    • IPv6 Asset Inventory with Rumble Network Discovery
    • IPv6 Tunneling
    • IPv6 Router Advertisement Attacks and Mitigation
  • Segmentation
    • Network vs Access Segmentation
    • Segmentation Principles
    • Firewall Architecture
    • DMZ Design
    • Layer 3/4 Stateful Firewalls
    • Router ACLs
    • Linux and BSD Firewalls
    • pfSense
    • Login Segmentation
    • Azure Privileged Management (PIM)
  • Application Proxies
    • Web Proxy
      • Explicit vs. Transparent
      • ICAP
      • Forward vs. Reverse
    • SMTP Proxy
      • Augmenting with Phishing Protection and Detection Mechanisms
      • Bayesian Analysis
      • SPF, DKIM, DMARC
      • Dnstwist
      • Combining Open-Source Intelligence

Module 3: Network-Centric Application Security Architecture

Overview

Organizations own or have access to many network-based security technologies, ranging from Next-Generation Firewalls to IDS/IPS and malware sandboxes. These are often deployed on-prem but also in the cloud. Yet the effectiveness of these technologies is directly affected by their implementation. Too much reliance on built-in capabilities like application control, antivirus, intrusion prevention, data loss prevention, or other automatic evil-finding deep packet inspection engines leads to a highly prevention-focused implementation, with huge gaps in both prevention and detection.

Exercises
  • Network Security Monitoring: Intrusion detection alerts and network metadata provide a holistic approach to knowing thyself and identifying unauthorized activity. This lab focuses on detecting malware operating over the network with NSM (Suricata).
  • NSM Architecture and Engineering: In this lab, students will learn how to place and implement NSM technologies for proper visibility and application/protocol awareness. They will also leverage advanced correlation capabilities on Zeek to detect C2 and tunnels.
  • Encryption Considerations: Network encryption protects data from being observed both by attackers and defenders. This lab focuses on how defenders can interact with TLS connections to gain back visibility for inspection in proxies, NSM, NGFW, and other solutions.
Topics
  • NGFW
    • Application Filtering
    • Implementation Strategies
    • Scripting & APIs
  • Network Security Monitoring (NSM)
    • Alert-Driven Workflows vs Data-Driven Workflows
    • Architecting for Network Visibility
    • Power of Network Metadata
    • Know Thy Network
    • SPAN ports vs TAPs
    • Sensor Placement
    • Network Traffic Analysis Architecture
    • Zeek Use Cases
  • NIDS/NIPS
    • IDS/IPS Rule Writing
    • Signature vs Anomaly vs Protocol analysis
    • Snort
    • Suricata
    • Zeek
  • Sandboxing
    • Beyond Inline
    • Integration with Endpoint
    • Feeding the Sandbox Potential Specimens
    • Malware Detonation Devices
  • Encryption
    • The “Encrypt Everything” Mindset
      • Internal and External
    • Free SSL/TLS Certificate Providers
    • SSL/SSH Inspection
    • SSL/SSH Decrypt Dumps
    • SSL Decrypt Mirroring
    • Certificate Pinning
      • Malware Pins
    • HSTS Preloading
    • Certificate Transparency Monitoring
    • Crypto Suite Support
      • Qualys SSL Labs
  • Secure Remote Access
    • Access into Organization
    • Dual Factor for All Remote Access (and More)
    • Google Authenticator/TOTP: Open Authentication
    • IPSec VPNs
    • SSH VPNs
    • SSL/TLS VPN
    • Jump Boxes
    • Remote Desktop on HTML5 with Guacamole
    • Always On VPN
    • Compression and WAN Optimization
    • Modern Alternatives to VPN: ZTNA and SDP
    • Clean Source Principle and AD Management
    • Identity Access Management
  • Distributed Denial-of-Service Protection
    • Impact of Internet of Things
    • Types of Attacks
    • Mitigation Techniques

Module 4: Data-Centric Application Security Architecture

Overview

Our journey continues with the discussion of a strategy that is central to a Zero Trust Architecture: data-centric security. Organizations cannot protect something they do not know exists. The problem is that critical and sensitive data exist all over. Complicating this even more is that data are often controlled by a full application stack involving multiple services that may be hosted on-premises or in the cloud.

Exercises
  • Securing Web Applications: In this lab, students will identify the prevention and detection capabilities that web application firewalls provide, and also learn where they can be evaded. Then changes will be applied to block and detect evasion techniques.
  • Discovering Sensitive Data: Identifying where sensitive data reside is difficult but necessary. You cannot control data if you do not know where those data reside. This lab walks students step-by-step through writing a PowerShell script in order to crawl through a file system looking for sensitive data.
  • Secure Virtualization: The focus of this lab is on showing the implications of attackers gaining host access to a hypervisor or container system, and also on various hardening and incident handling steps that can be taken.
Topics
  • Application (Reverse) Proxies
  • Full Stack Security Design
    • Web Server
    • App Server
    • DB Server
  • Web Application Firewalls
    • Whitelisting and Blacklisting
    • WAF Bypass
    • Normalization
    • Dynamic Content Routing
  • Database Firewalls/Database Activity Monitoring
    • Data Masking
    • Advanced Access Controls
    • Exfiltration Monitoring
  • File Classification
    • Data Discovery
      • Scripts vs. Software Solutions
      • Find Sensitive Data in Databases or Files/Folders
      • Advanced Discovery Techniques such as Optical Character Recognition Scanning of Pictures and Saved Scan Files
    • Methods of Classification
    • Dynamic Access Control
  • Data Loss Prevention (DLP)
    • Network-based
    • Endpoint-based
    • Cloud Application Implementations
  • Data Governance
    • Policy Implementation and Enforcement
    • Access Controls vs. Application Enforcement and Encryption
    • Auditing and Restrictions
  • Mobile Device Management (MDM) and Mobile Application Management (MAM)
    • Security Policies
    • Methods for Enforcement
    • End-user Experience and Impact
  • Private Cloud Security
    • Securing On-premises Hypervisors (vSphere, Xen, Hyper-V)
    • Network Segmentation (Logical and Physical)
    • VM Escape
    • Surface Reduction
    • Visibility Advantages
  • Public Cloud Security Challenges
    • Shared Responsibility Implications
    • Cloud Strengths and Weaknesses
    • Data Remanence and Lack of Network Visibility
  • Container Security
    • Impact of Containers on On-premises or Cloud Architectures
    • Security Concerns
    • Protecting against Container Escape

Module 5: Zero-Trust Architecture: Addressing the Adversaries Already in Our Networks

Overview

“Trust but verify” has been a common security mantra. But this is a broken concept. Computers can calculate trust on the fly, so rather than thinking in terms of “trust but verify” organizations should be implementing “verify then trust.” By doing so, access can be constrained to appropriate levels at the same time that access can become more fluid.

Exercises
  • Network Isolation and Mutual Authentication: Attackers cannot attack what they cannot see or interact with. This lab shows defenders how to implement SPA or mutual TLS so that only authorized assets can connect.
  • SIEM Analysis and Tactical Detection: Logging and inspecting is difficult without the right data and the proper ability to view those data. This lab shows how to use a SIEM system to find an attacker in more than 10 different ways. The detection capabilities are important, but the logic behind them is also important for implementing variable-trust conditional access across an enterprise.
  • SIGMA Generic Signatures: In this lab students will understand how to use and implement Sigma generic signature rules, a new community-driven project, to convert generic signatures into various formats for operational use. Students will use these signatures to enhance existing detection capabilities, determine coverage with MITRE ATT&CK Navigator, and search for adversary activity.
  • Advanced Defense Strategies: Attackers do not play fair and neither should defenders. In this lab, students will configure services to identify attacks in a way that internal systems continue to function but attack tools do not. Also, specialized detection honeytokens will be implemented to identify attackers cloning a public site and using it against your staff or external clients.
Topics
  • Zero Trust Architecture
    • Why Perimeter Security Is Insufficient
    • What Zero Trust Architecture Means
    • “Trust but Verify” vs. “Verify then Trust”
    • US Government – Embracing a Zero Trust Security Model
    • DISA – Rethinking How We Use Existing Infrastructure
    • DISA – Zero Trust Pillars and Capabilities
    • Example of Zero Trust Scenario – Remote Exploitation or Insider Threat
    • Zero Trust – A Journey Over Time
    • Implementing Variable Access
    • Logging and Inspection
    • Network Agent-based Identity Controls
  • Credential Rotation
    • Certificates
    • Passwords and Impact of Rotation
    • Password Auditing
    • LAPS
    • gMSA
  • Compromised Internal Assets
    • Pivoting Adversaries
    • Insider Threat
    • NAC
  • Adaptive Trust and Security Orchestration
    • Electric Fence (Automated Digital Response)
    • Quarantine
    • Device Compliance
  • Securing the Network
    • Authenticating and Encrypting Endpoint Traffic
    • Domain Isolation (Making Endpoint Invisible to Unauthorized Parties)
    • Mutual TLS
    • Single Packet Authorization
    • 802.1x
    • Client Certificates
    • PKI
  • Segmentation Gateways
    • Network Agent
    • Planes of Authorization
    • Micro Segmentation, Micro Core and Perimeter (MCAP)
    • Dynamic Authorization
  • Leveraging Endpoints as Hardened Security Sensors
    • End-user Privilege Reduction
    • Host-based IDS/IPS
      • As Tripwires
    • Endpoint Firewalls
      • Pivot Detection
  • Scaling Endpoint Log Collection/Storage/Analysis
    • How to Enable Logs that Matter
    • Designing for Analysis Rather than Log Collection
    • Auditing Policies on Windows and Linux
    • Sysmon
    • Auditd
  • MITRE ATT&CK Content Engineering
    • Anomalies vs Signatures
    • SIGMA Generic Signatures
    • How SIGMA Works
    • Conversion of Signatures to Alert Queries
    • Sigma2Attack
    • Anomaly Identification vs Real-Time Alerts
  • Tripwire and Red Herring Defenses
    • Honeynets, Honeypots, and Honeytokens
    • Single Access Detection Techniques
    • Proactive Defenses to Change Attacker Tool Behaviors
    • Increasing Prevention Capabilities while Adding Solid Detection

Module 6: Hands-On Secure the Flag Challenge

Overview

The course culminates in a team-based Design-and-Secure-the-Flag competition. Powered by NetWars, day six provides a full day of hands-on work applying the principles taught throughout the week. Your team will progress through multiple levels and missions designed to ensure mastery of the modern cyber defense techniques promoted throughout this course. Teams will assess, design, and secure a variety of computer systems and devices, leveraging all the knowledge, tools and skills obtained in class, as they defend Tyrell Corporation from the attack of the replicants.

Topics
  • Capstone – Design/Detect/Defend
    • Defensible Security Architecture
    • Assess Provided Architecture and Identify Weaknesses
    • Use Tools/Scripts to Assess the Initial State
    • Quickly/Thoroughly Find All Changes Made

International Student Fee: 950 US$


Flexible Class Options

  • Weekend Classes for Professionals – SAT | SUN
  • Corporate Group Trainings Available
  • Online Classes – Live Virtual Class (L.V.C), Online Training

ABOUT US

OMNI ACADEMY & CONSULTING is a training and consulting firm founded in 2010 under the MHSG Consulting Group. It aims to help customers transform their people and business and engage more closely with their customers through digital transformation, helping people gain valuable skills and find jobs.
