SANS MGT517 was cancelled and will not return. I will
release the material in several ways over the next year: as an online resource
(, as an online class, as in person training, and in a
project plan book.
Brief Background
I wrote the course that became SANS Management 517 because
the two-day course I was a course author of, MGT535 – Managing Incident
Response, didn’t seem to fulfill many of the questions that people were asking
about. Namely, “How do I interface my incident handling capability to the
Security Operations Center?”
Secondarily, there were always questions about the related
disciplines of what I eventually called “Self-Assessment Function” within the
SOC. How do I use, create, or mature my vulnerability assessment program? How
can I convince the IT department to help us by getting a good baseline in
Additionally, there was a gap that several people echoed.
There were several documents that identified various aspects of Security
Operations Centers (SOC), but there was no single reference that said exactly
what a SOC was. Carson Zimmerman’s book, and David Nathan’s book were great,
but no one had publicly defined capabilities, staffing, the technology
involved, and the things that a SOC ingested and what its output was.
What became MGT517 was my attempt to define a reference
model around security operations centers (SOC) for organizations to consider.
About 500 students attended MGT517 when it was available through SANS. These
students were from countries around the world, and from every sector: from
manufacturers of goods you use in your home; the companies who make the
computers you use; companies who operate the largest cloud infrastructures in
the world; companies who build the software that runs most major businesses;
security software firms; financial firms; healthcare entities; representatives
of governments. Each time I taught the class, there was a chorus of “Thank
you.” I can take this back to my organization and say here’s how we should do
this. There was a common theme of there not being any other resource or class
which covered this topic. There was usually also constructive criticism and
valuable insight shared by attendees.
I am disappointed that SANS chose to cancel the class. But
what SANS didn’t cancel is my commitment to continue to develop the material. The
SOC, and security operations in general is a critical capability for
organizations around the world.
I previously mentioned an Analysis of Competing Hypotheses
(ACH) write up on why MGT517 was cancelled. It is still underway. It’s going
very slowly, but will be published eventually. That matters less than what I’m
going to do next, so what follows is that information.
Crowley Motivations
Material Access and Community Value
I want people to see the information I wrote. I think it
provides tremendous value because it puts forward a reference model. You’re
welcome to disagree with it. In fact, I would say that you must at least
consider that the model may not be a good match for your organization. I’ve tried to envision and account for every
possibility. So, the tailoring to your organization is certainly present in
such an abstracted and generalized model.
In addition to the security operations class, I am writing a
book to provide a project plan for building a SOC. This should provide a very
low-cost option for organizations to access the concepts expressed in these
various forums and provide a project plan for the organization to build a SOC.
Business Development
I want to work on interesting SOC projects. I’m only a
single person, and I won’t have a team of people working for me. Why not?
Because I’m not interested in building a company at this time. That takes away
from my ability to focus on the subject matter. But that means that I can’t
delegate tasks to people and help lots of companies simultaneously.
It means my ability to get involved in projects is very
limited if I want to keep my quality level high. My SANS teaching and course
development has consumed a large amount of my time for the last three years.
I’m taking the time I was exerting for MGT517 course development and shifting
it to course development for an online version and an onsite version outside of
SANS. I will have time for no more that 3 or 4 contract customers at any given
time, if I continue to teach for SANS and try to run a class independently.
There’s a risk in attempting to do all of this, as SANS may see this effort as
competitive and choose not to ask me to instruct classes. Setting up courses
live takes a lot of time and effort, and marketing the classes is a massive
uphill battle. Enrollment, payment systems, and onsite logistics are expensive.
Life’s a risk.
Actions Planned
Web Resource
I paid a developer to build a website for me to have a forum
for SOC discussion by vetted individuals. I haven’t been able to get back to
that effort due to so many different things going on. I’ve tried to find an
intern to help me to populate content onto the site. If you’re interested in
helping me with the initial deployment of material, please let me know. You
wouldn’t be writing anything, just populating material into the website. This will
be about a 3 month effort. Twitter is the best avenue to start this
conversation: @CCrowMontance.
I have a lot of material buried in slide decks that aren’t
accessible to people. My intention is to rescue that information from the
powerpoints I’ve build and move it to a forum for people to review and for
knowledgeable people to have meaningful discussions. My intention is to vet the
people who can discuss, but have the discussions be public. I think this is the
best way to produce high quality content. Even without community participation,
it will be a place where I can share the research and analysis I have done.
Online Class
The easiest way to get access to the material will be an
online version available through The price will be
affordable and the material will be adjusted to an online format. Once done,
this will run perpetually and will be available on your schedule.
Live Class
This will probably be a three day event, limited to 25
participants. I’ll go to locations that are good options for me and where I
think people want the event to run. This will be very much of a DIY effort, and
if you’re interested in helping me to run the class or want it as part of your
conference, I’ll certainly consider it. Also, private onsite runs are available
with a focus on your organization’s specific implementation.
Tentative Scheduled Events & Locations
This list is ambitious, and I suspect several of these
classes will not run, but I’ll try to make them all happen.
Online: Expected date of initial availability :
November 1, 2019
December 2-4, 2019 : Washington, DC Area : Security
Operations Class – Public Enrollment
January 8-10, 2020 : New York City, NY :
Security Operations Class – Public Enrollment
March, 2020 : Macau or Hong Kong : Security
Operations Class – Public Enrollment
June, 2020: Europe or Middle East, TBD
August, 2020 : Las Vegas : Security Operations
Class – Public Enrollment
November, 2020: Melbourne, Australia : Security
Operations Class – Public Enrollment
I look forward to seeing you there.