Monday, April 1, 2019

Security Operations Class Status


SANS MGT517 was cancelled and will not return. I will release the material in several ways over the next year: as an online resource (, as an online class, as in person training, and in a project plan book.

Brief Background

I wrote the course that became SANS Management 517 because the two-day course I was a course author of, MGT535 – Managing Incident Response, didn’t seem to fulfill many of the questions that people were asking about. Namely, “How do I interface my incident handling capability to the Security Operations Center?”

Secondarily, there were always questions about the related disciplines of what I eventually called “Self-Assessment Function” within the SOC. How do I use, create, or mature my vulnerability assessment program? How can I convince the IT department to help us by getting a good baseline in place?

Additionally, there was a gap that several people echoed. There were several documents that identified various aspects of Security Operations Centers (SOC), but there was no single reference that said exactly what a SOC was. Carson Zimmerman’s book, and David Nathan’s book were great, but no one had publicly defined capabilities, staffing, the technology involved, and the things that a SOC ingested and what its output was.

What became MGT517 was my attempt to define a reference model around security operations centers (SOC) for organizations to consider. About 500 students attended MGT517 when it was available through SANS. These students were from countries around the world, and from every sector: from manufacturers of goods you use in your home; the companies who make the computers you use; companies who operate the largest cloud infrastructures in the world; companies who build the software that runs most major businesses; security software firms; financial firms; healthcare entities; representatives of governments. Each time I taught the class, there was a chorus of “Thank you.” I can take this back to my organization and say here’s how we should do this. There was a common theme of there not being any other resource or class which covered this topic. There was usually also constructive criticism and valuable insight shared by attendees.

I am disappointed that SANS chose to cancel the class. But what SANS didn’t cancel is my commitment to continue to develop the material. The SOC, and security operations in general is a critical capability for organizations around the world.

I previously mentioned an Analysis of Competing Hypotheses (ACH) write up on why MGT517 was cancelled. It is still underway. It’s going very slowly, but will be published eventually. That matters less than what I’m going to do next, so what follows is that information.

Crowley Motivations

Material Access and Community Value

I want people to see the information I wrote. I think it provides tremendous value because it puts forward a reference model. You’re welcome to disagree with it. In fact, I would say that you must at least consider that the model may not be a good match for your organization.  I’ve tried to envision and account for every possibility. So, the tailoring to your organization is certainly present in such an abstracted and generalized model.

In addition to the security operations class, I am writing a book to provide a project plan for building a SOC. This should provide a very low-cost option for organizations to access the concepts expressed in these various forums and provide a project plan for the organization to build a SOC.

Business Development

I want to work on interesting SOC projects. I’m only a single person, and I won’t have a team of people working for me. Why not? Because I’m not interested in building a company at this time. That takes away from my ability to focus on the subject matter. But that means that I can’t delegate tasks to people and help lots of companies simultaneously.

It means my ability to get involved in projects is very limited if I want to keep my quality level high. My SANS teaching and course development has consumed a large amount of my time for the last three years. I’m taking the time I was exerting for MGT517 course development and shifting it to course development for an online version and an onsite version outside of SANS. I will have time for no more that 3 or 4 contract customers at any given time, if I continue to teach for SANS and try to run a class independently. There’s a risk in attempting to do all of this, as SANS may see this effort as competitive and choose not to ask me to instruct classes. Setting up courses live takes a lot of time and effort, and marketing the classes is a massive uphill battle. Enrollment, payment systems, and onsite logistics are expensive. Life’s a risk.

Actions Planned

Web Resource

I paid a developer to build a website for me to have a forum for SOC discussion by vetted individuals. I haven’t been able to get back to that effort due to so many different things going on. I’ve tried to find an intern to help me to populate content onto the site. If you’re interested in helping me with the initial deployment of material, please let me know. You wouldn’t be writing anything, just populating material into the website. This will be about a 3 month effort. Twitter is the best avenue to start this conversation: @CCrowMontance.

I have a lot of material buried in slide decks that aren’t accessible to people. My intention is to rescue that information from the powerpoints I’ve build and move it to a forum for people to review and for knowledgeable people to have meaningful discussions. My intention is to vet the people who can discuss, but have the discussions be public. I think this is the best way to produce high quality content. Even without community participation, it will be a place where I can share the research and analysis I have done.

Online Class

The easiest way to get access to the material will be an online version available through The price will be affordable and the material will be adjusted to an online format. Once done, this will run perpetually and will be available on your schedule.

Live Class

This will probably be a three day event, limited to 25 participants. I’ll go to locations that are good options for me and where I think people want the event to run. This will be very much of a DIY effort, and if you’re interested in helping me to run the class or want it as part of your conference, I’ll certainly consider it. Also, private onsite runs are available with a focus on your organization’s specific implementation.

Tentative Scheduled Events & Locations

This list is ambitious, and I suspect several of these classes will not run, but I’ll try to make them all happen.

·        Online: Expected date of initial availability : November 1, 2019
·        December 2-4, 2019 : Washington, DC Area : Security Operations Class – Public Enrollment
·        January 8-10, 2020 : New York City, NY : Security Operations Class – Public Enrollment
·        March, 2020 : Macau or Hong Kong : Security Operations Class – Public Enrollment
·        June, 2020: Europe or Middle East, TBD
·        August, 2020 : Las Vegas : Security Operations Class – Public Enrollment
·        November, 2020: Melbourne, Australia : Security Operations Class – Public Enrollment

I look forward to seeing you there.

1 comment:

  1. Looking forward to it! I took MGT517 at the summit in NOLA. As you described your predicament I heard a voice in my mind saying Sanders. I couldn't agree more with your choice on delivery platform. Wishes for success headed your way. You can't stop the signal ;)