Course review
My Review: SANS SEC 530: Defensible Security Architecture and Engineering
My personal opinion and key learnings from SANS SEC 530, including security architecture, Zero Trust, network security monitoring, and the GDSA exam.
Last November, I had the opportunity through Amazon to attend a SANS course. After doing some research and carefully considering my options, I chose the Defensible Security Architecture and Engineering course. I selected this course because it aligns well with my future career goal of becoming a Security Architect. The course content also looked very interesting and relevant to the direction I want to grow in.
The course was conducted by Ismael Valenzuela, who was a great instructor. The course was designed in a very practical and engaging way, combining strong security architecture concepts with real-world examples and hands-on exercises. This made the content easier to understand and directly applicable to real-world security challenges.
You can review the full syllabus on the SANS website. In this article, I will share my personal opinion and key learnings from the course, without revealing any sensitive or restricted course material. Hopefully this article will help someone on a similar path.
Offensive Security Concepts
Security engineers usually have a strong understanding of offensive security concepts, including identifying security vulnerabilities, recommending remediation actions, and assessing the security configurations of cloud and on-premises infrastructure.
One of the main areas this course focused on was how individual vulnerabilities fit into the bigger picture, and how a combination of multiple vulnerabilities can lead to highly impactful attacks. For example, a security engineer might conduct an on-premises security review and identify issues such as a router or switch that has not been updated with the latest security patches. They might then perform a separate firewall security review and report on that, while the application is reviewed separately with its own report.
However, what could be missed is understanding and demonstrating how a router misconfiguration or security vulnerability could be combined with other weaknesses to allow a malicious attacker to gain access to highly sensitive data. We often assume that man-in-the-middle attacks are very difficult and require a highly targeted malicious actor. However, the reality is that they can be easier than we think, especially when network devices are not properly hardened.
Zero Trust
Zero Trust is one of the latest trends in the security industry. One of the main learnings I gained from this course was how to design security infrastructure using Zero Trust principles. The good thing about the course is that it is not just theoretical. It also includes practical examples of how to implement Zero Trust concepts in real-world environments.
However, I felt that the course focused a bit too much on Microsoft-related technologies for Zero Trust implementation. I would have preferred to see more examples using other technologies as well. That said, the same concepts can still be applied across different vendors and environments.
Network Security Monitoring
The course had a strong focus on network security monitoring and security detection techniques, which is an area I am planning to learn more about. There was a lot of course material that required a deeper dive to fully understand.
In terms of network monitoring, I learned some of the best practices and bad practices when implementing monitoring solutions. I also had limited knowledge of detection rule writing before the course. Through the course, I learned how to write detection rules and became aware of some useful existing resources in this area. Speaking of resources, the course shared many valuable references that I can continue to use throughout my security journey.
Exam and Certification
Now, let’s talk about the exam. The certification associated with this course is GIAC Defensible Security Architecture (GDSA). The exam consists of 75 multiple-choice questions and does not include any hands-on labs. I would rate the exam difficulty as 7 out of 10. It is not too hard, but not too easy either. With over 10 years of experience in security, I was able to pass the exam on my first attempt.