SANS Institute Information Security Reading Room - SANS.org
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
SANS Institute Information Security Reading Room Targeted Attack Protection: A Review of Endgame s Endpoint Security Platform ______________________________ Dave Shackleford Copyright SANS Institute 2019. Author Retains Full Rights. This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.
Targeted Attack Protection: A Review of Endgame’s Endpoint Security Platform A SANS Product Review Written by Dave Shackleford October 2017 Sponsored by Endgame ©2017 SANS™ Institute
Introduction The threat landscape continues to get progressively worse. More sophisticated attacks are being spotted in the wild, and security teams are scrambling to keep up. We face many new types of issues—advanced phishing attacks are proving all too successful, and ransomware has become a common form of malware that many seem helpless to prevent. In addition, we have many endpoints to protect, and attackers are savvy about targeting end users. Even worse, many advanced attacks don’t involve malware; instead they use legitimate operating system tools, operate in memory and move laterally to Signature-based accomplish their objectives and defeat traditional security programs. detection is always a In the SANS “Next-gen Endpoint Risks and Protections” survey1 from 2017, 53 percent of race against the clock, respondents indicated that at least one of their endpoints had been compromised in the previous 24 months, primarily through browser exploits and social engineering. More where vendor analysts than one-quarter (27 percent) of those who experienced a compromise noted that they need to develop discovered it via third-party notification, which suggests that many endpoint security signatures fast and tools and tactics in use today are inadequate. We really need better prevention and detection tools right now. push them out to Yesterday’s signature-based detection tools are failing us more frequently because they customers before they are built upon reactive intelligence. Traditional antivirus signatures are proving less fall victim. effective than they once were, as more advanced attackers are capable of morphing their code and indicators of compromise to evade signature-based methods. Additionally, many security teams have focused too narrowly on malware without looking enough at the vast variety of newer, more advanced methods attackers are using. Many attacks don’t leverage any malware to compromise the Endgame Differentiators enterprise network and move laterally from host to host. Some • Pre-execution prevention, accelerated detection and automated attacks use legitimate tools such as PowerShell to avoid detection hunting across the breadth and depth of the MITRE ATT&CK™ by endpoint security platforms. Another problem is that many Matrix endpoint tools are fairly heavy-handed on system resources. • Single, lightweight, autonomous agent providing 24/7 SANS reviewed Endgame’s endpoint protection product, a protection to online and offline systems lightweight agent that offers prevention, detection and response, • Artemis®, an AI-powered security mentor that elevates and threat hunting capabilities to rapidly stop targeted attacks Tier 1 analysts and accelerates Tier 3 analysts by leveraging natural-language understanding to automate data analysis, before damage and loss occur. One of the primary goals of the investigation, triage and response at enterprise scale platform is to help overcome today’s security skills gap, which many SANS surveys show is the top inhibitor to achieving • Automated threat hunting that leverages tradecraft analytics and outlier analytics to streamline workflows and surface respondents’ security and risk management goals. suspicious artifacts across millions of records in minutes With its emphasis on ease of use, coverage of attacker tactics • Automated memory forensics that detects post-injected code and techniques, rapid event triage and highly capable hunting anywhere in memory at enterprise scale in minutes methods, Endgame is a product with which SOC teams can hit the ground running. 1 “Next-Gen Endpoint Risks and Protections: A SANS Survey,” March 2017, www.sans.org/reading-room/whitepapers/analyst/next-gen-endpoint-risks-protections-survey-37652 SANS ANALYST PROGRAM 1 Targeted Attack Protection: A Review of Endgame’s Endpoint Security Platform
Testing Overview For this review, Endgame hosted a platform-in-the-cloud infrastructure. We used the Version 2.4.1 environment, which includes the autonomous agents and the software management platform. Because we chose the Endgame hosted delivery model, we did not need to install the main Endgame platform. Endgame offers the platform in an on-premises model or in a cloud-hosted environment. Installation seems relatively painless, and the documentation provided by Endgame for installation and “Quick Start” is thorough and detailed. The review environment included a primary connection to the Endgame platform, as well as Remote Desk Protocol (RDP) connections available via jump hosts to the Windows sensors. A plethora of malware and other malicious code was available in the environment for testing, which SANS made liberal use of during the course of the review. Dashboards We first logged into the Endgame console and explored the main dashboard. It showed us a breakdown of current alerts in the environment, endpoint agent status, and endpoint OS types. In addition, other panes in the dashboard showed the breakdown of the top priority alerts, which could help analysts in prioritizing their day. The console dashboard is shown in Figure 1. Figure 1. Enterprise Console Dashboard SANS ANALYST PROGRAM 2 Targeted Attack Protection: A Review of Endgame’s Endpoint Security Platform
Testing Overview (CONTINUED) We explored the Endpoints dashboard next. Within this view, all deployed endpoint agents can be viewed, configured and assessed. The Endpoints dashboard is shown in Figure 2. Figure 2. Endpoints Dashboard The Endpoints dashboard was simple to use. Endpoints can be discovered with Endgame’s built-in network scanner, looking for systems within the environment. Endpoints that do not have Endgame agents are flagged as “Unmanaged” and can then have sensors deployed to them directly through the console, per policy. Configure Endpoints Analysts can configure the endpoints with a protection policy by selecting those they want to configure or modify, then choosing “Misc Actions” and finally “Configure.” The configuration window then opens, and various protection, detection, alerting and response configurations for the chosen agent(s) can be implemented in real time. These will each be covered in the respective sections discussing the capabilities of the product. SANS ANALYST PROGRAM 3 Targeted Attack Protection: A Review of Endgame’s Endpoint Security Platform
Testing Overview (CONTINUED) Investigate and Hunt This dashboard also allows analysts to initiate investigations by choosing assets and then clicking Create Investigation. In the pane that appears, they can name the investigation, assign a profile or create a new one, assign analysts to the investigation and add “hunts” to the investigation to gather and include evidence (covered later). The Investigation pane is shown in Figure 3. Figure 3. Initiating an Investigation The Alerts dashboard presents a list of the current and most recent alerts noted by the system. These can be selected to drill into and triage each alert, and alerts can also be selected to assign to particular users, facilitating team-based analysis, triage and incident response. The Alerts dashboard is shown in Figure 4 on the next page. SANS ANALYST PROGRAM 4 Targeted Attack Protection: A Review of Endgame’s Endpoint Security Platform
Testing Overview (CONTINUED) Figure 4. Alerts Dashboard The Investigations dashboard is the central location that aggregates investigations in progress (once initiated). Analysts can update and finalize (archive) their investigations from this pane. Administration The final area of the console that we explored was the Administration pane. The Administration console provides the following capabilities: • User management—Create, delete and manage users and their assigned roles (levels 1-3, as well as admin) • Sensor management—Create and manage sensor profiles (version, protections in place and specific configuration of deployment attributes) • Alert management—Transfer alerts to central event aggregation tools if needed • Whitelist management—Whitelist alerts to prevent event overload when false positives or low-severity issues are detected • Platform management—Enable multi-client activation, which provides customers a single dashboard to view the health and status of the endpoints; this is beneficial to customers who have more than 50,000 endpoints or have endpoints in various geographies Creating a new sensor profile was simple. In the “Sensor Management” pane of the Administration console, an admin can click Create New Sensor Profile, name the profile and point to a “transceiver” (the platform it will connect back to). Then the admin selects the binary for the preferred Endgame sensor version, and that’s it. Once the new sensor profile is created, the admin can configure the default protection controls in place for the sensors. These are covered in more detail in the upcoming sections. SANS ANALYST PROGRAM 5 Targeted Attack Protection: A Review of Endgame’s Endpoint Security Platform
Endgame Prevention, Detection and Response, and Threat Hunting Today, an attacker’s goals are data access and exfiltration. Sophisticated attackers often use advanced nation-state techniques, which sometimes do not involve any malware, to aggressively pursue and compromise specific targets. These attacks often include fileless tactics, living-off-the-land techniques and malicious macros with delivery mechanisms via social engineering tactics such as spearphishing. After a compromise has occurred, attackers attempt to maintain a persistent presence within the enterprise network, escalate privileges and move laterally within to extract sensitive information to locations under the attacker’s control. Advanced Attacks The Lockheed Martin “Kill Chain” is an industry model for an attack lifecycle that includes the stages shown in Figure 5:2 Figure 5. Lockheed Martin Kill Chain Attack Lifecycle 2 “Deconstructing the Cyber Kill Chain,” Nov. 18, 2014, www.darkreading.com/attacks-breaches/deconstructing-the-cyber-kill-chain/a/d-id/1317542 SANS ANALYST PROGRAM 6 Targeted Attack Protection: A Review of Endgame’s Endpoint Security Platform
Endgame Prevention, Detection and Response, and Threat Hunting (CONTINUED) While the widely referenced Lockheed Cyber Kill Chain created a common language to discuss sophisticated attacks, it lacks the granularity essential to make comprehensive programmatic improvement against today’s targeted attacks. MITRE, a not-for-profit organization, has created that needed granularity, collecting details on the vast array of methods to build a threat model and framework called “Adversarial Tactics, Techniques, and Common Knowledge” (ATT&CK).3 Why are we not catching these movements today when we know so much about these patterns? In short, attacks and methods are constantly changing, but our tools and approaches aren’t. To understand why, it’s helpful to break down indicators of compromise. For organizations trying to leverage signatures and typical indicators of compromise (IOCs), security detection and prevention are a constant game of whack- a-mole if the usual simple indicators are used alone. An attacker can very easily modify By changing the name code to communicate with a different IP address or domain, leverage a different local and/or value of a port or present a different cryptographic hash value. specific registry key on In contrast, behavioral aspects of attacks are by far the most valuable knowledge to a Windows platform, have in preventing and detecting compromise scenarios, but they are much more difficult to create and describe. In turn, this makes it more difficult to automate and unify attackers can easily the systems, each of which holds a little information about these attacks but doesn’t bypass some of the show the whole picture. Behavioral indicators will often include multiple indicators; for endpoint detection example, a certain IP address is accessed, retrieves a known ZIP file, unpacks and drops technologies in certain files, and installs software that opens a port or creates a new registry key. use today. Full Stack Protection Endgame offers a number of advanced features for the prevention of targeted attacks against enterprises, and these align with the various stages of the ATT&CK model. During our review, we tested several of the zero-day-prevention capabilities offered in the product, and it successfully caught each attempt, provided us advanced intelligence that included detailed indicators of compromise and system-level aspects of the attempt, and automated remediation workflow. Endgame has advanced protections that include exploit prevention, malware prevention, fileless attack prevention, malicious macro prevention and ransomware prevention. 3 Adversarial Tactics, Techniques and Common Knowledge, https://attack.mitre.org/wiki/Main_Page SANS ANALYST PROGRAM 7 Targeted Attack Protection: A Review of Endgame’s Endpoint Security Platform
Endgame Prevention, Detection and Response, and Threat Hunting (CONTINUED) Endgame has developed a unique technique it calls “Hardware Assisted Control Flow Integrity” (HA-CFI™). This technology uses hardware features available in processors to monitor and prevent exploitation before code execution. By leveraging hardware features, Endgame prevents exploits before an attacker reaches the “Post-Exploitation” stage of the Kill Chain (and the beginning of the ATT&CK cycle). Another feature Endgame touts is enhanced “Dynamic Binary Instrumentation” (DBI), which allows for very early-stage detection of exploits. This feature allows the product to detect malicious macros through heuristics-based prevention, closely monitor fileless attacks for process injection and look at behaviors for file activity that may indicate ransomware and similar attacks. Figure 6 shows the configuration of exploit protections within the Endgame sensor configuration screen. Figure 6. Endpoint Exploit Protection and Prevention SANS ANALYST PROGRAM 8 Targeted Attack Protection: A Review of Endgame’s Endpoint Security Platform
Endgame Prevention, Detection and Response, and Threat Hunting (CONTINUED) These protections are enabled by editing the Sensor configuration policy mentioned earlier. In the “Exploit Protection” category, analysts can enable HA-CFI and/or DBI to detect and prevent exploits and malware on each endpoint. A range of protections is available, including API filtering, monitoring for macros with heuristics, monitoring stack memory and many more. Figure 7 shows a prevention alert with a process injection and also highlights the source process and the target process infected. Figure 7. Endpoint Process Injection Prevention Accelerated Triage and Response For all of its capabilities in preventing attacks, Endgame also impressed us with its detection and triage capabilities, setting up more effective response and hunting activities for security teams. The first tool we explored in the world of detection was Endgame Artemis, which is an AI-powered security mentor that analyzes and triages alerts in simple English. SANS ANALYST PROGRAM 9 Targeted Attack Protection: A Review of Endgame’s Endpoint Security Platform
Endgame Prevention, Detection and Response, and Threat Hunting (CONTINUED) We explored Artemis after creating all of our “infections” that generated attack alerts and events. The Artemis icon, which is available in all dashboards and screens within the main Endgame console, interacts with the analyst when querying the platform. To start, we entered a query to the Artemis system (not having any idea of syntax or behavior), which produced the following dialog: SANS: “lsass.exe” Artemis: “To search process data, I need one of the following endpoint designators: - All Endpoints - Operating System (e.g. win7 endpoints) - Endpoint IP address (e.g. 10.5.1.10 endpoint)” SANS: “all endpoints lsass.exe” Artemis: “Are you sure you want to run: Search process for file lsass.exe on active endpoints?” SANS: “yes” Artemis: “Created investigation: 68f09d90-ba9d-4f9e-bf10-3a458c758ef0” We could then click a View the Investigation link directly within the Artemis console. This was an amazing way to get started quickly with an intuitive “guidance” system, one that could help junior analysts figure out what to do and where to go for more information. As we explored the product, we decided to query Artemis for more in-depth information. One of the pieces of malware we ran in the first phase of the analysis was named sekur1.exe. To get Artemis focused on a particular IOC process chain, we queried the process lineage for this executable on a particular endpoint in the test environment (shown in Figure 8). Figure 8. More Advanced Artemis Queries SANS ANALYST PROGRAM 10 Targeted Attack Protection: A Review of Endgame’s Endpoint Security Platform
Endgame Prevention, Detection and Response, and Threat Hunting (CONTINUED) Artemis dutifully created the investigation and provided in-depth results that we then reviewed in the Investigations console (see Figure 9). The Investigation pane includes information about processes created, running and terminated, as well as user, system and command-line details. It was also simple to filter results by process, DNS, user or network event. Figure 9. Artemis-initiated Investigation Another view of the investigations is the Endgame Attack Visualization. With a click of a button, an analyst can search across the entire environment for more evidence of the attack or can pivot to one of Endgame’s many integration partners to gather information about the overall extent of the compromise. SANS ANALYST PROGRAM 11 Targeted Attack Protection: A Review of Endgame’s Endpoint Security Platform
Endgame Prevention, Detection and Response, and Threat Hunting (CONTINUED) Figure 10 shows the guided response workflow that accelerates an analyst’s ability to quickly triage and respond to alerts. Figure 10. Endgame Artemis Guided Response Workflow This set of results provided a detailed timeline of the execution of malware/exploit code (sekur1.exe), followed by Windows services being initiated and DNS lookups being performed for local systems and external domains, as well. Take Action For any given alert, Endgame offers a number of responses an analyst can take directly from the console. First, we can start an investigation, much as we did with the Artemis query engine. Second, we can take a variety of actions depending on the nature of the alert. For files, we can download the file locally for analysis or delete the file. For process injection, we can suspend the process thread to minimize impact on the affected host, terminating the malicious behavior while response and forensics teams get engaged. In all cases, we can also choose to whitelist alert items, reducing false positives that may turn up from time to time in specific environments. SANS ANALYST PROGRAM 12 Targeted Attack Protection: A Review of Endgame’s Endpoint Security Platform
Endgame Prevention, Detection and Response, and Threat Hunting (CONTINUED) The Alert Details listing also provides ample information on the entire process tree on the endpoint, as well as network activity and user accounts on the system. Within the process view, we could also choose to select processes to get hash values associated with them, and kill the process if we chose. See Figure 11. TAKEAWAY: Figure 11. Details of Suspicious Processes Endgame can help rapidly detect and respond to events By selecting an endpoint, we could click the Respond button in the dashboard to in a monitored and protected configure more advanced response actions. Here, we could upload scripts or binaries to run for response and then run them as analysts. An example of running the Microsoft environment. The intelligent Sysinternals program handle.exe is shown in Figure 12. tools available in the console, such as Artemis, may serve to elevate Tier 1 analysts to be more effective at initial diagnosis and triage and accelerate Tier 3 analysts who are doing deep investigations in the environment based on IOCs and other behaviors. Figure 12. Executing the handle.exe File We were able to delete files, suspend processes and take other actions here, too. This process allowed us to run our own tools for response and collect the tool output data back to the console. SANS ANALYST PROGRAM 13 Targeted Attack Protection: A Review of Endgame’s Endpoint Security Platform
Endgame Prevention, Detection and Response, and Threat Hunting (CONTINUED) Hunting with Endgame Endgame automates the hunt for malicious activity at the earliest stages of the MITRE ATT&CK matrix. Endgame hunting includes process, persistence, Registry and network searches, as shown in Figure 13. Figure 13. Automated Hunting with Endgame SANS ANALYST PROGRAM 14 Targeted Attack Protection: A Review of Endgame’s Endpoint Security Platform
Endgame Prevention, Detection and Response, and Threat Hunting (CONTINUED) Eliminating Persistent Threats at the Earliest Stages of the Attack Lifecycle Another feature we explored in hunting with Endgame was attacker persistence. Endgame has many built-in analytics for finding and eliminating advanced attacker “beachheads” in the environment. One of Endgame’s advantages is its MalwareScore® analytics engine, which looks for unknown malicious persistence based on behaviors and unusual indicators seen on systems that may not match any known signatures. Other persistence mechanisms look for hijacking entries in the Registry, rogue dynamic- link libraries (DLLs), filename masquerading, suspicious paths and more. Within the Investigation pane, we were then able to monitor the hunt and see what results came back. We chose the Persistence hunt type and looked at different specific indicators that came back with high scores, shown in Figure 14. Figure 14. Persistence Indicators with a High MalwareScore Rating SANS ANALYST PROGRAM 15 Targeted Attack Protection: A Review of Endgame’s Endpoint Security Platform
Endgame Prevention, Detection and Response, and Threat Hunting (CONTINUED) We also looked at network indicators for uncommon connections or suspicious connections, shown in Figure 15. After malicious persistence is identified, an analyst can perform a variety of response actions, including uploading or executing to eliminate the malicious persistence, all with a single click. Figure 15. Suspicious Network Connections Detecting Ongoing File-less Attacks at Scale Finally, in the test environment, we drew on the “Defense Evasion” article on the MITRE ATT&CK wiki4 to run a range of highly sophisticated exploit code seen in the wild and get a sense of how Endgame handles advanced attacker techniques, particularly file-less attacks. These attacks may persist only in memory, making them very hard to detect. Endgame’s technology prevents fileless attack techniques, including shell code injection and DLL injection. Endgame’s automated in-memory analysis is able, in minutes, to identify techniques such as memory modification, memory injection, hidden modules, and packed and encrypted areas in memory across unlimited endpoints. Our hunt-monitoring tools made looking for these simple, because this is a category that Endgame looks for readily in the Process section. See Figure 16 on the next page. 4 “Defense Evasion,” https://attack.mitre.org/wiki/Defense_Evasion SANS ANALYST PROGRAM 16 Targeted Attack Protection: A Review of Endgame’s Endpoint Security Platform
Endgame Prevention, Detection and Response, and Threat Hunting (CONTINUED) Figure 16. A File-less Attack Process This process has the following attributes: Path: C:\Windows\SysWOW64\rundll32.exe TAKEAWAY: Command Line: C:\Windows\System32\rundll32.exe Hunting allows analysts "C:\Users\vagrant\AppData\Local\jlc3V7we\IZsROY7X.-MP",F1dd208 to leverage automation to find suspicious behavior in Once an analyst detects a memory injection, he or she can suspend the thread, which will contain the attack without any loss of system stability. As a bonus, the analyst minutes across hundreds and can download the strings to determine the malicious command-and-control and use thousands of systems that are Artemis to search across the enterprise. managed and monitored. This example just scratches the surface of what Endgame’s hunting capabilities can do. The platform can perform single hunts for specific configuration aspects of systems, look for network ports, services and just about any item an analyst would want to find. In addition, if this is set to prevention mode, Endgame can block file-less attacks. SANS ANALYST PROGRAM 17 Targeted Attack Protection: A Review of Endgame’s Endpoint Security Platform
Conclusion Endgame lived up to its promise. The platform focuses on the breadth and depth of the MITRE ATT&CK to stop known and unknown threats. It was easy to use and get started with, and the various dashboards were intuitive to navigate. Creating endpoint policies was straightforward, and communicating with sensors was fast and painless. Endgame prevention blocks known and unknown threats, at the earliest stages of the attack lifecycle. Where the product really shines, however, is in event detection, triage of events and threat hunting. The skills gap in security operations continues to grow. There just aren’t enough experts to go around. Endgame empowers junior analysts to find threats rapidly and effectively, analyze them and dig deeper for more evidence—which can only help to improve the state of security incident monitoring and forensics today. At the same time, all of this needs to happen fast. When we receive IOCs from threat intelligence or sharing groups, we need to look across all endpoints rapidly. Endgame provides the tools to hunt for known and unknown files, processes, and behaviors across all endpoints very rapidly, and then take remediation actions immediately. SANS ANALYST PROGRAM 18 Targeted Attack Protection: A Review of Endgame’s Endpoint Security Platform
About the Author Dave Shackleford, a SANS analyst, instructor, course author, GIAC technical director and member of the board of directors for the SANS Technology Institute, is the founder and principal consultant with Voodoo Security. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. A VMware vExpert, Dave has extensive experience designing and configuring secure virtualized infrastructures. He previously worked as chief security officer for Configuresoft and CTO for the Center for Internet Security. Dave currently helps lead the Atlanta chapter of the Cloud Security Alliance. Sponsor SANS would like to thank this paper’s sponsor: SANS ANALYST PROGRAM 19 Targeted Attack Protection: A Review of Endgame’s Endpoint Security Platform
Last Updated: May 21st, 2019 Upcoming SANS Training Click here to view a list of all SANS Courses SANS San Antonio 2019 San Antonio, TXUS May 28, 2019 - Jun 02, 2019 Live Event SANS Atlanta 2019 Atlanta, GAUS May 28, 2019 - Jun 02, 2019 Live Event Security Writing NYC: SEC402 Beta 2 New York, NYUS Jun 01, 2019 - Jun 02, 2019 Live Event Enterprise Defense Summit & Training 2019 Redondo Beach, CAUS Jun 03, 2019 - Jun 10, 2019 Live Event SANS Zurich June 2019 Zurich, CH Jun 03, 2019 - Jun 08, 2019 Live Event SANS London June 2019 London, GB Jun 03, 2019 - Jun 08, 2019 Live Event SANS Kansas City 2019 Kansas City, MOUS Jun 10, 2019 - Jun 15, 2019 Live Event SANS SEC440 Oslo June 2019 Oslo, NO Jun 11, 2019 - Jun 12, 2019 Live Event SANSFIRE 2019 Washington, DCUS Jun 15, 2019 - Jun 22, 2019 Live Event SANS Cyber Defence Canberra 2019 Canberra, AU Jun 24, 2019 - Jul 13, 2019 Live Event Security Operations Summit & Training 2019 New Orleans, LAUS Jun 24, 2019 - Jul 01, 2019 Live Event SANS ICS Europe 2019 Munich, DE Jun 24, 2019 - Jun 29, 2019 Live Event SANS Cyber Defence Japan 2019 Tokyo, JP Jul 01, 2019 - Jul 13, 2019 Live Event SANS Paris July 2019 Paris, FR Jul 01, 2019 - Jul 06, 2019 Live Event SANS Munich July 2019 Munich, DE Jul 01, 2019 - Jul 06, 2019 Live Event SANS London July 2019 London, GB Jul 08, 2019 - Jul 13, 2019 Live Event SEC450 Security Ops-Analysis Beta 1 Crystal City, VAUS Jul 08, 2019 - Jul 13, 2019 Live Event SANS Cyber Defence Singapore 2019 Singapore, SG Jul 08, 2019 - Jul 20, 2019 Live Event SANS Charlotte 2019 Charlotte, NCUS Jul 08, 2019 - Jul 13, 2019 Live Event SANS Pittsburgh 2019 Pittsburgh, PAUS Jul 08, 2019 - Jul 13, 2019 Live Event SANS Rocky Mountain 2019 Denver, COUS Jul 15, 2019 - Jul 20, 2019 Live Event SANS Columbia 2019 Columbia, MDUS Jul 15, 2019 - Jul 20, 2019 Live Event SANS Pen Test Hackfest Europe 2019 Berlin, DE Jul 22, 2019 - Jul 28, 2019 Live Event SANS San Francisco Summer 2019 San Francisco, CAUS Jul 22, 2019 - Jul 27, 2019 Live Event DFIR Summit & Training 2019 Austin, TXUS Jul 25, 2019 - Aug 01, 2019 Live Event SANS Riyadh July 2019 Riyadh, SA Jul 28, 2019 - Aug 01, 2019 Live Event SANS July Malaysia 2019 Kuala Lumpur, MY Jul 29, 2019 - Aug 03, 2019 Live Event SANS Boston Summer 2019 Boston, MAUS Jul 29, 2019 - Aug 03, 2019 Live Event Security Awareness Summit & Training 2019 San Diego, CAUS Aug 05, 2019 - Aug 14, 2019 Live Event SANS Melbourne 2019 Melbourne, AU Aug 05, 2019 - Aug 10, 2019 Live Event SANS London August 2019 London, GB Aug 05, 2019 - Aug 10, 2019 Live Event SANS Crystal City 2019 Arlington, VAUS Aug 05, 2019 - Aug 10, 2019 Live Event SANS Krakow May 2019 OnlinePL May 27, 2019 - Jun 01, 2019 Live Event SANS OnDemand Books & MP3s OnlyUS Anytime Self Paced
You can also read