As a SANS newb, I've heard only positives on how phenomenal the training and events are from my peers and management team. I was told it can be a long week, but it is well worth it. I have attended other large conferences with numerous speakers and keynotes, but SANS is on a different level with the information being shared and how it can immediately be applicable to your life both personally and professionally.
I opted to sign-up for the SEC555 Course, SIEM with Tactical Analytics by Justin Henderson. From the first day, I was unsure how best to approach the course. There were suggestions my peers and management provided prior, as they have taken SANS certs previously. However, there were numerous questions I was still asking myself. Should I index during class? Should I take some notes and just listen? Should I work ahead on the labs during class? Should I stay for the bootcamps, which continue an extra 1-2hrs after the all day session has completed? Should I attend the night talks?
In the end, it's truly up to the individual. What works for one person, may or may not work for another. I found myself utilizing a combination of things. I initially started by listening to the talks and not indexing on day 1, as that is what my management and peers suggested. I also know it took them several weeks to well over a month to complete their indexes and take their exams after their SANS sessions. I've spoken with several instructors and the consensus seems to be to take the exam while its fresh in your mind, ideally within the first 2-weeks after completing the course.
With that concept in mind, I found that I really wasn't as engaged within the course material as I would have liked, by attempting to just listen and follow through the slide deck. After about the first 40 pages, I decided I needed to change my approach. I had looked around the room and the majority of people were not indexing the course content during class. However, there was about 3 people out of a class of 25+ that were actively indexing.
Once I changed my approach and began indexing the content, I really felt engaged and was actually beginning to learn the concepts far greater than just sitting there and following along. Writing down the concepts for nearly every single page was my approach. I've seen other indexes and typically it's book, page number and a single line of description with the occasional double line based upon the material requiring it. It's my understanding this helps for quicker searching the content when actually taking the exam. Granted, I have not taken the exam just yet, but this seems like a good approach to building an index.
With that being said, some slides are faster than others. To wait on the instructor, you may end up falling behind at times as I did on day 1. I found I was basically playing catch-up all day and was barely, if at all, keeping up with the content. While I still found this helpful to index, it was not my ideal approach as I began to incorporate into day 2.
My day 2 approach involved trying to stay a little bit ahead of the instructor with my index, anywhere between 3-10 pages ahead. This helped me read the content ahead of time and also process what was being taught, seeing the content and terms for a second time. Typically any questions I might have had on the content were answered as the material was presented to us. To help me get ahead I started indexing just a little before class. This worked well for me throughout the remainder of day 2.
The SANS night talks begin on the first day and go through day 3. The night talks are really good opportunity to take in additional knowledge that you would not necessarily gain through your course. I must admit however, I was rather exhausted on the first day. My specific course contained more slides on the first day than the second. I too needed an adjustment as a SANS newb, not knowing what to expect. After class was over, I was so exhausted I needed some food and then rest.
The second day was not near as intense as the first for me, as I started to find my groove with the new approach on indexing and a good night's rest. By the end of the second day, I had incorporated better planning and knew a little bit more of what to expect. I was able to relax some and attend a phenomenal night talk by Micah Hoffman on OSINT. The examples and scenarios he presented were incredibly eye-opening and truly hit home with all of the social media aspects. The concepts were immediately applicable to our everyday lives and is definitely information I will be sharing with others.
The progression made through the end of the second day, continued on to the third. I again was much more within my element and was able to gain a tremendous amount of knowledge through my course and was not near as exhausted as day 1. I was again able to attend a night talk on How to Become an All-Around Defender...The Secret Sauce by Justin Henderson & Ismael Valenzuela. This session was additionally just as valuable as the session I attended on the previous night. This session was directly applicable to my job and provided insight into additional techniques I could immediately begin to implement.
I continued this process through the remainder of the days and building my indexing became even faster. I continued to gain tremendous knowledge every single day, that again is directly applicable and will continue to help my organization upon my return. While listening and learning for an entire week is an experience within itself, you learn to adapt and can improve your techniques as you experience it.
I additionally had the pleasure of attending NetWars Core, which again I did not know what to expect. I can most definitely say this is an incredible experience. There are 3 different types of networks, where you compete for flags and points to level up. You can participate as an individual or as teams. I must say, not knowing what to expect can be a little intimidating. However, this was one of the best experiences I've had. Everyone is there to have a good time and to compete. Even if you do not think you will do well, you should absolutely give it a try. I was pleasantly surprised on the content, the flags and the progress made throughout the competition. They have snacks, drinks, music and its most definitely a good time. They also separate the competition by newbies (first-timers) and veterans. This made it a bit more of even playing fields to see how you rank based on experience.
Networking and the people at SANS are awesome as well. Everyone is very excited to be here and to learn. The instructors are absolutely phenomenal not only towards their students, but towards each other. It seems like one big family amongst the instructors, especially considering how much they go through to become an instructor. As mentioned earlier, this speaks volumes to the level of training received at SANS versus other training received. It by far is on a different level. I highly recommend SANS for anyone and to embrace the opportunities and knowledge provided.
SANS is by far the top training and most beneficial certifications within the security industry and there are numerous reasons for that. The training received is immediately applicable. The question I am asking myself is, where to begin. The advice I received is to review and prioritize. Knock out some of the easy one's and show progress to management. Save the harder one's for later in the priority list and that way management sees the value received sooner than later. Additionally, it helps me to feel rewarded by seeing results as well.
Whatever your approach turns out to be, you will absolutely love the SANS experience. You will most definitely find what works for you. Listen to your body and be honest with yourself on your learning style. There are numerous approaches on how to handle this experience. I highly recommend taking everything in possible and experiencing as much of SANS as possible. You will not be disappointed by any means. Don't be afraid to ask questions. The instructors go out of their way to help and are incredibly supportive. There are numerous training paths and courses to take at SANS. There is a reason so many people have multiple SANS certifications. As my instructor says, "everything is awesome".