Interested in learning
more about security?
SANS Institute
InfoSec Reading Room
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.
Protecting Virtual Endpoints with McAfee Server
Security Suite Essentials
Copyright SANS Institute
Author Retains Full Rights
Sponsored by McAfee
Protecting Virtual Endpoints with
McAfee Server Security Suite Essentials
December 2013
A SANS Analyst Whitepaper
Written by Dave Shackleford
Capability Sets for Virtualization Security
Discovery
Page 3
Protection
Page 7
Conclusion: Putting the Pieces Together
Page 2
PAGE 18
©2013 SANS™ Institute
Introduction
More and more organizations have adopted system virtualization technology in the past several years.
As of Q4 2013, estimates indicate that 50 to 60 percent of large enterprises are using virtualization.1 Many
organizations are implementing private and hybrid cloud architectures and building or leveraging a private
cloud or currently using Infrastructure-as-a-Service (IaaS) offerings from a number of cloud service providers.
Because their operations increasingly take place in “virtual data centers,” many businesses have discovered
that traditional security controls have not kept pace with the rapid technology changes associated with
virtualization and private/hybrid cloud deployments. Such a gap can easily lead to system and data exposure
in virtual machines, excessive consumption of resources within the virtual environment due to lack of
optimization and integration with virtualization platforms, and a lack of flexibility in monitoring and reporting
on the state of virtual assets, including security controls and policies.
The inherent multitenant nature of these systems, especially in the public cloud, is another obvious area of
risk for organizations deploying virtualization platforms. Multitenancy creates the possibility that multiple
systems, owned and maintained by different business units—or even different companies—end up sharing
physical infrastructure. Virtualization makes it easy to (sometimes unknowingly) mix applications and data in
ways that would have never happened in the purely physical data center.
For example, many organizations unknowingly run sensitive or compliance-related applications on the
same hypervisor—and thus, the same physical host—as less sensitive applications, potentially exposing the
sensitive data to intermingling or leakage through access by less sensitive systems or other resources. Virtual
machines (VMs) that are meant to be PCI DSS-compliant could share a virtual network with systems that are
less sensitive in nature, their combined traffic may be hosted on the same hypervisor, or the files making up
the VMs may be stored in the same location.
Security teams have struggled with this problem for some time internally, and the problem is only
compounded when trying to ascertain the “trust status” of a cloud provider’s systems.
SANS had the opportunity to review several elements of McAfee’s Server Security Suite Essentials that
address some of the emerging challenges of securing virtual platforms and cloud environments. The new
McAfee products tackle these problems admirably. Hypervisor validation is easily configured and maintained
with Intel’s latest development in hardware-based boot attestation services, and both the agent-based and
agentless variations of MOVE AntiVirus can significantly streamline deployment and reduce system overhead.
1
w
ww.serverwatch.com/server-news/vmware-ceo-aims-for-90-percent-server-virtualization.html
SANS Analyst Program
1
Protecting Virtual Endpoints with McAfee Server Security Suite Essentials
Capability Sets for Virtualization Security
McAfee’s focus on data center security involves three major categories of capability sets for their products:
1.Discovery. Inventory and analysis of systems and applications, a critical starting point for inventorying
and managing systems and applications.
2.Protection. Creating trust and security policies, evaluating systems and applications and providing
protection from malicious code and other attacks.
3.Expansion. Enabling fluid and secure growth into private and public cloud infrastructures without
sacrificing security controls and capabilities. For example, with the addition of VMware and Amazon
data center connectors, McAfee is creating a powerful integration strategy for security in the cloud.
Although numerous products within the McAfee portfolio follow this strategy, the focus of the SANS review was
on integration with and protection of virtual infrastructure. The products and capabilities reviewed include:
• McAfee ePolicy Orchestrator 5.0.1
• McAfee MOVE AntiVirus 3.0
• McAfee Boot Attestation Service 3.0
The goal of the review was to validate that specific functions are available and working in the versions evaluated.
SANS Analyst Program
2
Protecting Virtual Endpoints with McAfee Server Security Suite Essentials
Discovery
As both internal and external cloud provisioning becomes commonplace, enterprises are shifting their
concerns to knowing where workloads are located and how they are running. Visibility and system inventory
have become more difficult, with the dynamic movement of virtual systems among hosts and datacenters
and into public cloud infrastructure.2 For this reason, inventory discovery and system monitoring are more
important than ever, not only to IT departments, but to the organization as a whole.
In McAfee’s new version of the Server Security suite, the McAfee Server Security Suite Essentials, the key to
central monitoring and management of the operating inventory—including virtual workloads—is ePolicy
Orchestrator (ePO). Several new features have been added to the suite to facilitate discovery, monitoring and
management in both internal and external cloud environments:
• M
cAfee Server Server Security Suite Essentials can be integrated into virtual and cloud environments
to automatically discover all VMware and Amazon Web Services (AWS) virtual machines; ePO will then
display the relationships among hosts, virtual machines and virtual appliances.
• N
ew Data Center Connector for vSphere allows enterprises to import all virtual machine workloads
from VMware’s vCenter into ePO (including unprotected VMs), providing visibility beyond just those
workloads protected by McAfee.
• A
Data Center Connector for Amazon AWS provides expanded visibility into Amazon’s cloud services,
including the EC2 and S3 platforms.
The Data Center Connector for vSphere is simple to set up; with account credentials and IP address (or DNS
name) information for a VMware vCenter Server (the VMware management platform), ePO can connect to
vCenter over a standard HTTPS channel and begin enumerating VM workloads that are known to the vCenter
system. The Data Center Connector for vSphere is shown in Figure 1.
Figure 1. vCenter Connector Details
2
F or the sake of clarity, we use the term host to refer to the combination of hypervisor and physical hardware; we use the terms physical host
and hypervisor when a distinction between hardware and software needs to be made.
SANS Analyst Program
3
Protecting Virtual Endpoints with McAfee Server Security Suite Essentials
Discovery
(CONTINUED)
Upon being successfully linked to a VMware virtualization infrastructure (or AWS account), ePO recognizes the
connection as a registered “cloud account,” as shown in Figure 2.
Figure 2. Registered vCenter Cloud Account
Once the vCenter connection has been created, ePO will display a list of hosts and VMs known to the vSphere
environment. These VMs also display their relationship to particular hosts, which can help security teams
evaluate the placement and current state of workloads. Figure 3 illustrates the ePO console showing hosts and
VMs added from vCenter.
Figure 3. Hosts and VMs from vCenter in ePO
SANS Analyst Program
4
Protecting Virtual Endpoints with McAfee Server Security Suite Essentials
Discovery
(CONTINUED)
A new Data Center ePO dashboard debuts in this version that includes, in particular, dashboard elements that
show all defined data centers known to ePO; the integration and installation of MOVE AntiVirus (also known
as MOVE AV), both agent-based and agentless, across VMs and cloud systems; as well as the trust attestation
status for hypervisors. Additional dashboard elements display the status of McAfee’s file integrity monitoring,
host firewall and application control tools to provide a complete picture of host-based security controls in the
virtual and physical environments. The ePO console is shown in Figure 4.
Figure 4. McAfee Data Center Server Security ePO Dashboard
It is easy to drill down into the different dashboard elements. For example, the chart shown in Figure 5 shows
the antimalware status for systems within the system.
Figure 5. Antimalware Status for Known Systems
SANS Analyst Program
5
Protecting Virtual Endpoints with McAfee Server Security Suite Essentials
Discovery
(CONTINUED)
By clicking on the blue “unprotected” area of the chart, security administrators can easily list the specific
systems that are currently unprotected, as shown in Figure 6.
Figure 6. Drill-down Dashboard Showing Unprotected VMs
These types of charts and dashboard elements provide a broad and configurable monitoring perspective
within the entire data center, so administrators can see a variety of different aspects of the environment’s
security posture all at once.
SANS Analyst Program
6
Protecting Virtual Endpoints with McAfee Server Security Suite Essentials
Protection
The most critical element of the McAfee Server Security Suite Essentials, of course, is the protection
capabilities for data center systems; and McAfee’s endpoint security tools in the MOVE (Management for
Optimized Virtual Environments) family do so admirably. MOVE AV optimizes the malware-processing
capabilities of McAfee VirusScan in an effort to deliver improved performance and resource utilization for
virtualized environments. There are three deployment options available—Agent, Agentless, or both Agent and
Agentless—to meet a variety of needs. The tools include the following components:
Agentless Deployment
• MOVE AntiVirus SVA (Security Virtual Appliance). The SVA provides offloaded scanning of virtual
systems, minimizing the performance impact on them.
• McAfee Agent (MA). On the SVA, this agent handles policy, task and event communication between the
MOVE SVA and ePO.
• McAfee MOVE AntiVirus ePolicy Orchestrator extension. This provides policies and controls for
configuring McAfee MOVE AV through ePO.
•V
Mware VMtools vShield Endpoint driver. This enables virtual desktops and servers to offload file
scanning to the SVA communicating over the ESXi hypervisor.
Multiplatform Deployment
• McAfee Offload Scan Server(s). These are Windows 2008 Server platforms that handle scanning for
MOVE AV multi-platform agents.
• MOVE AntiVirus Client for Windows. This enables virtual desktops and servers to offload file scanning
to the Offload Scan Server(s) communicating over the virtual network.
• McAfee Agent (MA). This handles policy, task and event communication between the MOVE AV client
and ePO.
• McAfee MOVE AntiVirus ePolicy Orchestrator extension. This provides policies and controls for
configuring McAfee MOVE AV through ePO.
SANS Analyst Program
7
Protecting Virtual Endpoints with McAfee Server Security Suite Essentials
Protection
(CONTINUED)
Deployment Options
For public and hybrid cloud deployments, the multiplatform deployment option makes sense, because the
SVA does not need to reside on the same hypervisor as the VMs being protected. With this model, virtual
machines are protected from malware as follows:
• A
s VMs access files, a hash value or “fingerprint” of those files is created and compared to a local cache/
whitelist.
• If the file fingerprint is not in the local cache, the fingerprint is sent to the SVA for scanning.
• I f the MOVE global cache does not recognize the fingerprint, the file itself is moved to the Offload Scan
Server for assessment.
• T he file is analyzed and also compared to available information from McAfee’s Global Threat Intelligence
(GTI) service. If the file is malicious, MOVE AV quarantines it, deletes it or restricts access, depending on
policy for the individual VM.
• I f the file clears these checks, its fingerprint is added to the local and global cache and access is granted.
On future access (by the same or different endpoints), the local (guest system) or global (SVA) cache will
be consulted, to confirm whether access is permitted or denied.
The agentless deployment option is designed to integrate with VMware vShield Endpoint and addresses
the challenges of protecting the virtual environment and keeping it free of malware without the need for a
resource-intensive agent, resulting in easier deployment and configuration.
For agentless deployment, the SVA must be on the same hypervisor as the protected endpoints, which makes
this more ideally suited for private cloud scenarios with more control over hypervisor and VM placement.
Agentless deployment requires all protected VMs to have VMware Tools installed; the MOVE system utilizes the
vShield Endpoint driver feature in VMware Tools to intercept files bound for the VM’s file system. When files are
analyzed in agentless deployment scenarios, the file handle is sent to the SVA first to check the global cache,
and if needed, the SVA will scan the file while it’s still at the individual VM endpoint because the SVA has access
to shared storage. The file is then quarantined, deleted, restricted or approved, in the same manner as the
MOVE deployment, and the local and global signature caches are both updated accordingly.
Setting up antimalware and operational policies for the MOVE multiplatform or agentless deployment within
ePO is very simple.
SANS Analyst Program
8
Protecting Virtual Endpoints with McAfee Server Security Suite Essentials
Protection
(CONTINUED)
Multiplatform Configuration
We configured the multiplatform deployment of MOVE AV with ease, as follows. First, we established the
general settings to point our clients to a set of McAfee Offload Scan Servers; we also enabled the malware file
cache settings, as shown in Figure 7.
Figure 7. General Settings for Multiplatform Deployment
Setting up the types of files to scan, when scanning occurs, and specific exclusions was also easy. We opened
the Scan Items tab, as shown in Figure 8, and made our selections.
Figure 8. Scan Options
SANS Analyst Program
9
Protecting Virtual Endpoints with McAfee Server Security Suite Essentials
Protection
(CONTINUED)
In this scenario, files are scanned when reading and writing to disk, as well as when they’re opened for
backup. All files are scanned, and only McAfee components are excluded currently. The Alerts tab enables you
to configure where you want to send alerts from the MOVE AV agent, as shown in Figure 9; the defaults are
selected, sending alerts to ePO and the Offload Scan Server Windows Event Log.
Figure 9. Alert Options
The Actions tab allows administrators to select the desired primary and secondary actions that MOVE AV takes
when malware is detected. Options include deleting files or denying access to files, as shown in Figure 10.
Figure 10. Malware Detection Actions
Finally, if files should be quarantined when malware is detected, setting parameters including location and
duration before deletion is performed on the Quarantine tab (the default quarantine location is the Offload
Scan Server’s C:\ drive in the Quarantine directory), shown in Figure 11.
Figure 11. Quarantine Settings
SANS Analyst Program
10
Protecting Virtual Endpoints with McAfee Server Security Suite Essentials
Protection
(CONTINUED)
Offload Scan Server Settings
The Offload Scan Server (OSS) is critical to the proper operation of a multiplatform deployment of MOVE
AV. Setting up the protection parameters for the OSS is also simple within ePO. The General tab (not shown)
enables you to configure the OSS cache, the number of concurrent scans and the number and size of log
files. The Scan Settings tab enables you to configure scanning for unwanted programs (e.g., spyware and
adware), as well as enforce scans for archives and MIME-encoded files. (Enabling these last two is usually not
recommended, as they can degrade performance.) You can also set the sensitivity level of McAfee GTI here, as
shown in Figure 12; the default is Medium.
Figure 12. Offload Scan Server Scan Settings
The Alerts tab is similar to MOVE AV’s Alert tab, where you can choose to send malware alerts to the local
Windows Event Log and ePO. Finally, the On-Demand Scan tab enables you to configure whether scans can be
started on demand and how many scans can be run at a time. The On-Demand Scan Time Window grid enables
granular selection of days and times when scans are allowed to start.
Configuration: Agentless
The MOVE AV Agentless product scan operations are configured entirely within the Security Virtual Appliance
(SVA). In order for MOVE AV to function in the agentless scenario, VMs must have VMware Tools installed to
leverage the vShield Endpoint driver, which, in turn, communicates with the SVA on each host.
SANS Analyst Program
11
Protecting Virtual Endpoints with McAfee Server Security Suite Essentials
Protection
(CONTINUED)
The first setting to configure is the SVA Authentication tab, enabling communication with vCenter Server or a
host. Figure 13 shows a typical configuration, using HTTPS over TCP port 443, where the administrator or root
credentials are provided.
Figure 13. SVA Authentication
The next step is to configure the Scan Settings tab. The settings on this tab are very similar to those described for
the OSS—cache settings, on-demand scanning, scan times permitted—with the addition of a checkbox labeled
VM-based scan configuration. This setting enables admins to add, modify and assign scan policies to individual
VMs, groups or resource pools protected by the SVA. Figure 14 illustrates the Scan Settings tab options.
Figure 14. SVA Scan Settings
SANS Analyst Program
12
Protecting Virtual Endpoints with McAfee Server Security Suite Essentials
Protection
(CONTINUED)
Finally, the SVA Quarantine settings tab controls the quarantining of files when malware is detected in them.
Unlike the OSS, the SVA quarantines files to a designated network share. Users must enter credentials in the
form of a username and password to allow SVA to access the share, as shown in Figure 15.
Figure 15. SVA Quarantine Settings
The scan policies for antimalware protection in the agentless deployment are relatively straightforward to
configure. The General settings, shown in Figure 16, control MOVE AV’s On-Access and On-Demand scanning
for VMs.
Figure 16. Agentless Scanning
The majority of the scan policy settings for MOVE AV in an agentless setup are configured in the Scan Items
tab. Here, we can set up on-access scans when files are opened and/or closed, designate certain file types to
scan, scan compressed and/or MIME-encoded files (again, not usually recommended) and choose McAfee GTI
sensitivity levels.
SANS Analyst Program
13
Protecting Virtual Endpoints with McAfee Server Security Suite Essentials
Protection
(CONTINUED)
McAfee antimalware heuristics, which look for behavioral patterns of files that may indicate malware, can also
be enabled. The “unwanted programs detection” options are more granular here, enabling admins to select
specific categories and types of programs that should be detected and handled under the policy. These are
shown in Figure 17.
Figure 17. MOVE AV Agentless Scan Policy
In an agentless deployment, exclusions are similar to those for MOVE AV’s multiplatform mode; they allow
for wildcards to be specified, but require the entire directory path. You can specify applicable actions on
malware detection for both on-access and on-demand scans, and you can enable quarantining as well
(the default is Disabled).
SANS Analyst Program
14
Protecting Virtual Endpoints with McAfee Server Security Suite Essentials
Protection
(CONTINUED)
We determined that the McAfee MOVE AV virtualizationaware product, both agent-based and agentless, appears
to perform as indicated in limited, nonperformance testing.
Hypervisor statistics at normal loads did not indicate
unwanted overhead due to antimalware processing. EICAR
test files—nonmalicious files used to validate that signaturebased scanning is functioning properly—were used to
validate antimalware scanning and detection, and we
successfully demonstrated the results within ePO, as shown
in Figure 18.
When quarantining is enabled in an agentless
deployment and MOVE AV deletes a malware
file, a .vmq file is created that contains an
obfuscated version of the malware file’s
contents. The .vmq file also has a header
with associated metadata used to identify the
malware sample’s VM of origin, its original
path on that VM, its MD5 and other properties.
The .vmq file is a temporary backup of the
original malware sample and will be deleted
automatically once it is 28 days old.
Figure 18. MOVE Malware Detection in ePO
SANS Analyst Program
15
Protecting Virtual Endpoints with McAfee Server Security Suite Essentials
Protection
(CONTINUED)
Boot Attestation Service
The last piece of the McAfee Server Server Security Suite Essentials that we reviewed was the Boot Attestation
Service, which McAfee developed in conjunction with Intel, which ensures that the hypervisor image booted
is the expected one. Suitable physical hosts have a chipset containing the Intel Trusted Execution Technology
(TXT) functionality. Administrators boot up a machine with a “gold” image in a clean-room environment and
extract and save the values of the registers computed by TXT (This is called a Known Good Machine—KGM).
Other similar hosts in the data center are associated with this KGM. When each of them boots up, their TXT
register values are compared against those of the KGM. If they match, it is a trusted boot; if not, it is untrusted.
To set up Boot Attestation, you need to download a Linux-based Boot Attestation Server as an Open
Virtualization Format (OVF) virtual appliance and then configure it to communicate with ePO. After that, you
can configure simple policies, based on each host’s hardware, on the Boot Attestation Server, that allow an
individual host to be configured as trusted or not. A new column (VMM Trust State) appears in the hypervisor
listing within ePO’s system tree, as shown in Figure 19.
Figure 19. VMM Trust State Column in ePO
SANS Analyst Program
16
Protecting Virtual Endpoints with McAfee Server Security Suite Essentials
Protection
(CONTINUED)
In addition, a new ePO Dashboard chart (Boot Attestation Status) can be displayed that shows the total
number of trusted and untrusted hosts (see Figure 20).
Figure 20. Boot Attestation Status Graph in ePO
More extensive analysis of Boot Attestation settings and policies was not performed, but the fundamental
product and capabilities seem to function as designed.
SANS Analyst Program
17
Protecting Virtual Endpoints with McAfee Server Security Suite Essentials
Conclusion: Putting the Pieces Together
Overall, McAfee has taken a number of progressive steps in adapting its technology for virtual and cloud
environments, and the Server Security Suite Essentials reflects this. The MOVE AV product was easy to set up
and configure, and it integrated well with VMware vSphere virtual environments. MOVE AV will be particularly
attractive to organizations looking to put an end to “AV storms” caused by excessive overhead processing and
resource utilization on VMs; by leading to dynamic migration of guest systems, such storms can destabilize an
data center environment.
In addition, the use of Intel TXT technology in the chipsets of the physical hosts adds an entirely new
dimension to building a trusted multitenant cloud infrastructure, whether public or private. By controlling
which VMs can run on which hosts, organizations can now gain an entirely new set of controls by which to
manage their overall system and data security posture. As mainstream cloud providers move to embrace
this technology and provide APIs and native monitoring capabilities for TXT protection, the security and
auditability of public cloud environments may improve dramatically.
Overall, we found the products in the new McAfee Server Security Suite Essentials to work well, and they were
easy to set up and configure. Because new virtual appliances are required, it’s important to properly plan for the
additional overhead they’ll represent in the virtual data center, but some of this is likely offset by the reduction
in overhead across VMs due to minimal antimalware and security processing. When more cloud provider
connectors are available, and cloud providers support TXT attestation, this set of security solutions could easily
facilitate a significant increase in overall cloud security in the areas of visibility and host and data protection.
SANS Analyst Program
18
Protecting Virtual Endpoints with McAfee Server Security Suite Essentials
About the Author
Dave Shackleford is the founder and principal consultant with Voodoo Security, a SANS analyst, instructor
and course author, and a GIAC technical director. He has consulted with hundreds of organizations in the areas
of security, regulatory compliance, and network architecture and engineering. He is a VMware vExpert and has
extensive experience designing and configuring secure virtualized infrastructures. He has previously worked
as CSO for Configuresoft and CTO for the Center for Internet Security. Dave is the author of the Sybex book
Virtualization Security. Recently, Dave co-authored the first published course on virtualization security for the
SANS Institute. Dave currently serves on the board of directors at the SANS Technology Institute and helps
lead the Atlanta chapter of the Cloud Security Alliance.
SANS would like to thank its sponsor:
SANS Analyst Program
19
Protecting Virtual Endpoints with McAfee Server Security Suite Essentials
Last Updated: June 18th, 2017
Upcoming SANS Training
Click Here for a full list of all Upcoming SANS Events by Location
DFIR Summit & Training 2017
Austin, TXUS
Jun 22, 2017 - Jun 29, 2017
Live Event
SANS Paris 2017
Paris, FR
Jun 26, 2017 - Jul 01, 2017
Live Event
SANS Cyber Defence Canberra 2017
Canberra, AU
Jun 26, 2017 - Jul 08, 2017
Live Event
SANS Columbia, MD 2017
Columbia, MDUS
Jun 26, 2017 - Jul 01, 2017
Live Event
SEC564:Red Team Ops
San Diego, CAUS
Jun 29, 2017 - Jun 30, 2017
Live Event
SANS London July 2017
London, GB
Jul 03, 2017 - Jul 08, 2017
Live Event
Cyber Defence Japan 2017
Tokyo, JP
Jul 05, 2017 - Jul 15, 2017
Live Event
SANS Los Angeles - Long Beach 2017
Long Beach, CAUS
Jul 10, 2017 - Jul 15, 2017
Live Event
SANS Cyber Defence Singapore 2017
Singapore, SG
Jul 10, 2017 - Jul 15, 2017
Live Event
SANS ICS & Energy-Houston 2017
Houston, TXUS
Jul 10, 2017 - Jul 15, 2017
Live Event
SANS Munich Summer 2017
Munich, DE
Jul 10, 2017 - Jul 15, 2017
Live Event
SANSFIRE 2017
Washington, DCUS
Jul 22, 2017 - Jul 29, 2017
Live Event
Security Awareness Summit & Training 2017
Nashville, TNUS
Jul 31, 2017 - Aug 09, 2017
Live Event
SANS San Antonio 2017
San Antonio, TXUS
Aug 06, 2017 - Aug 11, 2017
Live Event
SANS Hyderabad 2017
Hyderabad, IN
Aug 07, 2017 - Aug 12, 2017
Live Event
SANS Prague 2017
Prague, CZ
Aug 07, 2017 - Aug 12, 2017
Live Event
SANS Boston 2017
Boston, MAUS
Aug 07, 2017 - Aug 12, 2017
Live Event
SANS New York City 2017
New York City, NYUS
Aug 14, 2017 - Aug 19, 2017
Live Event
SANS Salt Lake City 2017
Salt Lake City, UTUS
Aug 14, 2017 - Aug 19, 2017
Live Event
SANS Adelaide 2017
Adelaide, AU
Aug 21, 2017 - Aug 26, 2017
Live Event
SANS Virginia Beach 2017
Virginia Beach, VAUS
Aug 21, 2017 - Sep 01, 2017
Live Event
SANS Chicago 2017
Chicago, ILUS
Aug 21, 2017 - Aug 26, 2017
Live Event
SANS Tampa - Clearwater 2017
Clearwater, FLUS
Sep 05, 2017 - Sep 10, 2017
Live Event
SANS San Francisco Fall 2017
San Francisco, CAUS
Sep 05, 2017 - Sep 10, 2017
Live Event
SANS Network Security 2017
Las Vegas, NVUS
Sep 10, 2017 - Sep 17, 2017
Live Event
SANS Dublin 2017
Dublin, IE
Sep 11, 2017 - Sep 16, 2017
Live Event
SANS Minneapolis 2017
OnlineMNUS
Jun 19, 2017 - Jun 24, 2017
Live Event
SANS OnDemand
Books & MP3s OnlyUS
Anytime
Self Paced