Penetration Testing mailing list archives
Re: Security Certifications for SOC team
From: Matt Gardenghi <mtgarden () gmail com>
Date: Mon, 23 Feb 2009 07:28:17 -0500
Just for the record: None of the SANS classes I have taken have taught vendor specific material. The GCFA and the GPEN used open source material exclusively. Maybe it's different in other certs, but SANS seems to be vendor agnostic.
Matt Gardenghi

Andre Gironda wrote:
> On Thu, Feb 19, 2009 at 7:31 AM, John Perea <JPerea () contegosecurity com> wrote:
>> I think SANS Certificates will help, especially the GCIA and GCIH, since your team is assigned at the SOC.
>
> This is a good suggestion, but SANS is a vendor-focused, money-making organization. I would prefer that incident handlers support CERT's program instead:
> http://www.cert.org/certification/
>
> For IDS/IPS certification (which I think is a relatively flawed piece of modern operational security infrastructures), I would suggest Sourcefire. I know that years ago I would never have considered them, but with Gartner's approval so high, and their VMware vSphere integration through the VMsafe API (and it appears that they are one of the only vendors doing this) - it seems a logical choice. It's also nice that they support Snort certification since it is the dominant open-source project.
> http://www.sourcefire.com/services/education
>
> Server virtualization, VNET, and cloud computing tend to complicate IDS/IPS as much or more than the modern application layer attacks. By "application layer" I'm not really referring to the seventh and highest layer of the OSI model. These sorts of attacks aren't something that you can rely on packet capture for. You can't even rely on an APIDS or WAF for a large majority of these attacks, especially not with human-assisted learning, let alone "auto-learning". Just by the nature of JavaScript, various HTML/CSS/Script encodings, the way that HTML attributes work, canonicalization, Unicode and other character sets, and domain logic issues - IDS/IPS is too immature to be dealing with modern application attacks on their own. Some behavior based detection may help a little here, but I haven't found it to be "reliable", just "better than signatures".
>
> dre
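Andre's point about encodings and canonicalization defeating signature matching can be made concrete with a small detector comparison. The following is an added example written for this archive page, not code from either poster or from any IDS product: it runs one constructed signature (a `<script` tag opener) over constructed request fragments, first as a raw byte-for-byte match the way a naive packet-level signature would, then after canonicalizing the input (iterated percent- and HTML-entity decoding, Unicode NFKC folding, lower-casing). The sample strings, the signature, and the three-round decoding cap are all assumptions made for the demonstration.

```python
import html
import re
import unicodedata
from urllib.parse import unquote

# Constructed signature standing in for a typical content-match rule.
SIGNATURE = re.compile(r"<script\b", re.IGNORECASE)


def naive_match(payload: str) -> bool:
    """Match the signature against the payload exactly as received,
    which is what a packet-level content match effectively does."""
    return SIGNATURE.search(payload) is not None


def canonicalize(payload: str, max_rounds: int = 3) -> str:
    """Reduce the payload to one canonical form before matching.

    Each round percent-decodes and then HTML-entity-decodes; repeating
    handles double encoding. The round cap (an assumption) prevents an
    attacker-controlled input from making decoding unbounded. Finally
    NFKC folds compatibility characters (e.g. fullwidth '<' U+FF1C) to
    their ASCII equivalents and the result is lower-cased.
    """
    text = payload
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(text))
        if decoded == text:
            break
        text = decoded
    return unicodedata.normalize("NFKC", text).lower()


def canonical_match(payload: str) -> bool:
    """Match the signature against the canonicalized payload."""
    return SIGNATURE.search(canonicalize(payload)) is not None


# Constructed request fragments: the first is benign, the rest carry the
# same tag opener in representations a raw match does not see.
SAMPLES = {
    "benign": "q=hello%20world",
    "plain": "q=<script>",
    "percent": "q=%3Cscript%3E",
    "double_percent": "q=%253Cscript%253E",
    "decimal_entity": "q=&#60;script&#62;",
    "named_entity": "q=&lt;script&gt;",
    "fullwidth": "q=\uff1cscript\uff1e",
}


def evaluate(samples: dict) -> dict:
    """Return {name: (naive_hit, canonical_hit)} for each sample."""
    return {name: (naive_match(s), canonical_match(s)) for name, s in samples.items()}


if __name__ == "__main__":
    for name, (raw_hit, canon_hit) in evaluate(SAMPLES).items():
        print(f"{name:16s} raw={raw_hit!s:5s} canonical={canon_hit!s:5s}")
```

Only the `plain` sample trips the raw match; every encoded variant needs the canonicalization step, and the benign sample stays clean in both. This illustrates the narrow point about encodings; the domain-logic issues Andre also lists are not addressable by normalization at all, which is the thrust of his argument.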
Current thread:
- Security Certifications for SOC team Alcides (Feb 18)
- RE: Security Certifications for SOC team John Perea (Feb 20)
- Re: Security Certifications for SOC team Andre Gironda (Feb 22)
- Re: Security Certifications for SOC team Matt Gardenghi (Feb 26)
- Re: Security Certifications for SOC team Andre Gironda (Feb 26)
- Re: Security Certifications for SOC team Scott (Feb 26)
- Re: Security Certifications for SOC team Andre Gironda (Feb 22)
- RE: Security Certifications for SOC team John Perea (Feb 20)