Penetration Testing mailing list archives
Re: Security Certifications for SOC team
From: Andre Gironda <andreg () gmail com>
Date: Mon, 23 Feb 2009 16:52:22 -0700
On Mon, Feb 23, 2009 at 5:28 AM, Matt Gardenghi <mtgarden () gmail com> wrote:
> Just for the record: None of the SANS classes I have taken have taught vendor specific material. The GCFA and the GPEN used open source material exclusively. Maybe it's different in other certs, but SANS seems to be vendor agnostic.
SANS doesn't sell tools. They sell training and certifications. In order to pass their certifications, it is more often than not required to attend their training. Anyone who has passed SANS certs without the training, feel free to speak up about your experiences.

They make it sound as if they are the primary provider of training and certification for the US DoD when they reference the Department of Defense Directive 8570. They take sections out of the DoD docs and remove references to competitors. These and other anti-competitive practices shine a bad light on SANS in my eyes.

SANS has some good free resources, especially as introductory material, such as the SANS posters that they are widely known for. However, again, their focus is on their own training and certification programs, not any external or third-party ones (except for third-party certifications that they also happen to offer training for).

SANS makes it sound like they are the only game in town, when in reality, their courseware and instructors often pale in comparison to other training/cert vendors such as ISECOM, Vigilar / Intense School, Security Innovation, Microsoft ACE, McAfee/Foundstone, Symantec, IBM ISS, HP ASC, Ernst & Young, Verizon Business Security Professional Services / CyberTrust, InfoSec Institute, SecurityPS, Security University, and probably every incident handling and/or application security boutique (e.g. Aspect Security, Cigital, iSecPartners, NGSS, Leviathan Security Group, Denim Group, Gotham Digital Science, IOActive, ImmunitySec, Blueinfy, Security Compass, Casaba Security, Neohapsis, Mandiant, Matta, Stach & Liu, Corsaire, Korelogic, Consciere, Sensepost, nRuns, SecureState, Offensive Security, et al). Apologies to any security boutiques out there that I have missed -- be sure to speak up!

SANS works fairly exclusively with InGuardians for instructors, making their focus and scope rather limited. BlackHat Training isn't even this exclusive.
While I understand that many of the training class days at conference events like the upcoming CanSecWest are rather expensive, they are priced similarly to SANS. The value your organization is going to get for price per head per class goes way down with these high-profile courses and instructors. It's always best to work with a small boutique where you can get rate-card or scaled pricing, in addition to creating and maintaining your own internal training, especially Lunch 'N Learn style.

I have seen the SANS training material and have compared it to much of the above material from other training sources. SANS is very low-quality, and who is to say that any training is better than any other? The best way to measure the effects of your training to-date is to implement your own metrics program that indexes things like organizational risk and readiness programs, along with instructor and student feedback on all training aspects (e.g. course material, the instructor, the classroom setting, etc).

I come from a very unbiased approach to security training. The best security training I have seen comes out of Microsoft, and some of the best demo material I've seen has come from Security Innovation. Starting with these vendors and then focusing into specific areas with a security boutique is often the best approach for any sized organization if you really don't know where to start.

Back to the original post, however, I do feel that CERT maintains the highest quality and most vendor-neutral approach to certification for individuals in Security Operations Centers. Anyone who is willing to put up a better argument is welcome to do so here. I have found that ISECOM and the ISO/IEC organization (with their ISO 27001 Lead Auditor certification) have been able to stay fairly vendor-neutral, especially compared to other facets in the industry such as the (ISC)2 CISSP, ISACA CISA/CISM/CGEIT, and NSA IAM/IEM.
I have been keeping my eye on compliance-neutral certification programs such as the Society of Payment Security Professionals (SPSP), as well as quality-driven programs such as the ISO 9001:2008 Lead Auditor, Six Sigma Belts, and the ISTQB. SPSP in particular has some information on Education and Training Validity and Certification Development:

https://www.paymentsecuritypros.com/en/art/51/
https://www.paymentsecuritypros.com/en/art/48/

If you are really looking for a "one-size-fits-all, one-stop shop" like SANS, I suggest that you look into IntenseSchool instead. They are partnered well with many organizations and feature much richer and more modern content on topics like payment application security, virtualization security, and many other topics. Personally, I would rather go with my earlier suggestions, but there are some organizations who are unwilling or unable to spend the time and effort on improving their security training, even if it takes a little bit of work.

Cheers,
Andre