Penetration Testing mailing list archives

Re: Security Certifications for SOC team


From: Miller Grey <vigilantgregorius () gmail com>
Date: Sun, 1 Mar 2009 12:54:41 -0600

My apologies Andre, I realize now you were not the original poster, so
my response was way off base and I jumped the gun prematurely (stepped
on a rake).  Although, having been to SANS and having attended various
boot camps, I think your opinion on SANS is a bit harsh, and you
were the one that brought up SANS being vendor-specific.  If you meant
in the material, fine, although I think it varies by
instructor/course.  I've found the majority of boot camps I've been to
introductory and focused solely on the certification exam, not the
knowledge-base needed to do the job, which I find SANS does (to an
extent).  I also know a number of people who have challenged the certs
successfully without taking the classes.  Your assertion about the DoD
is a bit harsh as well IMHO, that's marketing.

I will at least try to add some value to this thread since I skewed it
in the negative with my previous post (which I humbly regret).  ISECOM
has some amazing material, although I've never been to their training,
I reference their OSSTMM framework often, and found their recently
authored book to be quite interesting.  Microsoft ACE has always been
solid, as well as the Foundstone folks...but to say that SANS pales in
comparison to your list of (some very vendor-specific) training
vendors is a bit over the top.

Putting metrics to training quality (especially feedback) is an
awesome idea, one that should be implemented in every business, no
doubt.  I also think for a SOC, your assertion on CERT is dead on.
What better a training vendor for IR than CERT, or at least that would
be my assumption.  Again, I have no experience with their training
materials/instruction.  I do know the training and GCIH cert is pretty
good.  (Out of curiosity, what's your opinion of EC-Council and the
CEH cert?)

The original poster (whom I grossly and unfairly attacked) asked what
certs have a good deal of respect in the industry and demonstrate
competency to their _clients_.  The keyword, of course, being clients.
While I understand the need for the security industry as a whole to
concentrate on quality education (certs being way over-valued, in fact
as a whole we need to stand up to some of this over-reliance on broad
certs in name only, ISACA and ISC2 in particular, which I think you do
a good job of demonstrating), clients also need a standard on which to
base their decisions.  They (not necessarily as vendor-conscious as we
are) know only a handful of certs which they can recognize...CISSP,
CISA, etc...A lot of these vendors (including some you mentioned), in
this current environment of vying only for revenue/market share, are
only adding to the confusion.

It would be wonderful if the emphasis on certification was minimized
and the focus was put more on quality subject matter.  Look at OWASP,
amazing subject matter, open to the public, and no certification in
sight (I hope).

Your idea about people educating themselves on education is a good
one, but who educates the clients looking for a global, recognized,
gold-seal of approval?  Which in the end is what they need, right?  In
this case, a SOC that is staffed with intelligent, knowledgeable folks
who can perform high quality work.  How else do they base their
decision?

Again, I apologize for my last post, it was a useless rant misdirected
and totally out of line.  Every bit of information you posted was
informative (even if I disagree on your view of SANS) and very useful.

...I will now slowly back away, tail between legs...

-mg

On Sun, Mar 1, 2009 at 10:34 AM, Andre Gironda <andreg () gmail com> wrote:
On Sun, Mar 1, 2009 at 8:39 AM, Miller Grey <vigilantgregorius () gmail com> wrote:
Maybe if you spent more time and effort on handling your awesome new
responsibilities in the operations center than putting together long,
drawn-out, overly-thoughtful emails, you would have an idea...and from
your exhaustive list of schools, you already do.

While you may feel that education and certification for the
penetration-testing community/industry is less important than I do, I
don't think that you have a right to tell anyone who is giving away
tons of free information whether their time is wasted or not.

My "idea" is that people should educate themselves about education.
What's your idea?  To spread the message that TL;DR bores you?

dre



