Penetration Testing mailing list archives
Re: Security Certifications for SOC team
From: Andre Gironda <andreg () gmail com>
Date: Sun, 1 Mar 2009 13:15:16 -0700
On Sun, Mar 1, 2009 at 11:54 AM, Miller Grey <vigilantgregorius () gmail com> wrote:
> My apologies Andre, I realize now you were not the original poster, so my response was way off base and I jumped the gun prematurely (stepped
Hey no problem. I just want to get ideas out in the open and discussed. I know that they come off as harsh. I apologize for being a bit hasty and reckless in my approach.
> Putting metrics to training quality (especially feedback) is an awesome idea, one that should be implemented in every business, no doubt. I also think for a SOC, your assertion on CERT is dead on. What better a training vendor for IR than CERT, or at least that would be my assumption. Again, I have no experience with their training materials/instruction. I do know the training and GCIH cert is pretty good. (Out of curiosity, what's your opinion of EC-Council and the CEH cert?)
I have read through the CEH training, as well as the many books available out there (including the official ones that EC-Council put out). I really feel that if this is the direction of penetration-testing, then it's no wonder the bad guys are winning. CEH teaches basic network attack paradigms and focuses on freeware/crippleware Windows/GUI-dominant tools. I would be hard pressed to ever take anything that the EC-Council produces seriously given their history. It's extremely likely that I would hire someone with zero certifications and less experience over someone who had CEH on their resume. Maybe that is harsh, but I would say that I have my reasons.
> It would be wonderful if the emphasis on certification was minimized and the focus was put more on quality subject matter. Look at OWASP, amazing subject matter, open to the public, and no certification in sight (I hope).
Right on! Well said.
> Your idea about people educating themselves on education is a good one, but who educates the clients looking for a global, recognized, gold-seal of approval? Which in the end is what they need, right? In this case, a SOC that is staffed with intelligent, knowledgeable folks who can perform high quality work. How else do they base their decision?
In the same way that the best security checklists provide up to only three-fourths of the security that needs to be managed away from risk - a global gold-seal is going to be [at best] the same. I think companies should base their decisions on where their risk and compliance issues most stand out. Focus on SOX? : CISA / CISM. Focus on PCI-DSS? : CPISA / CPISM. Focus on ISO 27001/27002? : ISO 27001 Lead Auditor. Focus on penetration-testing assessments? : ISECOM OPST or possibly even HP Accredited Integration Specialist (AIS) in Application Security using HP WebInspect v7 and/or Fortify Associate/Professional/Expert certifications. Focus on risk analysis / assessment? : ISECOM OPSA or NSA IAM and IEM. Focus on incident handling / response? : CERT CSIH.
> Again, I apologize for my last post, it was a useless rant misdirected and totally out of line. Every bit of information you posted was informative (even if I disagree on your view of SANS) and very useful.
Well, certainly SANS does not agree. Stephen Northcutt sent me an email rebuttal, and he brought up some excellent points:

On Sun, Mar 1, 2009 at 11:27 AM, Stephen Northcutt <stephen () sans edu> wrote:
>> SANS works fairly exclusively with InGuardians for instructors, making their focus and scope rather limited.
> = = = Er, not even close. I think four of the 80+ faculty are InGuardians, maybe it is five. Granted they are some of our heavy hitters. You end up recommending IntenseSchool and they are a good outfit, I admire the work of the Kaufman brothers. However, who do they have on their faculty that you can put in the same league as Ed Skoudis, Josh Wright, Mike Poor, Kevin Johnson (I stuck with InGuardians for a reason, I have a heck of a lot of bench strength left), that have written major security books, contributed proof of concept exploit demonstrations, spoken at major events, testified to congress, etc, etc.
I meant that in the application security (including penetration-testing and ethical hacking) and incident handling spaces, InGuardians is over-represented by SANS/GIAC for this "type" of material (i.e. appsec and IH) in "comparison" to the other long list of appsec/IH security boutiques that I listed. Mind you, I have every respect for the InGuardian guys, but I see them as only one voice of many. Please let this correction to my previous email stand. I didn't want to make it seem like I don't understand SANS/GIAC, their instructors, or their training/certification models.

Cheers,
Andre