Penetration Testing mailing list archives

Re: Security Certifications for SOC team


From: Andre Gironda <andreg () gmail com>
Date: Sun, 1 Mar 2009 13:15:16 -0700

On Sun, Mar 1, 2009 at 11:54 AM, Miller Grey
<vigilantgregorius () gmail com> wrote:
My apologies Andre, I realize now you were not the original poster, so
my response was way off base and I jumped the gun prematurely (stepped

Hey no problem.  I just want to get ideas out in the open and
discussed.  I know that they come off as harsh.  I apologize for being
a bit hasty and reckless in my approach.

Putting metrics to training quality (especially feedback) is an
awesome idea, one that should be implemented in every business, no
doubt.  I also think for a SOC, your assertion on CERT is dead on.
What better a training vendor for IR than CERT, or at least that would
be my assumption.  Again, I have no experience with their training
materials/instruction.  I do know the training and GCIH cert is pretty
good.  (Out of curiosity, what's your opinion of EC-Council and the
CEH cert?)

I have read through the CEH training, as well as the many books
available out there (including the official ones that EC-Council put
out).  I really feel that if this is the direction of
penetration-testing, then it's no wonder the bad guys are winning.
CEH teaches basic network attack paradigms and focuses on
freeware/crippleware Windows/GUI-dominant tools.

I would be hard pressed to ever take anything that the EC-Council
produces seriously given their history.  It's extremely likely that I
would hire someone with zero certifications and less experience over
someone who had CEH on their resume.  Maybe that is harsh, but I would
say that I have my reasons.

It would be wonderful if the emphasis on certification was minimized
and the focus was put more on quality subject matter.  Look at OWASP,
amazing subject matter, open to the public, and no certification in
sight (I hope).

Right on!  Well said.

Your idea about people educating themselves on education is a good
one, but who educates the clients looking for a global, recognized,
gold-seal of approval?  Which in the end is what they need, right?  In
this case, a SOC that is staffed with intelligent, knowledgeable folks
who can perform high quality work.  How else do they base their
decision?

In the same way that the best security checklists provide up to only
three-fourths of the security that needs to be managed away from risk
- a global gold-seal is going to be [at best] the same.

I think companies should base their decisions on where their risk and
compliance issues most stand out.  Focus on SOX? : CISA / CISM.  Focus
on PCI-DSS? : CPISA / CPISM.  Focus on ISO 27001/27002? : ISO 27001
Lead Auditor.

Focus on penetration-testing assessments?  : ISECOM OPST or possibly
even HP Accredited Integration Specialist (AIS) in Application
Security using HP WebInspect v7 and/or Fortify
Associate/Professional/Expert certifications.  Focus on risk analysis
/ assessment?  : ISECOM OPSA or NSA IAM and IEM.  Focus on incident
handling / response? : CERT CSIH.

Again, I apologize for my last post, it was a useless rant misdirected
and totally out of line.  Every bit of information you posted was
informative (even if I disagree on your view of SANS) and very useful.

Well, certainly SANS does not agree.  Steven Northcutt sent me an
email rebuttal, and he brought up some excellent points:

On Sun, Mar 1, 2009 at 11:27 AM, Stephen Northcutt <stephen () sans edu> wrote:
SANS works fairly exclusively with InGuardians for instructors, making their
focus and scope rather limited.

= = = Er, not even close. I think four of the 80+ faculty are InGuardians,
maybe it is five. Granted they are some of our heavy hitters. You end up
recommending IntenseSchool and they are a good outfit, I admire the work of
the Kaufman brothers. However, who do they have on their faculty that you
can put in the same league as Ed Skoudis, Josh Wright, Mike Poor, Kevin
Johnson. ( I stuck with InGuardians for a reason, I have a heck of a lot of
bench strength left), that have written major security books, contributed
proof of concept exploit demonstrations, spoken at major events, testified
to congress, etc, etc.

I meant that in the application security (including
penetration-testing and ethical hacking) and incident handling spaces,
InGuardians is over-represented by SANS/GIAC for this "type" of
material (i.e. appsec and IH) in "comparison" to the other long list
of appsec/IH security boutiques that I listed.

Mind you, I have every respect for the InGuardian guys, but I see them
as only one voice of many.

Please let this correction to my previous email stand.  I didn't want
to make it seem like I don't understand SANS/GIAC, their instructors,
or their training/certification models.

Cheers,
Andre
