Penetration Testing mailing list archives

Re: Security Certifications for SOC team


From: Andre Gironda <andreg () gmail com>
Date: Mon, 23 Feb 2009 16:52:22 -0700

On Mon, Feb 23, 2009 at 5:28 AM, Matt Gardenghi <mtgarden () gmail com> wrote:
> Just for the record: None of the SANS classes I have taken have taught
> vendor specific material.  The GCFA and the GPEN used open source material
> exclusively.  Maybe it's different in other certs, but SANS seems to be
> vendor agnostic.

SANS doesn't sell tools.  They sell training and certifications.  In
order to pass their certifications, it is more often than not required to
attend their training.  Anyone who has passed SANS certs without the
training, feel free to speak up about your experiences.

They make it sound as if they are the primary provider of training and
certification for the US DoD when they reference the Department of
Defense Directive 8570.  They take sections out of the DoD docs and
remove references to competitors.  These and other anti-competitive
practices shine a bad light on SANS in my eyes.

SANS has some good free resources, especially as introductory
material, such as their SANS posters that they are known widely for.
However, again, their focus is on their own training and certification
programs, not any external or third-party ones (except for third-party
certifications that they also happen to offer training for).  SANS
makes it sound like they are the only game in town, when in reality,
their courseware and instructors often pale in comparison to other
training/cert vendors such as ISECOM, Vigilar / Intense School,
Security Innovation, Microsoft ACE, McAfee/Foundstone, Symantec, IBM
ISS, HP ASC, Ernst & Young, Verizon Business Security Professional
Services / CyberTrust, InfoSec Institute, SecurityPS, Security
University, and probably every incident handling and/or application
security boutique (e.g. Aspect Security, Cigital, iSecPartners, NGSS,
Leviathan Security Group, Denim Group, Gotham Digital Science,
IOActive, ImmunitySec, Blueinfy, Security Compass, Casaba Security,
Neohapsis, Mandiant, Matta, Stach & Liu, Corsaire, Korelogic,
Consciere, Sensepost, nRuns, SecureState, Offensive Security, et al).
Apologies to any security boutiques out there that I have missed -- be
sure to speak up!

SANS works fairly exclusively with InGuardians for instructors, making
their focus and scope rather limited.  BlackHat Training isn't even
this exclusive.  While I understand that many of the training class
days at conference events like the upcoming CanSecWest are rather
expensive -- they are priced similarly to SANS.  The value your
organization is going to get for price per head per class goes way
down with these high-profile courses and instructors.  It's always
best to work with a small boutique where you can get rate-card or
scaled pricing, in addition to creating and maintaining your own
internal training, especially Lunch 'N Learn style.

I have seen the SANS training material and have compared it to many of
the above material from other training sources.  SANS is very
low-quality, and who is to say that any training is better than any
other?

The best way to measure the effects of your training to-date is to
implement your own metrics program that indexes things like
organizational risk and readiness programs, along with instructor and
student feedback on all training aspects (e.g. course material, the
instructor, the classroom setting, etc).

I come from a very unbiased approach to security training.  The best
security training I have seen comes out of Microsoft, and some of the
best demo material I've seen has come from Security Innovation.
Starting with these vendors and then focusing into specific areas with
a security boutique is often the best approach for any sized
organization if you really don't know where to start.

Back to the original post, however, I do feel that CERT maintains the
highest quality and most vendor-neutral approach to certification for
individuals in Security Operations Centers.  Anyone who is willing to
put up a better argument is welcome to do so here.  I have found that
ISECOM and the ISO/IEC organization (with their ISO 27001 Lead Auditor
certification) have been able to stay fairly vendor-neutral,
especially compared to other facets in the industry such as the (ISC)2
CISSP, ISACA CISA/CISM/CGEIT, and NSA IAM/IEM.  I have been keeping my
eye on compliance-neutral certification programs such as the Society
of Payment Security Professionals (SPSP), as well as quality-driven
programs such as the ISO 9001:2008 Lead Auditor, Six Sigma Belts, and
the ISTQB.

SPSP in particular has some information on Education and Training
Validity and Certification Development:
https://www.paymentsecuritypros.com/en/art/51/
https://www.paymentsecuritypros.com/en/art/48/

If you are really looking for a "one-size-fits-all, one-stop shop"
like SANS, I suggest that you look into IntenseSchool instead.  They
are partnered well with many organizations and feature much more rich
and modern content on topics like payment application security,
virtualization security, and many other topics.  Personally, I would
rather go with my earlier suggestions, but there are some
organizations who are unwilling or unable to spend the time and effort
on improving their security training, even if it takes a little bit of
work.

Cheers,
Andre
