Re: Security Certifications for SOC team

On Sun, Mar 1, 2009 at 11:54 AM, Miller Grey
<vigilantgregorius@xxxxxxxxx> wrote:
My apologies Andre, I realize now you were not the original poster, so
my response was way off base and I jumped the gun prematurely (stepped

Hey no problem. I just want to get ideas out in the open and
discussed. I know that they come off as harsh. I apologize for being
a bit hasty and reckless in my approach.

Putting metrics to training quality (especiialy feedback) is an
awesome idea, one that should be implemented in every business, no
doubt.  I also think for a soc, your assertion on CERT is dead on.
What better a training vendor for IR than CERT, or at least that would
be my assumption.  Again, I have no experience with their training
materials/instruction.  I do know the training and GCIH cert is pretty
good.  (Out of curiosity, what's your opinion of EC-Council and the
CEH cert?)

I have read through the CEH training, as well as the many books
available out there (including the official ones that EC-Council put
out). I really feel that if this is the direction of
penetration-testing, then it's no wonder the bad guys are winning.
CEH teaches basic network attack paradigms and focuses on
freeware/crippleware Windows/GUI-dominant tools.

I would be hard pressed to ever take anything that the EC-Council
produces seriously given their history. It's extremely likely that I
would hire someone with zero certifications and less experience over
someone who had CEH on their resume. Maybe that is harsh, but I would
say that I have my reasons.

It would be wonderful if the emphasis on certification was minimized
and the focus was put more on quality subject matter.  Look at OWASP,
amazing subject matter, open to the public, and no certification in
sight (I hope).

Right on! Well said.

Your idea about people educating themselves on education is a good
one, but who educates the clients looking for a global, recognized,
gold-seal of approval?  Which in the end is what they need, right?  In
this case, a SOC that is staffed with intelligent, knowledgable folks
who can perform high quality work.  How else do they base their

In the same way that the best security checklists provide up to only
three-fourths of the security that needs to be managed away from risk
- a global gold-seal is going to be [at best] the same.

I think companies should base their decisions on where their risk and
compliance issues most stand out. Focus on SOX? : CISA / CISM. Focus
on PCI-DSS? : CPISA / CPISM. Focus on ISO 27001/27002? : ISO 27001
Lead Auditor.

Focus on penetration-testing assessments? : ISECOM OPST or possibly
even HP Accredited Integration Specialist (AIS) in Application
Security using HP WebInspect v7 and/or Fortify
Associate/Professional/Expert certifications. Focus on risk analysis
/ assessment? : ISECOM OPSA or NSA IAM and IEM. Focus on incident
handling / response? : CERT CSIH.

Again, I apologize for my last post, it was a useless rant misdirected
and totally out of line.  Every bit of information you posted was
informative (even if I disagree on your view of SANS) and very useful.

Well, certainly SANS does not agree. Steven Northcutt sent me an
email rebuttal, and he brought up some excellent points:

On Sun, Mar 1, 2009 at 11:27 AM, Stephen Northcutt <stephen@xxxxxxxx> wrote:
SANS works fairly exclusively with InGuardians for instructors, making their
focus and scope rather limited.

= = = Er, not even close. I think four of the 80+ faculty are InGuardians,
maybe it is five. Granted they are some of our heavy hitters. You end up
recommending IntenseSchool and they are a good outfit, I admire the work of
the Kaufman brothers. However, who do they have on their faculty that you
can put in the same league as Ed Skoudis, Josh Wright, Mike Poor, Kevin
Johnson. ( I stuck with InGuardians for a reason, I have a heck of a lot of
bench strength left), that have written major security books, contributed
proof of concept exploit demonstrations, spoken at major events, testified
to congress, etc, etc.

I meant that in the application security (including
penetration-testing and ethical hacking) and incident handling spaces,
InGuardians is over-represented by SANS/GIAC for this "type" of
material (i.e. appsec and IH) in "comparison" to the other long list
of appsec/IH security boutiques that I listed.

Mind you, I have every respect for the InGuardian guys, but I see them
as only one voice of many.

Please let this correction to my previous email stand. I didn't want
to make it seem like I don't understand SANS/GIAC, their instructors,
or their training/certification models.


Relevant Pages

  • Re: Doubt regarding Sec+
    ... I have a CEH, ... The CEH is a technical cert which is great if ethical hacking and pen ... The CISSP is currently considered the defacto standard for overall ... information security. ...
  • Re: [NEWS] More Net Attacks Loom, CERT Says
    ... >>More Net Attacks Loom, CERT Says ... LOL. ... trend, according to security experts, are poor security practices. ... and the response to that is "we can't afford to.. ...
  • Re: [NEWS] More Net Attacks Loom, CERT Says
    ... >>More Net Attacks Loom, CERT Says ... LOL. ... trend, according to security experts, are poor security practices. ... and the response to that is "we can't afford to.. ...
  • Re: Security and EOL issues
    ... A belief that a good company, if Microsoft were one, would provide ... regulations governing what the automobile industry must do. ... older software's security would be just fine. ... > Computer Emergency Response Teams, ...
  • RE: CEH program and Sybex Study Guide
    ... They have a variety of courses, and most of them are given by people on the bleeding edge of the InfoSec field. ... CEH program and Sybex Study Guide ... I am now focusing on security as my carrer. ...