Educause Guest Blog: Think Before You Speak

Hello All:

In honor of cyber security month 2016, Educause allowed me to be a guest blogger once again for their Security Matters blog.

Read it Here: Think Before You Speak: Effectively Share Risk Across the Organization

There are some other great articles published this week as well, including one written by SANS’ Lance Spitzner.

Thanks for checking it out!

SANS SEC503 (GCIA) Review

Ouch. My head hurts.

I am tempted to end my review right there, but this class is just too awesome. I would not be doing it justice.

This past May I attended SEC503, Intrusion Detection In-depth, virtually. It was v-live format; Essentially a live stream of the course at SANS Houston. As far as the format is concerned, I liked it more than on-demand, but not as much as being there in the flesh. You don’t get to network as well and obviously you miss out on Netwars and SANS @ Night, but the core part of the experience is kept intact. I had the ability to interact with the class via chat, which was definitely useful. If I typed in a question, the moderator would inform the instructor, in this case Johannes Ullrich. He would than respond verbally, which was a great way to interact with the instructor remotely. This was important to me because one of the primary reasons I prefer SANS courses over many others is the caliber of their instructors. Dr. Ullrich is truly an expert in the field and for those that don’t already, I would highly recommend subscribing to his daily ISC Stormcast. If you don’t know, now you know (yes, that was a 90’s hip hop reference)! I digress.

The course lived up to the hype. It has a reputation for being one of the most challenging SANS courses. And I would have to say that of the courses I’ve taken, there is truth to that. I will qualify that by saying I do not have a strong background in this area. I had a high level understanding of packet analysis solely from SEC401, but otherwise this was uncharted territory for me. I am comfortable with IDS concepts overall and oversee a managed implementation of such, but my hands-on experience is limited. This course filled in all the gaps. I was able to work with snort quite a bit, and some other great solutions such as Bro, SiLK and Security Onion. I learned very quickly that aside from basic functionality, Bro requires basic programming capability to support, hence the limited adoption. I also learned more about IP, TCP, UDP, and IPv6 that I ever cared to know about. But more importantly, I have a crystal clear understanding of what is normal and what is not when looking at a series of packets. It also provided plenty of flight time with tcpdump and Wireshark.

wireshark screenshot

Wireshark screenshot

 

I used the full 4 months to prepare for this exam after taking the course. Partially due to external time contention (being appointed interim CISO shortly after I took the course) and partially because this material was outside of my comfort zone…not my cup of tea as “they” say. I still managed to score a 95 on the exam. I’m not sharing that to brag. I wanted to reassure my blog readers that if you are inclined to take this course, you can be successful, even if you’re not already a packet ninja. If you want to be one, this is a good place to start. I would like to set your expectation, though. Even after taking this course, I would not consider myself a black belt. Brown belt at best!

Do I recommend this course…absolutely. Keep the Advil handy, though!