Tuesday, March 3, 2009

Suggestions for Security Training

I respond to questions from time to time about a recommended security training pipeline for SOC operators at all levels. Here is the general recommendation I've developed.

(Jr Sec Analyst) Year 1 goals
- Security+
- GCIH

(Sr Sec Analyst) Year 2 goals
- begin CISSP study (reading, not a bootcamp yet)
- GCFA if doing investigations
- or GCIA if focused more on network management of IPS

(Sec Engineer/ Sr Sec Analyst, Principal) Year 3 goals
- CISSP course and testing
- GREM if moving toward malware investigation
- OR GPEN if moving toward software assurance (recommend GCIA prereq)
- begin local research projects and security defense-in-depth expansion through pilots

(Sec Architect) Year 4 goals
- CISSP/ISSEP certification
- additional SANS courses
- demonstrated local research and expansion projects

I choose to emphasize the CISSP over other equivalent certifications (CISA/CISM) because of its better ROI in the DOD8570.01M requirements structure. For any employee in government service whom you plan to invest in for more than a year, you should pursue this certification to maintain compliance and competitiveness. Not that it gets you knowledge without having equivalent experience, but it's a marker you have to have.

I have also chosen to emphasize SANS training as they are considered an industry gold standard, are vendor neutral, and teach underlying concepts in addition to applied practices. Their courses are not a college degree or an 'academic' environment, but they are good training for directly applicable skills.

I think Rob Fuller has an interesting perspective at his Room362 blog entry on security credentials.