SCYBER vs CCNA:S vs CCNP:S

renacido Member Posts: 387
For Security Analysts doing intrusion analysis, incident response, security assessment and auditing, etc., which of the Cisco security certs is the "Goldilocks" fit for this role? We do enterprise security in a pure-Cisco environment with ASAs, VOIP, VPN, Wireless, etc. Our Network team administers all the above, and we do the security auditing of the devices, configs, ACLs, etc. Of course we also monitor network traffic for anomalies, perform packet analysis, internal pentesting/vulnerability assessment, etc. that might be discussed and provide some value to us, although we are good to go in the areas directly related to security operations. I'm mostly looking for training to give us a deeper and more technical depth of understanding of the specific technology we use so we'll be better equipped to find anomalies and harden against threats.

For a training standard and development plan, what do you think is the proper roadmap or is SCYBER alone enough?

Comments

  • cynicbeard Member Posts: 15
    First... SCYBER is a specialist cert.

    SCYBER is not necessarily CISCO specific. I just took the exam about a week and a half ago and was impressed with the content. It's definitely not GCIH, but it does have questions along that line of content (not scenario driven). Basic traffic analysis, basic IR procedures, general security concepts, etc.

    CCNA/P:S are very Cisco specific. I just finished up studying for the CCNA:S and although I see value in the material and enjoyed learning the material, for my specific career goals and what I currently do, I see value but not as much as what other certs have to offer.

    If you plan on staying where you are at... then you've answered your own question. Go down the CCNA/P:S route, especially if your environment is VERY Cisco. I am a fan of SCYBER, so I would say "go for it", but it doesn't hold the weight that other security certs have.

    Books:

    Practical Packet Analysis (You just want to understand basic traffic analysis)
    The Blue Team Handbook: IR Edition (And this would just be to familiarize yourself with the IR lifecycle)

    Learn concepts: Intrusion Detection / Prevention, Event Monitoring (Book: Practical Intrusion Analysis - This will go way too deep, but it will cover what you need).
  • renacido Member Posts: 387
    Thanks cynicbeard, that's helpful.

    Not so interested in "marketability" of the certs themselves, this is for our analysts who are gainfully employed with us and decorating their resumes is their responsibility not mine.

    But being in a Cisco environment, knowing as much as possible about their stuff helps a lot and I have always encouraged our guys to get vendor-specific certs that aren't necessarily security certs for that reason. I think CCNP:R&S is better than nothing but CCNP:S is better for us than R&S.

    Thanks also for comparing SCYBER with GCIH as that is also in their development roadmap and I don't want to add something that is more or less redundant.
  • docrice Member Posts: 1,706
    I have strong feelings about security training and certifications, so you'll have to excuse what may sound a bit like a rant...

    I don't know much about SCYBER, but I will say that focusing too much on vendor-specific training has its drawbacks. Knowing how to manage equipment and solutions is certainly important, but it's just as important (if not more) to see beyond them and start seeing the process, the nuances of the threats and risks, and keeping up on the evolving nature of the landscape. I've seen too many professionals who are "equipment-oriented" and only able to perform up to the device's limits. It really helps to have a more open-minded approach because vendor-oriented training tends to be naturally biased towards vendor solutions.

    To be effective in this day and age, you can't blindly put your faith in Cisco/Sourcefire/Check Point/Palo Alto Networks/FireEye/[insert your NextGen brand here]. Everything is behind the curve, and everything sucks to some degree. I'm always wary of candidates who have drunk the Kool-Aid when I interview them. Unfortunately, the training and certifications which tend to be better known are the vendor ones.

    I'm very curious about SCYBER, but I have a feeling it's more of a starting point. In order to understand the security features of Cisco products better, I think it's also important to know the type of attacks they're designed to counter, and that requires a more fundamental understanding of the offensive tools, tactics, and most importantly the creative human thinking which make the attacks happen. In order to defend, you have to understand how to attack. It's hard to be able to do both equally well, but it really helps to have both perspectives.

    SANS SEC504 is a great training course but that's just the tip of the iceberg. Something like OffSec's PWK or SANS SEC502, 503, 560, and FOR508 are also solid for extending the skill set. All the SANS courses are quite the dollar commitment though so it's certainly not for the extremely budget-conscious.

    For a team of analysts, I think an internal library of some books like The Practice of NSM, Counter Hack Reloaded, Wireshark Network Analysis, and so on would be a good investment at a relatively low cost. PWK is probably the best bang-for-the-buck in terms of security training.

    Also check out online training like CBT Nuggets for your team as part of the library:

    https://www.cbtnuggets.com/all-courses
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • renacido Member Posts: 387
    Good stuff docrice, amen brother (or sister?)

    I certainly do not RELY on vendor-specific training and the core of our security training is vendor-neutral. The reason I'm looking at vendor-specific stuff is precisely for knowing the capabilities and the limitations of the tech in our environment, to be better informed security SMEs in engineering and do more thorough security assessment, to know where to look for deficiencies and how to optimize. As an example, would you rather have your ASAs audited by a guy who knows Cisco IOS and has a good understanding of Cisco's equipment, or a guy without that, all other factors being equal? Would you rather your Windows Server infrastructure be audited by a security guy who has Windows sys admin experience or does that not make a difference in the quality and credibility of their findings and recommendations?

    In my experience (23 years) the best security guys I've known have deep knowledge of IT not just INFOSEC.

    Threat and risk analysis is constant and informs everything we do, from operations to strategic planning to our training plan. We can't yet afford SANS training at this time, but I'm building our tech library. We have subscriptions to Hacker Academy and I'm evaluating CBT Nuggets. Would like to offer PWK/OSCP but our department has only existed less than a year and I've some bigger gaps to fill training-wise on a limited budget.

    I totally agree with you that you can't rely on tools to save you, many people think if they have the latest greatest stuff they saw at BlackHat then they're covered. Nope. People, processes, technology, in that order. For that reason training is super important to me as well.
  • renacido Member Posts: 387
    docrice wrote:

    SANS SEC504 is a great training course but that's just the tip of the iceberg. Something like OffSec's PWK or SANS SEC502, 503, 560, and FOR508 are also solid for extending the skill set. All the SANS courses are quite the dollar commitment though so it's certainly not for the extremely budget-conscious.

    The majority of us would donate a kidney to have the training budget for half of that. For us all the SANS training and GIAC certs are a pipe dream.
  • renacido Member Posts: 387
    Our roadmap for security analysts (to get hired they come with 2+ years general IT experience plus Sec+/GSEC/SSCP or 1+ years in INFOSEC):

    Good: C|EH; E|CSA; Hacker Academy (all courses); Cisco & Microsoft training if available (via on-site w/ cert or CBT Nuggets); vendor-provided training on our SOC tools

    Better: All the above except SANS-equivalent courses instead of EC-Council

    Best: All the above plus OSCP

    I have to think in terms of good vs better because of current budget issues. Like I said, most don't have pockets deep enough for SANS.

    Thoughts/suggestions?
  • docrice Member Posts: 1,706
    Training courses get people up to speed quicker, but there's something to be said about doing a lot of reading, self-exploring, and digging on your own to learn things. It can take a lot longer, but the sense of struggle and futility until the mental light bulb turns on is what can really ingrain long-term knowledge into the learning experience.

    For this reason, I think having a bookshelf full of blue/red team books as well as general IT Windows/Linux/networking material is the cheapest way to achieve training on a budget, assuming you combine it with an in-house lab full of second-hand equipment and some allocated self-paced training time for each staff member.

    At least that's how I might approach it.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/