Blue Team/ Red Team certifications

mnashe (Member, Posts: 136)
Not sure if the subject is going to make folks roll their eyes, but I've been doing a lot of reading on the Blue Team and Red Team. I first came across Red Team on a job post I saw; it was Red Team Operator or something like that. It was a term I didn't know they used in IT security. From what I gathered, Blue Team are the defenders and Red Team are the penetration testers trying to get in. Very interesting reading.

I've been trying to see where my current job history and experience fit within security. I've spent many years as a Windows/VMware admin, and have a couple of years of network experience, mainly Cisco LAN switching and data center technologies. Don't get me wrong, I like routing and switching, but my favorite part of the day is when I need to get on the firewall to do something. I really want to focus on security now: network security/infrastructure security.

Anyway, when I look at the two teams, I see myself working as a defender (blue team), for now. Ideally, I'll learn both sides. As I've mentioned in another thread, I started my CCNP Security, as I was interested in learning about ISE, IPS and more about ASA firewalls. Vendor specific is great, but not everyone is using Cisco IPS or Cisco firewalls, so that seems limiting. I was also looking at CISSP, as a lot of jobs in my area require it or are asking for it.

I'm looking for an opinion on what's the best certification to give me knowledge and possible opportunities. Would I be better off forgetting the CCNP Security (for now) and going for something like the GCIA or GCIH instead for this direction?

I'm open to suggestions.

Comments

  • Kalabaster (Member, Posts: 86)
    was interesting to learn about ISE, IPS and more about ASA firewalls.

    Sounds like you want to be on the perimeter team; often these fall under the title "security engineer". I say it that way because in security, many titles, terms, and descriptions are used rather loosely.

    As far as certifications go, the CISSP will give you the best return on investment, but will teach you near to nothing useful for what you want. You can, however, use it to get your foot in strongly somewhere else and try to show how your experience is relevant, get into a good position and have the new place pay for the more useful things.

    Now, the decision comes down to whether you want to work on the tools and instruments that are used to maintain an organization's security posture (configuring firewalls, IDS/IPS systems, SIEMs, etc.) or whether you want to respond to and/or proactively detect security breaches.

    The first lends itself more directly to your previous experience, will be easier for you to get into at a higher level, and is very lucrative. For free, look up how to configure Snort, and play with it on a Security Onion VM. For SANS, think about SEC401, SEC505 (Windows) or SEC506 (Linux), SEC511, and SEC566 (may lead to a Senior Engineer/Architect/Lead role).

    The second will be a new skillset and you may have to go down a bit in pay and/or pecking order at first. However, you will get a broader view, as you are going from administering tools in a security context to using the tools. This will be you analysing the data (almost always) after the detection of a breach or some form of suspicious activity (yay blinky boxes!). For this route, the SANS path would be SEC504, SEC508, SEC511, and SEC610.

    There are so so many different paths you can take, and this was just a super broad overview of some basic directions you can take.
    Certifications: A+, Net+, Sec+, Project+, Linux+/LPIC-1/SUSE CLA, C|EH, eWPT, GMON, GWAPT, GCIH, eCPPT, GPEN, GXPN, OSCP, CISSP.
    WGU, BS-IT, Security: C178, C255, C100, C132, C164, C173, C172, C480, C455, ORA1, C182, C168, C394, C393, C451, C698, C697, C176, C456, C483, C170, C175, C169, C299, C246, C247, C376, C179, C278, C459, C463, C435, C436.
    Legend: Completed, In-Progress, Next
  • mnashe (Member, Posts: 136)
    Kalabaster wrote: »
    Sounds like you want to be on the perimeter team; often these fall under the title "security engineer". I say it that way because in security, many titles, terms, and descriptions are used rather loosely.

    As far as certifications go, the CISSP will give you the best return on investment, but will teach you near to nothing useful for what you want.

    Hi Kalabaster,
    Thanks for the reply. I think this is where I'm torn. Today, I have to do it all; there is no security department. I'm deploying switches, firewalls, servers, etc., checking the firewall logs and reports daily, and running vulnerability scans daily, remediating those vulnerabilities for network devices and creating tickets for the server items. Sometimes I help them resolve their issues with research, but not much lately. Too busy. My company doesn't have a SIEM or IPS/IDS, so no experience there. I guess typically one team is configuring those devices and another team is analyzing?

    SEC511 and SEC566 look very interesting to me. The certifications that relate to them don't seem to be very common on job postings. GPPA also looked good to me, but I saw that SANS did away with that course.
  • Kalabaster (Member, Posts: 86)
    Yeah, that's how it is in a great many places. We call that having .5 security guys. The thing with SANS is that you don't get them for the certifications. You go there for the training. Using SANS certs to get past HR filters is like trying to swat a fly with a sledgehammer. CISSP will open the most doors, is cheaper, and is easier. SANS WILL train you to do your job much better, however.
  • nopx90 (Member, Posts: 20)
    You can't go wrong with 503! Great foundations course, IMO. If you need analysis skills, I think this is the course to take.
  • mnashe (Member, Posts: 136)
    Kalabaster wrote: »
    The thing with SANS is that you don't get them for the certifications. You go there for the training.

    Thanks. A great way to put it. Now it's just about finding the right course to take. My only concern with doing the CISSP first is that I'll get past the HR filter, but won't have the experience to do the job I'm applying for. At this point in my career, going backwards salary-wise just isn't an option. Title I don't care about. I don't mind going from Sr. Network Engineer to Security Analyst, Information Security Analyst, Cybersecurity Analyst, or whatever they are calling it. The different titles drive me a little nuts.

    This is a little too far for me travel-wise, but it resembles the type of position I can see myself being interested in. I don't think I'd qualify today even if it was in my area, but maybe it'll help with some suggestions: https://jpmchase.taleo.net/careersection/2/jobdetail.ftl?lang=en&job=2757294&src=JB-13027
    nopx90 wrote: »
    You can't go wrong with 503! Great foundations course, IMO. If you need analysis skills, I think this is the course to take.

    It does seem like a great course.
  • Kalabaster (Member, Posts: 86)
    OK, that's definitely more of a "Security Engineer" role. It's also important to note that you happened to choose a bit of a diamond with your example: a sec gig at a financial firm, and a big one at that. Well, the pay is magical and the competition is significant. It's going to be very hard to land a spot there at any level when you're just beginning, but having that demonstrable experience to look back on and give context to whatever training solution you take will be significant if you leverage it correctly.

    SEC503 will teach you some basic IDS config stuff, but more importantly it teaches you how to read packets well. If you haven't had experience doing so, that's pretty golden. To get a grasp of what that means, go to Malware-Traffic-Analysis.net and try the exercises there, then, using the information you gained, try to make Snort signatures that would alert or block on that traffic. That's 503, and it is pretty awesome.
  • mnashe (Member, Posts: 136)
    Kalabaster wrote: »
    OK, that's definitely more of a "Security Engineer" role. It's also important to note that you happened to choose a bit of a diamond with your example.

    I did that on purpose, haha. I know this was a far-fetched one, but it looked like a very good example to give. At first glance I'd think I can do this, since it mentions technologies I have experience in. I have many years of messaging and virtualization. I have experience with Cisco and Juniper too. I did work for a large financial company once, but it was at a much lower level and it was for a short time, so that doesn't count. I know these financial companies are really tough to get into, in general.

    I also thought this was a good example of a company that's hiring for a "security engineer" position that prefers someone with CISSP.

    I definitely think if I take a SANS course, it'll probably be 503. I don't analyze packets that often, honestly. My typical case of analyzing packets is for web browsing issues due to SSL decryption. When someone can't get to a site properly, it's much easier for me to look at a packet capture to see if decryption is causing the issue. I'm definitely checking out that site, though. Never heard of it.

    Do you think I'm on the right track for a "Security Engineer" by completing CCNP Security and CISSP?
  • E Double U (Member, Posts: 2,233)
    My path (which made sense in my former role):

    CCNP Security -> CISSP -> GCIH

    CEH (HR filter) and GCIA (knowledge) are up next for me.
    Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS
  • Kalabaster (Member, Posts: 86)
    E Double U wrote: »
    My path (which made sense in my former role):

    CCNP Security -> CISSP -> GCIH

    CEH (HR filter) and GCIA (knowledge) are up next for me.

    I like this path a lot in the context of the OP's situation. It's logical, efficient, and makes sense. Maybe sub in the 503 earlier than the 504 if you want to, but both are cornerstone SANS courses and you'll eventually want both or an analogue.
  • the_Grinch (Member, Posts: 4,165)
    I highly recommend SEC511! Based around hunt teaming, which is where the industry is going.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • mnashe (Member, Posts: 136)
    They all seem like great courses, but after reviewing, I think I'll go for 504, as it seems most interesting to me. Now I just have to decide when to go, and whether to take the vLive or On Demand. It'll probably be 2017 at this point.
  • Kalabaster (Member, Posts: 86)
    Good luck, man! Let us know how it goes.
  • mnashe (Member, Posts: 136)
    Kalabaster wrote: »
    I like this path a lot in the context of the OP's situation. It's logical, efficient, and makes sense. Maybe sub in the 503 earlier than the 504 if you want to, but both are cornerstone SANS courses and you'll eventually want both or an analogue.

    I was thinking about the order of what I should do. I did like the CCNP Security > CISSP > GCIH.

    The only thing I'm thinking about with CCNP Security is being effective in retaining the knowledge. I have always wanted to learn ISE, but my employer does not use it (yet). We do not use the email or web appliances either. I really want to know ASA firewalls well, so that's on my list, as I feel it'll be good to know 2 firewalls well.

    I'm wondering if I should go this route:

    1 CCNP Security exam to renew current certs > ASA > CISSP > GCIH

    What does everyone think?
  • Kalabaster (Member, Posts: 86)
    It depends on your position. You're already a CCNP, and is it a simple lateral move? If so, then hell yeah. What's ASA? Otherwise I think that makes a lot of sense, I just don't know what ASA is.

    Edit: After a Google search, it turns out it's a Cisco cert for advanced security experts. I've been around quite a bit, but I've never heard of it before. I don't know if that's more telling against me or against the certification as far as a return on investment. I'd skip the ASA, but I don't feel qualified enough to say so definitively.
  • mnashe (Member, Posts: 136)
    Kalabaster wrote: »
    It depends on your position. You're already a CCNP, and is it a simple lateral move? If so, then hell yeah. What's ASA? Otherwise I think that makes a lot of sense, I just don't know what ASA is.

    Edit: After a Google search, it turns out it's a Cisco cert for advanced security experts. I've been around quite a bit, but I've never heard of it before. I don't know if that's more telling against me or against the certification as far as a return on investment. I'd skip the ASA, but I don't feel qualified enough to say so definitively.

    Oh sorry, I should have clarified. ASA is Cisco's firewall product. It has a part in the CCNP Security track, but I meant to just focus on strictly learning the ins and outs of their firewall instead of doing the full CCNP Security certification for now. I have a CCNP in Routing and Switching. The CCNP Security would be 4 exams.
  • Kalabaster (Member, Posts: 86)
    Being vendor specific is a really bad thing in security. In fact, it's a point of pride to be tool agnostic when it comes to security, with experience in various different tools. So I'd keep that in mind when climbing up these tracks. Sure, you can use Cisco appliances but, speaking of Cisco appliances, can you write Snort signatures? Can you take the same knowledge and apply it to other brands? That's really the main question. Do you understand what's happening so fully at the command line level that you can apply the same knowledge to other techs? If so, then you're fine and certifications are nothing more than an affirmation of your level of accomplishment.

    Certs are often used to prove your level of effort in applying knowledge in a field that you don't have strong demonstrable experience in, so going up one side can have strongly diminishing results and maybe it's worth moving laterally into broad things like the CISSP and CEH earlier. Honestly though, after a certain point any advice is useless, and it's just worth it to do the same things that have already found you your own success.
  • mnashe (Member, Posts: 136)
    Kalabaster wrote: »
    Being vendor specific is a really bad thing in security. In fact, it's a point of pride to be tool agnostic when it comes to security, with experience in various different tools. So I'd keep that in mind when climbing up these tracks. Sure, you can use Cisco appliances but, speaking of Cisco appliances, can you write Snort signatures? Can you take the same knowledge and apply it to other brands? That's really the main question. Do you understand what's happening so fully at the command line level that you can apply the same knowledge to other techs? If so, then you're fine and certifications are nothing more than an affirmation of your level of accomplishment.

    Certs are often used to prove your level of effort in applying knowledge in a field that you don't have strong demonstrable experience in, so going up one side can have strongly diminishing results and maybe it's worth moving laterally into broad things like the CISSP and CEH earlier. Honestly though, after a certain point any advice is useless, and it's just worth it to do the same things that have already found you your own success.

    Good points, and it's kind of where I was going with this. I'll answer your question first. No, I've never used Snort. As for applying to other brands, I'd say sure; I've been able to take concepts from Cisco and apply them to Juniper. Just like I want to take my Palo Alto firewall knowledge and apply it to Cisco's firewall.

    The way I was starting to look at it is, I already have my CCNP in Routing and Switching. Is CCNP Security going to do a whole lot for my resume? I'm thinking no.

    Maybe I'm better off finishing one exam so my certs don't expire and looking into focusing on CISSP for certification. I see Cybrary has some courses that I should go through on Pen Testing/Ethical Hacking, Cloud Security, and Security+. CBT Nuggets has a CEH 9 course. I don't necessarily care to take the exam, but maybe I'll be better off for the knowledge.

    I know, I'm all over the place :)