SEC401 - GSEC hands on?

Danielm7

I have a newer coworker in security, blue team, low level analyst now. The company will pay for his SANS GSEC course / cert but were asking what sort of hands on skills he might pick up from that. I suggested something more towards the GCIH/A range but they wanted him to get a more general overview first.

Checking the SANS course info page I'm not sure what parts of the course are hands on or what the labs consist of. Any ideas?
Thanks.

iBrokeIT

Straight from their website (https://www.sans.org/course/security-essentials-bootcamp-style) and the section called "Hands-on Training":

SEC401 is an interactive hands-on training course. The following are some of the lab activities that students will carry out:

• Setup of virtual lab environment
• Windows/Linux tutorial
• TCP **** analysis
• WireShark decoding of VoIP traffic
• Password cracking
• Host-based discovery with Dumpsec
• Hashing to preserve digital evidence
• Analyzing networks with hping and nmap
• Event correlation with Splunk
• Use of steganography tools
• Securing a Windows system with MBSA and SCA

Danielm7

Ha, wow, thanks. I was looking through the syllabus and didn't see that section at the bottom. I still think he'd be better off with one of the other courses but it's good to know.

636-555-3226

What are his actual job roles? SEC401 is a good intro primer, but don't push him to focus on a ton of general areas. get the basics down and then slot him into what will be the most effective takeaways from his class. if he's blue team, in my opinion, you can't get any better than

SEC505: Securing Windows and PowerShell Automation
https://www.sans.org/course/securing-windows-with-powershell

GCWN
https://www.giac.org/certification/certified-windows-security-administrator-gcwn


this assumes you're a predominantly Windows environment and don't already have a mature endpoint posture

iBrokeIT

I would agree with both of your assessments that SEC504/505 would be a much better fit that SEC401.

TechGromit

While I think GSEC is not absolutely necessary to start tackling higher level courses like the GCIH, I still think you need a basic security course, even if that course is just the Security+ course (or a self study book) AND Certification. I think it's important to obtain the certification to prove you absorb the material that was taught / read, otherwise you could be day dreaming during the course and learned nothing.

Danielm7

I agreed that he needed a primer, I gave him materials for the Sec+ months ago but he seems to get bored with just video/books and not focus. I know that's not my problem but it's also out of my hands. Maybe if he had to work on actually passing the Sec+ instead of just reviewing the material he'd be more focused. I got the impression that the GSEC is like the Sec++, which is nice but if we're spending 6500+ with the course/cert I'm looking for a little more return on hands on skills.

The powershell course looks interesting, he already knows some powershell and isn't really in the position to be dealing with server security and such yet. So far he's mostly responding to SOC/SIEM alert emails, AV/malware cleanup, reaching out to users with security related issues, etc. I'd like him to get into network traffic analysis and more of a deep level of understanding of what malware actually does vs just getting alerts and putting in requests to wipe laptops.

I think my director made a mistake in trying to get him to focus by suggesting things like "what interests you, maybe hacking and doing pen tests?" Of course his eyes lit up with that but he really doesn't have the background or understanding of networking to even consider something like that yet so I'm trying to get his foundation solid before he tries to specialize just because he thinks the idea of hacking sounds cool.

globalenjoi

I took SEC401 last fall, after getting Sec+ earlier in the year. It was a good class, with lots of great information, but much of it was a refresh of Sec+ with more depth. However, it definitely covers a lot of Windows/Linux basic security concepts that are interesting, and it was absolutely the best way to learn and digest the complex cryptography stuff. Had a hard time with that on Sec+, just felt like none of the books or resources ever explained it well.

Since I'm doing the graduate certificate, I really wish I had opted for the Pen Testing route, starting with the GCIH, only because I already had the Sec+ cert. But since I'm not in a pen testing position, and likely won't be for a long time, the GSEC was a good pick.

TechGromit

Danielm7 wrote: »

I gave him materials for the Sec+ months ago but he seems to get bored with just video/books and not focus.

If he worked for me, I would demand he pass the Security+ certification before spending serious training $ on him. I have a co-worker who attended three SANS courses and didn't get any certifications. I seriously wonder how much he really benefited from the courses.

Danielm7 wrote: »

I think my director made a mistake in trying to get him to focus by suggesting things like "what interests you, maybe hacking and doing pen tests?" Of course his eyes lit up ....

That's because Hacking is considered Cool. I think if your really interested in Cyber Security, incident response is where the money is. Sure it's helpful to have a little pentest background, but company's are really interested in how to protect themselves from break-ins, minimizing damage and recovering when they occur. The attack surface is so large, obviously your going to need more guards on the walls then attackers to climb over one small section of the walls. In time the over supply of penetration testers will force wages down, incident response can get boring, making keeping qualified staff more difficult, thus keeping wages high.

Danielm7

Completely agree on all points.