nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

GCIA Relevancy Question

lostsol

I work on the networking team and deal with firewalls, SSL VPN gateways, DNS, NMS, and work mostly with open source solutions. And I'm defining my own role as a Network Security Specialist. I work on the MDR team and I'm expected to jump in whenever an issue goes beyond inspecting local machines and/or mail, like DoS prevention, DNS RPZ, etc. I'd like to learn how to further harden/segment/defend my network.

I've taken FOR572 and thought it was great. I thought 503 would be a great next course, but I've read a few posts questioning its relevancy because of the increasing amount of traffic being forced over SSL. Decrypting the SSL or flow inspection would be ways to inspect the encrypted traffic. So I'm wondering if there are any other SANS course suggestions that may I may benefit more from, like the SEC555 SIEM course. Thx.

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

UnixGuy

It's really hard to tell. I think knowing how to analyze packet captures is an important skill, and it might come in handy...will you be doing this on a day to day basis? really hard to predict.

lostsol

I agree that it is a vital skill, but I don't do packet analysis every day.

FillAwful

One thing that has translated very well for me in a Security Analyst role is the IDS/IPS piece. Specifically, using pcap to write a Snort rule, and then testing that snort rule against pcap (pcap with normal baseline traffic and the malicious pcap the rule was based on). This is something I do often and GCIA really helped with learning the tools and advanced packet analysis necessary to write a good snort rule.

The other knowledge was good to have but above is what was most valuable for me in my role.

UnixGuy

@FillAwful: see I use Palo Alto IDS/IPS, and I don't really write Snort rule...it's just a GUI.

So you use Snort open source?

I'm going to use Cisco FirePower soon-ish, not sure if it's a best practice to write Snort rules.?

lostsol

@FillAwful: Thank you for the feedback. I don't plan to write snort rules anytime soon, but I do agree you can't go wrong learning advanced packet analysis.
I keep reading that IDS/IPS are old technology. So what about some type of hunt teaming course?
How do I look for beaconing activity type of course. Choke points at the end of the network... DNS, http headers, x509 certs... look at choke points and find anomalous behavior.

FillAwful

UnixGuy wrote: »

@FillAwful: see I use Palo Alto IDS/IPS, and I don't really write Snort rule...it's just a GUI.

So you use Snort open source?

I'm going to use Cisco FirePower soon-ish, not sure if it's a best practice to write Snort rules.?

We definitely write snort rules for Cisco Firepower, and some networks are indeed custom snort builds. (large mixed environment) Vendor sigs are great but sometimes we want to get ahead or need something more specific depending on the network environment.

GCIA also covers some Bro usage, I've never worked with it myself but it was good to knowledge to have.

After GCIA, I rarely see things in pcap that I don't know exactly what I'm looking at. It's really helpful not only for identifying false positive and true positive alerts, but also, knowing how common protocols work on a fine grained level really helps me analyze when these protocols are not behaving like they should and whether that's due to network mis-configuration or a malicious actor. It's made me a far better analyst.

supasecuritybro

My co-worker has his GCIA and everytime we have an issue he is the go to guy since he is able to analyze the traffic. He was able to do some serious analysis before the course so he said that helped a great deal. As far as SSL goes, a lot of internal traffic is still unencrypted and there is decryption tools companies will invest in just to have the visibility. I would highly encourage anyone who is interested in packets to do this course.

E Double U

I went for the GCIA because my team took ownership of the company's Cisco Sourcefire and that has been the primary benefit for me. That NIDS knowledge really comes in handy during hunting and when someone needs a Snort rule created.

UnixGuy

Agreed that knowledge of how protocols work from GICA is priceless!

Thanks guys

lostsol

Thanks everyone.