
CSA+ align with job description?

triplea Member Posts: 190 ■■■■□□□□□□
Hi,

Was looking at adding this as a technical cert to my job resume.

Before I go investing time and money in this, though, I want to ask for people's advice/thoughts please.

How much did you actually learn from this? Did it teach you enough to read logs? What tools to use, etc.? I often see job offers that require these skills but wanted to make sure this would cover it during my studies. Don't mind adding some tools along the way as I also prefer some hands on (monkey see, monkey do!). There's no direct duty that covers this in my current role, apart from checking the event logs for the servers daily; network intrusion is covered by an email from Symantec Endpoint.

Basically coming from a system admin looking to move over to infosec analyst or something similar.

Cheers.

Comments

  • yoba222 Member Posts: 1,237 ■■■■■■■■□□
    Given that the CySA+ is an exam and not a training course, you'll only learn what you choose to. For me, I did learn all the things you mention. I learned them in the form of two Udemy courses, a Safari Books course, a lab course, and one text book.

    I might have overdone it, but 90 hours/3 months later I did touch every tool in the exam objectives.
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
  • triplea Member Posts: 190 ■■■■□□□□□□
    Thanks for replying. Having reread it, I probably didn't explain it the best. The exam is really the end goal that will hopefully show some experience on my resume. Also for me to learn/know what I really should be able to do when I get the job.

    Current plan is to get the eJPT out of the way first.

    I then have access to training via CBT Nuggets, Cybrary and Udemy. So I will be taking a CySA+ course from each of those, supplemented by the CySA+ book. I ask because I have the Sec+ but that is all overview really and not hands on. I felt that Sec+ really just shows you what to Google to get something done rather than you knowing how to do it straight off the bat.

    cheers
  • PsychoData91 Member Posts: 138 ■■■□□□□□□□
    I was part of the Beta. I did a LOT of independent study on basically anything that sounded relevant to security before the CySA+ was even in beta.

    When the CySA+ Beta came around, I worked down through the objectives, giving any that sounded like I didn't feel totally competent in it an hour or two of similar trainings/content online (remember, it's a beta, so there were no official resources released like there are now). I spent a lot of time watching YouTube videos and Googling around and finding free resources related to those objectives.

    All in all, above the probably 100 hours of assorted (not focused on this cert) security training I had done I probably did two weeks of an hour or two every evening, so 20-30 hours on top of experience and general study before that.

    triplea said:
    How much did you actually learn from this? Did it teach you enough to read logs? What tools to use, etc.? I often see job offers that require these skills but wanted to make sure this would cover it during my studies. Don't mind adding some tools along the way as I also prefer some hands on (monkey see, monkey do!). There's no direct duty that covers this in my current role, apart from checking the event logs for the servers daily; network intrusion is covered by an email from Symantec Endpoint.
    I mean... A lot of this I had already gotten from basic experience in Sysadmin and Security. I would say, that if your "network intrusion is covered by an email from symantec endpoint" then you're not in the right mindset.

    Checking logs is good and all, but you need several components to a security role. I would encourage you to start seeking out other security issues, and work on making them better. They'll be there. SQL Servers running as some shared account, shared accounts period, not separated admin accounts, working on setting up bastion workstations and firewalling between those and servers and workstations. And none of those take any tools.

    Now that it's out, I would highly encourage ITpro.tv's CySA+ course. I haven't taken this one specifically, but I've REALLY enjoyed their other courses. And they do have a number of those hands-on labs you were talking about.

    I definitely did enjoy this cert and would recommend it. I'm looking at making the switch from System Administrator to possibly a CyberSecurity Analyst. I might try to toss in another cert like a SSCP, and I also took the Pentest+ beta, though I'm not sure I passed that one. To be honest, this cert isn't JUST applicable to security folks and would be an excellent bit of knowledge to round out any Jack-of-all-trades Sysadmin or just a senior sysadmin. And IT Security is doing nothing but growing right now.
  • triplea Member Posts: 190 ■■■■□□□□□□
    Thanks for replying.

    Again, sounds OK in my head but I didn't clarify.

    Because we are ISO 27001, things like shared accounts are not allowed. Individual accounts for admins etc. It's a whole framework of bits and bobs I'm already involved in. We just don't seem to do any active scanning other than the odd Nessus test monthly. I'm involved with all the patching, cloud services etc. already.

    Just want to make sure on the learning path to CySA+ would give me more of a chance at a career move.
  • Silverquick Registered Users Posts: 3 ■■□□□□□□□□
    OK, what is CySA+ good for?
    Here's a small description of what you would do with it and why it applies, and why in the DoD this thing is HUGE...
    I spend my day at a computer with a screen as large as a TV, with 4 different windows up, one in each corner, and these pieces of equipment and/or software running.

    1. McAfee Network Security Manager and an NS-7200 Sensor with a tap out in front of the Firewall, a tap into the DMZ, and a span from the Core Router.
    2. HBSS Alert and Monitoring Console monitoring HIPS, Anti-Virus, DLP, and EPO.
    3. SolarWinds Log and Event Monitor (SIEM)
    4. Firepower IPS (Sourcefire actually)

    On all of these things I am monitoring people reconning us from outside the network via the McAfee NSM, making sure the recon attempts only show on ONE interface and do not pass into the interfaces behind it (meaning they made it through the firewall). And spending my time checking out any other alerts like XSS alerts, where I will quite literally, on another computer, pull down the actual JavaScript or other possible offender and literally read the code line by line looking for anything REAL that could, as an example, be an actual SQL injection, LDAP injection, or actual XSS.
    Or perhaps an overly long POST request, where I will pull down the packet, look at it in Wireshark, and look at the content to see not only what they were reading but what was actually indicated in the packet.

    Or perhaps some weird activity on one of the utilities shows at a workstation; I will then go to the Sourcefire event interface and run the full run of connections from that machine to the outside world, to see every single connection, whose ID is logged in, and what URLs and domains were hit, to see if there's anything suspicious about the connections. I will be watching the Firepower known C2 hits and checking to see which country and/or hop point they came from.

    Maybe then I'll look at the SIEM to show all log activity from that machine for that time span and watch each little event and process that started up, to link it back to that.

    You know... like... when the browser opened... the audio driver suddenly kicked in... then the cmd kicking in... and what command line it ran?

    Then... while I'm doing that, I might hop onto the SIPR side and check out some of the recent classified intelligence reports and classified forensics reports on known foreign actor activity, grab information about a recent attack, then grab the available Snort code for it, or perhaps code my own Snort definition based on the forensics to upload into both McAfee and Sourcefire so they both have it and can detect new stuff no one is even aware of yet.

    THIS is what a CySA is about and what it gives you... or rather... certifies you to do.

    Take your CASP, your CISSP, and your Sec+ and toss them out the window...

    ....every one of them will be worthless compared to the CySA+ when you are doing this kind of thing; the only other one that will have any relevance at all is the CEH, because at least you can recognize actual hacks with it.

    While this entire process can vary depending on the individual places you are at... those are the basics.
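The log-correlation step Silverquick describes (the browser opened, then cmd kicked in, then reading what command line it ran) is exactly the kind of thing a CySA+ study lab can reproduce with a few lines of code. The Python below is an added example written for this thread; it is not Silverquick's code and not the output of any of the products named above. The process-creation lines, host names, user names and PIDs are constructed for illustration, and the `pid=... ppid=... image=...` field layout is a made-up Sysmon-like format, not any real product's export. It parses the events, rebuilds each process's parent chain per host, and flags a shell whose ancestor within a short window is a web browser.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of process-creation events in a made-up Sysmon-like layout.
# Hosts, users, PIDs and command lines are invented for this example.
SAMPLE_LOG = """\
2019-03-04T09:12:01Z host=WS-17 user=jdoe pid=4120 ppid=812 image=explorer.exe cmd="explorer.exe"
2019-03-04T09:12:03Z host=WS-17 user=jdoe pid=4388 ppid=4120 image=chrome.exe cmd="chrome.exe --profile-directory=Default"
2019-03-04T09:12:09Z host=WS-17 user=jdoe pid=4402 ppid=4388 image=chrome.exe cmd="chrome.exe --type=renderer"
2019-03-04T09:12:11Z host=WS-17 user=SYSTEM pid=4410 ppid=800 image=audiodg.exe cmd="audiodg.exe 0x3c4"
2019-03-04T09:12:15Z host=WS-17 user=jdoe pid=4455 ppid=4402 image=cmd.exe cmd="cmd.exe /c whoami > %TEMP%\\o.txt"
2019-03-04T09:12:16Z host=WS-17 user=jdoe pid=4461 ppid=4455 image=whoami.exe cmd="whoami"
2019-03-04T09:30:00Z host=WS-17 user=jdoe pid=5001 ppid=4120 image=cmd.exe cmd="cmd.exe"
2019-03-04T09:31:00Z host=WS-22 user=asmith pid=3001 ppid=900 image=firefox.exe cmd="firefox.exe"
2019-03-04T09:31:20Z host=WS-22 user=asmith pid=3012 ppid=3001 image=powershell.exe cmd="powershell.exe -w hidden"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) pid=(?P<pid>\d+) '
    r'ppid=(?P<ppid>\d+) image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)

# Images treated as browsers and as shells (assumed lists for the example).
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    pid: int
    ppid: int
    image: str
    cmd: str


def parse_log(text):
    """Parse the constructed log format into ProcEvent records; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append(ProcEvent(
            ts=datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            host=d["host"], user=d["user"],
            pid=int(d["pid"]), ppid=int(d["ppid"]),
            image=d["image"].lower(), cmd=d["cmd"]))
    return events


def index_by_pid(events):
    # Key on (host, pid): PIDs are only unique per host. Real logs also reuse
    # PIDs over time, so a production version should key on a process GUID.
    return {(e.host, e.pid): e for e in events}


def lineage(by_pid, event):
    """Walk parent pointers back to the earliest ancestor we have a record for."""
    chain = [event]
    seen = {event.pid}
    cur = event
    while (cur.host, cur.ppid) in by_pid and cur.ppid not in seen:
        cur = by_pid[(cur.host, cur.ppid)]
        seen.add(cur.pid)
        chain.append(cur)
    chain.reverse()  # root first, the flagged process last
    return chain


def find_browser_spawned_shells(events, window=timedelta(minutes=5)):
    """Return the parent chains of shells that descend from a browser started within `window`."""
    by_pid = index_by_pid(events)
    hits = []
    for e in events:
        if e.image not in SHELLS:
            continue
        chain = lineage(by_pid, e)
        browser = next((p for p in chain[:-1] if p.image in BROWSERS), None)
        if browser is not None and e.ts - browser.ts <= window:
            hits.append(chain)
    return hits


def describe(chain):
    """Render a chain as root -> ... -> leaf for an analyst to read."""
    return " -> ".join(f"{p.image}({p.pid})" for p in chain)


if __name__ == "__main__":
    for chain in find_browser_spawned_shells(parse_log(SAMPLE_LOG)):
        leaf = chain[-1]
        print(f"{leaf.host} {leaf.ts.isoformat()} {leaf.user}: {describe(chain)}")
        print(f"    command line: {leaf.cmd}")
```

Two of the nine constructed events are reported: the cmd.exe under a Chrome renderer on WS-17 and the PowerShell under Firefox on WS-22; the cmd.exe started straight from explorer.exe at 09:30 is not, because no browser sits in its parent chain. The audiodg.exe line is deliberately unrelated noise of the kind Silverquick mentions, and the lineage walk ignores it. Printing the leaf's command line is the part an analyst actually reads next, which is why the chain keeps the full record rather than just the image names.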
  • jeremywatts2005 Member Posts: 347 ■■■■□□□□□□
    For me CySA+ was just a validation of what I already have done and am doing. I work in the DFIR space, so I spent a total of zero hours studying. Bought the beta exam voucher and the next day walked in and sat for the exam. A few months later I got the results, boom, a pass. Working in DFIR-titled roles a total of 6 yrs; been in tech though for around 20 yrs, since the late 90's. Ugghhh, I am old.
  • mikey88 Member Posts: 495 ■■■■■■□□□□
    yoba222 said:
    Given that the CySA+ is an exam and not a training course, you'll only learn what you choose to.
    I agree. It all depends on how much time you spend labbing and getting actual hands on with all the tools covered in the exam. Given that CySA+ is a new exam and not very well known as of yet, I wouldn't expect any immediate return on investment.
    Certs: CISSP, CySA+, Security+, Network+ and others | 2019 Goals: Cloud Sec/Scripting/Linux
