why no study guides for SANS™ Institute GIAC Certifications available?
Hi. There is not a single GIAC exam where you can prepare 100% with a study guide from amazon.com! The learning material on the GIAC website is too expensive. Why? For me GIAC is much too expensive...
Forum Admin at www.techexams.net
If Eric Cole is any indication of what the rest of their training staff is like, I'd say it is well worth it.
I think they do try to price out a lot of candidates, but when talking to folks about security, SANS certs are always highly regarded.
Security is still a specialization within the grand scheme of all things IT. As with a lot of specializations with sufficient demand behind them, there's usually a positive cost difference in obtaining and maintaining cutting-edge expertise. Infosec is also not something one gets into early in a career, as it's grounded in many of the more typical disciplines such as systems and network administration. People who are just getting into or growing an established security career are often in the mid-to-higher end of the income scale. The cost of SANS courses then becomes more accessible due to that very fact. When I was just starting out in IT, taking a SANS course or justifying it to an employer as a desktop support tech would've been next to a miracle.
A former employer paid for my 401 course and subsequent GSEC exam attempt. The other four I paid out of my own pocket, and it really hurt the bank ... but I made the conscious sacrifice for it. I was only able to financially support this after building up my income to a sufficient level with accepted life trade-offs elsewhere. There are things that I can't afford which most people take for granted.
SANS also prides itself on staying current. The security landscape changes frequently, and regularly updating courseware, putting it through reviews, updating the associated exams, etc. comes with a cost, especially when it's done multiple times in a year. Contributing to public initiatives such as the Internet Storm Center, etc. all has costs associated with it. With security changing so frequently, SANS conveniently packaging a lot of this into focused courses, and finally considering the for-profit motive, it's not surprising these courses cost a lot and there are no unofficial SANS study guides. While the information contained in the courses isn't proprietary, you could say that from some perspectives the way it's all put together in a convenient package is.
But if you go to any other training provider with live instruction, you pay into the thousands as well. While some of those have study material on Amazon and in your local bookstores, SANS commands a premium because of the benefits I listed above. If that sounds unfair, then understand that's how life works. You have to work your way up to eventually be able to afford the luxury performance cars. And SANS instructors aren't just people with a bit of experience in the field who are there to recite the slide deck in the presentations. These are folks that have actually been there and done that and have real-world anecdotes to pass on, so you're better informed about the context of things when you get back to work.
I've taken a Cisco class at a training provider, as well as others like the CHFI and CISSP prep course at another well-known training center, and I'll say that the SANS instruction is still worth its premium price ... and all the courses I've taken from them were not at conferences but through their OnDemand program where I go through a pre-recorded environment on my own schedule. Attending a live conference / class is much more immersive but for me that comes with travel costs.
If you really want to take a SANS course and can't afford it, save your pennies or find creative ways to raise some funds. It may take time, but that's how it is with everything - high-end computer equipment, a bigger house, etc. If you just want the cert, then adopt the hacker motif and go through the course syllabus to decode the exam expectations. It's not like they hide it.
There I go rambling again...
As someone who has taken multiple SANS courses, I strongly believe they are overpriced, so let me explain why. First, allow me to clearly state that I have no problems with their conference pricing due to the logistics, effort and communication that is required to set them up. My problem lies with their 'OnDemand/VLIVE/Self-Study' training packages, as they are ridiculously high. Let's look at another organization in the same market as SANS: Offensive-Security. Sure, their live training is just as expensive as SANS, but that is to be expected. If we were to compare apples to apples, Offensive-Security's 'online' courses cost about 1/3 of the premium SANS charges for a 'self-study' course. SANS uses their premiums to help fund the Internet Storm Center, while the Offensive-Security folks use the same premiums to run BackTrack Linux - Penetration Testing Distribution, Exploits Database by Offensive Security, Metasploit Unleashed, and so forth. So, what is the difference? Both organizations have top-notch instructors with years' worth of real-world experience, and they also sponsor community projects. The difference lies with the pricing and the course format. SANS likes to take students by the hand and show them the world, while Offensive-Security likes to take a more practical approach by teaching the students a little more than the basics and setting them free so they can explore the world by themselves.
Much like @paul78, I don't anticipate I will be taking any other SANS courses in the future. If one has to give up so much in order to save money to take one of their courses, then they had better be worth it - from content to the quality of the books. You are free to do with your money as you please, but make sure you can live with your decision. There are cheaper alternatives where you can get the most bang for your buck.
In summary, as JD has stated in the past, regular folks are not the type of audience SANS is catering to. If your organization is footing the bill for you, then by all means, do go to a SANS conference as you will truly enjoy it. If you are footing the bill, then you may want to think twice about how you are going to spend your hard earned money.
Thanks for sharing your thoughts - it actually helped to solidify my own thoughts about SANS.
@crashdump - the short answer is as jd and ipchain mentioned - there is lots of other training out there that is equally valuable and more cost-effective.
Wait, don't you mean their OnDemand is overpriced compared to the OffSec equivalent? Or perhaps you just meant OnDemand's "simulation" of being like a live class?
In any case, some of you who are on the SANS Advisory board might have also seen the lengthy threads / complaints a while back about SANS training costs from former SANS students themselves. I suspect with the added emphasis on the whole DoD 8570, a big part of SANS / GIAC's game is the defense contractor market where there's probably a lot of government dollars, increasing awareness and evolving requirements, and the appeal of hand-holding students which fits that crowd (I'm only guessing though based on my impressions of how things work in government, which isn't always flattering).
I couldn't tell you the real costs associated with running these kinds of training / certification programs and all the other community contributions and research, but I'm probably somewhat unique when it comes to funding these courses on my own dime (or maybe I'm just crazy). For my case, I needed some kind of "career-accelerant" and since my brain can only take so much compressed intensity at once, the hand-holding that SANS provides helped a lot. For the most part it has been worth the effort for me especially considering the position that I'm in right now, but certainly may not be the case for many others. There are some courses which I had hoped more from (such as 502), but I kind of knew that going in. It did at least help validate and extend some areas that I already had some experience in.
From a certification perspective, I'm sure at least one or two potential employers or recruiters who saw my resume with all the letters splashed across took note of them, but I don't think it really helped my chances at getting hired for my current position and the one before it. However, the process of studying for these did reinforce my foundations and increased my overall confidence level in how I approach / question things, including vendors who try to sell me stuff.
Another thing to keep in mind is that when a lot of people think about "security training and certs," many times they're thinking of the offensive / pentesting mindset. There is an increasing amount of material and courses for these. While SANS / GIAC has GPEN, GWAPT, and some of the other 600-level offerings, there's a ton of somewhat similar offerings such as Offensive Security, eLearnSecurity, EC Council, etc. We live in good times. I've yet to take OffSec's PWB (maybe one day when I have more free time), but my impression is that pound-for-pound, dollar-for-dollar, PWB would be the more real-world and more "fun" course to take compared to SANS 560. And I do mean "fun" in every sense of the word: the sexy tutorial videos, black hacker backgrounds, and the thrill-of-the-hunt doing the final challenge, which can be both emotionally exhausting and rewarding.
My impression is based on all the past SANS classes I've gone through and the one OffSec (BackTrack WiFu) experience I've had. I've heard that 560 and PWB complement each other, but if you had to choose one, my first instinct would be to recommend OffSec's with the caveat that if you're looking to attract HR eyeballs, you might not be accomplishing much unless you're applying to an organization that keeps up on these things (not common from what I can tell).
But on the defensive side, if you're looking for vendor-neutral training there seems to be much less of it. For me the prime example is SANS SEC-503 / GCIA. Going through that really helped turn things around for me and I've been able to help bootstrap a fresh start to the security program at my current job. I wouldn't say it's the only thing you need to be good at this kind of work, but I felt it had a large influence in preparing for my current role. SANS' instruction model (at least their OnDemand) works well for me for the most part since it tailors well to my schedule and time availability. Less-intelligent individuals like myself need to be spoon-fed after a long day's work since our heads are ready to explode if we become too immersed.
I'm sure there are folks lurking in these forums researching their choice in security training courses. A number of factors probably present themselves: recognition from current / future employers, employment requirements, personal goals and achievements in the wish list, the type of learning environment that fits your style, and of course cost (time and course fees). I think SANS is great for a lot of things, but none of them have made me an expert. They provided me a path for looking at things a bit more critically, but it's really up to me to make the best of what I've supposedly learned. I still have quite a ways to go. And their course books can be better proofread as I see quite a few minor grammar issues here and there, which doesn't help the credibility.
Back to signing my bankruptcy papers...
Thanks for catching that - that is exactly what I meant.
Ditto. DoD 8570 definitely has something to do with it, no doubt.
I feel the same way, so I can only echo your comments.
I couldn't agree more with this statement. I also feel PWB is an excellent way to prepare for SANS GSE if you are still considering it. As you know, PWB focuses strictly on offense, but imagine sending a copy of all of your malicious traffic to your local copy of SNORT. This should provide you with an incredible playground to practice your defensive skills.
Not much to add here. Excellent advice folks - it does not get better than this.
I enjoyed SANS 503 / GCIA as much as you did. There's no other course out there quite like it, so I would highly recommend it to those who can afford it. Dell's SecureWorks / Symantec, etc. require GCIA for a reason, especially if you are part of their SOC team.
I felt SANS was great for a while, but it didn't take long for that bubble to burst. I do wholeheartedly agree that their course books can be better proofread and their quality can also be improved.
Welcome to the club!
For example, GISP is CISSP related. GSEC is close to CISSP, except software development and hardware are replaced with Linux and Windows hardening basics. GCIH is CEH with incident handling covered: the CEH plus incident handling books plus Counter Hack Reloaded.
There are tons of books on Amazon related to GIAC courses. And from the reviews you will know that they are written by experts in the field as well.
In addition, you can do some probing into the author's name and look them up in the GIAC professional search directory. You may find that some of the SANS instructors and GIAC certified authors have written books on sale on Amazon.
Ed Skoudis, Eric Cole, Stephen Northcutt, Chris Sanders, Joshua Wright, Zenny Lester, and Eric Conrad are some examples of instructors or GIAC certified professionals who have written books and published them themselves.
GIAC course books are around 1200 to 2000 pages in length, A4 size with plenty of white space. Reading about 150% more than what the course covers will put you in the safe range for passing. That is equivalent to about 600 to 1000 pages without any white space.