IDS/IPS Analyst

itguy7itguy7 Member Posts: 23 ■□□□□□□□□□
I would like to get into a IDS/IPS analyst role. Does anyone have any experience or knowledge on how to get into this field? Most require previous IDS/IPS experience with Snort, ArcSight...etc. I don't have any professional experience with either of those but being in IT I'm sure you guys can understand a short overview customized to how a particular company uses it is all that's needed. Any IDS/IPS training which is affordable that would help me in the door? What other certs (if applicable) are there related to this position?

I'm trying to break out of helpdesk and start using my CEH cert for an intrusion analyst position. Any help would be appreciated! Thanks!


  • Options
    the_Grinchthe_Grinch Member Posts: 4,165 ■■■■■■■■■■
    What you would probably want to look for is an MSP with a Security Operations Center. I think that will probably be one of the few places that would have a dedicated IDS/IPS Analyst. Seems to me that most companies will tack it on as a collateral duty within whatever internal security team they currently have. GCIH and GCIA are probably two certs you would want to look into.
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • Options
    LinuxRacrLinuxRacr Member Posts: 653 ■■■■□□□□□□
    Last time I checked, you could download the ArcSight Logger software for free for "evaluation purposes" for a full year. Of course the number of servers and such are limited, but you get 90 days of free tech support with it as well. You have to have a valid company e-mail address though. Give that a try.
    My WGU B.S. IT - Security Progress : Transferred In|Remaining|In Progress|Completed
    AGC1, CLC1, GAC1, INC1, CTV1, INT1, BVC1, TBP1, TCP1, QLT1, HHT1, QBT1, BBC1 (39 CUs), (0 CUs) (0 CUs)
    WFV1, BNC1, EAV1, EBV1, COV1 | MGC1, IWC1 | CQV1, CNV1, IWT1, RIT1 | DRV1, DSV1, TPV1, CVV1 | EUP1, EUC1, DHV1| CUV1, C173 | BOV1, CJV1, TXP1, TXC1 | TYP1, TYC1, SBT1, RGT1 (84 CUs) DONE!
  • Options
    itguy7itguy7 Member Posts: 23 ■□□□□□□□□□
    @the_Grinch - Thanks. I do like how those certs have no prerequisites. I may get one of them but I've seen the GCIH being equal to the CEH so I'm hesitant.

    @LinuxRacr - Thanks! I didn't know that and will definitely play with it if I can get my hands on it. I do have a valid company email. Sweet!
  • Options
    docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    I'd say the GCIH is a stronger cert than the CEH. That said, the GCIA is directly more applicable for intrusion detection, as well as something like SnortCP.

    So that said, in order to work with IDS / IPS systems effectively, you need strong TCP/IP fundamentals, going way beyond knowing what ports are typically used for what service. An understanding of TCP, UDP ICMP, IP protocols other than 1, 6, and 17, HTTP, applications and services on common operating systems, log correlation, and so on are important components of your capabilities. It's all about assembling the puzzle from different data sets and trying to see a coherent picture of an event. Usually, the amount of data is insufficient and judgement calls have to be made based on intuition or perceived potential risks. At best, you might catch the trojaned system beaconing back to motherships. At worst, you waste an incident responder's time by sending him on a wild goose chase.

    Snort, Splunk, and other logging / event systems are available for free or have free versions you can play with at home. Security Onion is a self-contained distro that allows you to quick start without having to separate installs of each package and find their dependencies. There are plenty of libpcap-aware tools that you can play with. But in order to make good use of them, you have to understand how to read traffic and events from systems. That usually requires some network and sysadmin experience, or at the very least some NOC work in order to put the pieces together. There's some science and some art involved. The latter requires quite a bit of hands-on experience with networks, operating systems, applications, and understanding user behavior.

    I know someone at my company who does a lot of desktop support and wants to start doing IDS analysis work, but I've told him that if his TCP/IP kung-fu is weak, he has to work on that first. If you see an event, you have to understand the context of how things are put together in order to rule out false positives. IDS (and perhaps especially IPS) systems can be particularly finicky and sensitive to traffic nuances and if you can't parse the details correctly or are off by one bit, an attack may be missed.

    If your TCP/IP knowledge is pretty basic, check out Laura Chappell's Wireshark Network Analysis book as I think it's probably one of the best introductions to the subject of traffic analysis. Richard Bejtlich's Tao of Network Security Monitoring and Extrusion Detection are also recommended reading.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • Options
    itguy7itguy7 Member Posts: 23 ■□□□□□□□□□
    Either I'll buy some books or just purchase online wireshark training from Laura's university. I would love to get my WCNA. I think it would be most beneficial on my resume but more so for the education pertaining to an IDS Analyst role.

    Thanks for the advice!! I now have a new cert to study for and get! And a bonus it's not thousands of dollars for the training and exam like some other certs (CEH, GCIA, GCIH).

Sign In or Register to comment.