SANS noob - vulnerability management

So I just passed my CISSP, and now my boss says they will pay for some SANS courses. And will do multiple courses. I'm in charge of lots of stuff, but one of my main areas is Vulnerability Management.

I never had time to take a week off for a work study program, and I didn't have the spare change to pay for these on my own, so I never really researched it.

now suddenly it is an option. So this little SANS magazine thing says SEC301 > SEC401 > SEC504 and then SEC 550 or a bunch of specializations such as Network, WEb, Lab, Mobile, etc

which sort of falls in line with things here:

https://www.sans.org/curricula/

or

https://www.giac.org/certifications/get-certified/roadmap

so.... my question...

I was thinking SEC401 (GSEC), then SEC504 (GCIH), then SEC560 (GPEN)

I don't believe there are any prerequisites, and I'm assuming I should have no qualms for skipping SEC301 (GISF), but anyone with experience, do I need SEC401 (GSEC)?

I would be more than happy to take it and add it to my resume, but I don't want to waste company money and time if it is basic stuff

also SEC550 does not have a cert attached to it, so dont know I want that

Find more posts tagged with

Comments

NetworkNewb

Sounds like you have more experience than me and I went straight into GCIH. They give you everything you need to know to pass the course and do not need to be an expert in anything to go through it comfortably.

GirlyGirl

Personally from someone who has taken more than one course, I wouldn't recommend GSEC to anyone. Nothing against it, or SANS/GIAC but it's pretty basic for the cost. I would suggest Security+ over GSEC. From a financial standpoint. It is like paying 60k for a Honda Accent. The only way I'd take it is if the top picks for my WorkStudy request were denied and that was the only other option. It is 3,214 (listed) GSIF professionals and 28,933 (listed) GCIH professionals. That is all the time I have to write about it. Personally If I am paying or anyone is playing for a course it better give me a return of investment or some sort

I would suggest the SEC560. Since I've taken the SEC504 and currently taking the SEC560. You used the word vulnerability. A vulnerability according to SANS is, a flaw someone can exploit to cause harm. This course deals heavily on exploitation. 100000x more than SEC504.

Mike-Mike

thanks for the heads up, I will probably try and skip GSEC then... and I did plan on SEC560 (GPEN), but I'm not sure what you saying about SEC504 (GCIH)... you think 504 was good?

and I am pretty sure they will pay for at least 2, most likely 3 courses for me, so it is not like I need to pick 560 or 504, I can do both, just want to make sure 504 would be beneficial

NetworkNewb

GirlyGirl wrote: »

I would suggest the SEC560. Since I've taken the SEC504 and currently taking the SEC560. You used the word vulnerability. A vulnerability according to SANS is, a flaw someone can exploit to cause harm. This course deals heavily on exploitation. 100000x more than SEC504.

I'm assuming this is correct. I've only taken the GCIH course, but since it is an incident handling course it goes over the incident handling process. Where the 560 is just a penetration course. I'm assuming the 504 more is a beginner penetration course compared to the 560.

TechGromit

Mike-Mike wrote: »

thanks for the heads up, I will probably try and skip GSEC then... and I did plan on SEC560 (GPEN), but I'm not sure what you saying about SEC504 (GCIH)... you think 504 was good?

I took the SEC504 and I feel it was beneficial to me. While I agree you can skip the GSEC since you already have a CISSP, the CISSP covers nothing nothing about the tools you need and use for incident response, which the 504 covers.

NetworkNewb wrote: »

I'm assuming the 504 more is a beginner penetration course compared to the 560.

As for 504 not being a penetration testing course, it's not suppose to be, it's an incident response course where you get to learn both offense and defense. I would cautious of skipping too many of the basic SANS courses and jumping into the more advanced stuff. If you do not have a decent foundation, (which the CISSP doesn't give you) your going to quickly be over you head when taking the more advanced courses.

Mike-Mike

NetworkNewb wrote: »

I'm assuming this is correct. I've only taken the GCIH course, but since it is an incident handling course it goes over the incident handling process. Where the 560 is just a penetration course. I'm assuming the 504 more is a beginner penetration course compared to the 560.

but based on your experience, did you find the GCIH as beneficial?

Mike-Mike

TechGromit wrote: »

I would cautious of skipping too many of the basic SANS courses and jumping into the more advanced stuff. If you do not have a decent foundation, (which the CISSP doesn't give you) your going to quickly be over you head when taking the more advanced courses.

well in addition to the CISSP, i have 22 other certifications, my bachelors and masters from WGU and over 15 years of experience it technology, with over 5 being security related.

that being said, I dont have an over inflated opinion of myself, and I would gladly take the GCIH course if those of you who have had it recommend it

i dont see anything wrong with having a resume with multiple GIAC certs, but like I said, I dont want to waste company money for no reason

iBrokeIT

Have you looked into any over their graduate certificates? This one might be of interest: https://www.sans.edu/academics/certificates/penetration-testing

At $5k per class+cert it might be cheaper and easier to tap into multiple sources of funding through your company if they offer both tuition reimbursement + training budget. That's probably what I'll be doing once I qualify after hitting the 1 year mark at my new company.

Also yes, skip the GSEC since you already have most of that knowledge and don't need the name recognition of that cert.

UnixGuy

I'm not a SANS expert but Im doing the GCIA now. Based on your experience, I would choose GCIA, GCFA...like the more challenging ones. I don't think there is a cert for vulnerability management - maybe the vendors certs for that. SANS are great, the more the better. If I get an opportunity with SANS, I'll always choose the more challenging ones

NetworkNewb

iBrokeIT wrote: »

At $5k per class+cert it might be cheaper and easier to tap into multiple sources of funding through your company if they offer both tuition reimbursement + training budget. That's probably what I'll be doing once I qualify after hitting the 1 year mark at my new company.

I tried doing this at my current company and my manager denied me! Says I couldn't grab from two different buckets for the same thing... Thought it was pretty weak!

TechGuru80

GirlyGirl wrote: »

Personally from someone who has taken more than one course, I wouldn't recommend GSEC to anyone. Nothing against it, or SANS/GIAC but it's pretty basic for the cost. I would suggest Security+ over GSEC. From a financial standpoint. It is like paying 60k for a Honda Accent. The only way I'd take it is if the top picks for my WorkStudy request were denied and that was the only other option. It is 3,214 (listed) GSIF professionals and 28,933 (listed) GCIH professionals. That is all the time I have to write about it. Personally If I am paying or anyone is playing for a course it better give me a return of investment or some sort

I would suggest the SEC560. Since I've taken the SEC504 and currently taking the SEC560. You used the word vulnerability. A vulnerability according to SANS is, a flaw someone can exploit to cause harm. This course deals heavily on exploitation. 100000x more than SEC504.

The real value that comes from GSEC compared to the Security+ is the Windows/Linux knowledge, and the labs. It really comes down to who is footing the bill...you could always try to do a Work Study for GSEC. Somebody who has a good grasp on the GSEC knowledge will be of more value than Security+...but it covers more.

The core concepts of SANS come from GSEC, GCIH, and GCIA....so I would frankly start with those unless you are specifically in a pen testing role or have a very focused need (like forensics). Frankly in a lot of companies, vulnerability management involves reading scan outputs and tracking their remediation. Security Engineers and Security Analysts are much more likely to require pen testing and forensic skills.

iBrokeIT

NetworkNewb wrote: »

I tried doing this at my current company and my manager denied me! Says I couldn't grab from two different buckets for the same thing... Thought it was pretty weak!

Yikes! I get the impression that he is one of those managers that feels threatened by too much employee professional development and is reigning you in through the training budget strings he controls. IF that is the case, you have my condolences.

Ertaz

Meh, I administer a vuln mgmt program. It can get deep quickly if you have a large volume of devices and regulatory and other compliance issues to contend with.

I took sec560 back in October as my first SANs class. My feedback is that it had very little to do with an actually managing vulnerabilities but it does give some good info on assessing them. (It's still the best training class I've ever attended.) The class was way crowded. Lots of smart people contending for time with the instructor.

A few things I wish I'd known more about and worked to shape at the outset:

1. Vulnerability Management Policy -> This makes or breaks what you and the folks who are resolving issues are accountable for and defines what risks management is willing to accept. Too lenient and you're at risk, too strict and you're working beyond your capacity and causing hate and discontent through the entire org.
2. What suite do you use to manage your vulnerabilties? (Nessus/Nexpose/Qualys) Many times they offer free or discount training with their tools.
3. How do you deliver the reports to engineers and to management? Do they access the tool natively? an excel export? integrated with a GRC tool? Have you set goals around your assessments?

Danielm7

iBrokeIT wrote: »

Yikes! I get the impression that he is one of those managers that feels threatened by too much employee professional development and is reigning you in through the training budget strings he controls. IF that is the case, you have my condolences.

Just sounds like company policy, I can't do it at my company either. It's either tuition, or training, but not both.

The plus side of that is that, assuming your company pays for training, is that you can do both. Or, if you don't need any more schooling, if you leave the company you're not required to pay back training funds in most cases where tuition reimbursement ties you to the company by requiring payback in time (typically 1 year working there for each year of reimbursed tuition).

kiki162

I agree with GirlyGirl on the GSEC exam. That one is a mix of Net+ and Sec+ IMO, and yes it's great, but it's like getting your MCP or A+. If your looking for an entry level course to ease you into SANS/GIAC, start with either SEC 501 or SEC 503, then go for SEC 504. Remember you don't have to take exams, but you'll get a lot of good experience in.

BTW...I should come work at your company if they are paying for SANS courses like that

BlackBeret

I know I'm late to the party, but 504 is very basic. You don't need it to go on to 560. 503 (leading to GCIA) is a much better course for the money and deals more with vulnerability management and analysis. I HIGHLY recommend SEC503 to anyone doing analysis or technical management, it's a good course and I'd put it over 504 any day.

Mike-Mike

iBrokeIT wrote: »

Have you looked into any over their graduate certificates? This one might be of interest: https://www.sans.edu/academics/certificates/penetration-testing

At $5k per class+cert it might be cheaper and easier to tap into multiple sources of funding through your company if they offer both tuition reimbursement + training budget. That's probably what I'll be doing once I qualify after hitting the 1 year mark at my new company.

Also yes, skip the GSEC since you already have most of that knowledge and don't need the name recognition of that cert.

I might give this a shot

NetworkNewb wrote: »

I tried doing this at my current company and my manager denied me! Says I couldn't grab from two different buckets for the same thing... Thought it was pretty weak!

I expect this will be the outcome

kiki162 wrote: »

BTW...I should come work at your company if they are paying for SANS courses like that

I have worked for several big name big money corps, and this is the first to even consider it

BlackBeret wrote: »

I know I'm late to the party, but 504 is very basic. You don't need it to go on to 560. 503 (leading to GCIA) is a much better course for the money and deals more with vulnerability management and analysis. I HIGHLY recommend SEC503 to anyone doing analysis or technical management, it's a good course and I'd put it over 504 any day.

I will have to look into 503

sb97

kiki162 wrote: »

I agree with GirlyGirl on the GSEC exam. That one is a mix of Net+ and Sec+ IMO, and yes it's great, but it's like getting your MCP or A+. If your looking for an entry level course to ease you into SANS/GIAC, start with either SEC 501 or SEC 503, then go for SEC 504. Remember you don't have to take exams, but you'll get a lot of good experience in.

BTW...I should come work at your company if they are paying for SANS courses like that

SEC503 is still probably the best training class I have ever had. When I used to work for a MSSP we sent all new analysts to the course.

UnixGuy

sb97 wrote: »

SEC503 is still probably the best training class I have ever had. When I used to work for a MSSP we sent all new analysts to the course.

+1

Awesome course and usually stuff that are hard to have in one place.