GCIA Intrusion Analyst

altdrugz · December 2013

Hello, I ve taken my CCNA in the last May and now im doing my MSc in Information Security. I will probably go for the CISSP exam around July. The doubt that I have is that I would like to work in a job that could have any relation with intrusion detection systems etc. So I found this GCIA Intrusion Analyst certification but I think that it is kinda outdated or something. The question is shall I go for CCNA Sec or CCNP Sec or for GCIA Intrusion Analyst?

veritas_libertas · December 2013

Why do you assume that it's outdated?

docrice · December 2013

I have the impression that SANS 503 has been recently updated since the SANS course listing has a "new" label marked next to it.

The Cisco courses will teach you how to configure Cisco security appliances, but I seriously doubt they will put you into a strong security mindset. Configuring for best-practices is one thing, but to understand the playing field more in-depth and from an attacker's perspective really rounds things out. I've noticed that many people who know how to configure tools often don't know what it is they're defending against. In addition, many ASA admins that I've met have very little understanding how TCP/IP functions at a low-level and how it's abused. Without knowing the latter, you have no real defense aside from very basic perimeter security.

altdrugz · December 2013

I think its outdated because searching for books I found out the Network Intrusion Detection book that was written in 2004 and also the books related to snort/tcpdump filters and wireshark filters are kinda old. By the way, do you think that this is what is needed? Applying rules to wireshark/snort/tcpdump ? I havent understood completely the exam... Also I agree with you @docrice lots of people dont have a fully understand about the different aspects of security. Thankfully for me I am learning these different aspects of security management in my Msc. I still have to figure out whether the GCIA Intrusion Analyst certification will give TRUE value (adding my MSc + CISSP + CCNA) for the next September that I will search for a job.

docrice · December 2013

The book you're referring to isn't the course material. But that said, understanding these concepts and applying them is pretty critical in day-to-day operations when responding to IDS alerts. Anyone can initially install an IDS/IPS appliance, but continued tuning and event validation requires a lot more depth than simply knowing which buttons to push and knobs to turn in order to modify the behavior of the sensors.

SANS 503 certainly isn't the end-all when it comes to intrusion detection training, but I will say that it opens up a whole new world than what the vendor-based courses teach (even Sourcefire's for their commercial solutions). The groundwork to do real intrusion detection is really about understanding patterns, normality, and abnormality. This requires a particular focus and mindset beyond seeing the network through the eyes of tools.

Intrusion detection is a craft that not many understand, and many IT shops treat the subject as a thing that's outsourced to a device which runs on auto-pilot. However, this is a serious disservice since it completely overlooks the nuances involved in understanding your environment and being sensitive to changes/anomalies. Some organizations will recognize GIAC certifications (particularly the GCIA), and some won't. I will say that out of all the SANS courses and GIAC certifications I've obtained, the GCIA remains one of the top two or three most valuable to me personally due to the amount of revelation in perceiving threats, the adversary's potential mindset, and the multi-dimensional correlation which an analyst must bring together during event validation.

If you can visualize the structure of traffic and their payloads at the atomic level and question the assumptions made by vendors, hardware appliances, software, configurations, and their factory rules, you become that much more empowered to see past the marketing hype and the documentation made by the product designers and therefore more effectively gain sufficient sensitivity to detect and respond to potential threats.

altdrugz · December 2013

Do you think that understanding completely how to write filters for snort/tcpdump/wireshark will be enough to pass the GCIA Intrusion Analyst cert?

docrice · December 2013

No. That's only a small part of the SANS SEC-503 material.

dover · December 2013

I agree wholeheartedly with Doc.

503 wants to give you a deeper understanding of TCP/IP and TCP/IP traffic; not just what layer does what or what filter you need to use to 'see' certain things. It goes much deeper. The class wants to teach you what each byte in each header is for, what it indicates (and doesn't indicate) and it gives you the information to decide for yourself if that is something you want to log, allow, block, alert, investigate, etc. Like Doc said, an IPS/IDS shouldn't be some 'box' that flies on autopilot unless all you want is a checkbox on an audit report.

Bottom line (in my opinion), if you have the opportunity to take 503, take it. You won't learn this material, in this way, in a Master's class - at least not one that I've encountered anyway.

YFZblu · December 2013

My two cents: The CCNA: Security track is really just an awareness certification. The IDS/IPS portion is basically a chapter on how to click around the GUI to enable/disable rules.

If you're interested in beginning to learn actual intrusion detection, IMO you will be hard-pressed to find better training than SANS 503.

GCIA Intrusion Analyst

Comments