GCED Certification?

Hi there, this is my first post on this forum. I have been able to obtain approvals from my management to send me for in-person GIAC sessions - however, I am really confused if I should obtain the GCED (SEC 501) or GCIA (SEC 503).

I have a very strong Identity and Access Management and Information Assurance background. I am currently implementing a slew of security capabilities at my current organization from a defense standpoint, which will shortly include NIPS, HIPS and Log Correlation/SIEM. While I have a CISSP, I was hoping to take a technical course that could provide me the most value. I can see how GCED would be a broad coverage of material across different areas, and I can see how GCIA will take me down the path of intrusion detection and packet analysis. However, I do have other network security folks on the team who probably already specialize at application layer packet capture and firewall rule assessments - so given these factors, is it wise to spend $5000 on my GCED? Or would you rather choose an area of specialization and do things right first, before looking at the broad coverage?

Thanks,
Sunny

Find more posts tagged with

Comments

docrice

SANS 501 isn't as commonly discussed here and is probably one of SANS' less popular offerings (based on the current number of GCED-certified individuals), but I can see its potential value and considered taking it myself once or twice before. 503 is all about packet analysis, understanding headers, protocol behavior, gauging the adversary's point of view as well as your defense's, and discerning patterns. The value you'll derive by choosing one course or the other will largely be based on whether you're looking for better impact to your current role or if you want to learn a lot more about a niche subject area.

503 is easily one of my favorite SANS courses. However, there's also something to be said about a course that opens your eyes to many different areas to see a bigger picture. Tough choice, but ultimately depends on what you're trying to get out of the classroom experience.

ssuneja001

Thanks boss for replying to the post. I really appreciate you spending time on the forum and will look forward to sharing my thoughts across other areas in the forum.

I am choosing to go with SEC 501 first (to get the bigger picture, supplement my current positioning within Information Security, and to play the devil's advocate from time to time). I will probably be using the 2014 educational budget to move towards SEC 503, because I can clearly understand how it would be more tactical in nature with respect to incident management; and provide value with advanced packet/log/event correlation.

Regards,
Sunny

SephStorm

I can't wait to hear from a 501 student, I am very interested in the course myself.

YFZblu

I flipped through the 501 courseware at SANS San Francisco - A full day on malware alone is enough to pique my interest. It looks great.

Psyco32

YFZblu,
Was the day that you peeked at on detecting and/or reverse engineering malware? I have already taken the 610 course but to be honest some of it (610) was over my head and I will have put some serious study time in. Was wondering if in your opinion GCED course was something to shoot for. By the looks of the course syllabus it has parts of all the other SEC courses mixed in (503,504, 560) .

LionelTeo

I have both GCIA and GCED, below are my views of this two. I hope that they could be of help to you.

GCIA
- Packet Analysis
- Wire Shark
- TCP ****
- Binary Analysis
- Hex Analysis

GCED
- Basic IDS/Pen Test coverage
- Very good in depth Incident Handling Steps (much better than GCIH)
- Very good anti malware/cleaning/detection
- Very good router/network configurations, security and attacks

chanakyajupudi

Short but apt review on both.

Psyco32

@LionelTeo: Thanks. I might have to go back and take a look at the GCED next year.

JDMurray

Very few people have the GCED certification, maybe 800-1000. Most people go from the GSEC to the GCIA or GCIH.

LionelTeo

I remember my analyst number was about 900 plus.

I recommend this course along with GCIH. GCED is a really good reinforcement for GCIH. For example, GCED covers different tools use for detecting and cleaning malware, such as hiijack this, sysinternals tools, checkng for weird unusual services, newly added files, newly added DLLs, newly added drivers, newly added BHO's and how to see if they are malicious. It also cover on tools usage for checking rookits.

Eric Cole also cover the debate if we should just contained the system and pull it off from the network. He put up a good deal of information saying that network information is as valuable as the system information, and a sniffer can be run for a couple of hours before you contain the system if you have the time. He also give example of real world incident and the step by step hands on illustration on how it was contained.

The incident handling part of GCIH course heavily lacks information on this two areas.

In Addition, the first book contains all network device common security problem, and how to configure to fix it, this is the only course from GIAC that offers this information.

However, GCED is extremely disappointing in Intrusion and Penetration Testing areas, both areas seems like a product of rushed work having only about nearly 200 pages. Coverage is really really very poor in this two books as seems to be compare to other GIAC course book.

ssuneja001

Hi community members,

I have taken the GCED class (SANS 501) class this week. Let me know if you have any questions. I highly recommend everyone to take this course - it has some stellar content in it, and yes light coverage of Pen Testing type of areas. However, comprehensive coverage of network security, IDS configurations and malware detection makes this worth your time and money.

Regards,

Remedymp

Anymore updates on the GCED?

5ekurity

I'm interested also. I have my training already selected for the year, but I'm heavily considering GCED / GCIH next year.

laughing_man

Interesting. I wish I had known this. Taking GCIH now, mainly for the incident handling piece, which I agree is but a small sliver of the material in this course. Great course, don't get me wrong, but not exactly what I was hoping for. All the same, I will have to take a look at the GCED next time.

ssuneja001

Hi All,

I have passed the GCED today - and the exam was very structured and comprehensive. I will be happy to answer any of your questions, if you have any at this point. Having gone through the course content, I see the following associated with GCED:

+ - Incident Handling Procedures - they are absolutely great in this course.
+ - Network Infrastructure Hardening - terrific content
+ - Malware Analysis - Doesn't go into reverse engineering malware, so there's some scope of technical depth in my opinion
+ - Snort Rules (well covered)

My next goal would be to evaluate if GCIH or if GCIA makes more sense for me. I am primarily a "blue team" guy, however - I am coming to terms with the fact that a little bit of "red team" expertise is really vital to have a well-rounded appreciation in this field. Therefore, GCIH could be my next steps forward. Please note that I am not looking to start learning a new scripting language (to write exploits) at this point in my career, so my focus area is not necessarily penetration testing.

I would like to know if the course content for GCIH redundant if I already have a strong understanding of GCED content? If yes, would I be better off with a GCIA then?

Any thoughts?

docrice

I'm actually curious about SEC501 from the other direction - if one has already gone through 503 and 504, is there a benefit to taking 501? This is probably not a question you can answer, but I'm hoping someone out there who has gone through these three courses can.

I've heard that 501 complements 401 well, but I rarely hear of anyone actually taking it. Have you gone through 401 or passed the GSEC exam? Did you take 501 in a live instruction setting or via OnDemand or SelfStudy?

I think for your case, taking 503 vs. 504 is very dependent on whether your work (or interests) actually lie in network intrusion detection. Otherwise, I think 504 would be a good place to get that attacker viewpoint and I agree that in order to be an effective blue-teamer, you need to understand red-team tactics.

ssuneja001

Hi docrice,

Let me try and take a stab at your questions:

I'm actually curious about SEC501 from the other direction - if one has already gone through 503 and 504, is there a benefit to taking 501? This is probably not a question you can answer, but I'm hoping someone out there who has gone through these three courses can.

*** Exactly. From what I can see on the website, and on this forum, and on the day-to-day breakdown..GCED seems to a condensed form of GCIH (with some more meat added in the Incident Response, Network Security, and Malware) sections. I haven't seen or heard of a ton of GCED guys, so I guess we wait for someone knowledgeable.

I've heard that 501 complements 401 well, but I rarely hear of anyone actually taking it. Have you gone through 401 or passed the GSEC exam? Did you take 501 in a live instruction setting or via OnDemand or SelfStudy?

***GSEC to me looks exactly like CISSP. Not technical enough, and more for the managers. 501 was fairly technical relative to 401. I would probably not even compare the two. I took 501 in a live instruction setting, and the class was very very good. I was buzzing with ideas when I walked out, and I hit the ground running by being hands-on in terms of implementing some of the material at my firm.

I think for your case, taking 503 vs. 504 is very dependent on whether your work (or interests) actually lie in network intrusion detection. Otherwise, I think 504 would be a good place to get that attacker viewpoint and I agree that in order to be an effective blue-teamer, you need to understand red-team tactics.

**My work requires me to wear multiple hats. One day it is risk management, the other day it is Identity and Access Management, the third day it is identifying vulnerabilities and remediating them, and the next day, it could be identifying false positives from HIPS. However, NIPS analysis and rule-writing and doing packet captures/analysis will be a great skill set to have, even though I am probably not going to get authorized on implementing this knowledge right away. Considering that, I think 504 will add a lot of value from an execution standpoint. However, I am doubting if the content is the same as 501. And if it is, then I would rather chase new information than something that I could do more reading on, in my leisure time.

***My question to you docrice - I'd want to get more information on *NIX attack tools and Virtualized security implementations - is 504 too general for such specific areas?

Thanks.

docrice

504 will get into attacks levering Linux tools for sure, but it's in relation to the various steps in the IH process and their counter-viewpoints. I'd probably consider it as a basic network pentesting intro (although 560 is more appropriate for really getting into that topic).

As for virtualization, while 504 is a solid, balanced package in its own right, it doesn't really get into virtualization security. SANS has a course just for that (SEC579), although I've never taken it.

LionelTeo

docrice wrote: »

I'm actually curious about SEC501 from the other direction - if one has already gone through 503 and 504, is there a benefit to taking 501? This is probably not a question you can answer, but I'm hoping someone out there who has gone through these three courses can.

I've heard that 501 complements 401 well, but I rarely hear of anyone actually taking it. Have you gone through 401 or passed the GSEC exam? Did you take 501 in a live instruction setting or via OnDemand or SelfStudy?

I think for your case, taking 503 vs. 504 is very dependent on whether your work (or interests) actually lie in network intrusion detection. Otherwise, I think 504 would be a good place to get that attacker viewpoint and I agree that in order to be an effective blue-teamer, you need to understand red-team tactics.

Hi Docrice,

I went the GCIH, GCIA path before taking GCED. Yes there is a great amount of benefit for taking this course. GCED helps a lot in answering many of the incident handling questions missing in GCIH, in addition to the huge network switches and router hands on hardening and malware cleaning knowledge, its like getting to good **** sheet of cleaning malware and hardening network device in one course. But the pentesting and IDS is a far cry from being good, something which I hope they will improve

ssuneja001 wrote: »

Hi All,

I would like to know if the course content for GCIH redundant if I already have a strong understanding of GCED content? If yes, would I be better off with a GCIA then?

Any thoughts?

I would seriously recommend you to attempt GCIH challenge with the book counter hack reloaded (by Ed Skoudis), course author of GCIH, and Hacker Techniques, Tools, And Incident Handling (Jones & Bartlett Learning Information Systems Security & Assurance Series) [Paperback]. The money should be well spent on GCIA course. I would recommend GCIH for those new to IT Security due to the amount of viable path it can branch into from the course knowledge (forensics, audit, analyst, pentest). Even so, I would recommend to challenge GCIH first before thinking of going for the course.

cyberguypr

Thanks for the insight. I was also wondering about the value of doing 501 after 504. This year I applied for work/study and selected 503 as the first option and 501 as the second. I now feel confident that I'll be happy if I get either.