Security Basics mailing list archives

Re: Certifications for SOC team


From: "J. Oquendo" <sil () infiltrated net>
Date: Wed, 18 Feb 2009 09:46:20 -0600

On Mon, 16 Feb 2009, Alcides wrote:

> Hi List,
>
> This question is specifically about certifications that may help us as
> team members, to demonstrate competency to the global clients who have
> assigned us a task to handle the SOC [security information center] for
> them. We have been handed over these responsibilities mostly on the
> basis of our experience. [ranging from 1 to 9 years]
> Some of us already have CEH, but we all are looking for a line of
> certs that has a good deal of respect in the industry.
> Thanks in advance.
>
> Cheers.

Certifications nowadays are becoming less and less attractive as opposed
to being a competent company with competent individuals. The most "hardcore"
security people I know in the industry really have no certs nor care about
them. Then there are those who get certs to make companies happy, etc. What
your question SHOULD have addressed is, "what content should I be teaching
and/or training my staff in?"

Training goes a long way and in my POV, experience trumps a cert every
single time. With that said, I'd personally teach topics along the lines
of incident response, handling and networking for starters. A SOC, depending
on what you're monitoring, is a really broad segment to give a definitive
answer to. What exactly is involved with your SOC? For example, do you
perform network analysis? If so, then I suggest you pick up some of Laura
Chappell's Wireshark University courses and have your guys thoroughly
understand how to capture, analyze, trace and dissect packet information.

If you're doing incident response, this too is going to differ. Post
incident response can and usually does consist of forensics if you
intend on prosecution. Chain of command is very big and if your IR
team isn't versed in law, protocols, etc., they'll likely cause more
harm than an intruder. With THAT said, you could go the CCE route or
CHFI route since you mention you have your C|EH. Be advised though,
you get what you put into it; reading a book for the sake of memorizing
is a lot different than understanding and practicing what you read.
Anyone can memorize anything and as I've stated repeatedly, monkeys
can be taught to run a tool.

I suggest re-vamping and re-posting the question, perhaps giving us
more information on the tasks you normally encounter in your SOC.
My SOC consists of incident response, forensics, network analysis,
SIEM, protocol analysis, etc.


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Enough research will tend to support your
conclusions." - Arthur Bloch

"A conclusion is the place where you got
tired of thinking" - Arthur Bloch

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E


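The reply above recommends that SOC analysts be able to capture, analyze and dissect packets rather than just run a tool. As an added illustration of what "dissecting" means below the Wireshark GUI, here is a minimal Ethernet/IPv4/TCP dissector in Python. This is example code written for this archive page, not code from the post, its author or any Wireshark University material. The frame it parses is constructed inline (the MAC and IP addresses, ports and HTTP payload are made-up sample values), and the function names `build_frame`, `dissect` and `ipv4_checksum` are this example's own. Beyond walking the headers, it verifies the IPv4 header checksum and rejects truncated or malformed frames, the two things an analyst most often needs to notice by hand.

```python
import socket
import struct
from typing import Any, Dict

# Bit order of the TCP flags byte (offset 13 in the TCP header), lowest bit first.
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over an IPv4 header.

    Over a header whose checksum field is zero this returns the value to store;
    over a header that already carries a correct checksum it returns 0.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload: bytes = b"GET / HTTP/1.0\r\n\r\n") -> bytes:
    """Build a constructed Ethernet II / IPv4 / TCP frame (sample input, not a real capture)."""
    dst_mac = bytes.fromhex("001122334455")  # made-up addresses
    src_mac = bytes.fromhex("66778899aabb")
    eth = dst_mac + src_mac + struct.pack("!H", 0x0800)  # EtherType IPv4
    # TCP: src port 40000, dst port 80, seq 1, ack 0, data offset 5 words, flags PSH|ACK
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip_no_csum = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
        socket.inet_aton("192.168.1.10"), socket.inet_aton("10.0.0.1"))
    csum = ipv4_checksum(ip_no_csum)
    ip = ip_no_csum[:10] + struct.pack("!H", csum) + ip_no_csum[12:]
    return eth + ip + tcp + payload


def _mac(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def dissect(frame: bytes) -> Dict[str, Any]:
    """Walk a frame from Ethernet down to the TCP payload, validating each layer.

    Raises ValueError on truncated or malformed input instead of silently
    reading past the end, which is where hand-written parsers usually go wrong.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out: Dict[str, Any] = {"eth": {"dst": _mac(dst), "src": _mac(src), "type": ethertype}}
    if ethertype != 0x0800:
        return out  # only IPv4 is dissected in this example

    ip_start = 14
    if len(frame) < ip_start + 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum,
     s_addr, d_addr) = struct.unpack("!BBHHHBBH4s4s", frame[ip_start:ip_start + 20])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes (IHL is in 32-bit words)
    if (ver_ihl >> 4) != 4 or ihl < 20 or total_len < ihl or len(frame) < ip_start + total_len:
        raise ValueError("malformed or truncated IPv4 packet")
    ip_hdr = frame[ip_start:ip_start + ihl]
    out["ip"] = {
        "src": socket.inet_ntoa(s_addr), "dst": socket.inet_ntoa(d_addr),
        "ttl": ttl, "protocol": proto, "total_length": total_len,
        "dont_fragment": bool(flags_frag & 0x4000),
        "checksum_ok": ipv4_checksum(ip_hdr) == 0,
    }
    if proto != 6:
        return out  # only TCP is dissected here

    tcp_start = ip_start + ihl
    if len(frame) < tcp_start + 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_res, flags, win, tcp_csum,
     urg) = struct.unpack("!HHIIBBHHH", frame[tcp_start:tcp_start + 20])
    data_off = (off_res >> 4) * 4
    if data_off < 20 or tcp_start + data_off > ip_start + total_len:
        raise ValueError("malformed TCP data offset")
    out["tcp"] = {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "window": win,
        "flags": [name for i, name in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
    }
    # Payload is bounded by the IP total length, not the frame length (Ethernet padding).
    out["payload"] = frame[tcp_start + data_off:ip_start + total_len]
    return out


if __name__ == "__main__":
    print(dissect(build_frame()))
```

Flipping a single byte of the IPv4 header in the constructed frame makes `checksum_ok` false, and feeding the dissector a frame cut short raises instead of returning garbage; both are worth trying against the output of a real capture tool once the principle is understood.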