Absent Member.

Analyst Training

In addition to on-the-job training, the two training packages we use to train intrusion analysts are SANS' GIAC Certified Intrusion Analyst (GIAC) and ArcSight Certified Security Analyst (ACSA).  What other education and/or conferences would be vital for security operations analysts?
Absent Member.

The annual ArcSight user conference is a great learning resource, especially if the analysts have a role in creating rules, reports and other content.

http://www.arcsight.com/protect09/

-Joe

Admiral

Another good GIAC training is the GIAC Incident Handling (GCIH 504).

For the rest, I would say it depends on the type of logs you are collecting.  For instance, if you collect logs from a specific application like IIS or Oracle, having a good knowledge of HTTP and DB would help your analysts to better understand the risks related to the alerts they get.  However, this type of training should focus on the security aspect (no need to be a web developer or a DBA to understand risks related to these applications).

Depending on the role of your analysts, especially if they develop some AS content, it could also be interesting to have some basic knowledge in scripting and regex.

Absent Member.

I can't believe I missed a plug for the ArcSight User Conference!  Good work, Joe.

I like GCA's advice as well.  GCIH is just a darn good cert to have regardless, the tech-specific training is really critical for folks that'll be touching security devices or systems, and the scripting / regex stuff is great for SIEM hacking.

Thanks!

Absent Member.

I always found job rotation or job shadowing to be useful.

It's good to jump on opportunities to do new things.  When I was offered firewall work, I took it, DBA work, I took it, forensic work, I took it.

The more jobs you learn, the easier it is to understand the events you're seeing on the SIM.

-Joe

Fleet Admiral

Hello,

All analysts from our GSOC at Vodafone have to successfully finish the GCIA exam from SANS:

http://www.giac.org/certification/certified-intrusion-analyst-gcia

Volker
