Wednesday, April 27, 2011

How do you address training for SIEM/LM analysts?

I struggled a bit with the title but bear with me.

The question arises from time to time, and especially now that I am at my new job where we are being asked to submit training requests for next year’s budget cycle – what training would you like to get/attend? Good question. The challenge in the SIEM-esque/LM space (IMHO) is that you are getting events from any number of disparate systems with which you may or may not have familiarity. My experience is that generally there is a team of folks devoted to the care and feeding of a particular piece of technology, but they usually don’t actually look at the (log) data coming out of it with an eye towards taking action – they are focused on making sure the blinking lights stay blinking. You come in at the critical juncture of marrying up conceptual detection use cases to the technical exercise of extracting value out of the logs the blinking lights produce. So how do you bridge that knowledge gap? Do you even approach the subject of getting training with an eye towards this gap, or do you leverage the "training" opportunity to dive into other areas?

I sure would be interested in how people have tackled this issue. A “Just in Time” 3rd party SME type education model appeals to me but would guess most shops don’t have enough people (or able to free up enough people) to justify the expense of hosting custom training on-site. No doubt shop maturity factors into the discussion. The SANS Intrusion Detection In-Depth class looks pretty good and looks like it covers a decent swath of topics. Have folks found any other good general type courses or do you tend to focus in on specific items/threat types of training with an eye towards “reverse engineering” your knowledge relative to the specific data streams you have coming into your solutions?

2 comments:

  1. Mark,

    The two ACSA (AlienVault and ArcSight) certifications are worth mentioning. They have training classes available tied to these certs.

    I think most SIEM/LM analysts should start with the McGraw-Hill book on SIEM. I am a firm believer in on-the-job training and if any "training budget" is available -- to allow the individual contributors to focus on the training that they want, while providing them with a list of local (or nearby) security conferences that they can go to (e.g. Shmoocon, SOURCE, Toorcon, BSides, OWASP, et al).

    I would also push to start a local SIEM/LM user group with those training dollars (a little PR, a central meeting place with easy public transportation and handicap access, and a catered breakfast/lunch a few times a year goes a long way). Get local businesses and organizations to discuss their SIEMs in a free, non-profit, unbiased, vendor-neutral approach similar to OWASP local chapters.

  2. Thanks for posting, dre; there are some good ideas in there, especially trying to spin up local groups to do some knowledge sharing. That said, I wasn't particularly impressed with the book (my review - http://runals.blogspot.com/2011/01/book-review-security-information-and.html); something for a new person to read, maybe.

    The backdrop of where I was trying to go with my post was more of: if you tell me what I should look for, I can figure out how to get it done, or how to hopefully extract that out of the logs I’m getting. The kicker is knowing enough in a particular vendor-agnostic area (OS, FW, IDS, AV, etc.) to understand which events are really indicative of anomalous activity vs., given this and that parameter, “these” events are really just noise or of less criticality. Where I’d like to focus is more on the incident detection stage (vs. say sitting at a box and trying to do forensics), but scaled to a level given the volume and visibility a SIEM/LM solution provides. I did that for over 2 years but still think I have room to grow in that area. It’s the difference of knowing, for example, which events to not look at on a Windows DC for local logins, because you are going to see computers updating their group policy. Hope some of that makes sense.

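The domain controller example in the comment above (machine accounts authenticating for Group Policy refresh drowning out the logons you care about) is the kind of noise/signal split a SIEM analyst ends up encoding as a filter. The following is an added example, not code from the post or either commenter: a small Python triage routine over constructed records shaped like the EventData fields of Windows Security event 4624 (TargetUserName, LogonType, IpAddress, WorkstationName). The field names and logon type numbers follow Microsoft's documentation for 4624; the sample events, the hypothetical hostnames/usernames, and the labelling policy (what counts as "noise" versus "review") are assumptions for illustration and would need tuning to a real environment.

```python
"""Triage of 4624-style logon events on a domain controller.

Added example. SAMPLE_EVENTS are constructed records, not real logs.
"""

# Logon type values as documented for Windows Security event 4624.
INTERACTIVE = 2          # console logon
NETWORK = 3              # SMB/Kerberos access from another host
BATCH = 4                # scheduled task
SERVICE = 5              # service start
UNLOCK = 7               # workstation unlock
NETWORK_CLEARTEXT = 8
NEW_CREDENTIALS = 9      # runas /netonly
REMOTE_INTERACTIVE = 10  # RDP
CACHED_INTERACTIVE = 11

# Logon types that mean a person is (or claims to be) sitting at or
# remoted into the DC. On a DC these are rare and worth a look.
CONSOLE_LIKE = {INTERACTIVE, UNLOCK, REMOTE_INTERACTIVE, CACHED_INTERACTIVE}

# Built-in accounts whose service/batch logons are routine on any host.
BUILTIN_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def is_machine_account(name):
    """AD computer accounts end in '$' (e.g. WS01$). They hit the DC
    constantly for Group Policy refresh, DNS registration and so on."""
    return name.endswith("$")


def classify(event):
    """Label one 4624-style event observed on a DC.

    'noise'   : machine-account or anonymous network logon (GPO refresh etc.)
    'system'  : service/batch logon by a built-in account
    'review'  : a named account with a console-like logon type
    'network' : a named account's network logon (normal file/Kerberos access)
    """
    user = event["TargetUserName"]
    ltype = event["LogonType"]
    if ltype == NETWORK and (is_machine_account(user) or user.upper() == "ANONYMOUS LOGON"):
        return "noise"
    if user.upper() in BUILTIN_ACCOUNTS:
        return "system"
    if ltype in CONSOLE_LIKE:
        return "review"
    return "network"


def triage(events):
    """Return (events worth an analyst's attention, counts per label).

    The counts are kept so the suppressed volume stays visible; a sudden
    change in the 'noise' count is itself something to notice.
    """
    kept, counts = [], {}
    for ev in events:
        label = classify(ev)
        counts[label] = counts.get(label, 0) + 1
        if label == "review":
            kept.append(ev)
    return kept, counts


# Constructed sample records (hypothetical hosts, users and addresses).
SAMPLE_EVENTS = [
    {"TargetUserName": "WS01$", "LogonType": 3, "IpAddress": "10.0.0.21", "WorkstationName": "WS01"},
    {"TargetUserName": "WS02$", "LogonType": 3, "IpAddress": "10.0.0.22", "WorkstationName": "WS02"},
    {"TargetUserName": "ANONYMOUS LOGON", "LogonType": 3, "IpAddress": "10.0.0.40", "WorkstationName": "-"},
    {"TargetUserName": "SYSTEM", "LogonType": 5, "IpAddress": "-", "WorkstationName": "-"},
    {"TargetUserName": "NETWORK SERVICE", "LogonType": 5, "IpAddress": "-", "WorkstationName": "-"},
    {"TargetUserName": "jsmith", "LogonType": 3, "IpAddress": "10.0.0.21", "WorkstationName": "WS01"},
    {"TargetUserName": "jsmith", "LogonType": 10, "IpAddress": "10.0.0.99", "WorkstationName": "JUMP01"},
    {"TargetUserName": "dcadmin", "LogonType": 2, "IpAddress": "127.0.0.1", "WorkstationName": "DC01"},
]


if __name__ == "__main__":
    kept, counts = triage(SAMPLE_EVENTS)
    print("suppressed/labelled:", counts)
    for ev in kept:
        print("REVIEW:", ev["TargetUserName"], "type", ev["LogonType"], "from", ev["IpAddress"])
```

Two things a practitioner would want to keep in mind with a filter like this: user-side Group Policy processing also produces type 3 logons for the user account (SYSVOL reads), so ordinary user network logons are deliberately left in the "network" bucket rather than marked noise, and the right handling of that bucket depends on the environment; and the counts are returned precisely so the suppressed traffic is not invisible, since a machine account that suddenly stops or starts checking in can matter as much as any single event.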