Wednesday, April 27, 2011

How do you address training for SIEM/LM analysts?

I struggled a bit with the title but bear with me.

The question arises from time to time, and especially now that I am at my new job, where we are being asked to submit training requests for next year’s budget cycle – what training would you like to get/attend? Good question. The challenge in the SIEM-esque/LM space (IMHO) is that you are getting events from any number of disparate systems with which you may or may not have familiarity. My experience is that generally there is a team of folks devoted to the care and feeding of a particular piece of technology, but they usually don’t actually look at the (log) data coming out of it with an eye towards taking action – they are focused on making sure the blinking lights stay blinking. You come in at the critical juncture of marrying up conceptual detection use cases to the technical exercise of extracting value out of the logs the blinking lights produce. So how do you bridge that knowledge gap? Do you even approach the subject of getting training with an eye towards this gap, or do you leverage the "training" opportunity to dive into other areas?

I sure would be interested in how people have tackled this issue. A “Just in Time” 3rd-party SME type of education model appeals to me, but I would guess most shops don’t have enough people (or aren’t able to free up enough people) to justify the expense of hosting custom training on-site. No doubt shop maturity factors into the discussion. The SANS Intrusion Detection In-Depth class looks pretty good and looks like it covers a decent swath of topics. Have folks found any other good general-purpose courses, or do you tend to focus on training for specific items/threat types, with an eye towards “reverse engineering” your knowledge relative to the specific data streams you have coming into your solutions?