A interpret on my terminal post, Reminder: Bejtlich Teaching at Negroid Hat DC 2010, a reverend asked:I am trying to intend my consort sponsorship for your collection at Negroid Hat. However, I was ask to reassert between your collection and SANS 503, Intrusion Detection In-Depth. Would you be healthy to wage some advice?That's a beatific question, but it's easy enough to answer. The coverall saucer to keep in nous is that protocol Weapons School 2.0 is a newborn class, and when I create a newborn collection I organisation it to be assorted from everything that's currently on the market. It doesn't attain sense to me to inform the aforementioned topics, or ingest the aforementioned doctrine techniques, institute in classes already existence offered. Therefore, when I prototypal taught TWS2 at Negroid Hat DC terminal year, I prefabricated trusty it was unlike anything provided by SANS or other trainers.Beyond existence unique, here are some specific points to consider. I'm trusty I'll intend some howls of oppose from the SANS folks, but they hit their own platform to reassert their approach. The digit classes are rattling different, apiece with a unique focus. It's up to the enrollee to end what sort of touchable he or she wants to learn, in what environment, using whatever methods he or she prefers. I don't wager anything specifically "wrong" with the SANS approach, but I maintain that a enrollee module wager skills more appropriate for their surround in my class.
- TWS2 is a case-driven, hands-on, lab-centric class. SANS is largely a slide-driven class. When you listen my collection you intend threesome handouts: 1) a workbook explaining how to dissect digital evidence; 2) a workbook with questions for 15 cases; and 3) a teacher's pass responsive all of the questions for the 15 cases. There are no slides aside from a some work items and a diagram or digit to explain how the collection is ordered up. When you listen SANS you module obtain individual sets of slide decks that the pedagogue module exhibit during the instruction of the class. You module also hit labs but they are not the pore of the class.
- I fashioned TWS2 to foregather the needs of a wide arrange of students, from beginners to modern practitioners. TWS2 attendees typically closing 5-7 cases per class, with the remainder suitable for "homework." Students can work at their own pace, although we counterbalance destined cases at checkpoints during the class. A some students hit complete all 15 cases, and I ofttimes ask if those students are looking for a newborn possibleness with my team!
- TWS2 is most work digital evidence, primarily in the modify of meshwork traffic, logs, and some module captures. The pore is irresistibly on the content and not the container. SANS spends more happening on the container and inferior on the content.For example, if you countenance at the SANS instruction overview, you'll wager they spend the prototypal threesome chronicle on protocol headers and psychotherapy with Tcpdump. Again, there's nothing criminal with that, but I don't tending so such most what bit in the protocol brick corresponds to the RST flag. That was mildly engrossing in the New 1990s when that conception of the SANS instruction was written, but the noesis of a meshwork conversation has been more essential this decade. Therefore, my collection focuses on what is existence said and inferior on how it was transmitted.
- TWS2 is not most Snort. While students do hit access to a fully-functional Sguil happening with Snort alerts, SANCP session data, and flooded noesis libpcap meshwork traffic, I do not spend happening explaining how to indite Snort alerts. SANS spends at small one period conversation most Snort.
- TWS is not most SIM/SEM/SIEM. Any "correlation" between different forms of grounds takes locate in the student's mind, or using the liberated Splunk happening containing the logs collected from apiece case. If you study dumping grounds into a system same Splunk, and then querying that evidence, to be "correlation," then we hit "correlation." (Please wager Defining Security Event Correlation for my thoughts on that subject.) SANS spends digit chronicle on evenhandedly simple unstoppered maker options for "correlation" and "traffic analysis."
- TWS cases counterbalance a panoramic difference of activity, patch SANS is narrowly focused on suspicious and malicious meshwork traffic. I definite to indite cases that counterbalance some of the sorts of activities I expect an project incident detector and responder to encounter during his or her professional duties. I also do not dictate some azygos move to work apiece case. Just same real life, I want the enrollee to produce an answer. I tending inferior most how he or she analyzed the accumulation to produce that answer, as long as the chain of rational is good and the enrollee can reassert and move his or her methodology.
I hope that helps prospective students attain a choice. I'll state that I don't beam some of my analysts to the SANS "intrusion detection" class. We wage in-house upbringing that includes my touchable but also focuses on the sorts of decision-making and grounds sources we encounter to be most trenchant in my company. Also gratify state this locate concentrated on the differences between my collection and the SANS "intrusion detection" class, and does not apply to other SANS classes.Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)
0 komentar:
Post a Comment