In today's IT environments, budgets are shrinking and every dollar must be used wisely. This is especially true in network security training. With ever-evolving threats and operating system flaws, computer network security must be placed in the hands of well-trained individuals.
The security training on offer from reputable groups like SANS and Foundstone is excellent, but costly. Bear in mind it is not only the cost of the actual training, but the ancillary expenses too – flights, hotels, per diem, among others. And don't forget the fee for certification by such bodies as GIAC (the certification arm of SANS).
Many companies hiring network security analysts demand that candidates have certifications such as SANS before a position is offered, but the holders of sought-after certifications will command top dollar.
It is now feasible that the majority of the network security analyst's training be done in house, and at no cost to the company (except for the employee's normal salary). We have an embarrassment of training riches on the internet and, through the use of these free online assets, as well as tapping existing in-house expertise, one can create very substantial savings for their IT budget.
The ideal scenario is that the new security analyst is partnered with a senior one for six months or longer, as required. This is the best way to learn, because the senior analyst is familiar with the company's requirements.
New trainees are then brought up to speed using online resources. One website (www.incidents.org/logs) hosts Snort output logs. It is an excellent starting point for the analyst to begin analyzing IDS output and become familiar with it. Not every company uses Snort, but this serves as a great introduction to reading an IDS's output, and it begins to train the analyst's mind in pattern recognition. Another free resource is The Honeynet Project (www.honeynet.org), which hosts challenges based on the packet-level dissection of logs collected by honeypots.
These honeypots are built to be "rooted", and the site holds contests based on the logs they have collected. The winning analysis is posted, so that trainees can compare their own work against it. The methodology used by the winning analyst will convey knowledge to others, because in the world of packet analysis it is important to have a methodology. It is how the individual will approach every packet trace, and by following one consistently, an analyst is less likely to miss something.
This site is the best one to use in the training of analysts because of the real-world traces collected by the honeypots. The files are offered for download in the industry-standard binary capture format (little-endian). This helps the analyst get used to working with files in binary form. Because the files are in this standard format, the new analyst can also become familiar with tools such as Ethereal, tcpdump, windump and others. In the process they will have to learn such essential skills as writing bitmasks and complex bpf filters.
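As an added illustration of the two skills just mentioned (this is example code, not from the article or the Honeynet Project), the following Python reads the binary pcap format, deciding byte order from the magic number, and applies a TCP flag bitmask equivalent to the tcpdump filter `tcp[13] & 0x12 == 0x02` (SYN set, ACK clear). The capture it reads is constructed inline rather than downloaded.

```python
import struct

SYN, ACK = 0x02, 0x10  # TCP flag bits; the BPF mask 0x12 below is SYN|ACK


def build_sample_pcap(order='<'):
    """Constructed pcap (not a real trace) with one Ethernet/IPv4/TCP SYN frame.
    order='<' writes a little-endian file, '>' a byte-swapped (big-endian) one."""
    eth = bytes.fromhex('001122334455') + bytes.fromhex('66778899aabb') + b'\x08\x00'
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 40, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # proto 6 = TCP
    tcp = struct.pack('!HHIIBBHHH', 40000, 80, 1, 0, 5 << 4, SYN, 8192, 0, 0)
    pkt = eth + ip + tcp
    ghdr = struct.pack(order + 'IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    rhdr = struct.pack(order + 'IIII', 1_000_000_000, 0, len(pkt), len(pkt))
    return ghdr + rhdr + pkt


def read_pcap(data):
    """Yield (timestamp, raw_frame) pairs, honouring the byte order the magic announces."""
    magic = struct.unpack('<I', data[:4])[0]
    if magic == 0xa1b2c3d4:
        order = '<'          # written on a little-endian host
    elif magic == 0xd4c3b2a1:
        order = '>'          # written on a big-endian host, fields must be swapped
    else:
        raise ValueError('not a pcap file')
    linktype = struct.unpack(order + 'IHHiIII', data[:24])[6]
    if linktype != 1:
        raise ValueError('this example handles Ethernet (linktype 1) only')
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(order + 'IIII', data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def tcp_flags(pkt):
    """Return the TCP flags byte of an Ethernet/IPv4/TCP frame, or None if it is not TCP."""
    if len(pkt) < 34 or pkt[12:14] != b'\x08\x00' or pkt[23] != 6:
        return None
    ihl = (pkt[14] & 0x0f) * 4          # IP header length, so tcp[13] lands on the flags
    return pkt[14 + ihl + 13]


def count_syn_only(data):
    """Equivalent of 'tcp[13] & 0x12 == 0x02' applied to every frame in the capture."""
    hits = 0
    for _, pkt in read_pcap(data):
        flags = tcp_flags(pkt)
        if flags is not None and flags & (SYN | ACK) == SYN:
            hits += 1
    return hits
```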
There are other sites that offer valuable insights and charts to the budding network security analyst, offering highly condensed versions of longer papers hosted elsewhere. There is the operating system tcp/ip metrics paper at http://project.honeynet.org/papers/finger/traces.txt, for example.
After the training period has elapsed, the company can pay for certification if the employee has performed up to expectations (and will be retained). Up to now, all the employer has invested is time and that employee's normal salary. Smaller companies that do not have the resources to employ a dedicated security analyst might consider expanding the role of their system administrator. As that person already has intimate knowledge of the operating system and network topology used, it should not take long to get them up to speed.
For those who wish to increase the skills of their network security staff, there are more ways to do so. Assuming that some of them will possess a certification such as the GCIA, it might be prudent to expand their skillset to include exploit analysis and have them learn a programming language such as C or ASM. But these skills are very much part of an advanced skill set.
They can still be learned, however, through free online resources that take the form of online tutorials and IRC groups. A successful network security analyst will be a self-starter who has a consuming passion for all things computer related. You will not have to prod these individuals to learn something new, as they are probably already doing it in their spare time. Many of them prefer to learn on their own through resources like those mentioned.
As illustrated by these sites, there is vast potential to trim one's training budget through the use of free online resources. The only cost to the company is the employee's salary and the time dedicated to training that new analyst. It is a very inexpensive solution when compared with the alternatives – especially in light of shrinking budgets.