Network Security Focus-IDS

Re: IDS Analyst skill set

Subject: Re: IDS Analyst skill set
Date: Fri, 17 Mar 2006 07:52:12 +0800
Dear Naveen,

After reading your mail and the responses to it, I felt it would be
interesting to uncover at least one additional layer that most training
does not yet address.  You could say it is missing from the state of
the art of IDS analysis.

Regarding the technical training, I agree with most posters that SANS
does indeed have the most in-depth course.  However, in order to better
assess what type of training is required, we should actually look at
some of the activities that will be required from the analyst.

If I understand your setting correctly, an IDS analyst will classify
large (though hopefully pre-filtered) sets of batched information flows
(IDS events) into incidents, or discard them.  This is a significant
challenge.  It puts strain on your technical abilities, but also on your
ability to reason and analyze.

The degree of correctness is very important in this line of business, as
otherwise valuable data may not be used and an incident may not be
identified - potentially leading to a costly security breach.

As such we should consider at least part of our training process to make
sure that the analysis skills of the analysts are brought up-to-date.
Bringing analysis skills in line usually consists of identifying flaws
of thinking together with the new analysts, and making sure they are
aware of how the mind falls into these traps and how it can avoid them.
These "traps" are commonly known as cognitive biases and can be
described as, e.g., being oversensitive to consistency or the persistence
of impressions.  There are, however, many more.

A second issue is human error.  Every human has a certain flow of
incidents which he can handle - once the load goes above this flow, the
risk of human error increases dramatically.  With adequate insight into
how these issues occur, changes can be made in the environment which
decrease the amount of errors, or analysts can be made aware of common
pitfalls.

Besides the regular technical requirements, an intrusion detection
analyst should be someone who has thorough command of the capacity of
his mind to come to several insights based on high-volume inputs, and
then be able to decide on the most likely scenario, while not discarding
the other ones through his own conviction.  These are valuable skills
which need to be cultivated.

Some unfortunate news, however.  I do not know of any formal training
courses geared towards security analysts that bring these skills into
the workplace.  As these skills are vital I would suggest you include
them into your induction sessions for new analysts.  A number of good
books on these skills can be found below:

[1] "Psychology of Intelligence Analysis"; Richards J. Heuer, Jr.
Center for the Study of Intelligence

[2] "Bias in Human Reasoning: Causes and Consequences"; B. Evans

[3] "Investigating Human Error: Incidents, Accidents and Complex
Systems"; Barry Strauch

Hope this information proves useful.

Cheers,
Maarten

-- 
Maarten Van Horenbeeck, CISSP GCIA GCIH
maarten@daemon.be - http://www.daemon.be/maarten

