  Show Posts
16  Ethical Hacking Discussions and Related Certifications / Other / Cost of the logs storage on: November 20, 2012, 08:57:32 AM
Hello guys,

I have a question for you: How much does log storage cost on average (for 1 year, 3, and most important, 7 years)?

The reason for my question is that I am trying to convince my client to get rid of some useful IDS/SIEM rules, and even to stop collecting some events.

Besides the noise they generate, they cost a lot of money to store for a long time.

So, if you have some data, or some links please share them with me/us.

Thank you very much!

P.S. If you have data about how much space different events/logs take ... it would be welcome
17  Ethical Hacking Discussions and Related Certifications / General Certification / Re: My SANS GCIH experience on: October 29, 2012, 06:35:04 PM
Hey, congratulations! That's a great score.

Back to the OSCP now?

I do not know if I'll go back to the OSCP for the moment. I'll probably try GCIA, as it will help me in my current contract. Also, I'll have to finish studying for SEC575.

I'll go back to OSCP next year, for sure. I am wondering if they'll have a new version.
18  Ethical Hacking Discussions and Related Certifications / General Certification / Re: My SANS GCIH experience on: October 26, 2012, 10:35:42 PM
I agree that the certs are addictive, but I also like that they bring you material benefit$$$

That's an extra reason to keep studying.
19  Ethical Hacking Discussions and Related Certifications / General Certification / Re: My SANS GCIH experience on: October 26, 2012, 01:28:59 PM
Congratulations alucian! SANS courses are so addictive...

I can see from your signature

Thanks!
20  Ethical Hacking Discussions and Related Certifications / General Certification / My SANS GCIH experience on: October 26, 2012, 10:28:39 AM
Hello friends,

I want to share my experience with the SANS 504 course and exam. This spring I applied for a few work/study opportunities with SANS. Among them was a local one, community SANS Ottawa – SEC504 Certified Incident Handler.
When I got the approval from SANS I was no longer a permanent employee, I was a contractor. I hesitated for a couple of hours over whether I should go or not, and the drawback was the loss of $$$ caused by the absence from work. Finally, I decided that the experience of a live SANS course was worth more than the lost bucks.

The course was between 11 – 16 June, in Gatineau, a suburb of Ottawa (different province, but still Ottawa’s suburb). The instructor was Adrien de Beaupre. Adrien is an old fox, if I may say so. He has been in the security industry for a long time, he is an incident handler with SANS, and he saw a lot during his career. He has tons of experience in incident handling and penetration testing.
I can say that the fact that he was the teacher contributed 10% to my decision to go to the course, and I was right about it.

So, on a hot Sunday afternoon we prepared the classroom and all the material for the course. Monday morning I put on my red apron, and I distributed the books to the students. I can say that the whole administrative process went without problems.

Being a local event, the class was very small, circa 22 students. Most of them were from different governmental agencies – army, blue eyes, government itself… (the last time I saw so many skinheads in one room was when I was in the navy). The advantage of this crowd was that they were disciplined, no smart-asses, no troubles during the course. Their problem is that their patrons don’t pay for the exam, so they’ll only do the course. In my opinion, this is very bad, because there is a lot more to learn after the six days of the live course. Not doing the cert will not motivate/force them to continue studying.

Here are some notes I made during the class:

Day 1
Very interesting topics and most of the students participate in the discussions. Now I convinced myself that Adrien really knows how to teach and to make things interesting.

Day 2
I am very familiar with the scanning tools like Nmap and Nessus, so this day wasn’t so impressive for me.
On the other hand, I had colleagues that were really, really excited, and one even told me “This course perfectly fits my needs. Now I can defend against my CIO different portscans, because I run Nmap and I know how it works.” This really impressed me.

Day 3

Things are becoming interesting. Now I can see the difference between GPEN and GCIH. GCIH talks a lot about how to prepare against incidents and how to detect some of them.
All the students are excited about the course. Most of them are overwhelmed by the material, but are happy about it.

Day 4

Things are really interesting. I like that they don’t insist so much on the offensive part, but there is a lot of defensive.

Day 5
For me this is the most complicated/interesting day. Rootkits… (I will study this subject more deeply after this class.)
Nice and interesting exercises.
Most of the other students are lost. They are browsing the internet, have tunnel vision…

Day 6
Capture the Flag
I made a team with three other guys. Our backgrounds were very different, from the novice in the offensive stuff (but very motivated) to the more experienced ones. The challenge was interesting, and we had to apply what we had learned during the class. Of course my team won.

After this wonderful experience I continued studying on my own. Because of home renovations I didn’t have too much time to study at home. I listened to the mp3s, and I watched some videos for the more complicated subjects. Luckily, I wasn’t that busy at work, and I did find some time to study, and to go through the OnDemand questions.

As I previously said about these questions, after my GWAPT experience, they really help someone to study harder. If you are able to pass all the OnDemand questions without the aid of books you are ready for the exam. Many of the OnDemand questions are very tool oriented, but this is not a bad thing; it will make you study more.

I learned a lot, even for the subjects where I was more knowledgeable (like Nmap or Nessus). Every time you listen to the mp3s you discover something new. Ed Skoudis is also an excellent teacher, with a lot of experience, and with wonderful teaching skills. He knows how to hook a class.


This course was a beautiful experience, and, more important, it motivated me to become an even better defender. It is my opinion that it is incomparably easier to be a pentester than to be a defender. Worse, it is very hard to take real proactive measures in an enterprise. The exception will be some shiny useless boxes that a vendor sold your boss as “the next thing”. In the next year I’ll concentrate more on the defensive studies, before going back to pentesting.



After I passed all the OnDemand questions without the use of the books, and after I put post-its on my books, I was ready to sit for the exam. I did the two practice exams the day before the exam, without the aid of the books, and I did pretty well at them.

I scheduled the exam for a Saturday. Sitting for the exam on a Saturday afternoon was an excellent choice for me because I was able to have a good sleep, and there was no rush. The test center was all right, and there weren’t too many takers.

I can say that I really liked the exam. The questions were common sense; I didn’t see many tool-related questions, like the ones on the OnDemand. The questions on the exam tested the knowledge relative to the subject itself. There were many questions where you could use the books to get the answer, if you really wanted to be sure that you don’t make stupid mistakes.
But, you don’t need the books to pass the exam. Probably you need them to get a very high grade. My favourite questions were the ones where they gave you a real situation and ask about your reaction to this problem. You’ll see some of these on the practice exams. As an example you’ll have a dump of traffic and you’ll have to recognize the type of event, and to propose the countermeasure. Those were really interesting, and very pertinent to the subject tested itself.

So, after 3 hours of intense concentration I finished the exam with a score of 96%, which made me really happy.

All this experience left me with a warm feeling, and I can barely wait to sit for my next exam.

Thank you SANS for this opportunity!


21  Ethical Hacking Discussions and Related Certifications / General Certification / Re: SANS GXPN Review on: October 24, 2012, 08:35:36 PM
woot!

Congrats! This one is no 2 or 3 on my SANS list.

Nice review!
22  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: Beginners tips for testing web application on: October 22, 2012, 06:35:54 PM
Nice writing. Very appreciated.
23  Resources / Career Central / Re: Thanks EH-Net! (A success story) on: October 10, 2012, 08:03:23 AM
Congrats, and Good Luck with your new job!
24  Ethical Hacking Discussions and Related Certifications / General Certification / Re: New Security Learning platform, coming soon. on: September 27, 2012, 09:59:24 PM
I'll give it a try!
25  EH-Net / Calendar Of Events / Re: BSidesLV 2012 - Videos on: July 31, 2012, 09:05:05 AM
Nice!!

Thanks!
26  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Certification plans for 2012? on: July 31, 2012, 08:40:53 AM
In this case Good Luck!

And try to keep your eyes on the ball!
27  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Certification plans for 2012? on: July 30, 2012, 10:22:38 AM
@azmatt

A+, Net+, Sec+ ??? Are you such a newbie?

They could help you get a job as a help desk, but... they are far away from security.

If you are new in IT ... they are a good intro, otherwise... go higher.

My opinion.
28  Ethical Hacking Discussions and Related Certifications / Other / Re: Browser protection (sandboxing) from Avast on: July 30, 2012, 10:17:54 AM
Indeed the use of those restrictions would make the life of the users a real hell.
Practically you cannot browse the internet anymore.

Luckily, this policy affects a limited number of users.

Probably, using a VM for gov related tasks would be a good idea, but it is not so easy to sell it to management.

I'll see.

Thanks!
29  Ethical Hacking Discussions and Related Certifications / Other / Re: Browser protection (sandboxing) from Avast on: July 27, 2012, 09:27:33 AM
Interesting concept, but how can you apply it to a whole team?

Like any enterprise software you need support for it. Worse, these restrictions are demanded by a gov client, which is very paranoid about security. So ... having a Chinese software processing their data... not a very good idea

Actually, the demand is that every time an applet is loaded a prompt will appear, and the user should accept it. For example, going to Google main page would mean to click OK seven times. This should prevent some web appl attacks. The problem is that the users will not be able to browse anymore, and they need this option in order to do their job (for other clients).

I was thinking that a better browser protection will make the agency withdraw the request.

I tried Avast sandboxing at home and at work. At home it works just fine, but at work it doesn't work so well. I can browse to some sites, but not to others. I think that you cannot browse to a site with an invalid certificate. As an example, our Nessus has a self-created, unsigned certificate, so I wasn't able to go to the Nessus web page.

Now, I don't know if I should ask the help of the Avast team (we aren't even their clients), or to try to find another solution to this problem.
30  Ethical Hacking Discussions and Related Certifications / Other / Re: Browser protection (sandboxing) from Avast on: July 19, 2012, 07:49:29 AM
Thanks for the info.

Because we will use it in a business environment, the user should be allowed to download files, and even to save the bookmarks, cookies.. on the browser.

I saw that if you click a pdf file, for example, and choose the option to open it, it will open in a sandboxed Adobe, which really is excellent.

Today and tomorrow I'll try some Java, Flash.. exploits and see what happens.
