[Dshield] IDS Analysts
Albert Gonzalez
albertg at cerveau.us
Tue Jan 29 02:55:27 GMT 2008
Pete brought up a good point regarding analysts. I have had the pleasure of interviewing several people at several large companies and really I find them just settling with a paper-pusher or someone not worth jack. This is seriously going to bite us and my profession. Yes, I am an engineer, but I'll always be a packet monkey :)
I think there are certain criteria an analyst should meet:
- basic SQL skills for data mining.
- some form of scripting.
- ability to interpret payload. Would love to interview someone that can interpret the hex portion or at least be able to tell me what the "45" means at the start of a TCP packet.
- understanding of the various forms of attacks out there, and not just because the IDS says it's a bof. It's a lot easier to do analysis if you recognize the type, or maybe, just maybe, the attack itself.
- has used a sniffer before (urgh) and knows how to filter its output etc...
And the issue I see the most (throughout my engagements) is that they might understand protocols but not the networking side, which causes issues with placement and the visibility they achieve. Yes, I understand some shops are small or have a small budget, but there are geeks out there. But I have also seen Symantec enter a place, set up LOTS of devices and not even have 50% coverage because of placements, so the big guys have issues too.
Wow that was all over the place, but what are some of your thoughts regarding required knowledge from an analyst?
-- Sent from my HTC6800
Success comes to the person who does today, what you are thinking of doing tomorrow
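The "45" in the interview question above is the first byte of the IPv4 header that carries the TCP segment: the high nibble is the IP version (4) and the low nibble is the header length in 32-bit words (5, i.e. 20 bytes). As an added example that is not part of the original post or the Dshield list, here is a small Python decoder that walks a hex dump the way an analyst reading a sniffer capture would: it decodes the IPv4 header from that first byte, verifies the IP header checksum, and then decodes the TCP header that follows. The packet bytes are constructed for illustration (a SYN from 192.168.0.1:1234 to 192.168.0.2:80); the function names are the example's own.

```python
import struct

# Constructed sample packet: 20-byte IPv4 header + 20-byte TCP header, no options,
# no payload. The IP checksum (0xf97b) is correct; the TCP checksum is left at zero.
SAMPLE_HEX = (
    "4500002800010000"   # 45 = ver 4 / IHL 5, TOS 0, total len 40, ID 1, flags/frag 0
    "4006f97bc0a80001"   # TTL 64, proto 6 (TCP), checksum f97b, src 192.168.0.1
    "c0a80002"           # dst 192.168.0.2
    "04d2005000000001"   # TCP: sport 1234, dport 80, seq 1
    "000000005002ffff"   # ack 0, data offset 5 / flags 0x002 (SYN), window 65535
    "00000000"           # checksum 0 (not computed here), urgent pointer 0
)

TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS")


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the header; returns 0 if the
    header already contains a valid checksum field."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ipv4(raw: bytes) -> dict:
    """Decode the IPv4 header at the start of raw, starting with the
    version/IHL byte (the '45' in a typical packet)."""
    first = raw[0]
    version = first >> 4
    header_len = (first & 0x0F) * 4          # IHL is in 32-bit words
    if version != 4:
        raise ValueError("not an IPv4 header (version %d)" % version)
    if header_len < 20 or len(raw) < header_len:
        raise ValueError("bad IHL or truncated header")
    (_, tos, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    return {
        "version": version,
        "header_length": header_len,
        "tos": tos,
        "total_length": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "ttl": ttl,
        "protocol": proto,
        "checksum_ok": ip_checksum(raw[:header_len]) == 0,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "payload": raw[header_len:total_len],
    }


def decode_tcp(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header; flags are reported by name."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_flags,
     window, csum, urg) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4      # header length in bytes
    flag_bits = off_flags & 0x01FF
    flags = [name for i, name in enumerate(TCP_FLAG_NAMES) if flag_bits & (1 << i)]
    return {
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "ack": ack,
        "header_length": data_offset,
        "flags": flags,
        "window": window,
        "payload": segment[data_offset:],
    }


def decode_packet(hex_dump: str) -> dict:
    """Decode an IPv4 packet from a hex dump; decodes TCP when protocol == 6."""
    ip = decode_ipv4(bytes.fromhex(hex_dump))
    result = {"ip": ip}
    if ip["protocol"] == 6:
        result["tcp"] = decode_tcp(ip["payload"])
    return result


if __name__ == "__main__":
    pkt = decode_packet(SAMPLE_HEX)
    ip, tcp = pkt["ip"], pkt["tcp"]
    print("IPv%d, %d-byte header, %s -> %s, TTL %d, checksum ok: %s" % (
        ip["version"], ip["header_length"], ip["src"], ip["dst"],
        ip["ttl"], ip["checksum_ok"]))
    print("TCP %d -> %d, flags %s" % (tcp["src_port"], tcp["dst_port"], tcp["flags"]))
```

The decoder deliberately refuses anything whose first nibble is not 4 and anything whose IHL points past the captured bytes, which is exactly the kind of sanity check that separates reading a packet from trusting the IDS label on it.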