Monday, November 7, 2016

David Mashburn's reflections on the GSE

I asked for some of the successful GIAC GSE candidates to talk about the experience. David Mashburn is a member of the GIAC Advisory Board, a community SANS instructor and a professor of cybersecurity. We recently collaborated on an article for the ISSA Journal on the roles of a cybersecurity architect and cybersecurity engineer. These are his thoughts.

After taking the 'written' exam in the Spring, I registered for the GSE Lab scheduled for September 2016 at the SANS Network Security.  I started my preparations for the exam shortly afterwards, focusing on the items that were listed on the GSE description page on the GIAC website.  I found that to be helpful, since there was not much else in the way of information available regarding what to expect from the lab.  I expect this is by design, but it was very different from my previous experiences.  There is a Google Group that has some speculation and ideas regarding the lab from those preparing to sit for the lab, but obviously there is nothing posted in that forum from those who have actually completed the lab due to the non-disclosure restrictions.

Based on the items listed on the GSE page on the GIAC site, it seemed apparent that the lab practical would likely track and extend the exercises that were presented in the core courses that are required for the GSE.  I went back through all the labs for SEC503 and SEC504, making sure that not only did I understand the mechanics of each of the exercises but that I could go beyond what was presented in the course materials.  I also took the time to work through exercises and challenges at malware traffic analysis and Counterhack to further build analytic and hands-on skills.

In addition to the skill building work, I was also compiling the documentation that I would bring with me to the exam.  The common thread that ran through many of the posts in the Google Group related to time management.  Even though one is permitted to bring as much documentation as desired, I decided to go minimalist.  I put together a single notebook with documentation on topics that I thought would be a useful reference, again based almost exclusively on the topics listed on the GSE information page on the GIAC site.  This also included some of the SANS cheat sheets as well as other incident handling checklists.  The only other reference items I brought were Don Murdoch's Blue Team Handbook and the Red Team Field Manual.

Once the exam started, time was the most precious commodity.  The first session seemed to go incredibly fast.  One of the strongest feelings at the start of the first session was actually one of relief, of finally being able to get past the uncertainty and having the opportunity to be able to attack the challenge at hand.  As the exam continued, it was pretty clear that one constant issue would be time management.  You have to work quickly and know almost everything without having to look it up.  I looked up only a few things during the exam.  This is not to brag or due to my amazing base of knowledge, but is more a function of the fact that I was so busy working that I didn't want to stop for the items that I didn't immediately know.  I made the choice to prioritize the things that I knew I could finish, and to allot specific amounts of time for other items.  That meant leaving some things unfinished, even things that afterwards I felt I should have finished.

The GSE lab was a great challenge, and I think a worthwhile measure of skill.  I think that my preparation for the lab and approach during the lab itself was effective, as I was able to earn the GSE certification.  I received notification after waiting 33 days from the end of the exam that I had been awarded GSE #157.
