SANS has recently released a new certification: the GIAC Certified Detection Analyst. The cert is based on SANS SEC555 – SIEM with Tactical Analytics. If you’ve read any of the rest of my blog then you know that I am a big fan of that course! This was the first SANS course that I have taken and as such I was wondering what the best method of taking and passing the test was.
I looked around the internet and found several suggestions on how to make an index. The course came with an index, but I thought it was more of a dictionary and less of an index. I had considered starting with that one and then adding to it, but then stumbled upon a gem of an article. It was called “Better GIAC Testing with Pancakes” by Lesley Carhart (@hacks4pancakes). This index system made perfect sense to me, so I decided to adopt it wholeheartedly and recommend you do the same!
Reading the Books
So how did I study for the test? First I took the course. Then I read the books again cover-to-cover highlighting everything I thought could be asked on a test. Given everything I had going on in my life I could only study from 3:30 AM – 5:00 AM so it took me a while to get through the material. Of course, I couldn’t just read it. I would read a section and then break open Security Onion with the ELK stack running and try to explore the topic further (if I was capturing the right data). If I wasn’t careful I could read 2 or 3 pages of the books and then spend the next hour and a half exploring a topic “hands-on” style. That greatly extended the time it took to prepare me for the test but that was not my only goal…I actually wanted to learn the material and be able to apply it to my team and my customers.
Listening to the Audio
Once I read the books all the way through I then downloaded and listened to the audio of the class. This was awesome because it was a different instructor than the one who taught me the course. This gave me multiple points of view on what was important. It also helped that it was Justin Henderson, the course author. He provided additional first-hand stories that helped the content stick better. I listened to him on the way to and from work, while I was working out, or doing yard work.
After getting through all the audio I took my first of two pre-tests. Failed it! Scored a 76%; needed an 80% to pass. I discovered several topics/items that I could not find in my index… even though I knew they were there!
One of the things I have heard several people say is that there is no time to look up every question. After I finished my pre-test I looked at the clock and I had taken only a few minutes over an hour. I realized then that if I had a good index I could actually look up every answer and have time to spare! There are 75 questions on the test and 2 hrs to complete them. That works out to a little over 1 min and 30 seconds per question. I decided I’d have to really focus on my index.
Tuning the Index
I discovered that my index matched the books, but not my own reference style. My index said “SIEM Planning – Events Per Second” which is exactly how it was listed in the books, but then when I’d look it up I’d be looking for “EPS”. By the way “E” is nowhere near “S” in the alphabet so I’d never find what I was looking for. I ended up adding multiple entries for each item that might appear in various forms. My previous example ended up with the following entries:
This ensured that I could find it no matter what context the question was presented in.
While tuning my index I read all the books again, paying specific attention to the several ways I may remember, and thus look up, a topic. At this point, I was starting to run out of time before my voucher expired. I scheduled my test and then kept studying. One and a half weeks before my scheduled test I took my second and final pre-test and scored an 86%. There were only a few items that I did not have in my index, which I quickly added. I was happy with my score, but I knew I wanted a 90% or greater on the certification so I kept studying.
Another thing I found helpful was a map of which question I should be on at what hour mark into the test. Mine was broken down into 15-minute intervals counting backwards from the two-hour mark like so:
This helped me know at a moment’s glance if I was ahead of or behind pace for the test.
Taking the Test
Finally, it was test day. My test was at 1:00 PM and I had to work that morning which helped me keep my nerves down. I showed up to the test 20 min early, found the testing center, used the restroom, and checked in. It was time.
As the test started I felt confident that I would do well. If not, I had no idea what else to do to better prepare. I stayed a few questions ahead of my pace just in case I ran into difficulties. I looked up all but four questions. That was only because of the context: I couldn’t figure out what exactly they were asking, so I didn’t know what to look up. Even if I knew the answer to a question I’d select my answer choice and then look it up to make sure it was correct. There were still a few questions that my index was not sufficient to handle; I suspect those are the ones I got wrong. I completed the test in 1 hour and 45 min and scored 94%. I’ll take it! I celebrated by going to Dairy Queen and getting a large Oreo and Fudge Blizzard.
My advice for passing this test is to take your time studying and really pay attention to your index. I’ve heard of classes that might share indexes, but in my opinion an index needs to be exactly what YOU need it to be. Take the time to make your index work for YOU. Plus, it will help you learn the material better.
Good luck!