Certified Security Operations Manager (CSOM)

Krzysztof

7 min read · Mar 24, 2024

Certified Security Operations Manager » Security Blue Team

Course and certification exam review

I passed the Certified Security Operations Manager (CSOM) certification offered by Security Blue Team back in March 2024 (both examination parts) and wanted to write (and share with you) a few words about my thoughts and experience, both on the course and the exam.

I had been waiting for the CSOM certification by Security Blue Team (SBT) since May 2022. The first announced release date was Q4 2022, then Q1 2023, and it was finally released in Q1 2024, on 31/01/2024! For the first month after release (until the end of February) it was discounted by 50%, so it was a good time to consider the purchase, which I finally did. After passing BTL2 I think it was a good choice to try something different, not focused on technical, hard skills.

A few days later, SBT announced a giveaway, so there was a chance to win a voucher.

It was even announced that the number of vouchers (winners) had been doubled.

I didn’t find myself on the winners’ list… bad luck😔… maybe next time.

### COURSE CONTENT — THEORY ###

Course content/modules according to the official syllabus (quizzes are also included between the course domains or parts within the same domain to test the gained knowledge):

Domain 1 — Modern Security Operations

  • Business Objectives, Legal Enablers, and Considerations
  • Security Operations Teams

Domain 2 — Building a Security Operations Team

  • Threat Modelling
  • Building Your Team
  • SIEM & Detection Engineering
  • Case Management
  • Other Tooling & Administration
  • Processes and Documentation

Domain 3 — Capability Development

  • Incident Response
  • Threat Intelligence
  • Vulnerability Management
  • Digital Forensics
  • Malware Analysis
  • Threat Hunting

Domain 4 — Metrics, Maturity, and Measuring Success

  • SOC Maturity Models
  • Operationalizing MITRE ATT&CK
  • Cyber Deception
  • Security Orchestration, Automation, and Response
  • Reporting and Metrics
  • Retaining Talent
  • Additional Activities

Course content — topics categories

### COURSE CONTENT — LABS ###

CSOM, like other SBT courses, has a pretty good lab part. After a very well prepared theory part there must be time for hands-on practice, the LABS, wherever they apply to the topics. At the moment of writing CSOM has 9 unique labs and 100 hours of lab time available, and I think that is more than enough to finish them all and still have a lot of time left… to repeat the labs before taking the final exam:

Labs are divided into 4 categories/groups with different tools and scenarios:

Building a Security Operations Team (3 labs):

  • Deploying Sigma Rules — Convert Sigma rules to Splunk’s SPL to identify security events;
  • Case Management — Use TheHive to correlate between investigation cases;
  • Endpoint Detection & Response — Utilize Wazuh to investigate malicious activity.
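The first lab in this group is about turning Sigma rules into Splunk SPL. As an added illustration that is not part of the original post or of SBT's lab material, the following Python snippet shows what that translation looks like for a small, constructed Sigma rule: field modifiers (`contains`, `startswith`, `endswith`) become SPL wildcards, a selection map becomes an AND of its fields, list values become an OR, and the `condition` string is rewritten into SPL boolean operators. The rule content, the `index=windows` prefix and the supported modifier set are assumptions for this example, not the course's converter.

```python
"""Minimal Sigma -> Splunk SPL translation (added illustration, not the course's tool)."""
import re

# Constructed Sigma rule, written as the Python equivalent of its YAML.
# The allowlist filter (an "approved_backup_agent.exe" parent) is invented for the example.
SIGMA_RULE = {
    "title": "Encoded PowerShell command line",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        "filter": {"ParentImage|endswith": "\\approved_backup_agent.exe"},
        "condition": "selection and not filter",
    },
}

# Sigma value modifiers and the SPL wildcard pattern each one maps to.
_WILDCARD = {"": "{v}", "contains": "*{v}*", "startswith": "{v}*", "endswith": "*{v}"}


def _quote(value: str) -> str:
    """Escape backslashes and double quotes so the literal survives SPL parsing."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def _field_expr(key: str, value) -> str:
    """Translate one 'Field|modifier: value(s)' entry; list values are OR'd."""
    field, _, modifier = key.partition("|")
    if modifier not in _WILDCARD:
        raise ValueError(f"unsupported Sigma modifier: {modifier!r}")
    values = value if isinstance(value, list) else [value]
    terms = [f"{field}={_quote(_WILDCARD[modifier].format(v=str(v)))}" for v in values]
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"


def _selection_expr(selection: dict) -> str:
    """A Sigma selection map is an AND of all its field conditions."""
    parts = [_field_expr(k, v) for k, v in selection.items()]
    return parts[0] if len(parts) == 1 else "(" + " AND ".join(parts) + ")"


def sigma_to_spl(rule: dict, index: str = "index=windows") -> str:
    """Rewrite the rule's condition into an SPL search (index mapping is an assumption)."""
    detection = rule["detection"]
    named = {k: v for k, v in detection.items() if k != "condition"}

    def substitute(match: re.Match) -> str:
        token = match.group(0)
        if token.lower() in ("and", "or", "not"):
            return token.upper()  # Sigma boolean keyword -> SPL operator
        if token in named:
            return _selection_expr(named[token])  # named selection -> its expression
        raise ValueError(f"condition references unknown selection: {token}")

    # Only identifiers are rewritten; parentheses in the condition pass through unchanged.
    expr = re.sub(r"[A-Za-z_][A-Za-z0-9_]*", substitute, detection["condition"])
    return f"{index} {expr}"


if __name__ == "__main__":
    print(sigma_to_spl(SIGMA_RULE))
```

Running it prints one search line that can be pasted into Splunk; the real `sigma-cli` backends additionally apply field-name mappings per log source, which this illustration deliberately leaves out.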

Capability Development (3 labs):

  • Threat Intelligence in Practice — Use MISP to identify and correlate ransomware activity;
  • Vulnerability Management in Practice — Analyze scan results from OpenVAS to investigate vulnerabilities;
  • Digital Forensics in Practice — Conduct a hard-drive investigation using Autopsy to uncover insider threat activity.

Metrics, Maturity, and Measuring Success (2 labs):

  • Cyber Deception — Deploy an AD honey user and configure alerting in Wazuh EDR;
  • Metrics Dashboarding, Case Management — Create a dashboard to highlight security investigation and case metrics.

CSOM Exam Preparation (1 lab):

  • Practice Exam Lab — Prepare for the CSOM Practical Assessment with a practice investigation lab using Wazuh, MISP, and A…

### THE EXAM ###

After finishing the whole content (topics, quizzes and labs) I’ve decided to take the exam at the first convenient time.

It is the first Security Blue Team certification with a hybrid exam approach: the final exam has both a Theory (24 hours) and a Practical (4 hours) part. They can be taken separately, at any time during the course access period.

# Theory Element #

Students will complete a business case study, conducting research, performing threat modelling, and completing other tasks to populate a short report template.

In the beginning there was no choice between the Theory Element and the Practical Element, as the Practical Element was under maintenance. So I had to choose Theory as my first examination part. For me this was a new experience. Before CSOM, all my written-report-based exams had an online lab environment (virtual machines, SIEMs, pcaps, logs, forensic artifacts… whatever) that had to be investigated. Not this time. It's completely different: no investigation, no online lab environment.

I started the exam on 12/03/2024 and submitted the report after less than 4 hours (out of the 24 hours available for this part). As the report is graded manually, I had to wait a few days for the final score. On 18/03/2024 (5 business days later) I received an email saying that my report had been graded… and that my final score was available in the learning portal. Indeed, it was there. Very, very good news.

# Practical Element #

Students will take part in a short hands-on incident response engagement, using threat intelligence context and existing scenario details to perform analysis and capture key information about the attacker’s actions.

Everyone was waiting for information about when the Practical part would be available. Who would be the FIRST CSOM? The information was posted on the SBT Discord ~30 minutes before midnight on 22/03/2024, so they kept their word.

SBT — CSOM — Discord channel

I read it only in the morning and my first thought was… no time to waste… let's do it… challenge accepted! Maybe there was still a chance to be the FIRST 😎

I started the exam in the morning on 23/03/2024. In this part of the exam there is no report writing but a 4-hour assignment with 20 questions (changed from 10, which I think was a good decision) and an online lab environment, the same format as in the BTL1 exam or BTLO investigations. Personally I don't like it. I prefer report-writing exams because there is no room for mistakes such as a correct answer in the wrong format (misspelled words, whitespace, etc.). I submitted my answers after about 1.5 hours (out of the 4 hours available for this part). In this part the result, and the feedback, is given immediately after submitting the answers… and mine was 85% (17/20 correct). I passed the exam, but I expected to have done much better.

I read the after-exam feedback (which answers were wrong) and used the review option button. I was pretty sure that 2 out of those 3 incorrect answers were correct; the third one was wrong because I overthought it. After less than 30 minutes I received an email with the following information (this was lightning fast):

At that moment I felt complete 😊

### Overall Exam Score ###

But was I FIRST? Unfortunately NOT, someone was faster 🫣😅

### Why CSOM? ###

Certified Security Operations Manager is a new certification in the industry. Its name could easily be confused with the GIAC Security Operations Manager (GSOM) certification. Maybe in the future it could be a good and affordable alternative to both the SANS LDR551: Building, Leading, & Managing (SOC) Security Operations Center course and the GSOM certification.

For sure it's valuable for a technical team leader/manager, or for a technical analyst/specialist aspiring to a team leader/manager role. Or just for someone who wants to learn new things and gain new experience in the field of cybersecurity.

Fully recommended!

Pros:

  • High quality and well written content;
  • Varied and interesting labs;
  • Still developing new content topics and practical labs;
  • Still growing community of new students and alumni;
  • Hybrid exam approach (testing both Theory and Practical part);
  • Both exams can be completed in just a few hours;
  • Exams can be taken separately (even on different days);
  • Answers review option;
  • Personal and detailed feedback to all students regardless of whether they pass or fail each exam element.

Cons (for individuals):

  • Regular price: £1999 at the time of writing (course and certification are addressed mainly to companies for corporate training purposes, not individuals, which might explain the price level).

### UPDATE (ToDo) ###

This section will be updated after I get the certificate and coin.
