The SANS GSE

What’s it like to take one of the hardest cybersecurity certifications in the industry — and pass!

If you have worked in cybersecurity for some time, you have likely heard of SANS and the GSE (GIAC Information Security Expert). It seems that everyone I meet in security has heard of SANS, and those who haven’t have no idea what I’m talking about. I also realize the industry is evolving. Options are available that were not when I started in cybersecurity. I can’t say if they are as good, but the whole cybersecurity landscape is changing. The fact is, the way we have been doing cybersecurity needs to shift in some way, given the number of data breaches daily. Security needs to be everybody’s job at some level, not just a select few with super elite knowledge.

Still, getting a master’s in security engineering and the GSE has been a firehose of information that improved my understanding of how malware, pentesting, incident response, and network monitoring work to a very technical depth. I wouldn’t be where I am today if it weren’t for the amazing instructors I had and the wealth of information I’m not sure was available anywhere else when I started. At the time, security wasn’t the hip thing to do that it seems to be now.

Since then, many new security training options have evolved, including my cloud security classes. Other instructors and degree programs teach specialized skills or offer broad programs, but I’m not sure if they all offer instructors with as much real-world experience and deep knowledge that my instructors had. You’ll have to research that when considering options.

Whether you love or hate certifications, most people in security have heard of SANS and the GSE. There are under 250 of us in the world at the time of this writing. What I find is that most Human Resources departments have only heard of the CISSP. Many more people have that certification. Which one is better? It depends on what the people hiring you believe is better or require. Probably either one will help you get past HR.

Most people will tell you the CISSP is not hands-on and the GSE is. They are just very different. If you like looking at packet capture headers and doing pentesting, as stated in the test description, the GSE is for you. If you want to remember how high the fence needs to be for physical building security and other general security knowledge, go for the CISSP. I never took that test, except for some practice questions — the fence question is the one I always hear people joke about because for most people in cybersecurity that information isn’t typically ever needed.

I suppose any certification you obtain shows that you put in some effort, but I can tell you that the GSE was one of the hardest tests I ever took from anyone. Probably the hardest. It is the only test I didn’t pass on the first try, and for most of my SANS courses I passed in the 80–90+ range. My scores varied by how into the material I was and how much time I had. In the end I just wanted to get done with the master’s program and didn’t study as much — no one sees your score. They just see you have a cert. For most tests I think passing is high 60s to low 70s.

One of the things that made the GSE difficult is that it is hands on. You can’t just memorize some terms or create a list of keywords for an open book test. You have to sit at a computer and analyze cybersecurity events and problems and run tools to come up with answers. I spent a lot of time working with databases and data structures in my career. Passing an open book test is all about how well you index your notes and being able to find the information quickly. You may also need to know logical things where memorization and math help, like converting hex to binary to decipher packet headers or analyzing malware in JavaScript, a PDF file, or assembly. Hands on keyboard seems to involve a different part of the brain as far as I can tell.
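The packet-header work mentioned above (converting hex to binary and reading fields out of a header by hand) is the kind of thing you end up doing at the keyboard. The following is an added example, my own code and not part of the original post or any SANS material: it decodes a 20-byte IPv4 header from a hex dump and verifies the header checksum. The header bytes are a constructed sample, not captured traffic, and the function names are my own.

```python
# Added example: decoding an IPv4 header from a hex dump and checking its checksum.
# Not part of the original post. SAMPLE_HEADER_HEX is a constructed sample header.
import struct
import ipaddress

# Constructed 20-byte IPv4 header as it might appear in a hex dump:
# 45 00 00 73 00 00 40 00 40 11 b8 61 c0 a8 00 01 c0 a8 00 c7
SAMPLE_HEADER_HEX = "4500 0073 0000 4000 4011 b861 c0a8 0001 c0a8 00c7"


def hex_to_bits(hex_byte: str) -> str:
    """One hex byte to its 8-bit binary string, e.g. '45' -> '01000101'.
    This is the by-hand conversion the post refers to: the high nibble
    (0100) is the IP version, the low nibble (0101) is the header length."""
    return format(int(hex_byte, 16), "08b")


def parse_ipv4_header(hex_dump: str) -> dict:
    """Split the fixed IPv4 header fields out of a hex dump (spaces ignored)."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    if len(raw) < 20:
        raise ValueError("IPv4 header is at least 20 bytes")
    version = raw[0] >> 4            # high nibble of byte 0
    header_len = (raw[0] & 0x0F) * 4 # IHL is counted in 32-bit words
    if version != 4 or header_len < 20:
        raise ValueError("not a well-formed IPv4 header")
    total_length, identification, flags_frag = struct.unpack("!HHH", raw[2:8])
    flags = flags_frag >> 13         # top 3 bits: reserved, DF, MF
    frag_offset = flags_frag & 0x1FFF
    ttl, protocol, checksum = struct.unpack("!BBH", raw[8:12])
    return {
        "version": version,
        "header_len": header_len,
        "total_length": total_length,
        "identification": identification,
        "dont_fragment": bool(flags & 0b010),
        "more_fragments": bool(flags & 0b001),
        "fragment_offset": frag_offset,
        "ttl": ttl,
        "protocol": protocol,        # 6 = TCP, 17 = UDP
        "checksum": checksum,
        "src": str(ipaddress.IPv4Address(raw[12:16])),
        "dst": str(ipaddress.IPv4Address(raw[16:20])),
        "options_len": header_len - 20,
    }


def ipv4_checksum_ok(hex_dump: str) -> bool:
    """Recompute the one's-complement sum over the whole header (checksum
    field included); a valid header folds to 0xFFFF. A modified TTL or
    address breaks this, which is why tampered packets stand out."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    header_len = (raw[0] & 0x0F) * 4
    total = 0
    for i in range(0, header_len, 2):
        total += (raw[i] << 8) | raw[i + 1]
    while total >> 16:               # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


if __name__ == "__main__":
    print("first byte 0x45 in binary:", hex_to_bits("45"))
    for field, value in parse_ipv4_header(SAMPLE_HEADER_HEX).items():
        print(f"{field:16} {value}")
    print("checksum ok:", ipv4_checksum_ok(SAMPLE_HEADER_HEX))
```

Running it prints the decoded fields (version 4, 20-byte header, TTL 64, protocol 17, 192.168.0.1 to 192.168.0.199) and reports the checksum as valid; flipping any byte in the sample makes the checksum check fail.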

The other thing that made it challenging for me was that there was no practice test. I didn’t know how to study — efficiently or effectively, at least. I feel like the pass rates are almost too low, and part of that is lack of clarity around what to expect. I think this may be changing going forward, but I’m done, so you’ll have to go find that out for yourself. The guidance as I initially understood it was basically, study everything from three classes — over thirty books like the ones in the photo. Those classes are broad, covering many different topics and tools. I tried to review everything in the books and create cheatsheet notes for everything. I didn’t have time to practice it all.

I am not allowed to tell you what is on the test, but in retrospect, I will say that you need to read the test instructions and follow them precisely. At the time I took the test, it was not necessarily aligned with the classes the way one might expect. I wasted time worrying about things that were not specifically called out. After talking to the person that writes the GSE, I now understand why. The test may change in the future — but no matter how the test changes, just stick to what is in the instructions, and you should be OK.

The other thing that I found challenging was that someone told me I could use my laptop. That is no longer the case if anyone tells you that. I had started to write scripts to automate things I expected to be on the test. That was a waste of time. Besides that, I’m not sure how much it would have helped. It’s better to just know the basics well and be able to work fast.

I had no idea what to expect on the test so one of my strategies was not to study too long and just go take it. I didn’t want to waste too much time studying and find out I was doing it all wrong when I got to the test. It’s an expensive choice but that was my strategy. That initial attempt was my practice test.

I studied for about 3–4 weeks, and part of that was passing the written. I have heard other people studied for 9 months, but that seemed like way too much time for one test (to me, anyway!). Who has that much time just for one test? I’m very busy and didn’t want to spend that long away from real work and other things I had to do. I also completed the Cyber NetWars Defense and was in third place in my group at the end, but did not find that very applicable.

I hoped maybe I would get lucky and pass. I did not. Out of about 40 people taking the test with me, only nine passed. That gives you an idea how hard the test is. Some people were taking the test a second time, and some of them didn’t get a full pass or didn’t pass at all. They let people who only miss one section by a minor amount write a paper on that topic. Some people in my group got that option. I did not — but in the end, I’m glad I didn’t. I never had to write a paper, and whenever I do one of those I pick a complicated topic and it ends up taking me 3–4 months.

Taking a pile of books to the test did not help. My extensive notes did not help. I wasted time looking through them and couldn’t find what I needed. Eventually, I just used the computers provided. I could have saved all the time I spent putting sticky notes on books and taking them apart to try to consolidate into binders. I could have skipped the books people told me to buy as supplements. I didn’t need to lug one hundred pounds of paper around or whatever it was. Maybe those help others. To me, they wasted precious time.

Everyone told me to study one section of the material most, so I did. As it turns out, that was probably the thing I knew best when I started. During the test, I was too slow in other areas I barely studied due to being overly concerned with one portion of the test (which I passed). I knew what to do on the other parts, I just wasn’t fast enough to get it all done and had to look too many things up.

The other issue I had was the room was so cold the morning of the second day that I couldn’t think. I have below average body temperature to begin with, and the room felt like Antarctica. I kept going into the hall to warm up and lost time. Yes, I was already wearing a sweatshirt. In the afternoon I was wearing two sweatshirts, a scarf, and a hat and was ok. That cost me time I realized after the fact I really needed.

I have always said SANS would make a killing if they sold parkas at their conferences. SANS is the reason I am now the proud owner of a Caesar’s Palace fleece jacket after getting sick because it was so cold in the classroom. I was wondering if they were trying to simulate working in a data center during the test, but it was just a problem with the hotel heating system and the particular room. That issue did not exist the next time I took the test and probably won’t again because they realized there was a problem — but I also brought extra sweatshirts and scarves just in case!

I am pretty sure the portion of the test in the extra frigid room was also my weakest section, but they don’t tell you exactly where you fail if you do. There were some things I just took too long to do, and I knew it. I also got out and realized I missed a super obvious question. I knew another one and was just missing one small detail. I also ran out of time to answer all the questions in two sections of the test, and I think I left two involved questions completely blank, or close to it.

After the test, I knew where I was weak and had a better idea what to study. I also figured out a better strategy by the end. Forget the books, use the computers they give you to look stuff up. You won’t have time to look up everything, but that worked better for me. You may see a problem you don’t recall seeing before, that’s not even in the classes, or at least it’s not exactly the same, or maybe it was in the class now but not when you took it. Figure it out. Do what you do at work to solve new problems. Yep. Google it.

SANS offers the test every six months. I decided to take the test a year later due to various obligations during the next run. The first thing I did was focus on getting paid work in areas I was weakest. I also took my final electives for the master’s program in that area, but it turned out not to be very applicable. Mostly I got faster at using the tools by doing real-world projects and, in some cases, teaching other people how to use them. I feel like you really have to know something to be able to teach it.

I had the best intentions to study the books and do all the labs prior to the next attempt. I didn’t. I think I cracked the books once before I got to the hotel in Virginia the day before the test. I got there, and I thought I was just wasting my money since I hadn’t studied at all. Crystal City hotels and DC flights are not cheap. I wondered what I was even doing there.

I took a few class books with me that had tools I expected to be on the test based on the instructions. I got there one day early, ran through the books and I think I made about two or three pages of notes in the cover of a book with commands I might need. I already knew a few of the tools inside and out. I ran all the commands I had time for on the others in the instructions so they would be familiar.

Finally, I took a practice test they gave us which they are developing for the future. In the end, I didn’t find it to be very aligned with the real test. Again, that may change as I know the test writers are continuously improving. At any rate, I was surprised to pass the practice test. Hopefully having the practice test will make it easier to know what to study in the future, because they really help with the other SANS tests. Practiced recall is one of the best ways to learn and that’s what those practice tests do.

The next two days I was in a room taking the test at a computer provided to me. As stated in the test description, day 1 covers incident response. You’ll want to work fast, even though they told us to go slow in the class I took! Make sure you give an answer to every question. If you don’t answer a question completely, you can come back to it if you have time. Same goes for day 2, which covers a wide range of topics. If there’s something you haven’t seen before, use the computer and figure it out.

You’ll need to have used the tools to know how to run them, where to find things on your machine, and what you need to look up on Google. The second time I took the test I think I took a couple of the class books the first day, and none of the books I had purchased off Amazon the last time I took the test. The second day I only took my one book with notes in the front and back cover, and I think I looked at it twice and only for the notes I’d written.

As I was taking the test, I made a concerted effort to stay focused and work fast — especially on day two where I felt weaker the first time. For a lot of people it’s the opposite, and they told me they struggled with day 1. It really depends on your experience. I used the computer a lot and got something down in all the questions as quickly as I could. As it turns out, my real world experience is what made the difference.

At the end of the test I knew I did much better than the first time, but I wasn’t sure if I would pass. It’s hard to know. But I answered pretty much all the questions. I figured out topics I missed the time before. I wasn’t sure if I did as well on the incident handling as the first time, but I thought I found everything. I think I answered every question the second time, or very close. I ran out of time to complete one question fully with the tools, but put down the steps as to what needed to be done to complete the parts I had not finished. I realized afterward that I had been doing all the right things; I just visually missed one piece of output, otherwise I would have completed it fully.

So you get done with the test, and you wait. I think the turnaround time is about 45 days. Luckily I was too busy to worry about it. At some point I did get notification — I passed! I was overjoyed and relieved beyond belief at that moment. The second time around I think about 7 people out of about 30 passed. You can see the most recent certified GSE professionals on the SANS web site. I was also done with the SANS master of information security engineering at that moment.

It took over five years for me to get through the SANS master’s program due to work obligations, financial considerations, and selecting research paper topics that took way too long to write. The GSE is a tough test, but it’s a great feeling when it’s all over — and even better at the end of the five-year slog of a very intense master’s program!

It’s also pretty amazing when you know the caliber of the other people who have earned a GSE and you get to be in their ranks. You don’t need a GSE to be amazing in cybersecurity, but it does demonstrate that you have some specialized knowledge and credentials few people in the world have achieved. For me, it is a personal sense of accomplishment for a challenging goal. After experiencing a data breach, I set out to learn how it happened.

Mission accomplished.

Teri Radichel — Follow me: @teriradichel

__________________

Check out the book I’m writing: Cybersecurity for Executives

__________________

Upcoming events where you can hear Teri Radichel speak about cloud security:

IANS Seattle Information Security Forum (Cryptojacking, Cloud Migration, Google Cloud) (June 12–13)

AWS RE:INFORCE ~ Are you ready for a cloud pentest? (June 25–26)

Serverless Days ~ London (July 11)

IANS Charlotte Information Security Forum (September 25–26)

IANS Houston Information Security Forum (September 11)

Welcome to the ISACA Québec 2019 congress

…and of course she’s usually at the Seattle AWS Architects and Engineers Meetup sponsored by 2nd Sight Lab!

Past Cloud Security Presentations (Videos)

RSA ~ Red Team vs. Blue Team on AWS with Kolby Allen

AWS re:Invent ~ RedTeam vs. Blue Team on AWS with Kolby Allen

Microsoft Build ~ DIY Security Assessment with SheHacksPurple

Follow me for future blog posts on cloud security, or sign up for cloud security training to learn more. © 2nd Sight Lab 2019
