Security Certification: GCDA

Security Certification:

GIAC Certified Detection Analyst (GCDA)

Description

"The GIAC Certified Detection Analyst (GCDA) is an industry certification that proves an individual knows how to collect, analyze, and tactically use modern network and endpoint data sources to detect malicious or unauthorized activity. This certification shows individuals not only know how to wield tools such as Security Information and Event Management (SIEM) but that they know how to use tools to turn attacker strengths into attacker weaknesses." - Justin Henderson, SANS SEC555 Course Author

Who is the GCDA for?

  • Security Analyst
  • Security Architects
  • Senior Security Engineers
  • Technical Security Managers
  • SOC Analysts
  • SOC Engineers
  • SOC Managers
  • CND Analysts
  • Security Monitoring
  • System Administrators
  • Cyber Threat Investigators
  • Individuals working to implement Continuous Security Monitoring or Network
  • Individuals working in a hunt team capacity

Areas Covered on the GCDA

  • SIEM Architecture and SOF-ELK
  • Service Profiling, Advanced Endpoint Analytics, Baselining and User Behavior Monitoring
  • Tactical SIEM Detection and Post-Mortem Analysis

Find affiliated training for GCDA now.

No Specific training is required for any GIAC certification. There are many sources of information available regarding the certification objectives' knowledge areas. Practical experience is an option; there are also numerous books on the market covering Computer Information Security. Another option is any relevant courses from training providers, including SANS.

*No Specific training is required for any GIAC certification. There are many sources of information available regarding the certification objectives' knowledge areas. Practical experience is an option; there are also numerous books on the market covering Computer Information Security. Another option is any relevant courses from training providers, including SANS.*

Requirements

  • 1 proctored exam
  • 75 questions
  • Time limit of 2 hours
  • Minimum Passing Score of 79%

Renew

Certifications must be renewed every 4 years. Click here for details.

Delivery

NOTE: All GIAC exams are delivered through proctored test centers and must be scheduled in advance.
GIAC certification attempts will be activated in your GIAC account after your application has been approved and according to the terms of your purchase. Details on delivery will be provided along with your registration confirmation upon payment. You will receive an email notification when your certification attempt has been activated in your account. You will have 120 days from the date of activation to complete your certification attempt. GIAC exams must be proctored through Pearson VUE. Please click the following link for instructions on How to Schedule Your GIAC Proctored Exam http://www.giac.org/information/schedule_proctored_exam.pdf. GIAC exams are delivered online through a standard web browser.


Bulletin (Part 2 of Candidate Handbook)

Exam Certification Objectives & Outcome Statements

The topic areas for each exam part follow:

Alert Analysis
The candidate will demonstrate an understanding of how to analyze endpoint security logs, augment intrusion detection alerts, analyze vulnerability information, correlate malware sandbox logs, handle alerts efficiently, identify which alerts to retain and identify staff training opportunities.
Device Discovery
The candidate will demonstrate an understanding of how an environment can be more fully understood through the use of active and passive device discovery and how this understanding can be used to create baselines and detect anomolous behavior.
Endpoint Logging Analysis
The candidate will demonstrate an understanding of how to discover abnormal activity, establish baselines and optimize logging to find anomalous behavior through the use of endpoint logs, events of interest and host-based firewalls.
Endpoint Logging Collection
The candidate will demonstrate an understanding of how to identify attacks and analyze logs in both Windows and Linux environments and employ scripting to reduce log noise as well as establish collection strategies, both agentless and agent-oriented in these environments.
Log Aggregation and Parsing
The candidate will demonstrate an understanding of how log filters and message brokers can be used during data queuing and storage to enhance log retention and search response times, demonstrate an understanding of the methods and techniques used to perform analysis, analytical reporting, and alerting through the use of visualizations and detection dashboards.
Log Collection
The candidate will demonstrate an understanding of how data gathering strategies, event rates, storage requirements and staffing requirements inform SIEM planning and event logging device architecture, log monitoring for assets, data gathering and preservation strategies and techniques of log collection.
Log Output and Storage
The candidate will demonstrate an understanding of data queuing, resiliency and storage as well as how to perform analytical reporting and alerting through the use of visualizations and detection dashboards.
Network Service Log Analysis
The candidate will demonstrate an understanding of how to identify attacker characteristics, determine anomalous behavior and establish baseline behavior in common network protocol traffic such as SMTP, DNS, HTTP and HTTPS.
Network Service Log Collection & Enrichment
The candidate will demonstrate an understanding of detection methods and relevance to log analysis, analyzing common application logs, application of threat intelligence to generic network logs, correlation of network datasets and establishment of network baseline activity.
Post-Mortem Analysis
The candidate will demonstrate an understanding of how to use virtual machines and malware sandboxes, configure systems to generate event log alerts after compromise, identify unusual time-based activity and re-analyze network traffic after an incident.
Software Monitoring
The candidate will demonstrate an understanding of how to identify authorized and unauthorized software, treat scripting tools and command line parameters as a special kind of software and source collection methodology.
User Monitoring
The candidate will demonstrate an understanding of how to utilize behavior analytics when analyzing user logons, built-in accounts and system services based on patterns, use network data to discover unauthorized use or assets, configure enterprise wide baseline collection and establish large scale persistence monitoring.

Where to Get Help

Training is available from a variety of resources including on line, course attendance at a live conference, and self study.

Practical experience is another way to ensure that you have mastered the skills necessary for certification. Many professionals have the experience to meet the certification objectives identified.

Finally, college level courses or study through another program may meet the needs for mastery.

The procedure to contest exam results can be found at https://www.giac.org/about/procedures/grievance.