A little ArcSight conference breakout session self promotion

I figure since I have a blog upon which to write why not do a little promotion for the breakout session I am leading at the ArcSight 2010 User Conference.

I knew going into the 2009 User Conference that based on our daily event count ArcSight thought of us as being a medium sized company – and on the lower end at that. Certainly, I thought, we weren’t really “that” small. In short, we were. The reality is even though our event count has increased since then, we still are. At last year’s conference I was quickly struck by the number of very large companies who use this product and their multiple hundred million EPD. By and large the historic ArcSight tool and mindset has been with this sort of company in mind. One can generalize they have a 24x7 SOC with staff ready to receive alerts and respond in (near) real time. (accurate?) As a relatively small shop (average or mean sized?) we simply don’t have the same level of staffing resources. This has led us to a somewhat non-traditional alerting system.

ArcSight 2010 User Conference breakout session list has been posted

The ArcSight 2010 User Conference breakout session list is out for those that haven't seen it yet (Conference information can be found here). I really enjoyed last year's conference and am certainly looking forward to this one. If you are on the fence about going and haven't gone to one yet - send someone. Actually send 2 someones; a manager and an ArcSight admin type. This way, in theory, you can absorb and later plan at the strategic and tactical level. If you send 2 people see if your company can spring for travel for a 3rd person by tapping into ArcSight's "BOGO" deal - send 2, get the third ticket free. If you are going to be deploying or have just deployed you REALLY need to send someone(s). I mentioned to my boss last year that if we had gone it would have escalated our development/grasp of the tool by at least 3 or 4 months since the conference happened between when we made the decision to go with ArcSight and when professional services came out to install it. Granted that curve gets smaller the longer you have had the product in house and how much time/FTE you have dedicated to the tool.

Reports and what you put in them

I don't know about you but I sometimes have mixed emotions when it comes to reports. Most tend to fall into one of two buckets. Either they are a one page "executive" type summary with colored eye candy charts or they are a ridiculous number of pages showing the gory details of every port, path, or transaction between end points that is so far into the weeds you can lose sight of the bigger picture. In either case the report would probably cause you to open your SIEM in order to do further investigation because in either case a piece of the puzzle for the initial series of follow up questions are probably missing. My top whatever is this, this, and that. Great - is that distributed or focused to just one or a hand full of machines?

So what can you do to make the report itself more stand alone or actionable?

Tactically implementing Strategic goals

Yesterday my kids went to the pool. With that as the background here is a snippet of conversation between my 8 year old son and me.


Son: These Doritos chips taste hotter than normal.
Me: Are your lips chapped?
Son: ...no...my tongue is on fire!
What does that have to do with SIEM stuff? Not a thing but I find the story funny as crap. That is right up there when I asked him years ago how much he had just thrown up; he said "10." He and I did have a conversation the other day though that was slightly more relevant and has led me to the following analogy.