I figure since I have a blog upon which to write why not do a little promotion for the breakout session I am leading at the ArcSight 2010 User Conference.
I knew going into the 2009 User Conference that, based on our daily event count, ArcSight thought of us as a medium-sized company – and on the lower end at that. Certainly, I thought, we weren’t really “that” small. In short, we were. The reality is that even though our event count has increased since then, we still are. At last year’s conference I was quickly struck by the number of very large companies who use this product and their multiple hundred million EPD. By and large the historic ArcSight tool and mindset has been built with this sort of company in mind. One can generalize that they have a 24x7 SOC with staff ready to receive alerts and respond in (near) real time. (accurate?) As a relatively small shop (average or mean sized?) we simply don’t have the same level of staffing resources. This has led us to a somewhat non-traditional alerting system.
Regardless of size, there will always be a list of things you need to drop everything and respond to ASAP. The reality is that beyond that list everything changes and is unique to the resources you have - charter/focus, people, hours, etc. While (near) real-time alerting is possible across the board, as your shop size decreases so does the percentage of SIEM content you are actually going to respond to in that same timeframe (yes, that verges on fighting words with some). The crux of my session is a methodology to triage the alerts generated by the other 70/80/90/95% of your SIEM content.
- At a practical level (you can’t be in two places at once), there will be times when you have to choose between multiple machines exhibiting other than ordinary behavior – which one should you work first?
- Since you generally don’t have the console open anyway, if you don’t see an alert for several hours (e.g., alerts came in at night), how do you find the relevant data in the console quickly?
While the system we have used for a year now isn’t the only way to approach this problem, it is “a” system and one we have used with great success. For many, having a starting point or point of reference is enough to get the ball rolling. Honestly speaking, that is one of my primary goals for doing the session – that it opens a door for further discussion. Hopefully larger shops won’t be put off by the title or description and will come as well. While the general response methodology might blur at the high end, we have developed a few things that do scale, like a way to do a quick analysis when evaluating the threat a system might pose.
Hi Mark,
Thanks for this great post.
I work at Blueshift Research in San Francisco, and we're working on a research project on information security. We're also looking at trends in the industry and ArcSight.
I'm wondering if you might have a few minutes to chat?
Best,
adam
al@blueshiftideas.com
415-817-9365
Adam - you have mail =)
Mark