Thursday, September 30, 2010

Protect 10 and Logger 4.5

What does this picture have to do with the ArcSight Protect 10 user conference? Absolutely nothing. This is the mental image I had going in today to get the stents taken out from my sinus surgery last Friday (the picture is from the movie Total Recall if you aren't familiar). The most amazing thing happened later this morning - I was eating something and didn't have to stop chewing and crack my mouth open to get a breath of air. Lord love a duck (not sure where that came from); it's been almost 6 months since I could breathe like this.

Thursday, September 23, 2010

Back from ArcSight Protect 10

ArcSight Protect 10 was a blast. Would like to write more but feeling like crap. Got a CT scan and saw the ENT today; going in for sinus surgery tomorrow. Lovely.

Thursday, September 16, 2010

Of Logs...and crap. Or is that the crappiness of logs?

The problem with looking through logs is it's a little like looking through a whole lot of poop. Metaphorically speaking. I mean I have never really spent a whole lot of time looking through or pondering poop so I'm reaching here a bit. That isn't to say there isn't value in looking at it. Once you get a baseline, changes in color, volume, frequency, consistency, etc. can all point to a person's general health. There comes a point though where all it is really saying is someone ate something sometime. The point is logs generally tend to fall into the same category. They are evidence of things that have happened. The problem is "what happened" doesn't always translate well to "why something happened". That might sound a bit crazy but walk with me a bit. The sales pitch of a SIEM vendor generally goes like this: "What if a user goes to a malicious site...or gets an infected file...or the user plugs in an infected USB, gets infected, and then the computer starts doing X, Y, and Z. Wouldn't you want to see/alert on that?" Of course. But while the scenario sounds good, what you have heard, even on a subconscious level, is that the SIEM will be able to work backwards and tell you why something happened. In reality not only do you not (generally) start out knowing the computer is infected (aka why it generated the logs), the events it does create are drowning in a steaming cesspool...cessocean of crap from all over. The damn dingleberries (ahem..sorry) are hiding in millions and millions of events.

Monday, September 13, 2010

ArcSight to be purchased by HP

Just got an email a few minutes ago saying HP and ArcSight entered a "definitive agreement" state where HP will purchase ArcSight (news release linky on AS' site). Will be interesting to see how this changes or doesn't change the user conference this weekend. Longer term it will be interesting to see how and when this changes the ArcSight software suite.

Ironically I was RIFed by HP soon after the HP / Compaq merger years ago. Was the lowest man on the totem pole relative to time in the group. If it wasn't for that I wouldn't be here /shrug. (And what a long and winding road it has been from that event to "here".)