Showing posts with label ArcSight User Conference.

Saturday, July 31, 2010

A little ArcSight conference breakout session self promotion

I figure since I have a blog upon which to write why not do a little promotion for the breakout session I am leading at the ArcSight 2010 User Conference.

I knew going into the 2009 User Conference that based on our daily event count ArcSight thought of us as being a medium sized company – and on the lower end at that. Certainly, I thought, we weren’t really “that” small. In short, we were. The reality is even though our event count has increased since then, we still are. At last year’s conference I was quickly struck by the number of very large companies who use this product and their multiple hundred million EPD. By and large the historic ArcSight tool and mindset has been with this sort of company in mind. One can generalize they have a 24x7 SOC with staff ready to receive alerts and respond in (near) real time. (accurate?) As a relatively small shop (average or mean sized?) we simply don’t have the same level of staffing resources. This has led us to a somewhat non-traditional alerting system.

Tuesday, July 20, 2010

ArcSight 2010 User Conference breakout session list has been posted

The ArcSight 2010 User Conference breakout session list is out for those that haven't seen it yet (conference information can be found here). I really enjoyed last year's conference and am certainly looking forward to this one. If you are on the fence about going and haven't gone to one yet - send someone. Actually, send 2 someones: a manager and an ArcSight admin type. This way, in theory, you can absorb and later plan at both the strategic and tactical level. If you send 2 people, see if your company can spring for travel for a 3rd person by tapping into ArcSight's "BOGO" deal - send 2, get the third ticket free. If you are going to be deploying or have just deployed, you REALLY need to send someone(s). I mentioned to my boss last year that if we had gone it would have accelerated our development/grasp of the tool by at least 3 or 4 months, since the conference happened between when we made the decision to go with ArcSight and when professional services came out to install it. Granted, that curve gets smaller the longer you have had the product in house and the more time/FTE you have dedicated to the tool.

Thursday, June 3, 2010

Arcsight '10 User Conference - Presentation Idea

Sadly it's not looking good for the presentation idea I submitted for the ArcSight '10 User Conference. Don't get me wrong - I know I am a little fish in a big pond, but I really think there is some value. How much value there is relative to other items on the plate is another topic, and one they will ultimately decide.

What I had hoped to talk about was the framework/system I designed to let anomalous activity "bubble up" to the surface without elaborate and extensive use cases. Anomalous activity and systems, in a sense, almost triage themselves. While many large, 24x7 SOC operations probably have people watching events scroll by and reacting in near real time, there are many SMB types out there that simply can't sustain that type of op / op tempo. The few companies and individuals I have interacted with who also use ArcSight or another SIEM/LM tend to fall into the category where, if they don't have a 24x7 shop, they spit out daily reports that are reviewed in the morning w/o really leveraging all that their SIEM can provide. There aren't a whole lot who have comfortably found the middle ground. Granted, my data set for that observation is fairly small.

Don't get me wrong - this isn't a silver bullet or an especially magical use of the product. It does, however, provide an extensible framework that alerts users and then gives quick access to pertinent live and historically siloed data when they open the ESM console, without having to root around.

Of course one of my hidden agendas was for other experts to tell me how much better their systems are. That would give me additional insight and help me add to and refine my own. I also hoped it would spark discussion along the lines of best SIEM/ArcSight use for SMB types.

Update: I gave up hope too soon. ArcSight has accepted the presentation idea and asked me to run one of the breakout sessions. Am excited!