This isn’t what I was going to post, but I’m still toying with that one. There are some discussions, topics, and people that make me just a lil frustrated and full of hate, so instead of possibly tipping my hand too far I’ll divert and post this, since it seems like forever since I have posted anything. Lots going on at work and at home (I know, I’m unique there, right?).
One of the challenges of being in a smaller shop is having tools but maybe not having them open all the time. Anyone in a smaller shop have their SIEM console open all day while at work? One thing I struggle with for dashboards covering things like firewall drops or failed logins is what timeframe the information should cover. If you aren’t looking at the dashboard but once a day, having it focus on the last hour’s events doesn’t make a whole lot of sense to me. One option is to have the timeframe cover midnight to the current time. Another, maybe more common(?), is to cover all of yesterday. The third is a continuously rolling timeframe of, say, the last 24 hours. All have their strengths, but each one shows you a single number with nothing to compare it against. Ideally you would have a multi-column approach where the first column shows the current count going back however far you like, with subsequent columns covering previous time slices: last hour, previous 24 hours, average per day over the last week, for example. This would allow for a quick visual on a rise or fall relative to its own average. That’s a little beyond tricky to do in ArcSight (or other/many/some/lots of other SIEMs).
In the meantime, one thing you can do if you have ArcSight ESM 4.5 or beyond is develop these sorts of dashboards to cover whatever time slice ya please, and then develop and link a series of query viewers to break up those counts by hour over the last 24 hours. That quick drill-down capability would at least allow you to dive into what is otherwise just a number.
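To make the window choices concrete, here is an added example (not ArcSight content, and not code from this blog) that computes, over a constructed set of failed-login events, the three single-window counts discussed above, the multi-column row (last hour, previous 24 hours, weekly average), and the per-hour drill-down a linked query viewer would give you. The event list, the fixed "now", the 3-per-hour background rate and the 40-event burst from 10.0.0.99 are all constructed for the example; a real dashboard would pull the same timestamps from the SIEM's event store.

```python
"""Multi-window counts for a SIEM-style dashboard (added example, not ArcSight code).

Shows why a single window hides a rise: the same events are counted under
"midnight to now", "all of yesterday" and "rolling 24h", then next to their
own weekly average, then broken out per hour for drill-down.
"""
from datetime import datetime, timedelta

# Fixed "now" so the numbers are reproducible (constructed, not a real clock).
NOW = datetime(2010, 10, 20, 14, 30)


def make_events(now=NOW):
    """Constructed sample: (timestamp, source) failed-login events.

    Background noise of 3 failures per hour for the last 7 days, plus a
    burst of 40 failures from one host (10.0.0.99) in the last hour.
    """
    events = []
    for h in range(7 * 24):
        top = now - timedelta(hours=h)
        for i in range(3):
            events.append((top - timedelta(minutes=10 * i), "10.0.0.%d" % (i + 1)))
    for i in range(40):
        events.append((now - timedelta(minutes=i), "10.0.0.99"))
    return events


def window_count(events, start, end):
    """Count events with start < ts <= end (newest edge inclusive)."""
    return sum(1 for ts, _ in events if start < ts <= end)


def single_window_counts(events, now=NOW):
    """The three single-window dashboard choices discussed in the post."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return {
        "midnight_to_now": window_count(events, midnight, now),
        "all_of_yesterday": window_count(events, midnight - timedelta(days=1), midnight),
        "rolling_24h": window_count(events, now - timedelta(hours=24), now),
    }


def dashboard_row(events, now=NOW):
    """The multi-column view: the current count next to its own history."""
    hour = timedelta(hours=1)
    day = timedelta(days=1)
    week_total = window_count(events, now - 7 * day, now)
    row = {
        "last_hour": window_count(events, now - hour, now),
        "previous_24h": window_count(events, now - day - hour, now - hour),
        "avg_per_day_7d": week_total / 7,
        "avg_per_hour_7d": week_total / (7 * 24),
    }
    # Rise or fall of the current hour relative to its own weekly hourly average.
    row["ratio_vs_hourly_avg"] = row["last_hour"] / row["avg_per_hour_7d"]
    return row


def hourly_breakdown(events, now=NOW):
    """Drill-down: counts per hour over the last 24h, index 0 = most recent hour."""
    buckets = [0] * 24
    for ts, _ in events:
        age = now - ts
        if timedelta(0) <= age < timedelta(hours=24):
            buckets[int(age.total_seconds() // 3600)] += 1
    return buckets


if __name__ == "__main__":
    evs = make_events()
    print("single windows:", single_window_counts(evs))
    for name, value in dashboard_row(evs).items():
        print("%-22s %8.1f" % (name, value))
    print("per hour, newest first:", hourly_breakdown(evs))
```

With these inputs "all of yesterday" reports 72 and looks perfectly normal, "midnight to now" reports 85 and looks only mildly busy, while the multi-column row shows 43 in the last hour against a weekly average of about 3 per hour, and the hourly breakdown pins the whole excess on the most recent bucket. That is the comparison a single fixed window cannot give you.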
I would be curious how others have tackled this.
Wednesday, October 20, 2010
Thursday, September 30, 2010
Protect 10 and Logger 4.5
What does this picture have to do with the ArcSight Protect 10 user conference? Absolutely nothing. This is the mental image I had going in today to get the stents taken out from my sinus surgery last Friday (the picture is from the movie Total Recall, if you aren't familiar). The most amazing thing happened later this morning: I was eating something and didn't have to stop chewing and crack my mouth open to get a breath of air. Lord love a duck (not sure where that came from); it's been almost 6 months since I could breathe like this.
Thursday, September 23, 2010
Back from ArcSight Protect 10
ArcSight Protect 10 was a blast. Would like to write more but I'm feeling like crap. Got a CT scan and saw the ENT today; going in for sinus surgery tomorrow. Lovely.
Thursday, September 16, 2010
Of Logs...and crap. Or is that the crappiness of logs?
The problem with looking through logs is it's a little like looking through a whole lot of poop. Metaphorically speaking. I mean, I have never really spent a whole lot of time looking through or pondering poop, so I’m reaching here a bit. That isn’t to say there isn’t value in looking at it. Once you get a baseline, changes in color, volume, frequency, consistency, etc. can all point to a person’s general health. There comes a point, though, where all it is really saying is someone ate something sometime. The point is that logs generally fall into the same category. They are evidence of things that have happened. The problem is “what happened” doesn’t always translate well to “why something happened”. That might sound a bit crazy, but walk with me a bit. The sales pitch of a SIEM vendor generally goes like this: “What if a user goes to a malicious site…or gets an infected file…or the user plugs in an infected USB, gets infected, and then the computer starts doing X, Y, and Z. Wouldn’t you want to see/alert on that?” Of course. But while the scenario sounds good, what you have heard, even on a subconscious level, is that the SIEM will be able to work backwards and tell you why something happened. In reality, not only do you not (generally) start out knowing the computer is infected (aka why it generated the logs), the events it does create are drowning in a steaming cesspool…cessocean of crap from all over. The damn dingleberries (ahem…sorry) are hiding in millions and millions of events.
Monday, September 13, 2010
ArcSight to be purchased by HP
Just got an email a few minutes ago saying HP and ArcSight entered a "definitive agreement" state where HP will purchase ArcSight (news release linky on AS' site). Will be interesting to see how this changes or doesn't change the user conference this weekend. Longer term it will be interesting to see how and when this changes the ArcSight software suite.
Ironically, I was RIFed by HP soon after the HP / Compaq merger years ago. I was the lowest man on the totem pole relative to time in the group. If it wasn't for that I wouldn't be here /shrug. (And what a long and winding road it has been from that event to "here".)