Tuesday, 9/15: Breakout Sessions

Document created by jmerrill on Aug 24, 2009. Last modified by jmerrill on Jul 8, 2014.
Version 5

Have a question? Ask the presenters!

Please tag your inquiry with the session # so that your question may be routed to the appropriate presenter.

Primer: Writing Rules Not Meant to be Broken
Speaker: Chris Brown, Worldwide Technical Trainer-ArcSight
This primer session will demonstrate how rules are constructed. We will review considerations when creating rules, and how rules can be used to identify events that require further investigation.
Level: Basic

Primer: Using Variable$
Speaker: Mauricio Julian, Instructor-ArcSight
This primer session will explain what variables are and how to use them appropriately. Using variables with list information will also be examined. We will explore the types and functions within variables, as well as how to use variables to extract information from lists. Examples will be demonstrated.
Level: Basic

ArcSight Logger
Speaker: Wei Huang, Senior Architect, ArcSight; Alan Bavosa, Senior Product Management Director, ArcSight
See what the future holds for ArcSight Logger. The Logger team is hard at work on a number of groundbreaking technologies which will make their way into future Logger product releases. Areas of focus include major innovations in core functions of the Logger application, including search methodologies and performance, storage architecture, usability, security, authentication, and ESM integration. These new technologies have broad implications and uses within both federal and commercial applications.
Level: Basic

How to Become a Rock Star ArcSight Manager Administrator
Speaker: Christian Beedgen, Security Engineer and Chief Architect-ArcSight
ArcSight Manager provides a wealth of information about its runtime status in the log files located within the ArcSight Manager log directory. In this triple session, we will take a close look at what those logs contain and what information an ArcSight administrator can leverage. We will also explain how to use the Logfu tool, which crunches and aggregates the ArcSight Manager log files. Finally, we will address the always popular topic of memory management in Java and how it relates to ArcSight Manager and other ArcSight products. This is a hardcore technical session for those whose job it is to administer and troubleshoot ArcSight deployments. If you have attended this interactive session at prior conferences, you will want to consider joining after the first hour.
Level: Advanced

SOC for Sale
Speaker: Chris Triolo, Security Operations Consulting Director-ArcSight
You believe that your organization would benefit from building its own SOC to help mitigate risk. Your management chain doesn’t want to spend money on foot apparel (SOCs). This session will help you understand which business requirements matter, how to structure the costs in a manageable way, and then translate the necessity of a SOC into executive approval.
Level: Intermediate

Understanding Partition Management in ESM
Speaker: Dhiraj Sharan, Software Development Manager-ArcSight
This session will cover the life cycle of event storage in the database as it goes through hot, warm, and cold partitions. You will get an understanding of how the core partition maintenance tasks function, including partition management, archival, reactivation, deactivation, compression, and statistics update. You will learn some troubleshooting tips and best practices to ensure smooth sailing of your installation when it comes to managing partitions.
Level: Advanced

Best Practices for Scaling Log Management
Speaker: John Bradshaw, Principal Federal Sales Engineer-ArcSight
This session will discuss the differences between agent-based and agentless log collection and the capabilities and benefits of each that should be considered before deploying a SIEM or log aggregation solution. The discussion will cover centralized vs. decentralized deployments, considerations for guaranteeing log/event delivery, and the network performance issues administrators should weigh when making deployment decisions.
Level: Basic

Correlating Efficiently: Tips, Techniques and Troubleshooting for Writing Content
Speaker: Monica Jain, Senior Software Engineer-ArcSight
This session will focus on how to troubleshoot and write content to maximize performance and efficiency. Various correlation-related areas of ArcSight ESM, including rules, reports, trend reports, filters and data monitors will be examined. This session will cover many rules, reports and data monitors, in addition to comparing different approaches to help understand which will have better performance with fewer resource requirements.
Level: Intermediate

Advanced ArcSight Logger Techniques
Speaker: Marylou Orayani, Senior Software Development Manager-ArcSight
This session will demonstrate troubleshooting techniques by analyzing logs retrieved from ArcSight Logger. Attendees will learn how to use Logfu to correlate logs from various components within ArcSight Logger. This session will cover what to look for when perusing Logger logs and how to use other tools to analyze the logs. This presentation is designed for people managing log files on a daily basis.
Level: Advanced

Tiered Architectures
Speaker: Brook Watson, Solutions Architect-ArcSight
This session will focus on the possible ArcSight architectures, including the use of ArcSight ESM, ArcSight Logger and ArcSight Connector Appliance. It will be geared towards ArcSight administrators and authors in charge of maintaining the health and content of each of the ArcSight components. Several potential architectures will be discussed, including: multiple tiered ESM instances, multiple Loggers with a single ESM instance and the traditional single Logger with a single ESM instance. The pros and cons surrounding each architecture and best practices will be discussed.
Level: Intermediate

Introducing Query Viewers
Speaker: David Wiser, Software Architect-ArcSight
New in ArcSight ESM, Query Viewers provide benefits of both active channels and reports, and add a few new capabilities of their own. This session will discuss how to best use them to monitor your environment.
Level: Basic

Mastering ArcSight Platform Security
Speaker: Yanlin Wang, Software Architect-ArcSight
Wondering how to secure your ArcSight deployment? Learn ArcSight security from all aspects. ArcSight products are on the path to supporting multiple levels of security configuration: Basic, FIPS 140-2 and Suite B. ArcSight also provides different access control options to satisfy needs ranging from business users to government users, for example Common Access Card (CAC) authentication.
Level: Intermediate

ArcSight Logger: Addressing Cyberspace Policy Review for Government
Speaker: Varun Kohli, Senior Manager, Product Marketing-ArcSight
“The Nation’s approach to cyber-security over the past 15 years has failed to keep pace with the threat… The status quo is no longer acceptable.” (Cyberspace Policy Review). Are you doing enough to break the status quo of failed cyber-security? ArcSight Logger can help address most of the guidelines in the Cyberspace Policy Review. This session gives an in-depth look at the seven-step plan for achieving a “safe, secure, and resilient digital environment.” A discussion will be held on the most efficient and cost-effective ways to address the guidelines, as well as their impact on your day-to-day job. Come learn how to keep pace with fast mutating cyberspace!
Level: Basic

Physical and Logical Security
Speaker: Colby DeRodeff, Enterprise Strategist-ArcSight
Learn how monitoring features are used with physical security systems. This session will demonstrate how to monitor and correlate physical and logical security, from detecting the whereabouts of an employee to the presence of a new computer or access point. By correlating information from physical and logical security systems, your organization can achieve a more granular physical security view and identify specific physical access points to the network.
Level: Basic

Monitoring Applications without Application Development
Speakers: Brian Wolff, Principal Sales Engineer, Western Region-ArcSight and Jon Inns, Sales Engineer-ArcSight
Demand for application logging has grown; however, many applications today do not log their transactions. This session will discuss how to enable application logging through the database, without changing the application code. Examples will use the Oracle database.
Level: Intermediate

Using ArcSight to Manage Compliance Expectations
Speaker: Rich Worth, Information Security Engineer-Priority Health
Now that you have ArcSight ESM deployed in your environment, what can you do to tune it to meet your organization's compliance initiatives? In this session, learn how Priority Health has leveraged ArcSight ESM and ArcSight Logger to meet HIPAA, SAS 70 Type II, and NAIC Model Audit Rule compliance. Priority Health has met these initiatives by creating specific content around the following log sources: syslog, Windows domain events, Oracle audit logs, and its claims payment system. The session will touch on how each connector has been deployed (including a FlexConnector for the claims payment system), and review channel tuning, rules and reporting. Additionally, there will be a brief overview of Priority Health's case management workflow and reporting.
Level: Basic

Was that Network Change Approved?
Speakers: Ben Spader, Security Consultant-Spader Consulting; Scott Parkinson, Enterprise Specialist-ArcSight
See ways to enable ArcSight to perform advanced correlation between network changes and the change ticketing system, determining whether a change was made by an authorized person and whether it fell within the change window specified on the ticket. Anyone who needs to take their current rules to the next level should attend this session. This use case covers advanced techniques that can be applied to many other use cases to enhance capability and automation. You will learn to identify whether a network change was made by an approved person, inside or outside an approved change window, or with no change record at all. Attendees should have an in-depth understanding of active lists and of how variables work within rules.
Level: Advanced
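
The three verdicts the session describes (approved person, inside or outside the approved window, no change record), as an added worked example that is not from the session, the speakers, or ArcSight: a short Python script that stands in for a rule plus an active list. It parses constructed syslog lines in the style of Cisco IOS %SYS-5-CONFIG_I messages and checks each against a constructed change-ticket list. The ticket field names, device names, user names, the log lines themselves and the year assumed for the year-less syslog timestamps (2009) are all assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed change tickets. In ESM the equivalent data would live in an
# active list fed from the ticketing system; field names here are hypothetical.
TICKETS = [
    {"ticket": "CHG0001", "device": "core-sw-01", "approved_user": "alice",
     "start": "2009-09-15 02:00:00", "end": "2009-09-15 04:00:00"},
    {"ticket": "CHG0002", "device": "dist-sw-03", "approved_user": "carol",
     "start": "2009-09-15 22:00:00", "end": "2009-09-15 23:00:00"},
]

# Constructed device syslog lines in the style of Cisco IOS %SYS-5-CONFIG_I
# messages: one approved change, then one example of each failure outcome.
EVENTS = [
    "<189>Sep 15 02:30:00 core-sw-01 %SYS-5-CONFIG_I: Configured from console by alice on vty0 (10.1.1.5)",
    "<189>Sep 15 05:15:00 core-sw-01 %SYS-5-CONFIG_I: Configured from console by alice on vty0 (10.1.1.5)",
    "<189>Sep 15 02:45:00 core-sw-01 %SYS-5-CONFIG_I: Configured from console by mallory on vty1 (10.1.1.9)",
    "<189>Sep 15 14:00:00 edge-rtr-02 %SYS-5-CONFIG_I: Configured from console by bob on vty0 (10.1.2.7)",
]

CONFIG_RE = re.compile(
    r"^<\d+>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%SYS-5-CONFIG_I: Configured from \S+ by (?P<user>\S+)"
)


@dataclass
class Verdict:
    device: str
    user: str
    when: datetime
    status: str            # approved | outside_window | unauthorized_user | no_change_record
    ticket: Optional[str]  # ticket the verdict was decided against, if any


def _parse_ts(ts: str, year: int) -> datetime:
    # Syslog timestamps carry no year; the caller supplies it (assumed 2009 here).
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def classify(line: str, tickets=TICKETS, year: int = 2009) -> Optional[Verdict]:
    """Map one config-change event to a change-control verdict; None if the line is not one."""
    m = CONFIG_RE.match(line)
    if not m:
        return None
    when = _parse_ts(m["ts"], year)
    host, user = m["host"], m["user"]

    device_tickets = [t for t in tickets if t["device"] == host]
    in_window = [t for t in device_tickets
                 if datetime.fromisoformat(t["start"]) <= when <= datetime.fromisoformat(t["end"])]

    # 1. A ticket covers this device and this window and names this user: approved.
    for t in in_window:
        if t["approved_user"] == user:
            return Verdict(host, user, when, "approved", t["ticket"])
    # 2. A ticket covers the window, but someone other than the approved person made the change.
    if in_window:
        return Verdict(host, user, when, "unauthorized_user", in_window[0]["ticket"])
    # 3. The user does hold a ticket for this device, but acted outside its window.
    for t in device_tickets:
        if t["approved_user"] == user:
            return Verdict(host, user, when, "outside_window", t["ticket"])
    # 4. Nothing on file for this device and user.
    return Verdict(host, user, when, "no_change_record", None)


def audit(lines, tickets=TICKETS, year: int = 2009):
    """Run every line through classify() and keep only the config-change events."""
    return [v for v in (classify(l, tickets, year) for l in lines) if v is not None]


if __name__ == "__main__":
    for v in audit(EVENTS):
        print(f"{v.when:%Y-%m-%d %H:%M} {v.device:<12} {v.user:<8} {v.status:<18} {v.ticket or '-'}")
```

The ordering of the checks matters: an in-window ticket held by someone else is reported as an unauthorized user rather than as a missing record, because the ticket is the stronger evidence of what was planned. In an ESM rule the same decision would be expressed as active-list lookups on device and user, with the window comparison done in rule variables.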

Policing the Police
Speaker: Brett Kilroe, Global Network Security Engineering-Citi
Learn how to leverage ArcSight built-in functionality in order to monitor itself. This session will cover how to set up ArcSight so that it is easy to control and track what changes your ArcSight users are making to your ESM instance. Topics include user entitlement reporting–monitoring who has access to what in your ArcSight system; resource change reconciliation–monitoring what has been modified, when it was modified and by whom; user administration–monitoring user account creation, modification and deletion.
Level: Intermediate

Building a SOC: Maximizing the Value of a SIEM Implementation
Speakers: James Pasquale, CISSP Director, Managed Security Operations-Verizon Business; Matt Shelton, Principal Engineer, Information Security-Verizon Business
Verizon Business has ten years of experience building and running security operations centers using industry-leading tools such as ArcSight. This experience has allowed us to teach organizations how to maximize the value of their SIEM implementations within their own SOC. Attend this session and benefit from our experience working with companies of all sizes. Learn tips and tricks of the trade, including developing security policies for detecting actionable events, creating reports for operations and management, designing a workflow for incident response, and integrating with external systems to transfer knowledge outside the SOC. This session is geared towards those interested in building out or maturing a security operations center.
Level: Intermediate

Security Incident Handling: Benefits from ArcSight
Speaker: Marc Seiffert, Senior IT Specialist-BMW Group
Is your staff ready to react to security breaches? Are processes and standards in place? Do you know how much money you lose if your data is compromised? IT security is a business concern. Breaking down the boundaries between IT and business is mandatory to add value to your company. When implemented right, standards like ITIL, CMMI and NIST can help. See how BMW, one of the biggest automobile producers in the world, implemented ArcSight ESM and Connectors to support BMW's Security Operation Centre. Learn about our Critical Security Incident Response Team and our Security Event Monitoring Team, and how they work together with standards like ITIL and tools from ArcSight.
Level: Basic

Using Metrics to Build Cross-Departmental Partnerships
Speaker: Neil Desai, Senior Information Security Analyst-TIAA-CREF
Metrics and efficiency are two keys to success in a down economy. In this presentation we will go over determining the right metrics for you; how to measure success; the differences between presentations, dashboards and metrics; and efficiency improvements. ArcSight ESM gives users the flexibility to find the information they need, helps determine the best place to get metrics from, and offers ways to automate gathering the data. By pairing the ESM infrastructure with Logger, the security team can help the company become more efficient overall by giving other IT groups access to certain data. These types of partnerships help management see the benefits of their investments outside the security context.
Level: Basic

Justifying and Proving ROI
Speaker: Brett D. Arion, Architectural Engineer-BlueCross BlueShield of South Carolina
Justifying a software expenditure that will help automate security analysis can be difficult. BlueCross BlueShield of South Carolina experienced this problem, and this session will review how the solution was ultimately justified. We will cover the trials and tribulations of the security staff and security management in working to quantify the need for log analysis; the deployment scenarios used, as well as the issues related to the deployment; the role of ArcSight in getting to the ultimate solution; and the outcome of the ROI and the simplification of security log reviews within the organization. Anyone needing ROI discussion points or interested in seeing how BCBSSC triumphed with the ArcSight solution should attend.
Level: Basic

How the Department of Justice Is Leveraging ArcSight to Combat Network Threats
Speaker: Holly Ridgeway, Deputy CISO and Director of the Justice SOC-Department of Justice
DOJ monitors thousands of events every second from various feeds. It needed a better way to analyze these events and pinpoint suspicious activity on its network. Hear how ArcSight helped the DOJ identify threats and stay one step ahead of the bad guys. You’ll also learn how the DOJ gained a true picture of threat activity on its network – and saved time and money by eliminating false positives and long, drawn-out investigations.
Level: Basic

Intrusion Incident Response: Lessons Learned
Speaker: Jim Jaeger, Director of Cyber Systems-General Dynamics Advanced Information Systems (GDAIS)
The General Dynamics computer network defense group investigates the big hacks and big breaches; many of the largest breaches in US history have been investigated by this division. Attend this session and learn how the attackers got in and why they were not caught by the monitoring systems in place. Hear about the post-breach network remediation done to help our clients achieve a dramatically higher level of network security by architecting ArcSight ESM into the solution.
Level: Intermediate

Next-Generation Fraud Monitoring
Speakers: Carl Froggett, Global Engineering Lead/SVP-Citi; Colby DeRodeff, Enterprise Strategist-ArcSight; Raju Gottumukkala, ArcSight Expert-ArcSight
This session will present the top fraud prevention scenarios that our customers have in production today. Examples include the banking, mortgage, healthcare and tax authority industries. If fraud is a major concern in your industry, attend this session to learn about the common types of attacks and how to catch and prevent them.
Level: Basic