Monday, 9/14: Breakout Sessions

Document created by jmerrill on Aug 24, 2009. Last modified by jmerrill on Jul 8, 2014.
Version 6

Have a question? Ask the presenters!

Please tag your inquiry with the session # so that your question may be routed to the appropriate presenter.

Primer: Get With the Event Flow—ArcSight Data Monitors
Speaker: Brock Pearson, Instructional Designer-ArcSight
Data monitors are a key component in the ArcSight environment for monitoring security. This primer session will explore data monitors in detail—starting from the beginning and showing how to set up and debug data monitors. Methods to allow efficient operation of data monitors will be provided. Interaction between data monitors and other resources within ESM will be demonstrated.
Level: Basic

Primer: Got Reports?
Speaker: Mauricio Julian, Instructor-ArcSight
This primer session will explain how reporting is used to compile a large amount of data into usable information. The resources used to create a report will be discussed and explained to allow participants to understand how reporting can be utilized in their own environment.
Level: Basic

Scaling ArcSight Deployments—The Whole Family is Invited
Speakers: Christian Beedgen, Security Engineer and Chief Architect-ArcSight, Hector Aguilar, Vice President Software Development-ArcSight, and Marylou Orayani, Senior Software Development Manager-ArcSight
ArcSight provides a platform and an ecosystem for enterprise event management. Attend this session and meet the architects of the ArcSight products. Uncover best practices to deploy an ArcSight ecosystem addressing multi-national companies with multiple sites and complex dataflows. Come prepared with your questions for the panel discussion!
Level: Intermediate

Best Practices in Using and Understanding Trends
Speaker: David Wiser, Software Architect-ArcSight
This session will be an in-depth look at trend reporting. Details will be provided on how trends manage data, how to debug trends, advanced editor attributes, and the use of trends on trends. This session will also provide tips for utilizing trends to improve overall reporting performance.
Level: Intermediate

Shedding Light on Side Tables
Speaker: Stefan Zier, Manager, Platform Engineering Team-ArcSight
ArcSight ESM stores parts of each event in side tables. This session explains how side tables and side table caches benefit system performance and save disk space. You'll learn how to proactively monitor and control the size of side tables, as well as tips and tricks for building or customizing connectors and building rules.
Level: Advanced

Deep Dive into Windows Auditing
Speakers: Till Jäger, Principal Sales Engineer, ArcSight; Fabian Libeau, EMEA Director, ArcSight
Microsoft Windows has the ability to audit various user activities by default, including authentication, authorization and administration information. This session will demonstrate how to get the most out of the standard auditing functionality of Windows, show how different audit events relate to one another, and point out where the limitations of that correlation lie. Furthermore, several use cases will be developed and highlighted to show how Windows auditing functions can be implemented in ArcSight ESM to increase the security posture and to deliver meaningful data.
Level: Advanced

Best Practices for Content Development in ESM
Speaker: Ryan Thomas, Engineering Manager-ArcSight
This presentation will teach you the best practices for content development used by our own ArcSight Solutions team. These practices will help you consistently build logical and efficient content that increases the effectiveness of your ESM implementation. You will learn the “do’s and don’ts” of developing content with a use case-oriented approach. To get the most from this session, you should have experience with content development in ESM.
Level: Advanced

The All New Windows 2008 Event Log
Speaker: Doron Keller, Senior Solutions Engineer-ArcSight
In Windows 2008 and Vista, Microsoft revamped their event log. They introduced many more audit categories and a whole new event ID schema, and modified the information included in the events. This session will highlight the new features of the Windows 2008 event log, compare it to the Windows 2003/XP event log, point out the challenges and suggest solutions. This session is a must for anyone who has Windows-based servers in their environment and would like to maximize the value that is concealed in their logs.
Level: Intermediate

Top 10 Ways to Ensure Your SOC Fails
Speaker: David Mackey, Managing Principal-ArcSight
The business of running a SOC is a difficult one. It takes motivated and experienced people, a full set of mature processes and procedures, and a powerful SIEM solution to pull in the right security events. Wouldn't it be easier just to let your SOC fail? This session will give you the 10 easy steps to help your SOC fail.
Level: Intermediate

Troubleshooting Connectors: Traditional Way and the Connector Appliance Way
Speakers: Dilraba Ibrahim, Manager of Software Development-ArcSight and Hector Aguilar, Vice President Software Development-ArcSight
In this session, you'll learn how to improve connector effectiveness in a stand-alone environment as well as a connector appliance environment.
Level: Advanced

Network Modeling Best Practices
Speaker: Al Veach, Professional Services Senior Security Strategist-ArcSight
Learn network modeling best practices and how the new network modeling tool in ArcSight 4.5 makes the process easier. Customer success stories will be included in this session.
Level: Intermediate

Make Your SmartConnectors Smarter with CEF
Speaker: Morgan DeRodeff, Security Analyst-ArcSight
The ArcSight Common Event Format (CEF) allows you to easily integrate your custom applications with ArcSight using your existing SmartConnector. In this session you will learn how to construct a CEF message and send your events to ArcSight in minutes. If you can control the log formats of your applications and learn how to use CEF, you will have an efficient alternative to developing FlexConnectors.
Level: Basic

Risk Monitoring in Real-Time
Speaker: Marc Blackmer, Principal Sales Engineer-ArcSight
Every organization's success is dependent upon a number of business processes, each of which is exposed to risk. In-house audits, third-party reviews and risk analysis solutions all help to provide insight and mitigation, but how do the outputs of these translate into real-time risk monitoring? Discover the power of Common Event Format (CEF) and the out-of-the-box capabilities of ArcSight ESM to provide real-time operational dashboards reflecting current risk posture; calculate threats in real-time based upon third-party risk metrics; and report on current risk status by line of business, severity, asset and more.
Level: Intermediate

Been There, Done That. And Now That I Know, I Would...
Speaker: Don Murdoch, Security Engineer, Principal II-Amerigroup
With two years of an ArcSight ESM installation under my belt, I've definitely learned some lessons. This session addresses "if I had only known" topics such as reporting and tracking for your environment, meeting the call of compliance, deciding which default content is needed and when, and building trends and FlexConnectors. I will discuss managing growing pains and present several security monitoring wins achieved along the way. You will gain practical examples to aid you in your own ArcSight implementation.
Level: Intermediate

ArcSight Reports: No More Coffee Breaks for the Analyst!
Speaker: Thomas D. Cajohn, Security Analyst, Northrop Grumman
Many times I have heard analysts say, "I just started my ArcSight report, time to get coffee." Well, not anymore! By understanding what the analyst is looking for, new database indexes and utilizing new features in ArcSight, the wait can be eliminated. This session is geared towards the user who is familiar with modifying ArcSight configuration files. Attend and learn how to support data retention policies, better understand ArcSight queries and hints, and see successful examples.
Level: Intermediate

Using Regular Expressions in Rules
Speaker: Pete Babcock, Lead Security Analyst-Fortune 200 Financial Company
In the ArcSight ESM manual, there is a section that describes “Matches” that has a very intriguing definition: “For extended regular expression pattern-matching for string types using Perl 5 syntax. Supports regular expressions (regex). Note that Matches is used in rules only.” I was curious and developed the perfect use case to learn more: detecting when users accidentally expose their passwords in log files. This session will share what I have learned using RegEx in ESM rules and how to automate the detection of those exposures. Attendees should be familiar with at least basic rules writing to receive the full value of the session.
Level: Intermediate

Turning ArcSight into a Critical Business Application
Speaker: Paul Baartz, Senior Information Security Officer-World Bank
This presentation focuses on how a small ArcSight team utilizes the features of an ArcSight infrastructure to deliver meaningful and valued results within a large and dynamic organization. Topics will include targeted service delivery, event tagging, automation, rules sharing, event notification structure, critical data source integration, organization structure, and lessons learned in deployment of an ArcSight infrastructure.
Level: Basic

Innovators Panel: Identity and Fraud Monitoring
Moderator: Glen Sharlun, VP of CSO, ArcSight
Attend this interactive panel of industry leaders in a candid discussion on fighting the battle against cyberfraud, cybertheft and cyber espionage. Hear how the ArcSight SIEM Platform is a strategic tool in their arsenals, enabling comprehensive enterprise monitoring of IT infrastructure, users and identity, data and applications.
Level: Intermediate

Innovators Panel: Critical Infrastructure
Moderator: Reed Henry, Marketing Senior Vice President, ArcSight
This panel will gather a group of your peers and experienced thought leaders who will discuss security issues surrounding critical infrastructure. Attacks are often sensationalized in the media. But the truth is, organizations that run critical infrastructures are at risk. Because of the widespread impact and level of devastation that successful attacks may yield, it is essential to address the issues before a catastrophic incident occurs. Hear what experts from both public and private sector backgrounds have to say. What does the future hold and what can be done to protect your critical infrastructure?
Level: Basic

Innovators Panel: Security in the Cloud
Moderator: Nils Puhlmann, Co-Founder, Cloud Security Alliance
With the increased adoption of cloud computing, many companies are evaluating what type of cloud services and offerings might be attractive to them. But a broad spectrum of potential security concerns also comes into play when choosing a cloud service or provider. How does a potential customer ask a cloud provider the right questions and make sure that the right security controls are in place? What level of transparency about the cloud provider's security controls and architecture is expected? How can a security team continue to assure the confidentiality and integrity of data and assets if some of them move "into the cloud"? And are there potential security benefits to using cloud-based services? In this panel we will ask experts to talk about some of the most common security concerns around cloud computing and will provide guidance on how to understand and address them.
Level: Basic

SIEM Evolution: A Day in the Life of a Security Architect
Speaker: Stijn Vande Casteele, Senior Security Architect, Telindus
Back in 2003, Telindus developed a business case for delivering SIEM managed security services to the enterprise market. This session sheds light on the different tooling migrations and explains in depth the different evolutions we achieved from an architecture, security operations, services and content evolution standpoint. It is geared towards application developers, architects, SOC employees, business consultants and program managers.
Level: Intermediate