Protect '10 Breakout Sessions

Document created by ektapartani on Jun 2, 2010. Last modified by jmerrill on Jul 8, 2014.
Version 29

ArcSight Protect '10 has something to offer all levels of ArcSight customers! Here is a sneak peek of the presentation lineup...


Have a question? Ask the presenters!

Please tag your inquiry with the session # so that your question may be routed to the appropriate presenter.


Basic Sessions


SN01

Primer: Auditing Oracle Database Activity
Level: Basic
Speaker: Thomas D'Aquino
Databases can generate a fair amount of data. This primer session focuses on using the different types of logs to effectively audit Oracle database activity. Strategies to accomplish your goals will be explained, as well as a demonstration of useful content for monitoring collected data.


SN02

Primer: Auditing Microsoft SQL Database Activity
Level: Basic
Speaker: Thomas D'Aquino
Databases can generate a fair amount of data. This primer session focuses on using the different types of logs to effectively audit Microsoft SQL database activity. Strategies to accomplish your goals will be explained, as well as a demonstration of useful content for monitoring collected data.


SN03

Primer: Got Reports? The ABCs
Level: Basic
Speaker: Mauricio Julian
There is a difference between data and useful information. This primer session explains the basic elements of reporting and shows how to use reporting to turn large amounts of data into usable information.


SN05
Primer: Auditing Network and Firewall Activity
Level: Basic
Speaker: Thomas D'Aquino
Network routers, switches and firewalls can generate a bewildering amount of data. This primer session explains how to separate the important data from the noise. We will demonstrate how to create a good use case so that you can collect the data you need, safely ignore the data you don’t need and improve the efficiency of ArcSight ESM by reducing the events it has to process.


SN06

Primer: Got FIPS?
Level: Basic
Speaker: Normand Bourgeois
Many organizations are required to be Federal Information Processing Standards (FIPS) compliant. This primer session explains how to implement and manage FIPS across ArcSight ESM, ArcSight Logger and applicable connectors.


SN07

Primer: Using Variable$
Level: Basic
Speaker: Javier Inclan
One size does not fit all. This primer session explains what variables are, including global variables. We will demonstrate how to use variables appropriately, including how to extract information from lists.


SN08

Primer: Writing Rules Not Meant to be Broken
Level: Basic
Speaker: Javier Inclan
Rules can help you determine what to investigate. This primer session demonstrates how to construct rules. It will focus on what to consider when building rules and how to use rules to identify events that require further investigation.


SN13

Best Practices for Scaling Log Management
Level: Basic
Speaker: John Bradshaw
This session will discuss the differences between agent and agentless log collection—how each provides capabilities and benefits that should be considered before deploying a SIEM or a log aggregation solution. We will cover centralized vs. de-centralized deployments, considerations for guaranteeing log/event delivery and network performance issues administrators should consider when making deployment decisions.


SN21

How it Works: Assets, Zones, Networks and Customers
Level: Basic
Speaker: Fabian Libeau
ArcSight ESM excels in its ability to assign information to the monitored environment. This presentation will show how this process works, covering both challenges and solutions. Connector map files and variables in filters will also be discussed.


SN39

The Last 1000 Engagements—Lessons from the Field
Level: Basic
Speaker: Ricky Allen
Compiled from the past 1000 engagements, ArcSight global services wants to share best practices with you from around the world. If you are considering a new deployment or just expanding, these best practices will help you plan for the maximum performance and fastest deployment. Details such as identifying the engagement scope, potential deployment risks, detailed project planning, environment sizing, hardware selection, device prioritization, tuning expectations, growth estimates and lessons learned will all be covered during this session. This session is packed with the information that you need to know to make the most out of your SIEM investment.


SN41

Moving Enterprise Security Monitoring to the Next Stage
Level: Basic
Speaker: Paul Brettle
A common issue with security monitoring projects is that they are often justified, budgeted and implemented to resolve a limited number of key issues. The real advantage of security monitoring with ArcSight ESM is that it can be expanded upon easily to cover much more. But how does a customer move this forward, expand on their initial investment and make it do more? What are the steps that they would normally go through and what are the "quick wins" that can be used? How are customers doing this today and where did they start? Attend this session to find out.


SN42

Investigating Financial Application Modeling Techniques in ArcSight ESM
Level: Basic
Speaker: Damian Skeeles
ArcSight ESM provides a range of features such as Active Lists, Session Lists, Trend Reports, and Dynamic Variables that—while individually powerful—can be brought together to create sophisticated content that supports functionality such as stateful tracking, risk scoring, closed feedback loops and real-time, statistics-based correlation. We will discuss a number of techniques developed in the field, explaining the functionality and benefits, while highlighting any useful tips and tricks along the way. You will learn sophisticated analysis techniques applicable to financial data. Note that this presentation focuses on the analysis of financial transaction data, rather than IP-based security data, although some methods may be applicable to both.


SN48

Let Logger Leverage your Logs
Level: Basic
Speaker: Aaron Kramer
Imagine how you will feel when you know the answers to questions your boss will ask you in the future! In this session, you will learn different approaches to adjust to new systems that get added to your list of responsibilities. Get on top of that heap of systems, network and security stuff. This presentation will be most valuable to those with some systems, network or security experience—but novices will benefit, too. Learn how to sift logs like the pros do!


SN59

Optimizing ArcSight Express
Level: Basic
Speaker: Jim Rutherford
ArcSight Express allows you to harness the power of ArcSight ESM in an easy-to-use, pre-configured package. A key element for ease of use was the creation of a wide variety of out-of-the-box content and pre-defined use cases specific to ArcSight Express. In this session, you will learn what makes the default Express content such as pre-packaged use-case-driven filters, rules, dashboards and reports tick, as well as how to start down the path of custom content creation. This session is for administrators who want to get more out of their off-the-rack Express deployment as well as ArcSight Logger customers that are considering whether to make the leap to the world of correlation and sophisticated use cases.


CSN2
Threat Response Triage System
Level: General
Speaker: Mark Runals - Battelle
One of the challenges faced by companies that don’t have a 24x7 SOC is prioritizing investigative time. Attend this session and see the Battelle solution that triages systems exhibiting anomalous behavior, without extensive or rigid, pre-defined, chronological order of events use cases. Highlights include how to scale with available hours, how to quickly add or remove use case triggers, and how to modify individual use case triggers independently of others.


CSN6
Using Reporting to Optimize IT Security
Level: General
Speaker: Amir Alsbih - Kabel Baden-Württemberg
This session discusses how to represent and layout data for maximum report usability and goal achievement. Learn why it is essential to have different reporting and abstraction levels for each level within an organization. IT security key performance indicators that have worked well for Kabel Baden-Württemberg are revealed, as well as lessons learned along the way.


CSN8
Realizing End-to-End Encryption in the Payments Industry
Level: General
Speaker: Steve Elefant - Heartland Payment Systems
Discover how Heartland Payment Systems has successfully tackled PCI issues. This session reviews the challenges and opportunities facing the payments industry to secure sensitive card data through end-to-end encryption. Also covered is the prospect of applying end-to-end technologies to reduce/limit the scope and cost of PCI.


CSN14
What Are Your End Points Telling You?
Level: General
Speakers: Chun Hoer (Nicholas) Lim & Chee Peng (CP) Teh - Intel Corporation
This session shares a basic framework on how ArcSight ESM can be used to detect, monitor and recover end point incidents. Essential components of the framework will be revealed, encompassing event parsing (input), incident detection, correlation, monitoring (process), response, handling and reporting (output). The POC will be demonstrated and use cases discussed. The demo takes participants through an end-to-end implementation – event extraction, parsing via FlexConnectors to the security event manager, correlation and necessary actions.


CSN17
The Evolution of Malware Detection
Level: General
Speaker: Dereck Louis Haye - Unisys
Use the correlation power of ArcSight solutions specifically for malware detection. Learn about the core behavior of malware and how to break it down into components for base detection. Specific examples will be illustrated on how analysts can use devices to detect previously unseen malware hiding in the departments of your organization’s log files. A general knowledge of the ArcSight ESM console and familiarity with rule filters and data monitors will be helpful in getting the most out of this session.


CSN24
Driving Content Creation with Use Case Forms
Level: General
Speaker: Cynthia Jones - USAA
How many times have you heard something like this: "Compliance says to bring this new feed into ArcSight ESM and monitor it for bad stuff"? However, if you don't have a plan for what to look for, how do you even know that your new feed can provide it - whatever data that is? A generic “look for bad stuff” statement can be very dangerous for analysts. It transfers all responsibility to you and absolves the feed provider. This presentation provides a general use case form and covers how to extract this information from your customers to help secure your network environments.


CSN29

Implementing ArcSight Logger for Sustainable PCI DSS 1.2 Compliance
Level: General
Speaker: Michael Hoehl - Godiva Chocolatier
This session will cover PCI project implementation details, as well as operational experiences with ArcSight Logger. Specific topics include building a business case for ArcSight Logger, implementation technical details, GRC use cases, and lessons learned. These insights will be useful for IT staff and management of merchants intending to implement a sustainable approach for PCI compliance and safeguard customer credit card data.


CSN30
Security Operations that Cross International Boundaries
Level: General
Speaker: Patty Long - ING Americas
Building a Security Operations capability for a large company is always a major challenge. From business case creation to implementation, the path requires a good deal of commitment and understanding from the organization. When operations include centers in other countries, the linguistic, cultural and monetary challenges exponentially increase the complexity of the project. Hear from ING on how they addressed the challenges and lessons learned from their endeavor.


CSN32

Achieving Continuous Compliance of Privileged Identities in Challenging Environments
Level: General
Speaker: Philip Lieberman - Lieberman Software Corporation
Learn how to quickly gain (and prove) continuous control over privileged identities in large, complex, highly regulated and extremely secure environments by implementing a solution that provides continuous proof of compliance, as well as near instantaneous alerting of out-of-compliance scenarios. In this session, we will show you how to combine ArcSight technology with Lieberman Software technology to move you into a realm of continuous compliance, with a security SLA, in usually less than a week even in the most complex heterogeneous environments. Gain the upper hand on privileged identities and put auditors on your side! Attendees should understand the high objectives of IT security, the audit process and its findings, business cases for/against security remediation and basic identity management and account usage tracking.


Intermediate Sessions


SN04
Primer: Got Reports? Beyond the Basics
Level: Intermediate
Speaker: Mauricio Julian
There is a difference between data and useful information. This primer expands on Got Reports? The ABCs and explains how to use resources to create reports in your own environment.


SN09

From Water to Wine (or Use Cases to Content)
Level: Intermediate
Speakers: Lisa Huff & Terry Bishop
Learn the best practices to building use cases, starting from requirement gathering through use case build out. We will take you through all the steps to build out an actual use case right before your eyes, including deliverables such as reports and dashboards.


SN11

Correlating Efficiently: Tips, Techniques and Troubleshooting for Writing Content
Level: Intermediate
Speaker: Monica Jain
This session will focus on how to troubleshoot and write content to maximize performance and efficiency. Various correlation-related areas of ArcSight ESM will be examined—including rules, reports, trend reports, filters and data monitors. This session will cover many rules, reports and data monitors, in addition to comparing different approaches to help understand which will have better performance with fewer resource requirements.


SN12

Monitoring Applications without Application Development
Level: Intermediate
Speaker: Brian Wolff
Demand for application logging has grown. However, many applications today do not log transactions. This session will cover how to enable application logging through the database without changing the application code. Examples using the Oracle database will be discussed in this session.


SN14

Network Modeling Best Practices
Level: Intermediate
Speaker: Al Veach
This session will cover network modeling best practices and how the new network modeling tool in ArcSight ESM makes the process easier. Attend this session to hear ArcSight customer success stories.


SN17

Tiered Architectures
Level: Intermediate
Speaker: Brook Watson
This session will focus on the possible ArcSight implementation architectures, including the use of ArcSight ESM, ArcSight Logger and ArcSight Connector Appliance. It will be geared towards ArcSight administrators and authors in charge of maintaining the health and content of each of the ArcSight components. Several potential architectures will be discussed, including: multiple tiered ESM instances, multiple Loggers with a single ESM instance and the traditional single Logger with a single ESM instance. The pros and cons surrounding each architecture and best practices will be discussed.


SN18

Mastering ArcSight Platform Security
Level: Intermediate
Speaker: Yanlin Wang
Wondering how to secure your ArcSight deployment? Learn ArcSight security from all aspects. ArcSight products are on the path to support multiple levels of security configurations: Basic, FIPS 140-2 and Suite B. ArcSight solutions also provide different access control options to satisfy the needs of users from business to government, for example Common Access Card (CAC).


SN24

Jump Start with Use Cases
Level: Intermediate
Speaker: Philip Qian
This session explores the concept of an ArcSight use case, guiding the audience through a number of actual use cases, as well as demonstrating the configuration of the user-friendly Use Case Wizard.


SN25

Best Practices in Using and Understanding Trends
Level: Intermediate
Speaker: David Wiser
This session will be an in-depth look at trend reporting. We will see how trends manage your data. Tips on debugging trends will be provided, including using some undocumented information. This session will also provide tips for using trends to improve overall reporting and ArcSight ESM performance.


SN28

Flex Connector Development Methodology
Level: Intermediate
Speaker: Mark Johnston
Clients are often faced with the prospect of having to implement non-standard log formats into ArcSight ESM, but are unsure how to approach the problem. This session focuses on how to go about creating a flex connector from a holistic view rather than a technical perspective. This session aims to help those clients understand the process and therefore deliver a better valued flex connector.


SN31

Inside an ArcSight Connector—the Journey of a Security Event
Level: Intermediate
Speaker: Girish Mantry
This session covers how the security events acquire information critical for your asset and network modeling, how they are categorized and corrected for the device reported times for accurate correlation, and how the connector protects itself against denial of service attacks while preserving the integrity of the raw event. Take a deeper look at how a raw security event from a device is transformed and enriched to affect your correlation and network modeling in ArcSight ESM.


SN36

CyberCrime Investigator: Forensic Use of ESM Integration Commands
Level: Intermediate
Speakers: Gary Freeman & Paul Bowen
Many security analysts are tasked with assisting HR, corporate governance or law enforcement agencies with intercepting network information to establish evidence that may be used in employee termination or in a court of law. This session explores the concept of network forensic investigations and how ArcSight ESM establishes a chain-of-custody through integration commands and case management. This session will introduce the Integration resource and a number of scripts that can be used to collect additional data during an investigation. This session is intended for security analysts that conduct regular investigations in an effort to collect and preserve digital evidence. We will discuss practical experiences with using Integration commands to proactively scan rogue systems, capture traffic from specific network addresses and respond to Web attacks, all while providing the methodology and best practices for preserving digital evidence with ArcSight ESM.


SN47

Windows Unified Connector Planning, Implementation and Troubleshooting
Level: Intermediate
Speakers: Brook Watson & Lisa Huff
As ArcSight customers expand their security focus from perimeter defense to insider threat, the first device they typically look at is Windows servers. Windows servers contain a wealth of information about what the business's users are doing. Most customer environments consist of hundreds if not thousands of Windows servers and look to ArcSight solutions to provide best practices on how to collect this information. This session will focus on the planning, implementation and troubleshooting best practices surrounding the Windows Unified Connector in large enterprise environments. At the end of this session, you will be able to accurately plan, implement and troubleshoot your own deployment of the Windows Unified Connector.


SN49

IdentityView—Make Identity Context a Part of Everyday Monitoring
Level: Intermediate
Speakers: Ryan Thomas & Colby DeRodeff
ArcSight IdentityView integrates the information about your user population with events monitored in ArcSight ESM to gain critical identity context to what is happening on your network. Learn how to leverage this identity context to satisfy a myriad of use cases such as identifying and monitoring high-risk users, tracking administrative user activity, detecting access privilege violations, monitoring role violations, and more. This session will cover how ArcSight ESM enables you to integrate identity into your everyday monitoring, and includes case studies drawn from real-world customer deployments.


SN50

Advanced Persistent Threat Episode 1: Rise of the Bots
Level: Intermediate
Speakers: Duc Ha & Rishi Divate
At 2:14 am Eastern Time, December 21, 2012, SkyBot becomes self-aware and begins to take over the network. In a panic, the network administrators try to pull the plug, but it is too late. As a member of the Resistance, you are sent back to September 2010 with a sole mission—to seek and destroy the bots, thereby preventing Judgment Day. Your only weapon—ArcSight ESM and its powerful features. In this talk, you will learn to develop creative ArcSight ESM content to detect and track bot activities. Specifically, we will look at constructing ArcSight ESM resources based on different bot communication methods, using real-life examples such as Kraken, Conficker and Zotob. Finally, we will examine how to leverage advanced tools such as Pattern Discovery to detect bot patterns and ArcSight Threat Response Manager to provide automated response action in case of an incident. After this talk, you will be ready for your mission!


SN51

Got Patterns?—Creative Uses of Pattern Discovery  
Level: Intermediate
Speakers: Suranjan Pramanik & Rishi Divate
Pattern Discovery is a powerful ArcSight ESM feature intended to detect subtle, specialized or long-term patterns that might otherwise go undiscovered amongst millions of events. This session will begin by showing how to create basic Pattern Discovery profiles and identify patterns through snapshots. Following, we will show how Pattern Discovery can be used across various use cases in the fraud, identity, operations and network areas.


SN53

Flows Here, Flows There, Flows Everywhere—Using ArcSight Express to Analyze Flow Events
Level: Intermediate
Speakers: Steve Maxwell & Gary Freeman
Flow support is available in just about every router and switch in your network. The impact to those devices when you enable it is minimal—it's free to turn on and there is incredibly valuable information that you can gather from analyzing it. In this session, you’ll learn how ArcSight Express can be used to analyze flow events. We'll cover using ArcSight Express resources such as dashboards, data monitors, active channels and reports to address common use cases around flow events. Who are the top bandwidth users and applications in your environment? What countries are you communicating with? What ports and protocols are being used per server, host or segment? If you're interested in how to analyze flow events, you'll want to attend this session!


SN65

ESM Tools and Integration with Logger and TRM 
Level: Intermediate
Speakers: Ken Mermoud & Dhaval Shah
The ArcSight ESM console is used as the centralized management console for security information and event management. Wouldn’t it be great if the console could show snap-in views or launch contextual actions with any other external application being used in the SOC or NOC? In this session, you will see how to integrate into the ArcSight ESM console contextual views and actions from ArcSight TRM, ArcSight NCM and ArcSight Logger. You will also learn how to integrate any third-party tool or interface with the ArcSight ESM console.


CSN4
Bots/Malware Detection by Leveraging Open Source Resources
Level: Intermediate
Speaker: Chuck Moran - Southern Company
This session reviews methods for leveraging open-source community resources, such as Snort and BotHunter, within ArcSight implementations to help detect and pinpoint previously undetected threats. Come learn about malware threat feeds, and how to create simple scripts and ArcSight ESM rules to automate them. Join us if you are working within the confines of a budget or would like to leverage open-source detection capabilities within your current ArcSight implementations to reduce risk and eliminate previously undetected cyberthreats.


CSN5
How to Write Anything to CEF (Easy Integration with ArcSight)
Level: Intermediate
Speaker: Eric Parker - BAE Systems
Attend this session and learn how to write your own FlexConnectors easily from scratch using CEF. This session discusses techniques for reading simple and complex log files, and explores how to send any script, program output, errors or alerts to CEF. Attendees should have a basic understanding of Perl scripting or other scripting/programming languages.


CSN12
Achieving PCI Compliance Without Modifying Your Applications
Level: Intermediate
Speaker: Florian Leibenzeder - Lufthansa Systems
Learn how Lufthansa Systems achieved PCI provider compliance by utilizing its self-developed PCI Compliance Engine and the power of ArcSight ESM, ArcSight Logger and the ArcSight ESM Compliance Insight Package for PCI. See how relevant audit data needs to be collected, how it is provided to ArcSight ESM and how the workflow around the Lufthansa solution was created by making heavy use of ArcSight ESM internal workflow tools. Basic PCI DSS knowledge is helpful to get the most out of this talk.


CSN13
Mozilla’s Use of CEF in Their Web Applications
Level: Intermediate
Speaker: Christopher Lyon - Mozilla
Mozilla is leveraging CEF in their Web applications for general logging and to identify potential security issues. The use of CEF creates a foundation for applying security correlation to narrow down potential security issues, and ArcSight Logger provides the ability to search upon this data. This session covers why, where and how Mozilla is using CEF, the types of alerts and various use cases. Reasons and technical limitations that drove these changes with Mozilla Web applications will also be discussed. Attendees should have a basic understanding of CEF, ArcSight ESM and ArcSight Logger.


CSN15
Using ArcSight ESM for Malicious Domain Detection
Level: Intermediate
Speaker: Chris Watley - U.S. Government Agency
The traditional way for detecting traffic to malicious domains involves writing Snort-based signatures to monitor DNS and HTTP traffic. This style of detection can have a high false-positive rate and deteriorate the performance of the sensors. By migrating detections into ArcSight ESM, false-positives no longer exist, and the sensors can be used for more proactive signatures. This session discusses how to utilize ArcSight ESM for domain detections: the interaction between active lists, filters and rules, with a heavy focus on the variables used. Attendees of this session should have an understanding of ArcSight rules, active lists and filters.


CSN18
Measuring Security Using ArcSight
Level: Intermediate
Speaker: Dori Fisher - We! Consulting
In order to demonstrate ROI or improve your security posture, quantitative and comparative measures need to be put in place that cover timeframes across the whole organization. This session discusses the challenges and pitfalls, and illustrates the role of ArcSight solutions in implementing security metrics.


CSN19
Building Your Baseline Rule Development
Level: Intermediate
Speaker: Nathan Shanks - Strategic Enterprise Solutions
After you have completed the task of designing and deploying your SIEM, it’s time to get to work building logic that’s right for your enterprise. One of the advantages of centralizing data is the ability to normalize and categorize all the information. Leave your single signature-based rules behind and learn how to develop category-based rules that will give you the framework needed to stay general or specific as needed.


CSN20
Death by Acronym – How to Survive HIPAA, HITECH, and FTC Red Flag Rules with ArcSight
Level: Intermediate
Speakers: Paul Melson - Priority Health and Chris Bothelo - Parkland Health & Hospital System
The past decade has seen a steep increase in federal, state and international regulation of personal data with no signs of slowing in the immediate future. Finding ways to automate monitoring and auditing, as well as streamlining investigations, is necessary just to keep up. This session covers how Parkland Health and Priority Health have moved from a reactive to a proactive stance in monitoring and protecting personal information, and how they conduct incident responses in the event of a breach. Specific examples will be shown for how to monitor and report on the security controls in place to effectively protect personal information.


CSN22
Vulnerability Management with ArcSight ESM
Level: Intermediate
Speaker: Larry Wichman - Unitrin
Vulnerability scanners can provide deep insight into the network, but the amount of data can be overwhelming. This session details how the use of trend queries, query viewers, active lists, asset modeling and drill down menus can help you to quickly sort through the data to pinpoint and prioritize problems. The ability to assess threats and attacks is critical, but only half the battle. We will also discuss how to use ArcSight user groups, cases and reports to assign tasks and verify remediation. Attend this session for a great tool to help thwart hackers, malware and insider threats.


CSN23
Context is King!
Level: Intermediate
Speaker: Pete Babcock - USAA
A single successful login is logged on one of your UNIX servers – do you care? Most SOCs consider that to be normal activity and would not be alarmed. But, what if the user ID is for an employee that was terminated last week? Now do you care? Context is everything when evaluating security events. This presentation will walk through several scenarios, from terminated users to advanced persistent threats, and show how to use context to make better decisions for protecting your organization.


CSN25
Realizing the Value-Add: Operationalize Your ESM Deployment
Level: Intermediate
Speaker: Fernando Patzan - General Dynamics
Deployment of ArcSight ESM and integration of disparate data sources streams a flood of event data and triggers the default content all day long. However, training analysts for role-based responsibilities, creating a supporting workflow for watch operations, developing content tailored to the target infrastructure, and implementing streamlined processes to manage content is key to unlocking the value of ArcSight ESM. From developing repeatable processes to managing I&W’s, this session shares best practices and lessons learned for collaborative SOC environments to take the ArcSight ESM deployment to a future state that focuses on mitigating risk to the infrastructure.


CSN26
Achieving Situational Awareness by Integrating NetWitness and ArcSight ESM
Level: Intermediate
Speaker: Eddie Schwartz - NetWitness
According to recent reports, most enterprises believe that advanced cyberthreats are evading all existing prevention and detection approaches, and situational awareness is critical to fighting them. Using a U.S. Government customer implementation of ArcSight and NetWitness, this session details how to improve cybersituational awareness for detection of these threats. Learn new incident management paradigms for innovative and agile approaches to enterprise-wide situational awareness using ArcSight ESM and NetWitness. A technical case study will be explored describing the scope of the implementation, the people and process requirements and actual, compelling results.


CSN28
Research to Detection: Developing Content to Counter APT-Class Threats
Level: Intermediate
Speaker: Michael Cloppert - Lockheed Martin Corporation
This session discusses the lifecycle of new detection methods, from initial analysis through functional custom data feeds and content in ArcSight ESM. Understanding and executing this lifecycle is critical for combating the most sophisticated adversaries who use custom tools to steal sensitive data. Skills and approaches to be covered include analysis of a particular sophisticated backdoor, development of custom tools to augment existing logs, enhancement of existing connectors to accommodate new attributes added to logs by custom tools, and ArcSight ESM content to support alerting and analysis within the ArcSight infrastructure. Those familiar with command-line analysis methods, Perl, Connector configuration and ArcSight ESM content development are encouraged to attend.


CSN34
Integrating ESM with Network Access Control to Help Manage 100,000+ Endpoints
Level: Intermediate
Speaker: Daniel Conroy - Bank of New York Mellon
Securing a global financial enterprise with 180,000+ endpoints is an ongoing challenge, especially at a bank where the risk exposure is extremely high. This interactive session discusses how the Bank of New York Mellon (BNYM) leverages the power of ArcSight ESM and the ForeScout global network access control system. With this solution, BNYM is able to manage and enforce policy dynamically across the enterprise, thereby improving its security posture, operational efficiency, speed and agility. Attend this session and learn how BNYM is combating today's threats and preparing for the threats of tomorrow, while maximizing compliance reporting and visibility.


Advanced Sessions



SN10

Tips and Tricks in ESM
Level: Advanced
Speaker: Raju Gottumukkala
In this very advanced session you will learn super-user tricks that address displaying the same field in a correlation event from multiple base events; using Negative events; checking and populating a field in an Active List from another field in a different Active List; manipulating Date-type fields in an Active List; and understanding the quirks in Every Threshold and Time Unit triggers.


SN23

Advanced ArcSight Logger Techniques
Level: Advanced
Speaker: Marylou Orayani
This session will demonstrate troubleshooting techniques by analyzing logs retrieved from ArcSight Logger. Attendees will learn how to use Logfu to correlate logs from various components within ArcSight Logger. We will discuss what to look for when perusing ArcSight Logger logs and how to use other analysis tools. If you manage log files on a daily basis, this presentation is for you.


SN58

ArcSight, Monitor Thyself
Level: Advanced
Speakers: Ken Mermoud & Rashaad Steward
ArcSight components provide a wealth of internal audit events on the status of various ArcSight resources. In this session, we will take a close look at what those internal audit events contain and what information an ArcSight administrator can leverage to automatically monitor and restore the health of their ArcSight infrastructure. This session will have a particular focus on ArcSight ESM content and integration tools using audit events across ArcSight ESM, ArcSight Logger and ArcSight Connector Appliance. Anyone needing to monitor critical components of ArcSight solutions at a glance should attend this session.

SN62

Gain Rock Star Status as ESM Manager Administrator
Level: Advanced
Speakers: Dhiraj Sharan & Gagan Taneja
Expand your knowledge and tools to become a successful ESM Manager administrator. The session will start by describing the flow of events inside the Manager. Then we will look at the wealth of information the Manager provides through its run-time status, logs and audit events. Drawing on the history of support tickets, we will take a close look at how to investigate performance, stability and memory management issues. This is a hardcore technical session for those who administer and troubleshoot ArcSight deployments.


SN68

Maximize Connector Deployment with Connector Appliance
Level: Advanced
Speaker: Dilraba Ibrahim
With the latest innovations, the Connector Appliance is becoming a truly turnkey solution for deploying and managing connectors in large-scale environments. Come to learn about revolutionary new features such as connector exchange, cloning remote management configuration, cloning connectors across hundreds of locations, troubleshooting connectors with diagnostic tools, and more.



SN71

ESM Database Performance from the Bottom-Up
Level: Advanced
Speaker: Kerry Adkins
Do you wonder how to achieve optimal performance with your ArcSight ESM database? If your answer is yes, this is the session for you! We will cover all of the layers that affect database performance, starting with storage hardware, RAID levels and how to lay out data files. Moving up, we will cover how to tune your Oracle instance, how to benefit from indexing, and how to optimize for performance. We will also discuss the tools Customer Support DBAs and developers use to troubleshoot database-related performance and stability issues.



CSN3
Synergizing New Threats with ArcSight
Level: Advanced
Speaker: Joseph Peruzzi - Northrop Grumman
Using external open source data that is available through the Internet, it is possible to find new threats on your network. In this session you will be shown how to extract data from various sources and import it into ArcSight ESM. You will also discover how to use that information to locate unknown threats, prioritize incidents and cut malware response time to mere seconds. Those attending this session should have a good working knowledge of ArcSight Connectors, active lists and filters.



CSN27

Automated ESM Content Replication
Level: Advanced
Speaker: Aaron Wilson - SAIC
Learn step-by-step how to successfully automate the replication of content to one or more ESM instances and avoid the pitfalls of ad hoc content replication. Automated content replication is useful in numerous scenarios, such as business continuity, disaster recovery, test instances, dedicated reporting and other multi-instance architectures (also refer to session SN17). This deep dive details tips and tricks around: 1) example project requirements and assumptions; 2) best practices for package design and content administration; 3) built-in archive and package tools; 4) scripting and scheduling; and 5) XML hacking. ArcSight ESM administrators with advanced- or expert-level experience with all content will want to attend. Experience with the *nix command line is recommended, but the tips could also be extended to Windows environments.
