Just got back from the annual ArcSight user conference.  They were bought by HP and the conference was called HP Protect 2011.  The conference was excellent as usual.  You get to hear from developers, support staff, consultants, and other customers.  My focus this year was attending sessions on performance tuning and using threat intelligence to enhance correlation.

I gave a presentation at the conference this year on using ArcSight ESM to catch malware that was not caught by anti-virus software.  My slide deck will be available on this site soon.  Thank you to everyone that attended the session.  It was a packed room.  I hope it was worth your time.  Any feedback is appreciated!

P2P .... what P2P?

Here is a summary of an email thread between our team and an end user today:

• Security: You have P2P software installed. This is the third time we told you.
• User: I don't know what you're talking about. I didn't do it, nobody saw me do it. Can't prove a thing.
• Security: How about all these movies you have been downloading. Here is the file listing including time stamps.
• User: Oh, those. Oh, right. It was not P2P the movies came from email. Sorry about that. Never happen again.

This is fairly typical. People just want their tunes and movies, man.

The trouble is two-fold:

1. Bad guys use the same protocols to get data about your company.
2. Set up one of these P2P clients wrong and your HR person just shared employee data out to the Internet.
   

Fun with a mirror

From our beach trip earlier in the summer.



- Posted using BlogPress from my iPad

Location:Carolina Beach

We just got back from Costa Rica a couple of days ago. Flew back the day of the earthquake. The last night we stayed at the Peace Lodge which is in the La Paz Waterfall Gardens. It seems like the hotel and gardens were mostly destroyed by the earthquake. Our thoughts and prayers go out to the victims and their families.

Here is a slide show of our trip highlights!

A new chapter at work

Ok, so I dropped off the planet for a few weeks. Shortly after my last blog post, my boss called to congratulate me on a promotion to manager. While not totally unexpected, it was still a shock. Needless to say, since then I have been planning, reading, listening, and sitting in a lot more meetings that I used to.

Out of all the things I could say, I'd like to highly endorse the Manager Tools website and podcasts. These guys not only know what they are doing, but really convey that knowledge in a way that you can put to use immediately.

ArcSight Logger in front or behind ESM?

This is something I pondered on for quite a while. The mystery was not solved, but revealed quite clearly at the recent user conference. There was a breakout session with architects of the various pieces (ESM, Logger, SmartConnectors, etc) and they discussed the variations.

To me it simply boiled down to this: If you want high performance above all else, put Logger in front of ESM. If you being able have all your correlated events properly connected with EventIDs, then put Logger behind ESM.

For most companies, having Logger in front of ESM may well be what the doctor ordered. This will make sure you have the highest performance and best assurance of not losing events if the database or ESM can not keep up.

If anyone else has other thoughts or I got this confused, let me know in the comments!

2008 ArcSight User Conference

ArcSight hosted it’s annual user conference just outside Washington, DC. This year the hotel had a shuttle to the Pentagon City Metro stop which was nice.

The keynote was from the MCI/WorldCom whistleblower, Cynthia Cooper. She tells a great story and really gives you something to think about. It really is amazing to hear about some of the decisions people have to make everyday. I have been lucky not having to deal with anything that heavy, but hope I would make the right decisions if that time ever comes.