Breakout Sessions
The ArcSight 2007 User Conference breakout sessions cover a range of topics, with something for everyone. There are deep dive technical tracks for the experienced ArcSight user, and higher level tracks for someone who is new to using ArcSight solutions. The sessions are divided into two groups: Technical Sessions, which review the products in detail, and ArcSight in Action, which features customer case studies and use cases.
TECHNICAL SESSIONS
04 - How it Works: Assets, Zones, Networks and Customers
One strength of ArcSight ESM is its ability to assign information to the monitored environment. This session will show how this works, along with the challenges and solutions. Included in this session are connector map files and variables in filters.
Level: Basic
07 - Building an Overview Dashboard
Many ArcSight Solutions (including the ArcSight ESM Compliance Insight Package for PCI 2.0 and the ArcSight ESM Compliance Insight Package for IT Governance 3.0) make use of an overview dashboard which shows the overall state of compliance. This session will show not only how an overview dashboard helps when configuring ArcSight Solutions, but also how it can be used for other applications.
Level: Basic
08 - ArcSight Interactive Discovery: Identify Malicious Insider Activity
This session will take the user from generating data in ArcSight ESM to loading it into ArcSight Interactive Discovery. It will also introduce and discuss why visual analysis of event data is an important and useful addition to reviewing textual log files. An insider threat demonstration will highlight the solution.
Level: Advanced
10 - Understanding ArcSight CEF - Common Event Format
This presentation will discuss the infrastructure of ArcSight Common Event Format. We will introduce the standard format and outline the benefits ArcSight customers receive from device vendors. We will also look at the standards landscape and discuss the future.
Level: Basic
13 - NOC-SOC Synergy: Integrating ArcSight ESM, TRM and NCM
This presentation will discuss the integration between ArcSight ESM, ArcSight TRM and ArcSight NCM. We will explain how it will bring convergence between the NOC and the SOC and empower organizations to have a comprehensive enterprise threat solution, from detection to remediation. You will learn how the ArcSight ESM console can quarantine nodes, run network configuration wizards, correlate based upon network topology and have a single console for network and security management.
Level: Advanced
19 - Get More Value Out of Your SAP ERP Audit Log
This presentation will demonstrate how ArcSight ESM can help you use the SAP audit log to fulfill regulatory compliance, detect insider threat or increase your overall security health status.
Level: Advanced
22 - Report Performance Tuning
This presentation is a collection of practical suggestions directly related to the ArcSight environment. Attend and learn how to tune your environment to produce quicker running reports while reducing stress on system utilization.
Level: Advanced
23 - Deep Dive into ArcSight ESM Rules
This presentation highlights the capabilities of rules. It explores advanced features including: velocity expressions, negated aliases, OS command interaction and active list use cases. These features provide a powerful arsenal of tools to capture and correlate security information.
Level: Advanced
24 - Session Lessons: Correlation, Lists and Rules
This presentation highlights the use of session information in event correlation. It will delve into session lists, active lists with values and their use in various correlation pieces like rules and reports. It will also discuss non-real time session information using scheduled rules.
Level: Basic
26 - Where in the World Is That Field?
One of the most critical things to understand when writing content for ArcSight ESM is where information is populated within the ArcSight ESM schema. In this presentation we will discuss where information is stored, how to parse events, override values and add custom mappings. Knowing this helps ensure your FlexConnectors map consistently to the ArcSight ESM schema and the content that you build will provide maximum value. Whether you're looking for the username from a logon or the database table name in a select statement, you must know where to look for it before you can write content or build FlexConnectors.
Level: Basic
27 - Deep Dive into Data Monitors
Data monitors are a key component in the ArcSight environment for monitoring security. This session will explore data monitors in detail - starting from the beginning and showing how to set up and debug data monitors. Various tips will be provided to ensure efficient operation. Changes introduced into ArcSight ESM 4.0 will be covered. Once the data monitor is running, the presenter will show how it can interact with other key ArcSight resources to provide additional correlation capabilities.
Level: Advanced
28 - Using FlexConnectors to Import Vulnerability Scan Reports and Leveraging the Imported Data for Correlation
FlexConnectors for vulnerability scanners are very similar to other FlexConnectors, but also have some unique aspects. This session will explain the key components of the FlexConnector specification for importing scan reports from different vulnerability scanner devices saved in the form of XML files, text files and databases. Once the data is imported, this presenter will demonstrate how an organization's assets and vulnerabilities are modeled in ArcSight ESM and how this information is used in correlation and event prioritization.
Level: Advanced
29 - Deep Dive into XML FlexConnectors
This session will discuss the XML FlexConnector, newly added to the ArcSight suite of FlexConnectors. These FlexConnectors allow you to specify the information you want to pull in from an XML report or stream into ArcSight ESM in an elegant way using the W3C XML query languages XQuery and XPath.
Level: Advanced
31 - The Three Amigos: Configuration, Logging and Flow
In this session we cover ArcSight ESM configuration files, ArcSight ESM log files and walk you through major components of ArcSight ESM as security events flow through a system. You will learn from meaningful explanations designed to extensively inform you in configuration, logging and flow.
Level: Advanced
36 - Best Practices for Content Development
This presentation will teach you the best practices for content development used by the internal ArcSight Solutions team. These guidelines will help you quickly build quality content to increase the effectiveness of your ArcSight implementation and increase ROI.
38 - ArcSight Pattern Discovery: Advanced Forensic Technique for Mining Log Data
The presentation will describe the concept of a pattern in the context of network events. Included is a step-by-step demonstration of the ArcSight Pattern Discovery workflow in ArcSight ESM and how to use the patterns to write new rules and raise alerts.
Level: Basic
39 - Deep Dive into Trend Reporting
This session will be an in-depth look at trend reporting. Details will be provided on: how trends manage data, debugging trends, advanced editor attributes, and the use of trends on trends. The session will also provide tips for using trends to improve reporting performance. (Recommended prerequisite: session #98)
Level: Advanced
40 - Upgrading to ArcSight ESM 4.0
This session will walk you through the process of upgrading an ArcSight ESM 3.0 or ArcSight ESM 3.5 installation to ArcSight ESM 4.0.
Level: Advanced
41 - Deep Dive into Windows Domain Event Log
This session delves into the Windows domain event log connector. Topics include: how Windows audit events are retrieved from remote domain controllers and servers, how each event is decoded through Windows system DLL, how a security ID or globally unique ID is translated to a user, computer or other Active Directory object name, and how to do diagnostics.
Level: Advanced
43 - Monitoring Business Significance Leveraging Variables
This session covers all types of dependent variables (DVs) and goes through real-world use cases. It will discuss how DVs provide a finer control to users in creating reports, rules and filters, and are useful when checking intersection of asset categories.
Level: Advanced
47 - Report Authoring in ArcSight ESM 4.0
This presentation will cover the new workflow of building a report using ArcSight ESM 4.0. The workflow has been broken out into three separate resources (templates, query, and report) to allow for greater control over the appearance and content of a report.
Level: Basic
50 - Content Management Using Packages
This session will cover how packages work and the requirements to have successful content management, updates and migration. Learn how packages make the management of ArcSight system and solution content more straightforward.
Level: Advanced
52 - Harness the Full Power of ArcSight SmartConnector
This session will describe new advanced features in the ArcSight SmartConnector framework and how they could be used. New features include map files, the event integrity component and aggregating and filtering events.
Level: Advanced
53 - Deep Dive into Resource Validation
This session will provide an in-depth review of resource validation in ArcSight ESM 4.0 and demonstrate how to effectively use resource validation to protect the ArcSight ESM system.
Level: Advanced
54 - Log Management Simplified with ArcSight Logger
Colin Henderson, CISSP, Senior Security Analyst, Tyson Foods
This session will provide an overview of ArcSight Logger, an easily searchable, high performance and cost effective raw log data repository for regulatory compliance, forensics, IT troubleshooting and more. You will also learn how ArcSight Logger can complement your ESM investment and significantly reduce database management effort. The session will include a customer case study and will provide a technical introduction to the ArcSight Logger architecture.
Level: Basic
64 - Shedding Light on Side Tables
ArcSight ESM stores parts of any event in side tables. This session explains how side tables and side table caches benefit system performance and save disk space. You'll learn how to monitor and control the size of the side tables proactively and tips and tricks for building or customizing connectors and building rules.
Level: Advanced
67 - Correlating Efficiently: Tips and Techniques for Writing Efficient Content
This session will focus on how to write content to maximize performance and efficiency. Various correlation-related areas of ArcSight ESM (including rules, reports, trend reports, filters and data monitors) will be examined. The session will cover many rules, reports and data monitors, and compare different approaches to help understand which approaches will have better performance and be less resource intensive.
Level: Advanced
69 - What Is the "Logfu?"
This session introduces Logfu, a tool that processes Connector logs to present a visual representation of the data. With this tool, users can graphically analyze logs by selecting different bits of information that can be plotted against each other to identify potential problems or simply to analyze Connector performance over time. A live demo explains how users can leverage the power of Logfu in real life scenarios.
Level: Advanced
70 - ArcSight Connector Troubleshooting
Using real-life scenarios, this session will demonstrate troubleshooting techniques by analyzing Connector logs. Attendees will learn how to use the troubleshooting tools ArcSight provides and will get an advanced understanding of the Connector logging infrastructure. This mid-to-advanced-level presentation is designed for people managing Connectors on a day-to-day basis.
Level: Advanced
71 - Automating Import of Assets and Active List Values
This session will introduce tools to automate populating active lists and importing large numbers of assets into ArcSight ESM. The focus will be on using information in Active Directory. A use case will show how Active Directory information can be used for user modeling in ArcSight ESM.
Level: Advanced
82 - Audits and Reporting - How to Leverage Configuration Control for Compliance and Audit Success in a PCI World
This session will highlight the audit and reporting capabilities of ArcSight TRM and ArcSight NCM. Topics will include an outline of the standard content (default reports) provided "out of the box" with each product, how to adjust standard report definitions to produce customized reports, how to support audit processes with configuration change information logged by ArcSight TRM and ArcSight NCM, and how to author new reports as required. Attendees will learn what information is available to support audit requirements, how to run, maintain and author reports, and how customers have used these capabilities to satisfy their compliance mandates.
Level: Basic
84 - Overview of ArcSight NCM
This session will describe how ArcSight NCM increases the efficiency and effectiveness of IT and network staff by simplifying and controlling the processes of installing, updating, auditing and reporting on network infrastructure devices such as routers, switches, firewalls, VPN access points, wireless access points and more. Attendees will learn about major ArcSight NCM functions and features, how the appliance platform simplifies installation and administration and how it provides the controls, audits and reports necessary to support compliance initiatives.
Level: Basic
88 - Overview of ArcSight TRM: Now that You've Found the Problem, What Do You Do?
ArcSight ESM processes millions of raw events each day to find the small number of threats that must be dealt with immediately. This real-time threat detection can now be matched with an equally precise and timely threat remediation product called ArcSight TRM. Attendees will learn how to further leverage their ArcSight ESM investments with a surgically precise threat response, how to build incident response workflow around ArcSight TRM and how to use it to facilitate cooperation between the security and networking teams.
Level: Basic
91 - Connector Management Simplified - ArcSight's New C-Series Connector Appliances
Learn about ArcSight's new series of turnkey appliances for remote collection and centralized management of Connectors. Any organization planning on expanding their ArcSight ESM or ArcSight Logger deployments as well as those with existing large, distributed connector infrastructure will benefit from the new remote collection appliances and the universal, centralized connector configuration capabilities. In addition to common use cases, this session will also provide an architectural and functional overview of the new Connector appliances.
Level: Basic
93 - User Correlation: The ArcSight Perspective
Identity and role correlation add an entirely new dimension to addressing both security and compliance. ArcSight is uniquely positioned with its core capabilities to offer a range of capabilities that are geared to tracking suspicious user activity not just focused on IP/MAC addresses. This presentation will address the entirety of the user correlation process including which event sources to collect from and how, and how to use this additional information with rules, active/session lists, dashboards and reports. The session will conclude with case studies that explore various scenarios.
Level: Advanced
94 - ArcSight with Identity Management Solutions
Identity management solutions continue to grow in popularity and their value is only amplified by SIEM. This presentation will cover: what IDM can provide that integration with LDAP/Active Directory and similar solutions does not; how to integrate ArcSight products with IDM; how this will make SIEM better and IDM better; and case studies that illustrate integration scenarios.
Level: Basic
95 - Risk Assessment Dashboards
From CXOs and Legal to HR and compliance-focused managers, security is playing a critical role in making business decisions. One way to arm these individuals with valuable data is to provide real-time dashboards that can represent various aspects of the organization's status. In this presentation you will learn why this information is so useful to non-security and non-IT consumers, and how this information can be made available through various dashboards and graphical data representations. Case studies will highlight key aspects of ArcSight's capabilities.
Level: Basic
96 - A World of Possibilities: Connector Appliance and ArcSight Logger
ArcSight Logger can receive and forward events from/to different sources/destinations. This presentation will describe the complex environments and data flows that involve interfacing with ArcSight Connectors. Attendees will learn how to take infrastructure to the next level by harvesting the full power of connectors in combination with the connector management appliance, and learn how to remotely configure fail over and redundant destinations as well as bandwidth limitation, aggregation, raw event processing and other advanced Connector features in ArcSight Logger environments. The session also presents use cases of integration between ArcSight Logger and Connectors via Connector Appliance, ArcSight Logger receivers and forwarders.
Level: Advanced
97 - Strangers in My Yard, Be Gone! Moving Untrusted Systems into an Isolation VLAN
Devices that have left your enclave environment and connected to public networks cannot truly be trusted - but what should you do when someone plugs an untrustworthy device into your network? In this session, attendees will be presented with a detailed use case and technical solution that automates the process of moving untrusted systems into an isolated VLAN where they can be triaged and evaluated before being granted access to production networks. The session will cover the technical details behind ArcSight ESM and ArcSight TRM that provide these capabilities.
Level: Basic
98 - Using Trend Reporting in ArcSight ESM 4.0
Trend reporting is new functionality in ArcSight ESM 4.0 that provides the ability to monitor long-term changes in a security environment. This session will show how the data is gathered, and what the various fields that users see on the console do "under the covers." Basic query construction for trends and report construction using trends will also be covered. (Note: It is recommended that the attendee be familiar with report authoring in ESM 4.0 or have attended session #47.)
Level: Basic
ARCSIGHT IN ACTION
02 - Use Case Education: What the Heck is a Use Case, Anyway?
Through examples, this presentation provides a framework that teaches everyone from executives to technical team members how to develop Use Cases. It will first frame the big picture problems people are trying to solve, and then show how to break these problems down into discrete objectives that can be analyzed and reported in ArcSight. The session will conclude with a whiteboard discussion that will encourage everyone to think and share ideas and information about their own environments.
05 - More Regulations, Less Work: Making Compliance to Work for You
This session will explore how to best manage multiple regulations and standards within a single platform, and develop a continuous compliance methodology using ArcSight that will increase your audit efficiencies and reduce your support costs. Specifically addressed will be: keys to mapping regulations and standards together to avoid overlap, how to manage ad hoc compliance-related requests by leveraging previous investments, why regulations with separate business drivers don't have to mean more work, and how to reduce cost, risk exposure and workload.
14 - Uncovering Social Engineering Attempts in E-mail with ArcSight ESM
Lancer Mott, Cyber Warfare Specialist, Department of Defense
This award-winning ArcSight customer will discuss:
- The Threat - Targeted Phishing (a.k.a. Spear Phishing)
- The Approach - Insight into the thought process behind this solution and the methodology developed
- The Tool - Demonstrate how ArcSight ESM has been configured to reveal the threat for successful mitigation and a solid defense
Network administrators, security officers, business managers and executives will all benefit from the overview of this growing concern and understand an effective way to help manage it within their own organizations.
30 - Correlating ArcSight Software with Business Objectives
This session will share best practices gained through customer experiences for relating ArcSight ESM to business requirements and objectives. The session focuses on the people and processes that support the technology within an organization. It will provide a framework for integrating the software into the business addressing business requirements, user roles and responsibilities, workflow, supporting processes and procedures, business-relevant metrics and training. The session is highly recommended for management and leadership personnel.
90 - ArcSight Logger Directions
From a powerful new reporting engine and compliance reporting packages to high speed indexed searches and a rich API for third-party integration, ArcSight Logger has significant enhancements planned in the upcoming releases. In this session you will have the opportunity to learn about the new use cases that these capabilities will enable and also to contribute ideas towards the future of ArcSight Logger. A technical introduction to the new reporting engine will be included.
92 - Understanding Compliance Solution Building
In this session, Dave will explore the structure of the ArcSight Compliance Insight Packages, how they support individual standards and regulations, and how they can best be utilized to automate compliance monitoring, analysis and reporting requirements. The session will also show how the ArcSight Compliance Insight Packages can be leveraged to increase your audit efficiencies and reduce your support costs.
99 - Best Practices in Security Operations or "Help! I Need to Build a SOC and Don't Know Where to Start."
A primer in effectively using ArcSight as a solution to enable your enterprise security operations center. We'll discuss ArcSight solutions for aligning your business requirements with daily operating procedures. We'll dive into topics including options for out-sourcing, in-sourcing and co-sourcing, service level agreements, metrics, standard operating procedures and we will spend time on various important operational aspects of your SOC such as analytical processes and workflow including escalation of incidents and incident response. Attend and learn how to use all of ArcSight's capabilities in your SOC efficiently and effectively.
100 - Moving to the Next Level of Database Monitoring
Jared M. Pratt, Consultant, Accenture
Kevin E. Bauer, Analyst, Accenture
Having application, database and/or transaction events feed into a SIEM system can add significant business value. The challenge is how to get the events from these systems and then how to make sense of them. This session will focus on database logging levels, how to approach this problem, what are the implementation challenges, and how to use ArcSight technology to provide effective database monitoring as part of an overall compliance and data privacy initiative.
101 - Achieving a New Level of Security by Taking Advantage of a Common Event Format and Dynamic Response
Jim Bearce, VP & Technical Information Security Officer, CitiStreet
Blake Sutherland, VP Product Management, Third Brigade
This session is a valuable opportunity for all audiences to hear about how CitiStreet deployed ArcSight ESM for consistent event categorization and correlation to achieve dynamic security enforcement. Attendees will learn about real-world implementation and deployment strategies, and the use of ArcSight ESM and host intrusion prevention in the network environment to drive detailed host-based security events and swift remediation.
102 - Logging and Monitoring Across a Diverse Environment for PCI Compliance
Keith Brogan, Security Engineer, Educational Testing Service
Kris Reilly, Security Engineer, Educational Testing Service
Learn how a company-wide log collection and monitoring problem is tackled using a PCI example. Any large distributed organization will find this session useful, as it will discuss the architectural approaches to log collection and forwarding to a central location. This customer has a diverse environment that is also managed by a third party. See how they built their own custom "black-box"-like collector appliances to address the hands-off nature of an outsourced management arrangement. Learn from their experience how they were able to bring together a true enterprise logging and monitoring infrastructure in a relatively short timeframe.
103 - Getting to the Most Significant Events - Event Throttling and Suppression
Pete Babcock, Team Lead Security Event Management Team, IBM
This session will discuss how to improve your ability to find a needle (valid security event) in a haystack by getting rid of hay (unneeded "false positives"). This will focus on what to do when the amount of "needles" is still too much. The session will provide tips on how to reduce event volumes on the analyst screens in worm outbreaks and scans, with repeat offenders and possible new or changed WAP (a WIDS scenario). Some of the techniques discussed include aggregation, rule actions and active lists. Specific examples of each scenario will be cited.
104 - ArcSight ESM Strikes Back
David Hazekamp, Managed Security Services, Motorola
This session will embark upon a deep dive into an assortment of the new features in ArcSight ESM including identity correlation with session management, active lists on steroids, rules, variables and the Common Event Format. The session will empower all those who attend to apply these concepts to their own content in order to save time and money.
105 - Integrating Custom Application Logs into ArcSight
Anthony Spina, System Security Administrator, Assent LLC
In this session, attendees will learn how a financial services business integrated custom application logs and database tables into ArcSight to correlate with network logs/security events providing a complete security overview. Information gathering as well as architectural implications will be discussed.
106 - Legacy Application Change Detection Architecture Using ArcSight ESM - Addressing a Key Control as Part of an Annual SOX Audit
Colin Henderson, CISSP, Senior Security Analyst, Tyson Foods
The Change Management group at Tyson Foods has come to rely on ArcSight for daily reporting as well as real-time detection of unauthorized changes. This presentation will describe how ArcSight ESM can be used as part of an over-arching Change Management strategy. The case study will show how several technologies were used to create a cost-effective and efficient strategy for legacy applications which had no inherent application-level logging capability. Attendees will find out how Tyson Foods was able to join several technologies with disparate capabilities, including customized scripts and alerts, to create a complete preventative/detective controls solution.
107 - SOX Compliance Using ArcSight ESM
Philip Theruvakattil, Security Architect, Managed Security Services Engineering, Unisys Corporation
This presentation will cover the use of ArcSight ESM to provide a service that enables Unisys customers to meet SOX compliance requirements. The session will focus on a customer where ArcSight ESM is being used as the basis for a consolidated compliance solution, replacing several disparate components and outputs. The presenter will discuss the use of the ArcSight Compliance Insight Package and specific resources that have been developed to monitor event flow and generate compliance reports. The session will conclude with details of the consolidated view available to access compliance related data.
108 - Real-World FlexConnector Development: How to Process Events from Unsupported Devices, Unexpected Log Formats and Constraints on Device Access
Jim Truitt, Director, Managed Security Services Development, Unisys Corporation
This presentation will describe how custom FlexConnectors have helped overcome unsupported devices, unexpected log formats and more. This session will review some of the more complicated devices Unisys had to support and the odd log formats encountered, and how FlexConnectors can address these challenges. The session will cover FlexConnector best practices, show examples of tricks and internal structures that work, as well as examples of those that don't.
109 - SIEM Implementation Best Practice Methodology
Doron Frenkel, CEO and Founder, We! Secure
Raz Alon, CTO and Founder, We! Secure
One of the key considerations of making a SIEM project successful is connecting the Technology to the Organization. We! Secure has developed a SIEM best practice project methodology that summarizes three years of experience in SIEM projects for enterprises across many different sectors using the ArcSight platform. The methodology covers every aspect of the project from design to the acceptance tests and creates a working SIEM solution tailor-made to the customers' needs. Attendees will learn how to improve visibility and exposure to the important things a SIEM solution can bring to the business and management team.
110 - External Fraud Detection and Prevention for E-Banking and other Online Presences
Vladi Yarovoy, SIEM Team Leader, We! Secure
This session will describe how to better protect an online business by detecting online fraud using ArcSight technology. Attendees will learn how to develop a framework to monitor and prevent fraud by utilizing every piece of information that exists in the online and internal business environment. This session will explain how to better cope with online fraud using ArcSight technology as well as other related online fraud detection technologies.
111 - Internal Fraud Protection - How to Protect Customer Data in a Call Center Environment
Raz Alon, CTO and Founder, We! Secure
In this session, attendees will learn how to detect and prevent internal fraud in a call center environment using ArcSight technology. Since most call centers are staffed with poorly compensated, low-loyalty personnel - but yet they still have access to sensitive consumer as well as confidential information - it is imperative to identify anomalous behavior indicative of fraud. Attendees will learn how to gather every piece of information generated by the call center IT environment to establish a framework to protect consumer data.
112 - Meeting FFIEC Compliance Objectives
Denis Hein, Senior InfoSec Engineer, Information Security Technology, Wells Fargo
Learn how Wells Fargo addressed FFIEC guidance and in doing so streamlined the audit review process, resulting in huge cost and time savings throughout the company. Discussion includes how the institution's goals were met with a combination of Connectors, FlexConnectors and Reports. Attendees will learn how Wells Fargo used ArcSight ESM to comply with the standard and implement a solution which can detect and report on customer authentication and account logon/logoff activity, reported policy violations and system and security administrative activity. Shown in the wrapper of a financial institution, this creative solution will appeal to all large companies struggling under extensive log review requirements.
113 - Applying Security Metrics to the Business
Rebecca Quinn, Senior IT Security Engineer, Lehman Brothers
Security metrics are an important part of benchmarking and trending the status of the enterprise's systems. This presentation looks at the various sources of security data and how to present the results in a manner that gives a holistic view of the various systems in use across the enterprise. Security threats, product coverage and control, availability and reliability of systems and application security are covered and discussed with examples. Tips and tricks on creating automated processes and procedures are discussed as well as how to create presentable and actionable lists of threats and system health checks.
114 - National Incident Response: Methodology to Better Manage Risk and Compliance
Joonho Lee, AVP and Incident Response Officer, Federal Reserve Bank of New York
The industry is now better equipped to filter out false positives and to automate security operational workflow. The challenge now is to build a bridge between security operations triggered by SIM and the business lines in your corporation. This effort is not just about showing the value of information security, but to guide the business lines on how to focus their risk management and enforce compliance requirements. It is critical for information security professionals to assess and prioritize risk and its impact on the business. This presentation shows the methodology built by the National Incident Response Team for the Federal Reserve System to address this very challenge.
115 - Managing a Highly Distributed Architecture
Jim Pasquale, Director, Managed Security Solutions, Verizon Business
This presentation will discuss a 3-tier hierarchical architecture scaled to handle large security event volumes from a disparate set of security devices from a global enterprise customer user base. The session will highlight innovative technologies that are part of a SEM platform to help with event reduction. Described will be how global company requirements are met with the use of ArcSight Logger. Technical experts in the field of threat discovery and incident response will lead the discussion focusing on in-depth technical knowledge of ArcSight.