ArcSight Insight

Wednesday, August 26, 2015

5 Sessions to see at HP Protect 2015

By: George Boitano, Founder and President

Well, HP’s yearly security products extravaganza is almost upon us.  And while we are in no position to opine on the musical talents of OneRepublic, we will take the liberty of highlighting five sessions which appear likely to introduce some important new concepts and discuss important trends:

TK5296 – Fireside chat with HP ArcSight leadership on strategy and roadmap for 2016
Wed, Sep 2 11:30 AM – 12:15 PM in Baltimore 5

Although these types of sessions can descend into salesmanship, we think this year the relatively new product management at ArcSight will likely articulate pieces of their grand three-year vision, including needed updates to the ESM Console user interface, cool visualization tools and the important issue of how SIEM will deal with the challenge posed by emerging pure-play security data analytics tools.

B3825 – Automating common event handling tasks using the ActionConnector
Wed, Sep 2 2:30 – 3:15 PM in Annapolis 2

Full disclosure: this is a session being presented by SEMplicity founder George Boitano. Building on last year’s TurboTalk, this presentation opens with a general overview of the ActionConnector framework, a little-known, no-charge ArcSight feature that lets analysts and rules run scripts remotely via integration commands and rule actions. The second half of the presentation walks through an end-to-end use case: creating Remedy tickets automatically, in real time, for Unix vulnerabilities detected by a RedSeal scanner. Experienced engineers and content authors may learn some new tricks from the deep dive, while managers and generalists at mature ArcSight implementations may find this session useful in scoping this cheaper and less resource-intensive alternative to the full-blown automation tools available from emerging vendors.

B4111 – CISO panel – what CISOs expect from the security operations organization
Thu, Sep 3 9:00 – 9:45 AM in Baltimore 4

Panel discussions, especially with customers, are often the most interesting (and sometimes most entertaining) sessions in the conference. Jesse Emerson, head of the HP SIOC practice, promises to be a thoughtful moderator with vast domain expertise. As for the CISOs themselves, one never knows what they will say, which is part of the fun. In all seriousness, management justification is a critical, and often overlooked, objective for any SOC or security department. ArcSight managers and senior engineering personnel will likely learn a lot about how other managers approach the SOC, how to keep them happy, and perhaps make some important networking contacts.

TT3818 – Search 1000x faster with HP ArcSight ESM 6.8c – Bloom filtering
Thu, Sep 3 9:30 – 9:50 AM in TurboTalk Theatre 2

If we are wrong, and the CISO panel above is putting you back to sleep, duck out for more coffee and consider this TurboTalk. Despite its sales-y title, this session is likely to contain a lot of valuable information on Bloom filters, which are now used on both the Logger and the ESM. Bloom filters are probabilistic rather than exact: a lookup answers either "records matching your filter might be in this data" or "there are definitely no matching records in this data", never a false "absent", so only the chunks that might match need to be scanned. Searching through huge quantities of time-chunked log data is a great application for Bloom filters, and has the potential to greatly speed up ESM performance and Logger searching. That would be a good thing.
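To make the "might be here / definitely not here" property concrete, here is a small added example of our own (not HP or ArcSight code) that builds one Bloom filter per time chunk over a few constructed log lines, skips chunks that cannot match, and then confirms candidates with an exact scan. The hashing scheme (SHA-256 split into two values for double hashing) and the whitespace tokenization are our assumptions, not ArcSight's implementation.

```python
import hashlib

# Constructed sample: three hourly chunks of Unix auth log lines (not real data).
CHUNKS = {
    "2015-09-03T09": [
        "sshd[101]: Accepted publickey for alice from 10.0.0.5",
        "sshd[102]: Failed password for root from 203.0.113.7",
    ],
    "2015-09-03T10": [
        "sshd[103]: Accepted password for bob from 10.0.0.9",
        "sudo: bob : TTY=pts/0 ; COMMAND=/bin/ls",
    ],
    "2015-09-03T11": [
        "sshd[104]: Failed password for root from 203.0.113.7",
    ],
}

class BloomFilter:
    """Fixed-size bit array with k hash positions per token."""
    def __init__(self, m_bits=1024, k=3):
        self.m, self.k = m_bits, k
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, token):
        # k positions from one digest via double hashing (assumed scheme).
        d = hashlib.sha256(token.encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, token):
        for p in self._positions(token):
            self.bits[p >> 3] |= 1 << (p & 7)

    def might_contain(self, token):
        # False means "definitely absent"; True means "possibly present".
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(token))

def tokenize(line):
    return set(line.replace(":", " ").replace("=", " ").split())

def build_index(chunks):
    """One Bloom filter per time chunk, summarizing every token in that chunk."""
    index = {}
    for name, lines in chunks.items():
        bf = BloomFilter()
        for line in lines:
            for tok in tokenize(line):
                bf.add(tok)
        index[name] = bf
    return index

def search(chunks, index, *terms):
    """Return (chunks that might match, lines that exactly match all terms)."""
    candidates = [n for n, bf in index.items() if all(bf.might_contain(t) for t in terms)]
    hits = [l for n in candidates for l in chunks[n] if all(t in tokenize(l) for t in terms)]
    return candidates, hits
```

A chunk can appear in the candidate list without holding a real hit (a false positive), but a chunk that does hold one can never be skipped, which is why the exact scan of the survivors still returns the complete answer.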

B3745 – Machine learning for security
Thu, 10:00 – 10:45 AM in Woodrow Wilson D

OK, this is a TippingPoint session, but the abstract promises a general introduction to machine learning techniques as applied to data security. This is a fascinating topic. Although machine learning is currently very much over-hyped, behind the hype may well lurk future applications that provide great value in insider threat detection and event response. We believe machine learning has many applications within ArcSight, and are currently working on some packaged solutions along those lines.

Hope to see you there!
