MAP
(Floor plan of the conference venue; only the legend and labels are reproduced here.)
Legend: Keynotes and Panels; Breakout Sessions; Private Meetings; Case Study Room; Information Desk
Rooms: Fort Washington Boardroom; Baltimore 1, 3 and 5; Woodrow Wilson Ballroom; Annapolis 1 and 3; Magnolia; Presidential Boardroom; Sunset Room
CyberSecurity Hall areas: Protect 724; Protect '10 Promos; Customer Rewards; Documentation; Product Showcase; Partner Showcase; NASCAR Truck; Registration
Street references: Waterfront Street; National Plaza
Networking events: Gala Dinner - Sunset Room, National Harbor; Welcome Reception - Orchard Terrace, Convention Center Atrium Level; Protect 724 JazzFest - Pose Lounge, 18th floor; Partner Booth Crawl & Reception - CyberSecurity Hall
AGENDA

ArcSight ESM: The Ultimate
Enterprise-wide solution for capturing and analyzing security information to increase visibility and reduce risks. A serious security platform for today's serious threats.

CONFERENCE OVERVIEW
Sunday, September 19
Noon - 7:00pm | Registration
6:00pm - 8:00pm | Welcome Reception

Monday, September 20
7:00am - 8:00pm | CyberSecurity Hall
7:00am - 8:00pm | Partner Showcase
9:00am - Noon | Keynotes
2:30pm - 5:30pm | Conference Sessions
6:00pm - 8:00pm | Partner Booth Crawl & Reception
8:00pm - 11:00pm | ArcSight Protect 724 JazzFest

Tuesday, September 21
7:00am - 5:00pm | CyberSecurity Hall
7:00am - 5:00pm | Partner Showcase
8:00am - 11:00am | Keynotes
11:00am - 6:00pm | Conference Sessions
12:00pm - 2:00pm | Birds-of-a-Feather; CyberSecurity Hall (Lunch Area)
6:30pm - 11:00pm | Gala Dinner

Wednesday, September 22
7:00am - 2:00pm | CyberSecurity Hall
7:00am - 2:00pm | Partner Showcase
9:00am - 5:30pm | Conference Sessions
SUNDAY, SEPTEMBER 19
Time | Event | Room
Noon - 8:00pm | Registration Open | CyberSecurity Hall
6:00pm - 8:00pm | Welcome Reception | Orchard Terrace, Gaylord
MONDAY, SEPTEMBER 20
General Sessions
Time | Event | Room
7:00 - 8:30am | Registration; Breakfast | CyberSecurity Hall
7:00am - 8:00pm | CyberSecurity Hall | CyberSecurity Hall
9:00 - 10:00am | The Formula for CyberSecurity Success. Speaker: Tom Reilly, President and CEO, ArcSight | Woodrow Wilson Ballroom
10:00 - 11:00am | International Perspectives on CyberCrime: How Governments with Borders Deal with an Internet that has None. Speaker: Dr. Prescott Winter, CTO, Public Sector, ArcSight | Woodrow Wilson Ballroom
11:00am - Noon | Infrastructure Protection & Advanced Persistent Threat Management: Lessons Learned in the Private & Public Sector. Moderator: William Crowell, Former CEO, CyLink Corporation; Former Deputy Director of Operations and Deputy Director of the NSA | Woodrow Wilson Ballroom
Noon - 2:30pm | Lunch | CyberSecurity Hall

Evening Events
Time | Event | Room
6:00pm - 8:00pm | Partner Booth Crawl & Reception | CyberSecurity Hall
8:00pm - 11:00pm | ArcSight Protect 724 JazzFest | Pose Lounge
MONDAY, SEPTEMBER 20
Breakout Sessions
Num | Title | Level | Room

2:30pm - 3:20pm
SN53 | Using ArcSight Express to Analyze Flow Events | Intermediate | Baltimore 1
CSN08 | Realizing End-to-End Encryption in the Payments Industry | Basic | Baltimore 3
SN01 | Primer: Auditing Oracle Database Activity | Basic | Baltimore 5
SN39 | The Last 1000 Engagements: Lessons from the Field | Basic | Annapolis 1
CSN20 | Death by Acronym: How to Survive HIPAA, HITECH, and FTC Red Flag Rules with ArcSight | Basic | Annapolis 3
CSN30 | Security Operations that Cross International Boundaries | Basic | Magnolia 3

3:30pm - 4:20pm
SN59 | Optimizing ArcSight Express | Basic | Baltimore 1
CSN33 | Bridging the Gap between Security Monitoring and Security Management | Intermediate | Baltimore 3
SN03 | Primer: Got Reports? The ABCs | Basic | Baltimore 5
SN72 | ArcSight FraudView: The Next Generation | Intermediate | Annapolis 1
CSN04 | Bots/Malware Detection by Leveraging Open Source Resources | Intermediate | Annapolis 3
CSN15 | Using ArcSight ESM for Malicious Domain Detection | Intermediate | Magnolia 3

4:30pm - 5:20pm
SN42 | Investigating Financial Application Modeling Techniques in ArcSight ESM | Basic | Baltimore 1
CSN31 | Ensuring Inactive IDs Stay Inactive | Basic | Baltimore 3
SN04 | Primer: Got Reports? Beyond the Basics | Intermediate | Baltimore 5
SN68 | Maximize Connector Deployment with the ArcSight Connector Appliance | Advanced | Annapolis 1
CSN27 | Automated ArcSight ESM Content Replication | Advanced | Annapolis 3
CSN03 | Synergizing New Threats with ArcSight ESM | Advanced | Magnolia 3
TUESDAY, SEPTEMBER 21
General Sessions
Time | Event | Room
7:00 - 8:30am | Breakfast | CyberSecurity Hall
7:00am - 8:00pm | CyberSecurity Hall | CyberSecurity Hall
8:00 - 9:15am | ArcSight Product Showcase. Speaker: Hugh Njemanze, CTO and EVP of Research and Development, ArcSight | Woodrow Wilson Ballroom
9:15 - 10:00am | The Future of Global CyberCrime. Moderator: Joseph Menn, Author of Fatal System Error
10:00 - 10:45am | Enterprise Threat and Risk Monitoring in the Real World. Moderator: Colby DeRodeff, Enterprise Strategist, Worldwide Strategic Solutions, ArcSight
10:45 - 11:00am | Break

Evening Event
Time | Event | Room
6:30pm - 11:00pm | Gala Dinner | Sunset Room at National Harbor
Breakout Sessions
Num | Title | Level | Room

11:00am - 11:50am
SN73 | Preparing for Your ArcSight ESM Upgrade | Basic | Baltimore 1
CSN02 | Threat Response Triage System | Basic | Baltimore 3
SN02 | Primer: Auditing Microsoft SQL Database Activity | Basic | Baltimore 5
SN65 | ArcSight ESM Tools and Integration with ArcSight Logger and ArcSight TRM | Intermediate | Annapolis 1
CSN34 | Integrating ArcSight ESM with Network Access Control to Help Manage 100,000+ Endpoints | Intermediate | Annapolis 3
CSN23 | Context is King! | Intermediate | Magnolia 3

11:50am - 2:00pm | Lunch and Birds-of-a-Feather | CyberSecurity Hall
*Sessions marked CSN are customer-led sessions.
TUESDAY, SEPTEMBER 21
Breakout Sessions
Num | Title | Level | Room

2:00pm - 2:50pm
SN41 | Moving Enterprise Security Monitoring to the Next Stage | Basic | Baltimore 1
CSN13 | Mozilla's Use of CEF in their Web Applications | Intermediate | Baltimore 3
SN06 | Primer: Got FIPS? (ends at 3:50pm) | Basic | Baltimore 5
SN10 | Tips and Tricks in ArcSight ESM | Advanced | Annapolis 1
CSN28 | Research to Detection: Developing Content to Counter APT-Class Threats | Intermediate | Annapolis 3
CSN25 | Realizing the Value-Add: Operationalize Your ArcSight ESM Deployment | Intermediate | Magnolia 3

3:00pm - 3:50pm
SN52 | All About Actors | Basic | Baltimore 1
CSN17 | The Evolution of Malware Detection | Basic | Baltimore 3
SN64 | Dynamic Multidimensional Schemas with ArcSight ESM 5.0 | Intermediate | Annapolis 1
CSN01 | The Who: User Activity Monitoring in SIEM | Intermediate | Annapolis 3
CSN5 | How to Write Anything to CEF (Easy Integration with ArcSight) | Intermediate | Magnolia 3

4:00pm - 4:50pm
SN12 | Monitoring Applications without Application Development | Intermediate | Baltimore 1
CSN12 | Achieving PCI Compliance Without Modifying Your Applications | Intermediate | Baltimore 3
SN07 | Primer: Using Variable$ (ends at 5:50pm) | Basic | Baltimore 5
SN47 | Windows Unified Connector Planning, Implementation and Troubleshooting | Intermediate | Annapolis 1
CSN35 | ArcSight IdentityView 2.0: Make Identity Context a Part of Everyday Monitoring | Intermediate | Annapolis 3
CSN29 | Implementing ArcSight Logger for Sustainable PCI DSS 1.2 Compliance | Basic | Magnolia 3

5:00pm - 5:50pm
CSN26 | Achieving Situational Awareness by Integrating NetWitness and ArcSight ESM | Intermediate | Baltimore 1
SN66 | APIs, SDK and Service-Oriented Architecture in ArcSight ESM | Advanced | Baltimore 3
SN58 | ArcSight, Monitor Thyself | Advanced | Annapolis 1
CSN19 | Building Your Baseline Rule Development | Intermediate | Annapolis 3
CSN22 | Vulnerability Management with ArcSight ESM | Intermediate | Magnolia 3
WEDNESDAY, SEPTEMBER 22
General Sessions
Time | Event | Room
7:00 - 9:15am | Breakfast | CyberSecurity Hall
7:00am - 2:00pm | CyberSecurity Hall | CyberSecurity Hall
9:00 - 9:50am | Closing Ceremonies. Speaker: Tom Reilly, President and CEO, ArcSight | Woodrow Wilson Ballroom

Breakout Sessions
Num | Title | Level | Room

10:00am - 10:50am
CSN32 | Achieving Continuous Compliance of Privileged Identities in Challenging Environments | Basic | Baltimore 1
CSN18 | Measuring Security Using ArcSight Solutions | Intermediate | Baltimore 3
SN08 | Primer: Writing Rules Not Meant to be Broken (ends at 11:50am) | Basic | Baltimore 5
SN09 | From Water to Wine (or Use Cases to Content) (ends at 11:50am) | Intermediate | Annapolis 1
SN17 | ArcSight Architectures | Intermediate | Annapolis 3
CSN24 | Driving Content Creation with Use Case Forms | Basic | Magnolia 3

11:00am - 11:50am
CSN06 | Using Reporting to Optimize IT Security | Basic | Baltimore 1
SN21 | How it Works: Assets, Zones, Networks and Customers | Basic | Baltimore 3
SN18 | Mastering ArcSight Platform Security | Intermediate | Annapolis 3
SN48 | Let ArcSight Logger Leverage your Logs | Basic | Magnolia 3

11:50am - 1:30pm | Lunch | CyberSecurity Hall
*Sessions marked CSN are customer-led sessions.
WEDNESDAY, SEPTEMBER 22
Breakout Sessions
Num | Title | Level | Room

1:30pm - 2:20pm
SN51 | Got Patterns? Creative Uses of Pattern Discovery | Intermediate | Baltimore 1
SN67 | ArcSight Logger: All You Can Feed! | Intermediate | Baltimore 3
SN54 | ArcSight ESM 5.0 Image Dashboards | Intermediate | Baltimore 5
SN11 | Correlating Efficiently: Tips, Techniques and Troubleshooting for Writing Content | Intermediate | Annapolis 1
SN62 | Gain Rock Star Status as ArcSight ESM Manager Administrator (ends at 3:20pm) | Advanced | Annapolis 3
SN30 | Use Cases for Automating Integration with ArcSight ESM and Remedy | Advanced | Magnolia 3

2:30pm - 3:20pm
SN36 | Cybercrime Investigator: Forensic Use of ArcSight ESM Integration Commands | Intermediate | Baltimore 1
SN13 | Best Practices for Scaling Log Management | Basic | Baltimore 3
SN05 | Primer: Auditing Network and Firewall Activity (ends at 4:20pm) | Basic | Baltimore 5
SN31 | Inside an ArcSight Connector: the Journey of a Security Event | Intermediate | Annapolis 1
SN23 | Advanced ArcSight Logger Techniques | Advanced | Magnolia 3

3:30pm - 4:20pm
SN50 | APT Episode 1: Rise of the Bots | Intermediate | Baltimore 1
SN14 | Network Modeling Best Practices | Intermediate | Baltimore 3
SN25 | Best Practices in Using and Understanding Trends | Intermediate | Annapolis 1
SN71 | ArcSight ESM Database Performance from the Bottom-Up | Advanced | Annapolis 3
SN28 | ArcSight FlexConnector Development Methodology | Intermediate | Magnolia 3

4:30pm - 5:20pm
SN73 | Preparing for Your ArcSight ESM Upgrade (2nd Showing) | Basic | Baltimore 1
SN24 | Jump Start with Use Cases | Intermediate | Baltimore 3
SN10 | Tips and Tricks in ArcSight ESM (2nd Showing) | Advanced | Annapolis 1
SN52 | All About Actors (2nd Showing) | Basic | Annapolis 3
SN12 | Monitoring Applications without Application Development (2nd Showing) | Intermediate | Magnolia 3
CYBERSECURITY HALL THEATER SCHEDULE
Turbo Talks, SOC Talks and Customer Success Theater talks run in the CyberSecurity Hall. The three schedule grids below list the time slots and the talks in each grid.

Grid 1 (time slots 3:30pm, 4:00pm, 4:30pm)
SOC Talks: A variety of topics led by the ArcSight consulting team.
Customer Success: Rich learning tips and tricks presented by ArcSight instructors.
Talks: Security Operations for the Federal Set; Building a Successful ArcSight Team; Solution Building by Example; Concept to Implementation: Real-World Use Cases; Protect 724, Your Problem Solved: Correlation in ArcSight Logger; Create a Report with Session Information; Shedding Light on Side Tables; Goals, Needs and Motives: Detecting Patterns and Behaviors; ArcSight ESM 5.0 Overview; Improvements to Correlated Event Forwarding; Threat Intelligence Integration with DeepSight; Detecting APT with ArcSight ThreatDetector; SOC Blueprint; Protect 724, Your Problem Solved: Going Over the Waterfall; How Overlapping Session Lists Help with Correlation; Fast Start with ArcSight ESM; Security Operations as a Service (SOaS); Protect 724, Your Problem Solved: How to Preserve Values from the Same Field from Multiple Events in a Join Rule; Correlation Event Idefense Integration in ArcSight ESM Console

Grid 2 (time slots 1:30pm, 2:00pm, 2:30pm, 3:00pm, 3:30pm, 4:00pm, 4:30pm; no sessions over lunch: visit the Development Team at the Birds-of-a-Feather tables in the lunch area)
Customer Success: Rich learning tips and tricks presented by ArcSight instructors.
Talks: Solution Building by Example; High Risk User Monitoring; Advanced Techniques in Populating Active Lists; Wiki What!?! Why Wikis Work for SOC; Protect 724, Your Problem Solved: Use Conditional Evaluations to Create a Pivot Report; Has Your SOC Hit Puberty?; Enhancing the Value of McAfee HIPS with ArcSight; Customer Success Roadmap; It's a Cluster! Installing and Managing ArcSight ESM on Windows High-Availability Clusters; ArcSight ESM 5.0 Upgrade At-a-Glance; Advanced ArcSight Logger Searching with the Rex Pipeline Operator; How to Get the Most Out of Your Console; Microsoft Windows Event Log Unified SmartConnector Enhancements; ArcSight FlexConnector Wizard; What You Need to Know for Connector Upgrades; Going Over the Waterfall; Seeing the Woman in the Red Dress; Security Operations for the Federal Set

Grid 3 (time slots 11:30am, 12:00pm, 12:30pm, 1:00pm, 1:30pm)
SOC Talks: A variety of topics led by the ArcSight consulting team.
Customer Success: Rich learning tips and tricks presented by ArcSight instructors.
Talks: Security Operations as a Service (SOaS); Planning a Successful Upgrade; High Risk User Monitoring; ArcSight ESM HealthCheck; Enhancing the Value of McAfee HIPS with ArcSight; Detecting APT with ArcSight ThreatDetector
ArcSight IdentityView
The system doesn't care who logs in. But you do.
Your employees now have a digital face and you have control. Get easy, complete visibility of user activity by linking the user, role and group information in directory, HR and IdM systems with the users' activity logs.

ARCSIGHT CYBERSECURITY HALL
Experience 35,000 square feet of pure adrenalin. Located in Prince George's Exhibition Hall B.

KEYNOTES
MONDAY, SEPTEMBER 20
International Perspectives on CyberCrime: How Governments with Borders Deal with an Internet that has None
10:00 - 11:00am, Woodrow Wilson Ballroom
We all say the Internet is borderless, but what does that really mean in terms of developing the kinds of international cooperation required to identify and respond to threats, eliminate botnets, track and prosecute cybercriminals, and make the Internet safe and reliable for public and private use? Given the global nature of cybercrime, supranational institutions are likely to carry enormous power in the fight against such crimes. Hear the latest perspectives and thinking on how we can take the management of cybersecurity and countermeasures to combat cybercrime across international boundaries.
Special Guest:
Eneken Tikk
Head of Legal and Policy Branch, Cooperative Cyber Defence Centre of Excellence
Eneken Tikk holds a Magister Juris degree from the University of Tartu and is pursuing a PhD degree. After working many years for both government and private sector enterprises, advising on information law, she joined the Cooperative Cyber Defence Centre of Excellence activation team, later becoming the head of the Centre's Legal Task Team. Eneken headed the Cyber Defence Legal Expert Team involved in the drafting of the Estonian Cyber Security Strategy; she is also a frequent lecturer on information technology and information law in Estonian universities and author of an information law textbook. Currently she is acting Legal and Policy Branch Chief at CCD COE. Her areas of research interest include information technology and cyber security law, as well as legal policy.
Infrastructure Protection & Advanced Persistent Threat Management: Lessons Learned in the Private & Public Sector
11:00am - Noon, Woodrow Wilson Ballroom
Protecting your enterprise network infrastructure requires first understanding the threat. This panel will break down the hype around today's top security concerns. Based on lessons learned from breaches in both the private and public sector, you will gain the knowledge you need to prepare your organization's defenses against advanced persistent threats.
Moderator: William Crowell, Former CEO, CyLink Corporation; Former Deputy Director of Operations and Deputy Director of the NSA
Mr. Crowell has served as an ArcSight Director since 2003. He is an independent consultant in the areas of information technology, security and intelligence systems, and served as the Chairman of the Senior Advisory Group to the Director of National Intelligence. He also worked at the National Security Agency (NSA), where he held a series of senior executive positions, including Deputy Director of Operations and Deputy Director of the NSA. He also serves as a director of several private companies.
Panelists:
Kris Herrin
Chief Technology Officer, Heartland Payment Systems
Kris is responsible for delivering secure and reliable IT services for Heartland's state-of-the-art payments processing platforms and enterprise applications, including product development, infrastructure and operations. He joined Heartland in April 2008 as chief security officer and transitioned to the role of chief technology officer in August 2009, where his work to drive operational efficiencies and delivery of innovative services using industry IT Service Management best practices won him recognition in the InfoWorld CTO 25 Awards. Kris is an adjunct professor at the University of Dallas Graduate School of Management and an advisory board member for their Information Assurance Program.
Tim McKnight
Vice President and CISO, Northrop Grumman
Mr. McKnight is responsible for developing the strategy and vision of the Northrop Grumman global computer and network information security systems, and enhancing the security of the company's products, services and infrastructures. He has completed training with the National Security Agency (NSA) in the areas of information security assessment methodology, operating secure networks and advanced system security and exploitation. Mr. McKnight served as a police training instructor and on the computer analysis response and evidence response teams of the FBI. He holds a bachelor's degree from Rutgers College.
TUESDAY, SEPTEMBER 21
ArcSight Product Showcase
8:00 - 9:15am, Woodrow Wilson Ballroom
From ArcSight Express to ArcSight Logger and ArcSight ESM, the product family has become more advanced. Hear from the founder and CTO as he discusses and shows exciting, recently released products and new developments on the horizon.
Speaker: Hugh Njemanze, CTO and EVP of Research and Development, ArcSight
Mr. Njemanze co-founded ArcSight in 2000 and has served as EVP of Research and Development and CTO since 2002. He leads product development, information technology deployment and product research, and is an advisor at Silicon Valley Internet Capital. Prior to ArcSight, Mr. Njemanze served as CTO at Verity, a provider of knowledge retrieval software products. Mr. Njemanze also worked at Apple Computer in software engineering, where he was one of the key architects of the Apple Data Access Language (DAL). Prior to that, he co-architected CL/1 (Connectivity Language One) at Network Innovations and co-developed several language compiler products at Hewlett Packard. Mr. Njemanze is a CISSP and holds a B.S. in computer science from Purdue University. Hugh was honored as the 2010 Ernst & Young Entrepreneur Of The Year.
The Future of Global CyberCrime
9:15 - 10:00am
Moderator: Joseph Menn, Author of Fatal System Error
Panelists:
Andy Crocker
COO, Cybyl Technologies; Former Investigator, UK National Hi-Tech Crime Unit
Mr. Crocker, a former member of the elite UK National Hi-Tech Crime Unit and the UK Serious Organised Crime Agency, led the most successful collaborative cyberprobe in history involving multinational law enforcement groups across the globe. His unprecedented three-year investigation alongside the Russian MVD, or national police, resulted in the capture and imprisonment of the three men who were at the heart of an Internet-enabled extortion ring. Mr. Crocker is a leader in combating the evolving technology employed by organized crime in mass identity theft, financial fraud and the misappropriation of trade secrets.
Barrett Lyon
CEO, 3Crowd Technologies; Entrepreneur, Influential Technologist and CyberProtector
Mr. Lyon has tracked Russian denial of service attack extortion groups; his work has been featured around the globe and is included in the cyberthriller Fatal System Error. He provided details and helped coordinate with multinational law enforcement groups, resulting in the capture of the three men who were at the heart of an Internet-enabled extortion ring. Mr. Lyon created the Opte Project, an Internet mapping project, which is featured at the Boston Museum of Science and the Museum of Modern Art in New York. He is working on his third start-up, 3Crowd Technologies, which improves the economics of delivering large amounts of data across the Internet.
Enterprise Threat and Risk Monitoring in the Real World
10:00 - 10:45am
Moderator: Colby DeRodeff, Enterprise Strategist, Worldwide Strategic Solutions, ArcSight
Panelists:
Patty Long
Director of Information Security, ING Americas
Ms. Long is responsible for the security operations center for ING Americas. She has over 20 years of information technology and information security experience, and served as CISO of CitiStreet for four years prior to its acquisition by ING Americas in July 2008. Ms. Long is a CISSP and holds a bachelor's degree in economics from Columbia University and an MBA from New York University.
Steve Brown
Director of Enterprise Information Management Operations, Wells Fargo
Mr. Brown leads Information Management Operations at Wells Fargo, including Enterprise Security Operations and Services, Information Security Risk Assessment Services, and Security Architecture Consulting. He has been with Wells Fargo for 10 years in a variety of leadership roles within the areas of information security and network engineering, and brings more than 20 years of information management expertise to this critical enterprise role.
Nick Galletto
Partner, Information & Risk, Deloitte
Mr. Galletto is a Partner with Deloitte Information and Technology Risk Services in Canada. Mr. Galletto has over 20 years of experience in information technology, networking, systems management and information security. He has extensive experience in the management, design, development and implementation of information security and risk management programs. He has helped organizations assess the threats, risks and overall security posture of their applications, infrastructure architecture and IT environment. Mr. Galletto has worked with a number of large organizations, helping them implement enterprise-wide security strategies, security governance frameworks, policies, procedures and end-to-end security programs.
If you registered early then you have official VIP status! VIPs enjoy premier seating at breakout sessions, a special express line for meals, a fast pass to the Genius Bar and exclusive VIP swag. Look for the VIP signs throughout the conference and

ACTIVITIES

ArcSight Express
Comprehensive security and fast response with fewer resources. Now you can have it all: complete security, compliance and a life.

NETWORKING EVENTS
Let's face it. Most people don't get what you do. But everyone at Protect '10 does. From formal activities to spontaneous gatherings, throughout the conference you'll encounter endless opportunities to relax, unwind and connect with peers on your top security issues.
Welcome Reception
September 19, 6:00pm - 8:00pm
Orchard Terrace at the Gaylord National Resort
Start Protect '10 off right! Join the ArcSight community and ArcSight executives while taking in the views of the Potomac River. Get to know your fellow attendees while enjoying an array of hors d'oeuvres and refreshments.

Mealtime Mixers
September 20-22, daily breakfast and lunch
CyberSecurity Hall
Connect with people who share your interests while you fuel up for the day. Mealtime mixers offer a time to meet, greet, and eat!

Birds-of-a-Feather
September 21, Noon - 2:00pm
CyberSecurity Hall (lunch area)
Grab your lunch and grab a chair. ArcSight engineers will be on hand to lead group discussions on product and related topics that concern you the most.
Customer Rewards
The ArcSight Customer Rewards Program is a great way to showcase your organization's accomplishments and extend your reputation, while also stretching your training budget. With so many ways to get involved, you can't miss: join our growing list of participants and start reaping the rewards!

Product Showcase
The product showcase is the launching pad for the hottest new products making their debut at Protect '10. This is a great opportunity to be the first to see what's new and give feedback to the ArcSight product and technical teams.

Genius Bar
You've got questions and we've got answers. Bring your toughest questions and hardest challenges to the Genius Bar and get the answers you need. This is your opportunity to tap into the brightest minds at ArcSight. After thousands of successful deployments, upgrades and customizations, we've seen it all and are ready to share!

Video CyberShots
Tell your story. Cloaked in your favorite spy costume, record your heroism in an undisclosed video case study on how you battled cyberthreats and secured your network with ArcSight solutions. Or just stop by to tell us how you like the conference and give a shout out to ArcSight!

CyberBookstore
A full selection of publications will be available for purchase throughout the conference. You will find take-home solutions to your network and cybersecurity questions and reference materials to keep you up-to-date on today's most pressing issues, trends and what's happening now.
Meet Arcie
Come meet the newest member of the ArcSight family, Arcie! The ArcSight mascot is ready to pose with you for your very own photo.

ArcSight Documentation
See a demo of our new integrated multi-book ArcSight ESM online help and get an update on DocView 360, the interactive documentation portal slated for integration with Protect 724. While you're here, take our survey and receive a special gift.

Technical Support
Come meet the folks of Technical Support and put a face to the name! Drop by to follow up on tickets and complete our annual ArcSight company survey. Also, get registered for Protect 724, the ArcSight Community.

Global Services
Stop by to discuss our proven methodologies and the in-depth experience gained from over 1,000 successful implementations. Hear how to optimize your ArcSight investments, mitigate project risks, accelerate business objectives, and increase IT productivity. Learn about our customer success roadmap. Representatives will be on hand from our consulting, federal and solutions groups.

Get your picture taken with NASCAR driver Nelson Piquet Jr.!
CYBERSECURITY HALL

Turbo Talks
Don't miss these fast, 20-minute talks in the Turbo Talk Theater. These engineering-led turbo talks distill complex topics into just the highlights. This is the perfect solution for the on-the-go attendee.

SOC Talks
Meet the Security Operations Consulting team at our SOC Talk Theater. These expert-led talks will cover a variety of security operations topics to help you build and manage your security operations center.

Customer Success
Visit the Customer Success Theater for rich learning snippets covering a wide range of topics. You'll experience the latest eLearning offerings and see the new professional certification program.

Located in the ArcSight CyberSecurity Hall. See the complete schedule in this guide.

ArcSight Logger
ArcSight Logger meets the needs of diverse teams and use cases for security, compliance, IT operations and application development.

Take in the cool sounds of jazz with colleagues at the Protect 724 community party.

SESSIONS

ARCSIGHT-LED SESSIONS
Over 80 educational technical sessions are packed with insights and information you can't afford to miss.

BASIC SESSIONS
SN01 Primer: Auditing Oracle Database Activity
Tom D'Aquino, Senior Curriculum Developer
Monday, September 20; 2:30pm - 3:20pm; Baltimore 5
Databases can generate a fair amount of data. This primer session focuses on using the different types of logs to effectively audit Oracle database activity. Strategies to accomplish your goals will be explained, as well as a demonstration of useful content for monitoring collected data.

SN02 Primer: Auditing Microsoft SQL Database Activity
Tuesday, September 21; 11:00am - 11:50am; Baltimore 5
Databases can generate a fair amount of data. This primer session focuses on using the different types of logs to effectively audit Microsoft SQL database activity. Strategies to accomplish your goals will be explained, as well as a demonstration of useful content for monitoring collected data.

SN03 Primer: Got Reports? The ABCs
Mauricio Julian, Senior Instructor
Monday, September 20; 3:30pm - 4:20pm; Baltimore 5
There is a difference between data and useful information. This primer session explains the basic elements of reporting and how to use reporting to turn large amounts of data into usable information.

SN05 Primer: Auditing Network and Firewall Activity
Tom D'Aquino, Senior Curriculum Developer
Wednesday, September 22; 2:30pm - 4:20pm; Baltimore 5
Network routers, switches and firewalls can generate a bewildering amount of data. This primer session explains how to separate the important data from the noise. It also demonstrates how to create a good use case so that you can collect the data you need and safely ignore the data you don't need.

SN06 Primer: Got FIPS?
Normand Bourgeois, Senior Instructor
Tuesday, September 21; 2:00pm - 3:50pm; Baltimore 5
Many organizations are required to be Federal Information Processing Standards (FIPS) compliant. This primer session explains how to implement and manage FIPS across ArcSight ESM, ArcSight Logger and applicable connectors.

SN07 Primer: Using Variable$
Javier Inclan, Senior Instructor
Tuesday, September 21; 4:00pm - 5:50pm; Baltimore 5
One size does not fit all. This primer session explains what variables are (including global variables). It demonstrates how to use them appropriately, including how to extract information from lists.

SN08 Primer: Writing Rules Not Meant to be Broken
Javier Inclan, Senior Instructor
Wednesday, September 22; 10:00am - 11:50am; Baltimore 5
Rules can help you determine what to investigate. This primer demonstrates how to construct rules. It will focus on what to consider when building rules and how to use rules to identify events that require further investigation.

SN13 Best Practices for Scaling Log Management
John Bradshaw, Principal Federal Sales Engineer
Wednesday, September 22; 2:30pm - 3:20pm; Baltimore 3
This session will discuss the differences between agent and agentless log collection, and how each provides capabilities and benefits to be considered before deploying a SIEM or log aggregation solution. The discussion will cover centralized vs. decentralized deployments, considerations for guaranteeing log/event delivery, and network performance issues administrators should consider when making deployment decisions.
bASic SeSSionS
SN21
SN48
Fabian Libeau, Principal Sales Engineer Wednesday, September 22; 11:00am 11:50am; Baltimore 3
ArcSight ESM excels in its ability to assign information to the monitored environment. This presentation will show how this works, covering both challenges and solutions. Included in this session are connector map files and variables in filters.
Aaron Kramer, Senior Systems Engineer Wednesday, September 22; 11:00am 11:50am; Magnolia 3
Learn how to sift logs like the pros do! In this session, you will learn different approaches to adjust to new systems that get added to your responsibilities. Get on top of that heap of systems, network and security stuff.
SN52
SN39
Ricky Allen, Global Services Regional Manager Monday, September 20; 2:30pm 3:20pm; Annapolis 1
Compiled from the past 1000 engagements, the ArcSight global services team wants to share best practices with you from around the world. Details such as identifying the engagement scope, potential deployment risks, detailed project planning, environment sizing, hardware selection, device prioritization, tuning expectations and growth estimates will be covered.
Anurag Singla, Software Development Manager Tuesday, September 21; 3:00pm 3:50pm; Baltimore 1 Wednesday, September 22; 4:30pm 5:20pm; Annapolis 3
Actors are representations of humans or agents in ArcSight ESM, and the actors feature links users and their activity to events from applications and network assets. This session will show how user information can be imported into ArcSight ESM from external identity management systems, and then correlated with security information in events. Also covered is how actors can be organized into various hierarchical models for use in identifying policy violations.
SN41
SN59
Paul Brettle, Sales Engineer Tuesday, September 21; 2:00pm 2:50pm; Baltimore 1
A common issue with security monitoring projects is that they are often justified, budgeted and implemented to resolve a limited number of key issues. A real advantage for security monitoring with ArcSight ESM is that it can be easily expanded. Learn how to expand your investment to take security monitoring to the next stage.
Jim Rutherford, Sales Engineering Manager Monday, September 20; 3:30pm 4:20pm; Baltimore 1
ArcSight Express allows you to harness the power of ArcSight ESM in an easy-to-use, pre-configured package. A key element for ease of use was the creation of a wide variety of out of the box content and pre-defined use cases specific to ArcSight Express. In this session, you will learn what makes the default ArcSight Express content such as pre-packaged use-case-driven filters, rules, dashboards and reports tick, as well as how to start down the path of custom content creation.
SN42
SN73
Damian Skeeles, Pre-Sales Consultant Monday, September 20; 4:30pm 5:20pm; Baltimore 1
ArcSight ESM provides a range of features that can be brought together to create sophisticated content that supports stateful tracking, risk scoring, closed feedback loops, and real-time and statistics-based correlation.
Morris Hicks, Senior Director of Services Engineering, Global Services Maritza Perez, Product Manager Tuesday, September 21; 11:00am 11:50am; Baltimore 1 Wednesday, September 22; 4:30pm 5:20pm; Baltimore 1
This talk will walk you step-by-step through the ArcSight ESM 5.0 upgrade process. Attendees will learn how to successfully plan, coordinate and execute an upgrade to ArcSight ESM 5.0, as well as understand what resources are available from ArcSight to assist them. The upgrade process will be covered holistically, including prerequisites, technical dependencies, step-by-step instructions for executing the upgrade wizard, common pitfalls and best practices for reducing risk. This session is relevant for both technical and project management staff, as it covers many aspects of the upgrade: estimated level of effort, tasks and timeline, technical expertise required, along with a step-by-step sample upgrade leveraging the upgrade wizard.
Intermediate Sessions
SN04
SN17
Mauricio Julian, Senior Instructor Monday, September 20; 4:30pm 5:20pm; Baltimore 5
There is a difference between data and useful information. This primer expands on "Got Reports? The ABCs" and explains how to use resources to create reports in your own environment.
ArcSight Architectures
Brook Watson, Solutions Architect Wednesday, September 22; 10:00am 10:50am; Annapolis 3
This session will focus on ArcSight implementation architectures. It will be geared towards administrators and authors in charge of maintaining the health and content of each of the ArcSight components. Several architectures will be discussed, including multiple tiered ArcSight ESM instances, multiple ArcSight Logger instances with a single ArcSight ESM instance, and the traditional single ArcSight Logger with a single ArcSight ESM instance. The pros and cons surrounding each architecture and best practices will be discussed.
SN09
Lisa Huff, Director, ArcSight Enterprise Specialist Terry Bishop, Senior Sales Engineer Wednesday, September 22; 10:00am 11:50am; Annapolis 1
Learn the best-practice approach to building use cases, starting from requirements gathering through use case build-out. We will take you through all the steps to develop a real use case right before your eyes, including deliverables such as reports and dashboards.
SN18
Yanlin Wang, Software Architect Wednesday, September 22; 11:00am 11:50am; Annapolis 3
Wondering how to secure your ArcSight deployment? ArcSight products support multiple levels of security configuration: Basic, FIPS 140-2 and Suite B, along with different access control options to satisfy the needs of users ranging from business to government.
SN11
Monica Jain, Senior Software Engineer Wednesday, September 22; 1:30pm 2:20pm; Annapolis 1
This session will focus on how to troubleshoot and write content to maximize performance and efficiency. Various correlation-related areas of ArcSight ESM, including rules, reports, trend reports, filters and data monitors will be examined. This session will also compare different approaches to help understand which will have better performance with fewer resource requirements.
SN24
Philip Qian, Senior Solutions Engineer Wednesday, September 22; 4:30pm 5:20pm; Baltimore 3
In this session we will explore the concept of an ArcSight use case. Attend and see a number of actual use cases and how to use the Use Case Wizard.
SN12
SN25
Brian Wolff, Principal Sales Engineer Tuesday, September 21; 4:00pm 4:50pm; Baltimore 1 Wednesday, September 22; 4:30pm 5:20pm; Magnolia 3
Demand for the logging of applications has grown; however, many applications today do not log transactions. This session will discuss how to enable application logging through the database, without changing the application code. Examples using the Oracle database will be utilized.
This session will be an in-depth look at trend reporting. We will see how trends manage your data. Tips on debugging trends will be provided, including using some undocumented information. This session will also provide tips for using trends to improve overall reporting and ArcSight ESM performance.
SN28
SN14
Al Veach, Principal Security Strategist Wednesday, September 22; 3:30pm 4:20pm; Baltimore 3
Learn network modeling best practices and how the new network modeling tool in ArcSight ESM makes the process easier. Customer success stories will be included in this session.
Are you faced with the prospect of having to implement non-standard log formats into ArcSight ESM, but unsure how to approach the problem? This session will aim to help you achieve the goal of understanding the process, and therefore, delivering a better-value ArcSight FlexConnector.
SN31
SN50
Girish Mantry, Principal Software Engineer Wednesday, September 22; 2:30pm 3:20pm; Annapolis 1
This session covers how security events acquire information critical for your asset and network modeling, how they are categorized and corrected for the device-reported times for accurate correlation, and how the ArcSight Connector protects itself against denial of service attacks and preserves the integrity of the raw event.
Duc Ha, Senior Security Solutions Engineer Rishi Divate, Senior Security Solutions Engineer Wednesday, September 22; 3:30pm 4:20pm; Baltimore 1
Learn to develop creative ArcSight ESM content to detect and track bot activities. Specifically, we will look at constructing ArcSight ESM resources based on different bot communication methods, using real-life examples such as Kraken, Conficker and Zotob. Finally, we will examine how to leverage advanced tools such as pattern discovery to detect bot patterns and ArcSight TRM to provide automated response action in case of an incident.
SN36
SN51
Gary Freeman, Senior Sales Engineer Paul Bowen, Principal Sales Engineer Wednesday, September 22; 2:30pm 3:20pm; Baltimore 1
Many security analysts are tasked with assisting HR, corporate governance or law enforcement agencies with intercepting network information to establish evidence that may be used in employee termination or a court of law. This session explores the concept of network forensic investigations and how ArcSight ESM is used to establish a chain of custody through integration commands and case management.
Pattern discovery is a powerful ArcSight ESM feature intended to detect subtle, specialized or long-term patterns. This session will show how to create basic pattern discovery profiles and identify patterns through snapshots, and how pattern discovery can be used across various use cases in the fraud, identity, operations and network areas.
SN53
SN47
Brook Watson, Solutions Architect Lisa Huff, Director, ArcSight Enterprise Specialist Tuesday, September 21; 4:00pm 4:50pm; Annapolis 1
As ArcSight customers expand their security focus from perimeter defense to insider threats, the first device they typically look at is Windows servers. This session will focus on the planning, implementation and troubleshooting best practices surrounding the Windows Unified Connector in large enterprise environments.
Flow support is available in just about every router and switch in your network; it's free to turn on, and there is valuable information that you can gather through analysis with ArcSight Express. In this session, we'll cover ArcSight Express resources such as dashboards, data monitors, active channels and reports to address common use cases around flow events.
SN54
SN67
Gary Freeman, Senior Sales Engineer Wednesday, September 22; 1:30pm 2:20pm; Baltimore 5
This session focuses on creating image dashboards, an exciting new feature of ArcSight ESM 5.0. We will explore the concept of visualization and how you can leverage ArcSight ESM 5.0 image dashboards to create custom dashboards for use cases such as SOC, compliance metrics, global threats and MSSPs. This session is intended for ArcSight ESM administrators responsible for developing content on a daily basis.
Wei Huang, Senior Architect Alan Bavosa, Senior Director Product Management Wednesday, September 22; 1:30pm 2:20pm; Baltimore 3
This session will showcase the new search and reporting features in ArcSight Logger. Included are the new pipeline search language, charting, sorting, aggregating and reporting against all data types, including raw and CEF data. You will also learn about the new software version of ArcSight Logger! This session is a must-see for any ArcSight Logger customers.
SN64
SN72
Dhiraj Sharan, Software Development Manager Tuesday, September 21; 3:00pm 3:50pm; Annapolis 1
Have you ever needed a particular event schema field, but didn't have it available? Or have you wanted to monitor applications that generate events very different from traditional network security events? Attend this session and find out how ArcSight ESM 5.0, with the new domain field sets feature, not only answers these requirements, but also allows you to monitor events from different industry verticals.
Colby DeRodeff, Enterprise Solutions Strategist Monday, September 20; 3:30pm 4:20pm; Annapolis 1
This presentation will take users through the ArcSight FraudView product offering with customizable schemas and enhanced risk modeling capabilities. We will explore fundamental fraud concepts across multiple business verticals, and will look in-depth at the most prevalent threats for the coming years as well as advanced prevention, detection and response mechanisms. Several real-life use cases where ArcSight FraudView was instrumental in detection will be shown.
SN65
ArcSight ESM Tools and Integration with ArcSight Logger and ArcSight TRM
Ken Mermoud, Senior Security Engineer Dhaval Shah, Software Development Manager Tuesday, September 21; 11:00am 11:50am; Annapolis 1
The ArcSight ESM console is used as the centralized management console for security information and event management. Wouldn't it be great if it could be extended to show snap-in views or to launch contextual actions with any other external application being used in the SOC or NOC? In this session, you will see how to integrate contextual views and actions from ArcSight TRM, ArcSight NCM and ArcSight Logger into the console.
Advanced Sessions
SN10
SN62
Raju Gottumukkala, ArcSight Expert Tuesday, September 21; 2:00pm 2:50pm; Annapolis 1 Wednesday, September 22; 4:30pm 5:20pm; Annapolis 1
In this very advanced session, you will learn super user tricks that address displaying the same field in a correlation event from multiple base events; using negative events; checking and populating a field in an active list from another field in a different active list; manipulating date-type fields in an active list; and understanding the quirks of threshold and time-unit triggers.
Dhiraj Sharan, Software Development Manager Gagan Taneja, Senior Software Engineer Wednesday, September 22; 1:30pm 3:20pm; Annapolis 3
This session will equip users with knowledge and tools to add to their arsenal for becoming a successful ArcSight ESM manager administrator. The session will start by describing the flow of events inside the ArcSight manager. Then we will look at the wealth of information the ArcSight manager provides via its run-time status, logs and audit events. Making use of the history of support tickets, we will take a close look at how to investigate performance, stability and memory management issues.
SN23
Marylou Orayani, Senior Software Development Manager Wednesday, September 22; 2:30pm 3:20pm; Magnolia 3
See troubleshooting techniques by analyzing logs retrieved from ArcSight Logger. Attendees will learn how to use Logfu to correlate logs from various components within ArcSight Logger. Discover what to look for when perusing ArcSight Logger logs and how to use other tools for analysis.
SN66
Yanlin Wang, Software Architect Tuesday, September 21; 5:00pm 5:50pm; Baltimore 1
ArcSight ESM 5.0 exposes a service layer that supports protocols such as SOAP, REST and other industry standards. Programmers and integrators can now access ArcSight ESM data through exposed APIs that will allow them to perform resource searches, run reports and access other ArcSight ESM services via Web services or clients that make use of the ArcSight ESM SDK.
SN30
Use Cases for Automating Integration with ArcSight ESM and Remedy
Scott Parkinson, ArcSight Enterprise Specialist Wednesday, September 22; 1:30pm 2:20pm; Magnolia 3
This session discusses complex use cases involving the ArcSight ESM and Remedy solution, allowing you to keep track of events already sent to Remedy and prevent duplicate events; to know if a Remedy ticket goes beyond your SLA; and to produce a report of current open Remedy tickets triggered by ArcSight ESM. Use cases will be displayed side-by-side in ArcSight ESM versions 4.5 and 5.0 to show the simplification and positive impact of the new global variables feature.
SN68
SN58
Ken Mermoud, Senior Security Engineer Rashaad Steward, ArcSight Enterprise Specialist, Public Sector Tuesday, September 21; 5:00pm 5:50pm; Annapolis 1
ArcSight components provide a wealth of internal audit events on the status of various ArcSight resources. In this session, we examine what those internal audit events contain and what information an ArcSight administrator can leverage to automatically monitor and restore the health of their ArcSight infrastructure. This session will cover advanced techniques that can be applied to many other use cases to enhance automation. Attendees should have an in-depth understanding of active lists and how variables work within rules.
With the latest innovations, the ArcSight Connector appliance is becoming a truly turnkey solution to deploy and manage connectors in large-scale environments. Come learn about revolutionary new capabilities like ArcSight Connector Exchange, remote management for large-scale distributed deployment and troubleshooting ArcSight Connectors with diagnostic tools.
SN71
Kerry Adkins, Senior Customer Support Engineer Wednesday, September 22; 3:30pm 4:20pm; Annapolis 3
If you want to achieve optimal performance with your ArcSight ESM database, this session is for you! We will cover all of the layers that affect database performance, starting with storage hardware, RAID levels and how to lay out data files. Moving up, we will cover how to tune your Oracle instance, benefit from indexing and optimize for performance. We will also discuss the tools customer support DBAs and developers use to troubleshoot database-related performance and stability issues.
Customer-Led Sessions
ArcSight customers on the frontlines who are protecting their organizations present their real-world experiences and use cases.
Basic Sessions
CSN02
CSN17
Mark Runals, Network/System Analyst, Battelle Tuesday, September 21; 11:00am 11:50am; Baltimore 3
One of the challenges faced by companies that don't have a 24x7 SOC is prioritizing investigative time. Attend this session and see the Battelle solution that triages systems exhibiting anomalous behavior, without extensive or rigid, pre-defined "chronological order of events" use cases. Highlights include how to scale with available hours, how to quickly add or remove use case triggers, and how to modify individual use case triggers independently of others.
Dereck Haye, Global Lead Analyst, Unisys Tuesday, September 21; 3:00pm 3:50pm; Baltimore 3
Use the correlation power of ArcSight solutions specifically for malware detection. Learn about the core behavior of malware and how to break it down into components for base detection. Specific examples will illustrate how analysts can use devices to detect previously unseen malware hiding in the log files of your organization's departments. A general knowledge of the ArcSight ESM console and familiarity with rule filters and data monitors will be helpful in getting the most out of this session.
CSN06
CSN20
Amir Alsbih, IT Security Engineer, Kabel Baden-Württemberg Wednesday, September 22; 11:00am 11:50am; Baltimore 1
This session discusses how to represent and lay out data for maximum report usability and goal achievement. Learn why it is essential to have different reporting and abstraction levels for each level within an organization. IT security key performance indicators that have worked well for Kabel Baden-Württemberg are revealed, as well as lessons learned along the way.
Death by Acronym: How to Survive HIPAA, HITECH, and FTC Red Flag Rules with ArcSight
Paul Melson, Manager of Information Security, Priority Health Chris Botelho, Security Analyst, Parkland Health and Hospital System Monday, September 20; 2:30pm 3:20pm; Annapolis 3
The past decade has seen a steep increase in federal, state and international regulation of personal data with no signs of slowing in the immediate future. Finding ways to automate monitoring and auditing, as well as streamlining investigations, is necessary just to keep up. This session covers how Parkland Health and Priority Health have moved from a reactive to a proactive stance in monitoring and protecting personal information, and how they conduct incident responses in the event of a breach. Specific examples will be shown for how to monitor and report on the security controls in place to effectively protect personal information.
CSN08
Steve Elefant, CIO, Heartland Payment Systems Monday, September 20; 2:30pm 3:20pm; Baltimore 3
Discover how Heartland Payment Systems has successfully tackled PCI issues. This session reviews the challenges and opportunities facing the payments industry to secure sensitive card data through end-to-end encryption. Also covered is the prospect of applying end-to-end technologies to reduce or limit the scope and cost of PCI.
CSN24
CSN31
Cindy Jones, Senior Security Analyst, United Services Automobile Association (USAA) Wednesday, September 22; 10:00am 10:50am; Magnolia 3
How many times have you heard something like this: "Compliance says to bring this new feed into ArcSight ESM and monitor it for bad stuff"? However, if you don't have a plan for what to look for, how do you even know that your new feed can provide it, whatever data that is? A generic "look for bad stuff" statement can be very dangerous for analysts. It transfers all responsibility to you and absolves the feed provider. This presentation provides a general use case form and covers how to extract this information from your customers to help secure your network environments.
Azzam Zahir, Manager, Enterprise IT Risk Management, Turner Broadcasting System, Inc. Monday, September 20; 4:30pm 5:20pm; Baltimore 3
With today's complex infrastructures, problems around managing employee terminations and inactive IDs can run rampant. Attend this session and find out how Turner Broadcasting successfully meets this challenge, taking into consideration its highly diversified business units, decentralized network and international aspects. When employees are terminated, you can set up the ability to ingest a report into ArcSight ESM, watch for that user ID to appear on the network, and ensure it doesn't.
CSN29
CSN32
Michael Hoehl, CISO, Godiva Chocolatier Tuesday, September 21; 4:00pm 4:50pm; Magnolia 3
This session will cover PCI project implementation details, as well as operational experiences with ArcSight Logger. Specific topics include building a business case for ArcSight Logger, implementation technical details, GRC use cases, and lessons learned. These insights will be useful for IT staff and management of merchants intending to implement a sustainable approach for PCI compliance and safeguard customer credit card data.
Philip Lieberman, President, Lieberman Software Corporation Wednesday, September 22; 10:00am 10:50am; Baltimore 1
Learn how to quickly gain continuous control over privileged identities in large, complex, highly regulated and extremely secure environments by implementing a solution that provides continuous proof of compliance, as well as near-instantaneous alerting of out-of-compliance scenarios. In this session, we will show you how to combine ArcSight technology with Lieberman Software technology to move you into a realm of continuous compliance, with a security SLA, in less than a week. Gain the upper hand on privileged identities and put auditors on your side! Attendees should understand the high-level objectives of IT security, the audit process and its findings, business cases for and against security remediation, and basic identity management and account usage tracking.
CSN30
Patty Long, Director of Information Security, ING Americas Monday, September 20; 2:30pm 3:20pm; Magnolia 3
Building a security operations capability for a large company is always a major challenge. From business case creation to implementation, the path requires a good deal of commitment and understanding from the organization. When operations include centers in other countries, the linguistic, cultural and monetary challenges exponentially increase the complexity of the project. Hear from ING on how they addressed the challenges and lessons learned from their endeavor.
New this year! Visit the Genius Bar and get answers from the top minds at ArcSight.
Intermediate Sessions
CSN01
CSN12
Chuck Moran, IT Security Analyst, Southern Company Ryan Kalember, Director of Product Marketing, ArcSight Tuesday, September 21; 3:00pm 3:50pm; Annapolis 3
IT security departments are constantly searching for new ways to monitor their infrastructure and provide greater value to the business. Attend this session and learn how user activity monitoring delivers business value in the form of powerful metrics, streamlined investigations, and auditable access rights. Southern Company will discuss how they use ArcSight IdentityView, logs and directory data to produce executive dashboards that organize security metrics by department so that security executives can better target their risk mitigation programs. The presentation will also cover two other ArcSight IdentityView use cases in production: monitoring risky users like offshore developers and employees using shared accounts.
Florian Leibenzeder, Senior IT Security Engineer, Lufthansa Systems Tuesday, September 21; 4:00pm 4:50pm; Baltimore 3
Learn how Lufthansa Systems achieved PCI provider compliance by utilizing its self-developed PCI Compliance Engine and the power of ArcSight ESM, ArcSight Logger and the ArcSight ESM Compliance Insight Package for PCI. See how relevant audit data needs to be collected, how it is provided to ArcSight ESM and how the workflow around the Lufthansa solution was created by making heavy use of ArcSight ESM internal workflow tools. Basic PCI DSS knowledge is helpful to get the most out of this talk.
CSN04
CSN13
Chuck Moran, IT Security Analyst, Southern Company Monday, September 20; 3:30pm 4:20pm; Annapolis 3
This session reviews methods for leveraging open-source community resources, such as Snort and BotHunter, within ArcSight implementations to help detect and pinpoint previously undetected threats. Come learn about malware threat feeds, and how to create simple scripts and ArcSight ESM rules to automate them. Join us if you are working within the confines of a budget or would like to leverage open-source detection capabilities within your current ArcSight implementations to reduce risk and eliminate previously undetected cyberthreats.
Christopher Lyon, Director of Infrastructure Security, Mozilla Tuesday, September 21; 2:00pm 2:50pm; Baltimore 3
Mozilla is leveraging CEF in their Web applications for general logging and to identify potential security issues. The use of CEF creates a foundation for applying security correlation to narrow down potential security issues, and ArcSight Logger provides the ability to search this data. This session covers why, where and how Mozilla is using CEF, the types of alerts and various use cases. Reasons and technical limitations that drove these changes with Mozilla Web applications will also be discussed. Attendees should have a basic understanding of CEF, ArcSight ESM and ArcSight Logger.
CSN05
Eric Parker, Principal Network Security Analyst and ArcSight Senior Engineer, BAE Systems Tuesday, September 21; 3:00pm 3:50pm; Magnolia 3
Attend this session and learn how to write your own FlexConnectors easily from scratch using CEF. This session discusses techniques for reading simple and complex log files, and explores how to send any script, program output, errors or alerts to CEF. Attendees should have a basic understanding of Perl scripting or other scripting/programming languages.
CSN15
The traditional way for detecting traffic to malicious domains involves writing Snort-based signatures to monitor DNS and HTTP traffic. This style of detection can have a high false-positive rate and deteriorate the performance of the sensors. By migrating detections into ArcSight ESM, false-positives no longer exist, and the sensors can be used for more proactive signatures. This session discusses how to utilize ArcSight ESM for domain detections: the interaction between active lists, filters and rules, with a heavy focus on the variables used. Attendees of this session should have an understanding of ArcSight rules, active lists and filters.
CSN18
CSN25
Dori Fisher, Security Department CTO, We! Consulting Wednesday, September 22; 10:00am 10:50am; Baltimore 3
In order to demonstrate ROI or improve your security posture, quantitative and comparative measures need to be put in place that cover timeframes across the whole organization. This session discusses the challenges and pitfalls, and illustrates the role of ArcSight solutions in implementing security metrics.
Fernando Patzan, Information Assurance Manager, General Dynamics Tuesday, September 21; 2:00pm 2:50pm; Magnolia 3
Deployment of ArcSight ESM and integration of disparate data sources streams a flood of event data and triggers the default content all day long. Training analysts for role-based responsibilities, creating a supporting workflow for watch operations, developing content tailored to the target infrastructure, and implementing streamlined processes to manage content is key to unlocking the value of ArcSight ESM. From developing repeatable processes to managing I&Ws, this session shares best practices and lessons learned for collaborative SOC environments to take the ArcSight ESM deployment to a future state that focuses on mitigating risk to the infrastructure.
CSN19
Nathan Shanks, Chief Security Architect, Strategic Enterprise Solutions Tuesday, September 21; 5:00pm 5:50pm; Annapolis 3
After you have completed the task of designing and deploying your SIEM, it's time to get to work building logic that's right for your enterprise. One of the advantages of centralizing data is the ability to normalize and categorize all the information. Leave your single signature-based rules behind and learn how to develop category-based rules that will give you the framework needed to stay general or specific as needed.
CSN26
Rocky DeStefano, Director of Professional Services, NetWitness Tuesday, September 21; 5:00pm 5:50pm; Baltimore 1
According to recent reports, most enterprises believe that advanced cyberthreats are evading all existing prevention and detection approaches, and that situational awareness is critical to fighting them. Using a U.S. government customer implementation of ArcSight ESM and NetWitness, this session details how to improve cyber situational awareness for detection of these threats. Learn new incident management paradigms for innovative and agile approaches to enterprise-wide situational awareness using the ArcSight ESM and NetWitness solution. A technical case study will be explored describing the scope of the implementation, the people and process requirements, and actual, compelling results.
CSN22
Vulnerability scanners can provide deep insight into the network, but the amount of data can be overwhelming. This session details how the use of trend queries, query viewers, active lists, asset modeling and drill down menus can help you to quickly sort through the data to pinpoint and prioritize problems. The ability to assess threats and attacks is critical, but only half the battle. We will also discuss how to use ArcSight user groups, cases and reports to assign tasks and verify remediation. Attend this session for a great tool to help thwart hackers, malware and insider threats.
CSN28
CSN23
Context is King!
Pete Babcock, Lead Security Analyst, United Services Automobile Association (USAA) Tuesday, September 21; 11:00am 11:50am; Magnolia 3
A single successful login is logged on one of your UNIX servers. Do you care? Most SOCs consider that to be normal activity and would not be alarmed. But what if the user ID is for an employee who was terminated last week? Now do you care? Context is everything when evaluating security events. This presentation will walk through several scenarios, from terminated users to advanced persistent threats, and show how to use context to make better decisions for protecting your organization.
Michael Cloppert, Intel Fusion Team Lead, LM-CIRT, Lockheed Martin Corporation Tuesday, September 21; 2:00pm 2:50pm; Annapolis 3
This session discusses the lifecycle of new detection methods, from initial analysis through functional custom data feeds and content in ArcSight ESM. Understanding and executing this lifecycle is critical for combating the most sophisticated adversaries who use custom tools to steal sensitive data. Skills and approaches to be covered include analysis of a particular sophisticated backdoor; development of custom tools to augment existing logs; enhancement of existing connectors to accommodate new attributes added to logs by custom tools; and ArcSight ESM content to support alerting and analysis within the ArcSight infrastructure. Those familiar with command-line analysis methods, Perl, connector configuration and ArcSight ESM content development are encouraged to attend.
CSN33
CSN35
Jon Deats, Senior Tech Manager, Information Security Engineer, Forbes Top 5 Financial Organization Ryan Thomas, Solution Development Manager, ArcSight Colby DeRodeff, Enterprise Solutions Strategist, ArcSight Tuesday, September 21; 4:00pm 4:50pm; Annapolis 3
ArcSight IdentityView integrates the information about your user population with events monitored in ArcSight ESM to gain critical identity context to what is happening on your network. Learn how to leverage this identity context to satisfy a myriad of use cases, such as identifying and monitoring high risk users, tracking administrative user activity, detecting access privilege violations and monitoring role violations. This session will cover how ArcSight ESM enables you to integrate identity into your everyday monitoring, and includes case studies drawn from real-world customer deployments.
In large organizations, IT/security operations staff must perform at least three major tasks: monitor systems, network devices and end-user activity; rapidly detect and respond to security incidents; and maintain regulatory compliance. Attend this session and learn about the bidirectional integration between ArcSight ESM and the McAfee ePolicy Orchestrator security management platform, and how Northrop Grumman is using the solution to effectively manage risk, reduce operational costs and streamline the compliance lifecycle in several high-security environments. Specific tips on implementation and better security workflows are included.
CSN34
Integrating ArcSight ESM with Network Access Control to Help Manage 100,000+ Endpoints
Daniel Conroy, VP Information Security and Managing Director, Bank of New York Mellon. Tuesday, September 21; 11:00am-11:50am; Annapolis 3
Securing a global financial enterprise with 180,000+ endpoints is an ongoing challenge, especially at a bank, where the risk exposure is extremely high. This interactive session discusses how the Bank of New York Mellon (BNYM) combines ArcSight ESM with the ForeScout global network access control system. With this solution, BNYM can manage and enforce policy dynamically across the enterprise, improving its security posture, operational efficiency, speed and agility. Attend this session and learn how BNYM is combating today's threats and preparing for the threats of tomorrow, while maximizing compliance reporting and visibility.
Advanced Sessions
CSN03
CSN27
Joseph Peruzzi, Oracle Database Administrator, Northrop Grumman. Monday, September 20; 4:30pm-5:20pm; Magnolia 3
Using external open-source data that is freely available on the Internet, it is possible to find new threats on your network. In this session you will be shown how to pull data from various open sources and import it into ArcSight ESM. You will also discover how to use that information to locate unknown threats, prioritize incidents and cut malware response time from hours to seconds. Attendees should have a good working knowledge of ArcSight Connectors, active lists and filters.
Learn step by step how to automate the replication of content to one or more ArcSight ESM instances and avoid the pitfalls of ad hoc content replication. Automated content replication is useful in numerous scenarios, such as business continuity, disaster recovery, test instances, dedicated reporting and other multi-instance architectures. This deep dive covers tips and tricks around example project requirements and assumptions; best practices for package design and content administration; the built-in archive and package tools; scripting and scheduling; and hand-editing package XML. ArcSight ESM administrators with advanced- or expert-level experience across all content types will want to attend. Experience with the *nix command line is recommended, but the tips can also be adapted to Windows environments.
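As an added illustration of the open-source-data workflow this session describes (not code from the session or from ArcSight), the following script parses a constructed blocklist feed, de-duplicates it, matches it against constructed firewall log lines in key=value form, and renders the hits as CSV rows of the kind you would feed into an active list. The feed format, the log format and the CSV column layout are all assumptions chosen for the example; adapt the columns to whatever your connector or active list actually expects.

```python
"""Match firewall logs against an open-source IP blocklist.

Added example, not part of the conference programme or of ArcSight's own
tooling. Feed format (one IP or CIDR per line, '#' comments), the key=value
log format and the CSV layout are assumptions made for illustration.
"""
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample feed, in the common "one indicator per line" style.
FEED_TEXT = """\
# Example blocklist (constructed for this example)
198.51.100.23        # single host
203.0.113.0/24       # whole range
198.51.100.23        # duplicate on purpose
not-an-ip            # junk line the parser must skip
"""

# Constructed sample firewall log lines in a key=value style.
LOG_LINES = [
    "2010-09-20T10:01:02Z action=allow src=10.0.0.5 dst=198.51.100.23 dpt=443",
    "2010-09-20T10:01:03Z action=allow src=10.0.0.7 dst=203.0.113.77 dpt=80",
    "2010-09-20T10:01:04Z action=allow src=10.0.0.9 dst=192.0.2.10 dpt=53",
    "2010-09-20T10:01:05Z action=deny src=203.0.113.9 dst=10.0.0.5 dpt=22",
]


def parse_feed(text):
    """Return a de-duplicated, ordered list of ip_network objects from a text feed."""
    nets = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue                           # skip junk rather than abort the import
        nets[net] = None                       # dict keeps order and drops duplicates
    return list(nets)


def parse_kv(line):
    """Parse 'k=v' tokens from a log line; the leading timestamp becomes 'ts'."""
    parts = line.split()
    fields = {"ts": parts[0]}
    for tok in parts[1:]:
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
    return fields


def lookup(ip_str, nets):
    """Return the first feed network containing ip_str, or None (linear scan)."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for net in nets:
        if ip in net:
            return net
    return None


def match_logs(lines, nets):
    """Return (direction, internal_host, indicator, matched_network, event) per hit."""
    hits = []
    for line in lines:
        ev = parse_kv(line)
        # outbound: destination is on the list; inbound: source is on the list
        for direction, key, other in (("outbound", "dst", "src"), ("inbound", "src", "dst")):
            net = lookup(ev.get(key, ""), nets)
            if net is not None:
                hits.append((direction, ev.get(other, ""), ev[key], str(net), ev))
    return hits


def to_active_list_csv(hits):
    """Render hits as CSV (assumed column layout) for import into an active list."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["indicator", "matched_network", "direction", "internal_host", "first_seen", "hit_count"])
    counts = Counter(h[:4] for h in hits)
    first_seen = {}
    for h in hits:
        first_seen.setdefault(h[:4], h[4]["ts"])
    for key, n in counts.items():
        w.writerow([key[2], key[3], key[0], key[1], first_seen[key], n])
    return buf.getvalue()


if __name__ == "__main__":
    feed_nets = parse_feed(FEED_TEXT)
    print(to_active_list_csv(match_logs(LOG_LINES, feed_nets)))
```

The linear scan in `lookup` is fine for a few thousand indicators; for the large feeds you would actually subscribe to, index the networks by prefix length or use a radix tree before pointing it at production log volume.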
Speakers
ArcSight Protect '10 conference speakers present on the most compelling topics in our industry today. Listen to their experiences and gain new insights into how to keep your organization on the leading edge.
Aaron Kramer
Amir Alsbih
Aaron Wilson
Anurag Singla
Al Veach
Azzam Zahir
Brian Wolff
Alan Bavosa
Brook Watson
Chuck Moran
Chris Botelho
Cindy Jones
Damian Skeeles
Chris Watley
Daniel Conroy
Christopher Lyon
David Wiser
Dereck L. Haye
Duc Ha
Dhaval Shah
Eric Parker
Principal Network Security Analyst and ArcSight Senior Engineer, BAE Systems Inc.
Eric has been in IT security for most of his 15-year IT career and has worked with ArcSight products since 2005. He currently oversees the development and maintenance of the company's internal ArcSight infrastructure, supporting multiple instances of ArcSight ESM and ArcSight Logger. Eric has been developing in Perl for 10 years.
Dhiraj Sharan
Fabian Libeau
Dilraba Ibrahim
Fernando Patzan
Dori Fisher
Florian Leibenzeder
Jim Rutherford
John Bradshaw
Gagan Taneja
Gary Freeman
Jon Deats
Senior Tech Manager, Information Security Engineer, Forbes Top 5 Financial Organization
Jon has seven years of information security experience, currently focused on insider security. He has been with his organization for five years and in his current role for two. Jon has been working with ArcSight for three years, and this is his second presentation at the ArcSight Protect conference. He earned a double BBA in information systems and marketing from Texas A&M University in 2003, a CISSP in 2006 and a CEH in 2007.
Girish Mantry
Joseph Peruzzi
Javier Inclan
Ken Mermoud
Kerry Adkins
Marylou Orayani
Mauricio Julian
Larry Wichman
Michael Cloppert
Lisa Huff
Michael Hoehl
Maritza Perez
Mark Johnston
Monica Jain
Mark Runals
Morris Hicks
Nathan Shanks
Paul Brettle
Paul Melson
Pete Babcock
Normand Bourgeois
Philip Lieberman
Paul Bowen
Philip Qian
Raju Gottumukkala
Rocky DeStefano
Rashaad Steward
Ryan Kalember
Ricky Allen
Ryan Thomas
Ryan Walters
Rishi Divate
Scott Parkinson
Terry Bishop
Steve Maxwell
Tom DAquino
Suranjan Pramanik
Wei Huang
Yanlin Wang
Stop by the Product Showcase and be the first to see what's new at ArcSight.
SPONSORS
Protection is just a step away. To learn more or to schedule an evaluation, contact us at 703.889.8950 or info@netwitness.com.
www.netwitness.com
www.deloitte.com/securityservices
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Copyright 2010 Deloitte Touche Tohmatsu Limited. All rights reserved.
Partners play a vital role in the ArcSight community. Head to the Partner Showcase in the CyberSecurity Hall to see first-hand the latest demos and offerings that can extend your investment in ArcSight solutions.
Diamond Sponsor
Lieberman Software
Lieberman Software provides privileged identity management solutions that secure the world's largest cross-platform enterprises, having pioneered the first product to address this need in 1999. By automating time-intensive administration tasks, Lieberman Software increases control over the IT infrastructure, reduces security vulnerabilities, improves productivity and supports regulatory compliance. A managed Microsoft Gold Certified Partner, Lieberman Software has developed significant technology integrations with ArcSight, Cisco, BMC, HP, IBM, Intel, Novell and Oracle, with additional integrations ongoing. The company is headquartered in Los Angeles, CA, and maintains an office in Austin, TX. Product development, testing and support are performed in the United States.
Platinum Sponsors
Cyber-Ark Software
Cyber-Ark Software is a global information security company specializing in protecting and managing privileged users, applications and highly sensitive information, in order to improve compliance and productivity and protect organizations against insider threats. With its award-winning Privileged Identity Management and Highly-Sensitive Information Management software, organizations can manage and govern application access while demonstrating returns on their security investments.
McAfee
McAfee is the world's largest dedicated security technology company. We relentlessly tackle the world's toughest security challenges. McAfee's comprehensive solutions enable businesses and the public sector to achieve security optimization and prove compliance, and we help consumers secure their digital lives with solutions that auto-update and are easy to install and use.
NetWitness
NetWitness Corporation is the world leader in real-time network forensics and automated threat intelligence solutions, helping government and commercial organizations detect, prioritize and remediate complex IT risks. NetWitness solutions address a wide variety of information security problems, including real-time situational awareness, advanced threat management, sensitive data discovery and data leakage detection, malware activity discovery, insider threat management, policy and controls verification, and e-discovery.
Deloitte
Deloitte Touche Tohmatsu Limited member firms provide a full range of audit, consulting, financial advisory, risk management and tax services worldwide. Dedicated member firm professionals work with a wide spectrum of organizations to address business risk and threat containment requirements by leveraging and extending the ArcSight platform. Many organizations have adopted the Deloitte member firms' business-focused methodology (eREM) in the development and maintenance of their ISMS and security operations.
Gold Sponsors
Silver Sponsors
Win a trip to Hawaii!
CUSTOMER
Attend the general session on Wednesday at 9 am for your chance to win a VIP trip to the Daytona 500. Must be present to win.
ArcSight, Inc. | 5 Results Way, Cupertino, CA 95014, USA | www.arcsight.com | info@arcsight.com. Corporate Headquarters: 1-888-415-ARST | EMEA Headquarters: +44 (0)844 745 2068 | Asia Pac Headquarters: +65 6248 4795. Copyright 2010 ArcSight, Inc. All rights reserved. ArcSight and the ArcSight logo are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners.