Re: Setting up Arcsight/Tripwire

[Stephen Mullins <steve.mullins.work () gmail com>]

That's more plausible than you might think.

As far as documentation goes, the key seems to be finding someone that
has some of the ArcSight materials and making copies of it.

Other than that, you're on your own.  The program's help system is
pretty useful though.

You can plug literally everything into ArcSight, but getting useful
information from those millions of events per day is where it gets
interesting.

If you understand ArcSight (play around with it for a while), and you
understand what you should be looking for/concerned with from a
security perspective, then it's simply a matter of creating
filters/reports to get the information you want.  Not to oversimplify
things...

Steve

On Tue, Apr 7, 2009 at 12:26 PM, Paul Schmehl <pschmehl_lists () tx rr com> wrote:
> --On Tuesday, April 07, 2009 02:15:13 -0600 venkatesh.selvaraju () gmail com
> wrote:
>
> > Dear All,
> >
> > I was wondering if anyone has any standard rules and policies which can be
> > instantly deployed & added to Arcsight ESM for monitoring Windows, UNIX,
> > database and network devices. I understand the rules vary and are specific
> > to
> > the OS and n/w devices. We have to setup the rules and commission Arcsight
> > in
> > our company. If anyone has prior hands-on using Arcsight or if you have
> > any
> > literature, please share.  Also, if you have any docs on how to setup
> > rules
> > on Tripwire tool for file integrity checking please share the information.
> > Thank you in advance.
>
> Arcsight is an expensive product.  Surely you got training and access to
> docs with your licenses?  If you're just now deploying, Arcsight should be
> assisting you with that - especially your salesperson.
>
> --
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> Check the headers before clicking on Reply.