Security Basics mailing list archives

Re: Arcsight


From: Tremaine Lea <security-basics () ddiction com>
Date: Thu, 12 Apr 2007 15:25:36 -0600


It would be virtually impossible for you to get what you need from any documentation that is publicly available because of the level of complexity of the SIM.

There is a Java-based console which is used by operators/analysts for the most part. There is an Oracle backend where events are stored/persisted, a Manager (which the console connects to) which is responsible for handling inbound events, as well as multiple agent types to handle a variety of log events such as AD events, syslog, firewall/IDS/IPS etc.

Most work is done within the console itself, including managing certain agent parameters, creating one-off and scheduled reports, and creating and monitoring channels (events that are filtered for a very wide range of criteria including source, destination, targets, vulnerability, asset criticality, just to name a few).

If you are interviewing for a position where Arcsight figures in the environment, you would be best focussing on understanding incident handling and investigation as there is just no way one can cram for this SIM.

Having said all that, I am somewhat curious as to whether you are looking at a position in Calgary ;)

Additionally, it's rather poor form to use a completely fake email address that bounces when people reply to it. If you are concerned about your privacy it's just as easy to create a real hotmail address with a randomly generated username and connect via anonymous proxy.

Cheers,

---

Tremaine Lea
Network Security Consultant

Be in pursuit of equality, but not at the expense of excellence.



On 12-Apr-07, at 5:58 AM, hello () hotmail com wrote:

I am interviewing for a security analyst position and they use Arcsight in their architecture. I have not used the framework yet and wanted to just get familiar with it and its capabilities. From what I have heard it is one of the best, if not the best, SIM/ESMs you can learn if you want to make a career in computer security?



