ArcSight certifications

Has anyone attended ArcSight training and have experience with the ArcSight certifications? I might need to get into this myself and am looking for opinions about the training and certification.

ArcSight Certified Integrator/Administrator (ACIA)
ArcSight Certified Security Analyst (ACSA)

http://www.hpenterprisesecurity.com/services/education/arcsight

Find more posts tagged with

Comments

dmoore44

I wasn't aware ArcSight was offering certifications until now... Thanks for the heads up!

JDMurray

ArcSight offers a large set of product training classes, so they might as well have a few certs to complement it.

It looks like the security cert is the closest to what I'd be doing. The implementation and admin of ArcSight I wouldn't be touching.

higherho

Pretty cool I was interested to see what arcSite is all about (. I recently had to install an arcsite connector to our security appliance. Though I just did the connector stuff, the events and all that are handled by the arcsite admins off site.

contentpros

This would be interesting to see what the material is focused around. Arcsight is doing a big transition from Oracle as the backend to their new core engine (for Arcsight enterprise, Express is already running on core). I wonder if the materials hasve been updated to reflect the new transition. +1 for Arcsight it is a monster but once you start using it the workflow makes sense and once you get used to everything you can do with it most of the other SIEMs out there look like they were made by Fisher-Price.

JDMurray

Yes, the live demos I've seen of it look fantastic. The presentations tend to focus too much on the log viewing/reporting piece for my needs. I much prefer the event correlation functionality.

The ArcSight Protect 724 user community support site is a great place to find info too.

badrottie

Having some ArcSight experience will make you a very in-demand resource, to say the least. If you get your TS/SCI clearance, you'll have Beltway recruiters beating down your door.

McAfee/Nitro and Q1 are excellent SIEM choices, but ArcSight is the best of the best. From the sound of it, it sounds like you're going down the ArcSight Certified Analyst track (ACSA) versus the ArcSight Certified Integrator/Administrator (ACIA).

Are you going through the ArcSight University online training, or are you going to supplement it with some instructor lead training? I am current going through it as well, but from the standpoint of an authorized reseller.

RTmarc

badrottie wrote: »

McAfee/Nitro and Q1 are excellent SIEM choices, but ArcSight is the best of the best.

We dumped ArcSight in favor of Nitro since we were apparently doing QA for them. YMMV.

JDMurray

badrottie wrote: »

McAfee/Nitro and Q1 are excellent SIEM choices, but ArcSight is the best of the best.

Don't necessarily correlate (pun intended) "the biggest" with "the best." Oracle, Microsoft, VMware, and Apple are all "the biggest" in their own markets, but they are not necessarily "the best" for every organization. ArcSight's prices are certainly not "the best."

badrottie

JDMurray wrote: »

Don't necessarily correlate (pun intended) "the biggest" with "the best." Oracle, Microsoft, VMware, and Apple are all "the biggest" in their own markets, but they are not necessarily "the best" for every organization. ArcSight's prices are certainly not "the best."

From a reseller/integrator standpoint, I disagree

I agree, the requirements will determine what constitutes "the best". We also sell Nitro and a few others in the SIEM space, but for my enterprise customers, ArcSight is usually their first choice. YMMV.

contentpros

This always seems to be a fun type of discussion because as others have pointed out there is no real "right" or "best" choice for SIEMs. Everyone's needs and budget are different and depending on the size of your environment. You also need to have the resources to manage the product. I think most everyone that is familiar with Arcsight will agree that it is the 800lb gorilla in the SIEM space but Q1 and Nitro(McAfee) are making gains in the space. For a mid-tier implementation of Arcsight Express (not the larger ESM) with 1 content pack, pro-services for implementation, and support you can easily be looking at a $200K spend. This is doable for larger businesses and enterprises but for a smb that does 250-300 million a year just the initial buy is probably out of their price range. I know one of the selling points that Q1 likes to tout is that they can do a full implementation (for most average sized companies) for less than the annual renewal is for Arcsight.

Pricing aside, you still have to look at resources/staffing to actually use the solution. We are lucky to have a good size security team of pretty senior people (many that have used Arcsight previously) which is a huge benefit. If you ever look the at the Arcsight interface in an environment that is pushing 5k events per second the stats and information is really overwhelming. If you are comfy with what you are looking at there is so much great information and visability you will wonder how you ever lived without it. The downside is if you think you are going to hire 20 entry level people to monitor your Arcsight deployment around the clock with little training you will be disappointed.

Nitro is great from a simplicity point of view. If you are not trying to do anything to fancy or crazy with it, it is a fine solution. It is also great from the perspective of having a warm body sitting in front of the console for monitoring and "call me if anything goes red" situations but you may not get all of the data you need to track an incident end-to-end.

Q1 has a lot of positives the pricing is generally very appealing, does better handling larger events per second then Nitro (my experience YMMV) and does a much better job then Nitro for pulling incident data. I also like the way Q1 handles expansion. For many solutions if you need more disk space just add some form of direct attached storage which is fine until you start having IO issues or other components start to bottle neck. Q1 is almost grid-like in the fact that if you want to grow add another box. This way you're not just adding storage but also cpu and ram that can be leveraged for the solution (a plus in my opinion).

Regardless of what solution for SIEM you are evaluating make sure you run a proof-of-concept in your environment. Also don't let their demo team do all the configuration have your team do the work with them providing oversight. They will make it look easy but if you had to implement it (and maintain it) how "easy" is it to work with.

The only solution that I will never recommend to anyone friend or foe is RSA Envision.

~CP

tprice5

Great write up contentpros, +1 rep.

tprice5

Has anyone here done any ArcSight administration as their main job role? Someone in my office had mentioned that there would be an opening and it comes with a 30% pay raise so I thought it would be worth looking into. I would be required to attain the certification which I've heard with training + test ballparks around $2000.
Meh, I don't think I could watch a log collector scroll all day.

LionelTeo

contentpros wrote: »

The only solution that I will never recommend to anyone friend or foe is RSA Envision. ~CP

Coming from someone who used Envision before, +10000 to this.

Has anyone here done any ArcSight administration as their main job role? Someone in my office had mentioned that there would be an opening and it comes with a 30% pay raise so I thought it would be worth looking into. I would be required to attain the certification which I've heard with training + test ballparks around $2000.
Meh, I don't think I could watch a log collector scroll all day.

Arcsight isn't really tough to learn, its about rules, reports in readable format. The false positive filter is also easy to implment. If you are doing administration, then probably you would also be touching the system on unix as well as the application. 30% salary rise for not a really tough job, I would recommend to go for it.

DeepakChopra

Hi Guys,

I am new to the field of Information Security and want to learn Arcsight tool. Can anyone please share any training videos or study guide so that I can get myself started with Arcsight.

Thanks

kiki162

I know I'm getting off topic but what about looking into Tenable's Security Center? Not sure if that would be a fit or not for what you need?

F1Senna

I have done the ArcSight Advanced Analyst course. It was excellent, great teacher and great content.

I would say SIEM skills are hard to find, many people have pen test type skills and many have SIEM skills...not many people have both.

Learning the pen test stuff is easy, as all the resources are freely available. The SIEM stuff is harder...especially ArcSight as the cost of the course is so prohibitive. Also, I have never seen a college or uni teach it.

If you get the chance to learn ArcSight take it...especially if your employer is willing to spend the 4k it costs for 4 days training and an exam.

mokaz

F1Senna wrote: »

If you get the chance to learn ArcSight take it...especially if your employer is willing to spend the 4k it costs for 4 days training and an exam.

I bet you're right but doesn't the fact that this product seems rather out of (study) reach without paying first sounds strange to you ?

F1Senna

No not really, ArcSight is a proprietary product and the vendor (HP) are very protective over it. They tightly control the product and the training for it. SIEM tools are one of the rare examples of not having a good open source equivalent. ArcSights only real competition is splunk, the closest thing to an open source platform that does anything similar is graylog…and I haven’t seen many (any) employers that are looking for graylog skills.

SIEM is a bit of a niche, so I guess education establishments do not feel there is much justification for paying the licensing and training costs associated with teaching it.

BlackBeret

The thing about ArcSight is from a user/Analyst standpoint it's just collecting your log data from everything else in to one spot. It's EXTREMELY easy to use for that purpose. From an installation standpoint it can get very strange. Because it's a nice expensive piece of software HP is good about support, so employers don't often need troubleshooting, etc. The only area that really needs hands on experience is administration. If a company wants someone to specifically administer ArcSight, they usually have to send them to the training course, it's just that full of options and tweaks. For those that are trying to get more involved with it ahead of time, the integrated commands will run powershell scripts, so start there.

For open source comparable I would look at Sguil.

Seab

Hi,

Last post about Arcsight SIEM security oriented exam is a few months old now. Anyone completed the certification?
Is there any way to learn with free or cheap material, and take the exam afterwards?

Thanks

Seab

Bumping this thread as I'm looking at this cert without HP training. Any experience, recommendation, material suggestion? There is certainly no book, just user manual and hands on experience from what I know...

Thanks

GRODT

Bump, our organization plans on purchasing Arcsight and we will need logger / administrator training. I've reached out to HP but haven't gotten a response.

LionelTeo

Why would you want to purchase Arcsight? Ever consider Splunk? Anyway, Arcsight is now managed by Microfocus, so you may want to try your luck there if you are still interested.

https://en.wikipedia.org/wiki/ArcSight

mactex

LionelTeo wrote: »

Why would you want to purchase Arcsight? Ever consider Splunk? Anyway, Arcsight is now managed by Microfocus, so you may want to try your luck there if you are still interested.

https://en.wikipedia.org/wiki/ArcSight

MicroFocus is actually developing new content for ArcSight again; and building out other tools to work with it. Also; I know of a few large enterprises that are dumping Splunk and going back to ArcSight (for SIEM purposes). We are one; and Microsoft is doing this as well. Don't need Splunk Ninjas to hunt bad guys with ArcSight. Also the ingest model is much more cost effective than Splunk. Splunk is great for log analysis, dont get me wrong, but I prefer using ArcSight for the actual SIEM. Just my opinion here.

LionelTeo

On the contrary, I had heard of organization shifting away from Arcsight to Splunk, or new security operations departments adopting Splunk over Arcsight. Your response is the first which I had heard about a company moving to Arcsight from Splunk. Then again it's based on your experience and your thoughts on whichever that you think will be better. Based on my past 8 years of working with Arcsight, I haven't seen any significant upgrades with Arcsight after HP acquires it. As for microfocus, while one individual had shared with me that Microfocus is known for buying legacy technology and leaving it as it is, I will hold my judgement for now since they had taken over fairly recently.

Splunk technically speaking isn't really a SIEM, but it has a strong advantage being able to dig up 30-180 days of logs quickly without much hassle, which can be critical to a forensic investigation if it was discovered at a later stage. As for Arcsight, I haven't seen the Arcsight logger being held up in well in similar regards for logs analysis (as you mentioned). This may be a niche consideration, but it is a critical one considering breaches sometimes requires the analyst to trace back the forensic evidence that had occurs in the past fast and reliably.

With regards to alerting wise, there are various options. While Splunk has its own SIEM (Splunk ES), Arcsight is good in the sense that it gives the analyst a lot of flexibility in displaying and showing the necessary fields information to triage the alert. If we are looking at parsing, Arcsight Smart Connectors should ideally parse the logs better than Splunk and also in a
consistent manner. The product itself also has a rather more useful case management system which is better than Splunk ES Investigation pad which is another plus point.

After thinking through on your response, my guess it has to do each organization goals on what are they prioritizing in terms of cost, investment and company objectives. I was actually quite surprised to hear about people moving from Splunk to Arcsight since I had heard/know about at least 5 organizations out there using Splunk exclusively or adopting Splunk.

McxRisley

People moving from Splunk to Arcsight?!?! Blasphemy! This is a first for me, its always been the other way around in my experiences. IMO Splunk(ES) is the superior SIEM when deployed and configured correctly along with analysts who know how to hunt.

I do however have 2 major gripes about Splunk.

#1 The way you setup your environment to use generated certificates is the most tedious and nonsensical way imaginable to do it.

#2 Splunk cannot be 100% centrally managed without the use of third party software like SCCM, Puppet, Chef, etc.

infosecs

I have seen a couple for Splunk Admins.

tprice5 wrote: »

Has anyone here done any ArcSight administration as their main job role? Someone in my office had mentioned that there would be an opening and it comes with a 30% pay raise so I thought it would be worth looking into. I would be required to attain the certification which I've heard with training + test ballparks around $2000.
Meh, I don't think I could watch a log collector scroll all day.

mactex

I know we were talking about this last month; but missed the responses to my "moving to ArcSight from Splunk" reply. So we have finished the ArcSight project and I actually like it more than Splunk for event management and writing correlation rules. For general threat hunting and log review; Splunk is still the way to go; and so we still use Splunk a lot for that. Now we are early adopters to the new ArcSight tool "Investigate" so we will see how that builds out and scales to our environment. Microsoft peeps have told me that they also went back to ArcSight from Splunk for similar reasons. So there are a few of us moving back the other way after jumping on the Splunk for security hype train. Just thought I would follow up.