Meta Blog

Blog about infrastructure, visibility, and people who make it possible.


Network configuration errors can prevent your log and event management solution from receiving all of its intended events. It's a common issue, and an easy one to overlook. We review how to locate missing events in ArcSight environments.

Every medium-to-large corporate network carries a certain degree of complexity. Over the years, different people have designed and implemented its network management and security equipment, its network access controls, and its cabling. Although the objective of an event management solution such as ArcSight Logger is to collect log messages from across the enterprise, and most network devices may well have been configured to send their log messages to the SIM/LM, how do we know we are really receiving everything we should? With ArcSight, we should be able to discern whether all of the intended event traffic is actually being delivered to Logger or ESM/Express.
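The question "are we really receiving everything we should?" has a concrete answer only if you compare what the collector received against an inventory of what is supposed to be sending. The following script is an added example, not ArcSight's own tooling or the post's method: it reconciles a constructed inventory of expected log sources against a constructed sample of received events and flags sources that are silent, sources whose last event is older than their expected reporting interval, and senders the inventory does not know about (which often turn out to be a misconfigured relay or a device logging through the wrong interface). The device names, IP addresses, intervals and event fields are all assumptions for illustration.

```python
"""Reconcile an inventory of expected log sources against events a
collector actually received, to locate silent or stale sources.

Added example with constructed data; not ArcSight's own tooling.
"""
from datetime import datetime, timedelta, timezone

# Constructed inventory (assumed field names): devices the network and
# security teams believe are configured to forward logs to the collector,
# with how often each is expected to emit at least one event.
EXPECTED_SOURCES = {
    "fw-edge-01": {"ip": "10.1.0.1", "expected_interval": timedelta(minutes=5)},
    "sw-core-01": {"ip": "10.1.0.2", "expected_interval": timedelta(minutes=15)},
    "vpn-gw-01":  {"ip": "10.1.0.3", "expected_interval": timedelta(minutes=5)},
    "dc-01":      {"ip": "10.2.0.10", "expected_interval": timedelta(minutes=10)},
}

# Constructed sample of received events: (ISO-8601 timestamp, sender IP, message).
RECEIVED_EVENTS = [
    ("2024-03-01T12:00:00+00:00", "10.1.0.1", "deny tcp 203.0.113.5 -> 10.1.5.20:445"),
    ("2024-03-01T12:03:00+00:00", "10.1.0.1", "permit tcp 10.1.5.20 -> 198.51.100.7:443"),
    ("2024-03-01T11:10:00+00:00", "10.1.0.2", "link state change Gi1/0/3 down"),
    ("2024-03-01T12:04:30+00:00", "10.9.9.9", "login succeeded user admin"),
]

# Constructed "current time" so the example is deterministic.
NOW = datetime(2024, 3, 1, 12, 5, tzinfo=timezone.utc)


def latest_event_per_source(events):
    """Return {sender_ip: timestamp of the most recent event seen}."""
    latest = {}
    for ts, ip, _message in events:
        t = datetime.fromisoformat(ts)
        if ip not in latest or t > latest[ip]:
            latest[ip] = t
    return latest


def reconcile(expected, events, now, grace=2):
    """Classify every expected source and list unexpected senders.

    silent  : inventory says it should log, but no event was received at all
    stale   : last event is older than `grace` x the expected interval
    ok      : reporting within tolerance
    unexpected : senders seen in the events but absent from the inventory
    """
    latest = latest_event_per_source(events)
    known_ips = {cfg["ip"] for cfg in expected.values()}
    report = {"ok": [], "stale": [], "silent": [], "unexpected": []}

    for name, cfg in expected.items():
        last = latest.get(cfg["ip"])
        if last is None:
            report["silent"].append(name)
        elif now - last > grace * cfg["expected_interval"]:
            report["stale"].append((name, now - last))
        else:
            report["ok"].append(name)

    report["unexpected"] = sorted(ip for ip in latest if ip not in known_ips)
    return report


def run_sample():
    """Run the reconciliation over the constructed data above."""
    return reconcile(EXPECTED_SOURCES, RECEIVED_EVENTS, NOW)


if __name__ == "__main__":
    result = run_sample()
    print("ok        :", ", ".join(result["ok"]))
    print("stale     :", ", ".join(f"{n} (last seen {age} ago)" for n, age in result["stale"]))
    print("silent    :", ", ".join(result["silent"]))
    print("unexpected:", ", ".join(result["unexpected"]))
```

In practice the inventory comes from the CMDB or the firewall/switch management system rather than a hard-coded dictionary, and the received-events side comes from a per-source "last event" query against the collector; the grace multiplier exists because a source that merely has nothing to say for one interval is not the same as one whose syslog path is broken. The silent and unexpected lists are the ones to chase: each silent entry is a device whose configuration, ACLs or routing should be verified end to end, and each unexpected sender is either an undocumented source or a relay masking the real origin.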

Whether most ArcSight SIEM customers underutilize their solutions is an excellent question, although any answer may be largely subjective.  As information security consultants, we know that the InfoSec infrastructure has to adhere to the Corporate Security Program objectives, which are driven by business priorities and by the critical infrastructure that supports the business.  Therefore, the answer to "Is the SIEM implementation leveraged to its full potential?" depends less on the SIEM's impressive capabilities than on the original business drivers behind the deployment, or, to put it simply, on why the solution was procured.  Reviewing those original goals and motivations may give a direct answer to whether your organization's SIEM solution is used to its full intended potential.

Of course, these objectives may not always be clear, due to organizational changes or the complexity of internal decisions (or, let's face it, politics).  So let us look at the most common scenarios we have seen drive customers to invest in enterprise-grade SIEM solutions, ArcSight in particular.

As IT infrastructure demands grow, so does the need to monitor and control the IT environment. Information security professionals are dealing with increasingly high rates of security-significant events within their SIEM infrastructures, which presents advanced challenges to both engineers and architects.