ArcSight and Litigation Quality Data
- Pavan Raja

- Apr 8, 2025
- 3 min read
Summary:
This document focuses on how ArcSight handles event data so that it can be used in litigation, by meeting legal evidence standards such as the Federal Rules of Evidence. According to the paper, ArcSight normalizes and stores raw event data in a way that satisfies those rules and maintains integrity through multiple checks. Unlike vendors that rely on connectionless, unencrypted transports or lack detailed audit trails, ArcSight uses encrypted, connection-oriented delivery and provides a robust chain of custody for security log information. These features are presented as making ArcSight ESM a preferred choice for organizations that may need to rely on such data in court.
Details:
This document highlights ArcSight's capabilities in handling event data for potential litigation purposes, emphasizing its compliance with the Federal Rules of Evidence regarding evidence admissibility, especially concerning computer-stored electronic files. The research conducted by ArcSight ensures that raw event data is normalized and stored in a manner that meets the criteria set forth in these rules, making it suitable to serve as admissible evidence when needed.
The overview discusses the "best evidence rule" from the Federal Rules of Evidence, which states that for proving the content of a writing or recording, an original copy (or something that can be considered equivalent) is typically required. This rule applies to electronic files stored in computers and other devices; according to these rules, any printout or output readable by sight that accurately reflects the data should be considered an "original."
ArcSight's approach to normalization of raw event data aligns with this interpretation of the Federal Rules of Evidence, ensuring compliance. Additionally, ArcSight includes multiple integrity checks to guarantee the accuracy and preservation of data, along with a thorough chain of custody for security log information. This process surpasses similar offerings from other vendors in terms of meeting legal requirements for evidence admissibility.
The text highlights that while some vendors claim "raw event storage" as a crucial feature, they often fail to guarantee the integrity of the raw data they collect. These vendors typically use connectionless protocols (like Syslog over UDP or SNMP), which do not provide encryption or assurance of receipt by the security information management solution. Moreover, these products may lack complete audit trails and cannot cache events near end devices, increasing the risk of data loss during system or network outages.
ArcSight ESM, in contrast, ensures best-in-class chain of custody through four critical integrity checks:
1. Secure delivery: encrypted, connection-oriented protocols prevent alteration or loss of data in transit, in contrast to unencrypted, connectionless transports that give no integrity assurance and no guarantee that the SIM system received the event.
2. Five timestamps per event for traceability: Device Receipt Time, Agent Receipt Time, Manager Receipt Time, Database Start Time, and Database End Time.
3. MD5 hash integrity checks on archived partitions to detect changes to data in storage.
4. Granular role-based access controls together with a comprehensive audit trail of all user activity within the ArcSight system, providing proof of effective control over log data.
In addition to these integrity measures, ArcSight allows capturing and storing raw events as fields within the event table, which is an additional feature appreciated by customers.
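The list above describes the checks as product features; the following Python script is an added example (not ArcSight code, and not the paper's) that shows what checks 2 through 4 look like when implemented: a raw syslog line is normalized into fields while the raw text is kept verbatim, the five receipt timestamps are attached per event, the archived partition is sealed with a digest and re-verified, and every access attempt (including denied ones) lands in an audit trail. Check 1, secure transport, is a TLS configuration on the collector and is not something an offline script can demonstrate, so it is left out. The sample event, the role table and all function names are constructed for this example; MD5 is used because the paper names it, and SHA-256 is computed alongside because MD5 is no longer collision-resistant.

```python
import hashlib
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: one raw syslog line as a firewall might emit it.
RAW_EVENT = ("<34>Oct 11 22:14:15 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 "
             "DST=10.0.0.9 PROTO=TCP DPT=22")

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:]+): (?P<msg>.*)$")

# Hypothetical role table (not ArcSight's): actions each role may perform.
ROLE_PERMISSIONS = {"analyst": {"read"}, "archivist": {"read", "archive", "verify"}}


def normalize(raw, device_receipt, agent_receipt, manager_receipt):
    """Parse one syslog line into fields, keeping the raw text verbatim and
    recording the three receipt timestamps along the collection path."""
    m = SYSLOG_RE.match(raw)
    if not m:
        raise ValueError("unparseable syslog line: %r" % raw)
    pri = int(m.group("pri"))
    return {
        "raw_event": raw,                    # raw event stored as a field
        "device_host": m.group("host"),
        "facility": pri // 8,
        "severity": pri % 8,
        "tag": m.group("tag"),
        "message": m.group("msg"),
        "device_receipt_time": device_receipt.isoformat(),
        "agent_receipt_time": agent_receipt.isoformat(),
        "manager_receipt_time": manager_receipt.isoformat(),
    }


def receipt_chain_consistent(event):
    """Each hop must have received the event no earlier than the previous
    one; clock skew or replay shows up here as a negative gap."""
    keys = ["device_receipt_time", "agent_receipt_time", "manager_receipt_time"]
    times = [datetime.fromisoformat(event[k]) for k in keys]
    return all(a <= b for a, b in zip(times, times[1:]))


def _canonical(events):
    # Deterministic serialization so the digest depends only on the content.
    return json.dumps(events, sort_keys=True, separators=(",", ":")).encode()


def archive_partition(events, db_start, db_end):
    """Stamp every event with the database window (timestamps 4 and 5) and
    seal the partition with MD5 (as the paper names) plus SHA-256."""
    stamped = []
    for ev in events:
        ev = dict(ev)
        ev["database_start_time"] = db_start.isoformat()
        ev["database_end_time"] = db_end.isoformat()
        stamped.append(ev)
    payload = _canonical(stamped)
    return {"events": stamped,
            "md5": hashlib.md5(payload).hexdigest(),
            "sha256": hashlib.sha256(payload).hexdigest()}


def verify_partition(partition):
    """Recompute both digests over the stored events; any edit breaks them."""
    payload = _canonical(partition["events"])
    return (hashlib.md5(payload).hexdigest() == partition["md5"]
            and hashlib.sha256(payload).hexdigest() == partition["sha256"])


class AuditTrail:
    """Append-only record of every attempted action on the log data,
    including denied ones, so control over the data can be demonstrated."""

    def __init__(self):
        self.entries = []

    def attempt(self, user, role, action, target, when):
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        self.entries.append({"user": user, "role": role, "action": action,
                             "target": target, "time": when.isoformat(),
                             "allowed": allowed})
        if not allowed:
            raise PermissionError("%s (%s) may not %s %s" % (user, role, action, target))


def build_demo():
    """Run the whole chain on the constructed sample and return the artifacts."""
    t0 = datetime(2025, 4, 8, 12, 0, 0, tzinfo=timezone.utc)
    ev = normalize(RAW_EVENT, t0, t0 + timedelta(seconds=1), t0 + timedelta(seconds=2))
    audit = AuditTrail()
    audit.attempt("alice", "archivist", "archive", "partition-2025-04-08", t0 + timedelta(minutes=5))
    part = archive_partition([ev], t0 + timedelta(minutes=5), t0 + timedelta(minutes=6))
    try:
        audit.attempt("bob", "analyst", "archive", "partition-2025-04-08", t0 + timedelta(minutes=7))
    except PermissionError:
        pass  # the denial itself is evidence of control and stays in the trail
    return ev, part, audit


if __name__ == "__main__":
    ev, part, audit = build_demo()
    print("receipt chain ok:", receipt_chain_consistent(ev))
    print("partition intact:", verify_partition(part))
    print("audit entries:", len(audit.entries))
```

The point a practitioner should take from this is that the digest is only meaningful if it is computed over a canonical serialization and stored separately from the data it protects; the audit trail likewise has evidentiary value only if denied attempts are recorded as well as successful ones.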
The closing section discusses the use of security log data in legal matters. It states that ArcSight ESM provides the strongest litigation-quality data because of the four integrity checks and the accurate preservation of the chain of custody, so that an organization that needs to present such data in court can rely on ArcSight ESM for high-integrity evidence. The document also gives contact details for ArcSight, Inc., located at 5 Results Way, Cupertino, CA 95014, USA, phone (408) 864-2600, website www.arcsight.com. The text is copyright ArcSight, Inc., and notes that ArcSight and ArcSight ESM are registered trademarks of the company.