HP ArcSight Technical Overview - EA v01 Extra Notes 1.1
- Pavan Raja

- Apr 8, 2025
Summary:
This document outlines a method for ensuring an end-to-end chain of custody during litigation, which has held up in courts across Canada, the US, and Europe. It emphasizes never dropping data, using a priority-based cache, and sustaining high event volumes (100K EPS, 1M records per second). The system includes correlation methods such as location, session, and vulnerability-based analysis to detect threats effectively. "Dd" is used as a placeholder for detailed information which may be found in the full document.
Details:
This text appears to be a summary of a technical or security document about monitoring for threats and risks. It focuses on how to ensure an end-to-end chain of custody for litigation purposes, with proven effectiveness in courts across Canada, the US, and Europe. The document states that the system does not drop data, uses a priority-based cache, and can handle high volumes such as 100K EPS (events per second) and 1M records per second for searching. It also mentions scaling horizontally using Logger cubes to manage scale and providing actionable alerts without waking the network admin at night.
The document goes on to describe several methods of correlation: location correlation, which flags the same account logging in from two different physical locations at the same time (a sign of possible account compromise or shared credentials); session correlation, which analyzes the logs tied to a user's IP address over an 8-hour period; and vulnerability-based correlation, which weighs events against known vulnerabilities to assess the probability of compromise.
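To make the first two correlation methods concrete, here is an added illustration (not ArcSight code, and not from the summarized document) that runs simple location and session rules over a handful of constructed authentication log lines. The log format, field names, the 10-minute co-location window, and the start-anchored 8-hour session window are all assumptions chosen for the example.

```python
"""Toy location and session correlation over constructed auth events.

Added example, not ArcSight's own logic: the two rules mirror the
correlation methods the summary describes (one account active at two
sites at once, and per user/IP activity grouped into 8-hour sessions).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed syslog-like format. Not real data.
SAMPLE_LOG = """\
2025-04-08T08:00:00Z auth user=alice ip=10.1.1.5 site=toronto result=success
2025-04-08T08:02:00Z auth user=alice ip=10.1.1.5 site=toronto result=success
2025-04-08T08:03:00Z auth user=alice ip=203.0.113.9 site=london result=success
2025-04-08T09:00:00Z auth user=bob ip=10.2.2.7 site=paris result=success
2025-04-08T15:30:00Z auth user=bob ip=10.2.2.7 site=paris result=success
2025-04-08T18:00:00Z auth user=bob ip=10.2.2.7 site=paris result=success
2025-04-08T10:00:00Z auth user=carol ip=10.3.3.3 site=newyork result=failure
"""


def parse_events(text):
    """Parse 'timestamp kind key=value ...' lines into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, _kind, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def location_correlation(events, window=timedelta(minutes=10)):
    """Location rule: alert when one account's successful logins come from
    two different sites within `window` of each other.
    Returns a list of (user, previous_site, current_site) tuples."""
    alerts = []
    last_by_user = {}
    for ev in events:
        if ev["result"] != "success":
            continue  # failed attempts do not prove presence at a site
        prev = last_by_user.get(ev["user"])
        if prev and prev["site"] != ev["site"] and ev["ts"] - prev["ts"] <= window:
            alerts.append((ev["user"], prev["site"], ev["site"]))
        last_by_user[ev["user"]] = ev
    return alerts


def session_correlation(events, window=timedelta(hours=8)):
    """Session rule: group events by (user, ip). An event joins the current
    session if it falls within `window` of that session's start; otherwise
    it opens a new session. Returns {(user, ip): [session, ...]}."""
    sessions = defaultdict(list)
    for ev in events:
        key = (ev["user"], ev["ip"])
        current = sessions[key]
        if current and ev["ts"] - current[-1]["start"] <= window:
            current[-1]["end"] = ev["ts"]
            current[-1]["count"] += 1
        else:
            current.append({"start": ev["ts"], "end": ev["ts"], "count": 1})
    return dict(sessions)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for user, a, b in location_correlation(evs):
        print(f"ALERT location: {user} seen at {a} and {b} within 10 minutes")
    for (user, ip), sess in session_correlation(evs).items():
        for s in sess:
            print(f"session {user}@{ip}: {s['start']} -> {s['end']} ({s['count']} events)")
```

On the sample data, the location rule fires once (alice in Toronto and London one minute apart) and the session rule splits bob's three Paris logins into two sessions because the third falls more than 8 hours after the first. In a real deployment the site would come from a geolocation or asset lookup on the IP rather than a log field, and the windows would be tuned to the organization's travel and shift patterns.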
The repeated use of "Dd" throughout the text appears to be a placeholder for data points or details that are presumably covered in more depth elsewhere in the document. Overall, this summary suggests a focus on comprehensive threat monitoring, with a strong emphasis on actionable alerts and efficient handling of large volumes of information from many sources.
