    You can access the presentation here:


    Chat Log - 3/6/2014 - 9AM-10AM


    3/6/2014 9:01 SQLRockstar: Good morning everyone!
    3/6/2014 9:01 clapoint: morning!
    3/6/2014 9:01 francois.caron: Hey, how are you?
    3/6/2014 9:02 SQLRockstar: I am well, thanks! How about yourself?
    3/6/2014 9:14 francois.caron: Hey guys, does anybody have a multi-domain network with guards at the boundary between domains?
    3/6/2014 9:16 Scott: Certainly but I am only part of the responsibility for a single domain space serving my project within the DoD
    3/6/2014 9:17 clapoint: Just FYI for those dealing with cross-domain monitoring issues, here's a link to a doc that describes how we can make this work for you:
    3/6/2014 9:17 francois.caron: ok. Do you know whether there is an approach in your agency, to consolidate management across domains, or management as well, is kept segmented?
    3/6/2014 9:17 Chris: Yes, but we use firewalls at the boundary
    3/6/2014 9:18 francois.caron: to Goodzhere: Do you struggle with consolidating amnagement across domains?
    3/6/2014 9:18 francois.caron: management
    3/6/2014 9:18 Chris: yes we do
    3/6/2014 9:18 francois.caron: do you have SolarWinds products deployed?
    3/6/2014 9:18 Chris: I actually have a lot of duplication
    3/6/2014 9:19 Chris: I have played with EOC and it seems to help some
    3/6/2014 9:19 Chris: yes
    3/6/2014 9:20 Chris: I have NPM NCM SAM and have LEM (Not installed yet)
    3/6/2014 9:20 francois.caron: what change in the portfolio would help you the most, in this regard?
    3/6/2014 9:20 Scott: We are moving toward deployment of EOC here for our COOP and Expansions.  We will be geographically distributed as well as cross domain.
    3/6/2014 9:20 ed.bender: EOC can be made to work with Orion servers on different security enclaves (NIPR / SIPR) for example.
    3/6/2014 9:20 francois.caron: good set of products. Are you subject to applying Continuous Monitoring rules and practices?
    3/6/2014 9:21 francois.caron: to Scott: the cross domain limits will be based on guards?
    3/6/2014 9:22 Scott: firewalls the way I understand it. I have been shepherding an upgrade of NPM, SAM, NTA and NCM along with Fail Over for all of the above.  We will be using EOC to watch over everything in the future.
    3/6/2014 9:23 francois.caron: goodzhere, did you see my Q, related to your struggle:  what change in the portfolio would help you the most, in this regard?
    3/6/2014 9:23 francois.caron: sounds good ScottW
    3/6/2014 9:25 francois.caron: Is Continuous Monitoring a necessity for you guys? Do you think we communicate enough on the ability of our products to help with this?
    3/6/2014 9:25 Chris: I think we mostly have what we need
    3/6/2014 9:25 francois.caron: ok
    3/6/2014 9:26 Chris: it looks like EOC will help us out a lot
    3/6/2014 9:26 Chris: I have just started using EOC
    3/6/2014 9:26 francois.caron: ok
    3/6/2014 9:26 Scott: Likewise here.  We are really looking forward to getting this all stood up.
    3/6/2014 9:26 francois.caron: sounds good
    3/6/2014 9:27 francois.caron: ScottW, how do you manage your logs (centralization, correlation...)?
    3/6/2014 9:27 francois.caron: Somebody has HP ArcSight?
    3/6/2014 9:28 Chris: integrating LEM into the "NPM suite" would help a lot.  I hate that it is separate and also does not integrate into EOC
    3/6/2014 9:29 Scott: That is something we are working on and I am researching.  LEM, Splunk etc, are being researched.
    3/6/2014 9:29 Chris: LEM is good
    3/6/2014 9:29 Chris: Splunk is good too, but it is much more expensive
    3/6/2014 9:29 Scott: I have used both Splunk and ArcSight with a preference for the former.
    3/6/2014 9:30 francois.caron: to Goodzhere: we have some thoughts about this, you are not the first to ask
    3/6/2014 9:30 francois.caron: interesting ScottW. Why do you prefer ArcSight?
    3/6/2014 9:30 colby: what would you like to see integrated from LEM to Orion? access to the data, graphs and charts related to log data stored in LEM? any thoughts?
    3/6/2014 9:30 Scott: No, I prefer SPLUNK.
    3/6/2014 9:30 Scott: Sorry for the confussion.
    3/6/2014 9:31 Scott: and spelling,
    3/6/2014 9:32 Scott: SPLUNK is a much more intuitive platform for analysis IMHO
    3/6/2014 9:32 francois.caron: got it. Not really surprised. Was curious, how is Splunk doing in terms of alerting: send me an alert automatically when you see this and that in my logs
    3/6/2014 9:32 Chris: I would like to have LEM as a "module" within the Orion website. I would also like to have LEM resources available for the pages within NPM.
    3/6/2014 9:33 francois.caron: hey, we have the LEM PM here, Nicole!
    3/6/2014 9:33 Chris: I would also like to use EOC to monitor multiple LEM installs
    3/6/2014 9:33 Chris: It needs more integration with the other SolarWinds products and not just out there on its own.
    3/6/2014 9:34 Scott: goodz is echoing what we ultimately want as well.  I want a tool that can correlate machine data, remedy tickets, badge access tables etc,....
    3/6/2014 9:34 clapoint: makes sense.  can you both provide a bit more color on the problems that are behind the need for that functionality?
    3/6/2014 9:37 Scott: My primary purview is as a security professional.  To that end, I want to be able to run any event to ground by accessing any and everything that might have happened.  I love NPM's simplicity of set up and operation but as I said, if I see something in NPM, I want to be able to rapidly look at other data that will help me assess what needs to be done.  Door access records, Change tickets, etc,.... are all valued sources of "facts"
    3/6/2014 9:39 Chris: when monitoring devices and troubleshooting issues, I want to see all the data for that device in one place, to include the logs.  NPM has that functionality now, but LEM is much more complex.  When using LEM as the log collector, I want to see the LEM info instead of the NPM log info (since we are using LEM instead of NPM to collect logs now)
    3/6/2014 9:41 Chris: I don't want to have to bounce back and forth between tools
    3/6/2014 9:41 Scott: likewise
    3/6/2014 9:41 francois.caron: hence the request for LEM integration
    3/6/2014 9:44 Chris: Who is actively using the compliance reporting function for DISA STIGs?
    3/6/2014 9:44 clapoint: Got it. That's very helpful context on the use-cases. I think you'll be very happy with where we're heading on this subject. We'll make sure to include you as we get further along with mockups/prototyping.
    3/6/2014 9:44 Chris: OK thanks
    3/6/2014 9:46 turnerdl: Hi, I'm new to this group. Is there a visual? or just voice?
    3/6/2014 9:47 Chris: visual is on the left
    3/6/2014 9:47 Gary: There is a visual also
    3/6/2014 9:47 Chris: slides are there now
    3/6/2014 9:47 ed.bender: powerpoint slides on the left.
    3/6/2014 9:47 ed.bender: powerpoint slides are on the left.
    3/6/2014 9:48 turnerdl: oh yeah!! Thanks.
    3/6/2014 9:51 francois.caron: Would you see Orion improving capabilities in the area of Network Access Control: e.g. a feature that could detect User logins (UDT does that), know what vendor, machine type or whatever, and would apply policies leading to shutting down the port (or wireless access). Would you rely on Orion portfolio for that kind of poor man's NAC (Network Access Control)?
    3/6/2014 9:52 Scott: Yes.
    3/6/2014 9:53 francois.caron: What would be the most common use case (e.g. type of policy and criteria, leading to kicking a device out)?
    3/6/2014 9:53 Gary: That would be a great feature
    3/6/2014 9:54 Scott: Right now, any system not certified by DoD is machina non grata
    3/6/2014 9:54 francois.caron: ok. Anybody has an opinion on how interested they would be in seeing Orion evolve this way?
    3/6/2014 9:54 Scott: thanks everyone
    3/6/2014 9:55 francois.caron: and what is the criteria to be "certified by DoD". How would Orion detect that and apply the right policy?
    3/6/2014 9:55 clapoint: Next up is my session, so please stay on ;-).
    3/6/2014 9:55 francois.caron: It's the sessions on the latest and greatest on Orion, you guys want to listen to Chris' session! :-)
    3/6/2014 9:56 clapoint: We'll give you a sneak peek into a couple of things we're working on both the network and systems sides of our business.
    3/6/2014 9:56 francois.caron: ScottW, don't let me down on the NAC question ;-)
    3/6/2014 9:56 Scott.Wagner.USARMYciv: I will be back shortly and try and answer that.  Gotta take a nature and lunch break.
    3/6/2014 9:56 francois.caron: haha