Senior Advanced Splunk IT Specialist


POC: 443-755-8136 (O)

Bachelor’s degree in a related specialized area or equivalent is required plus a minimum of 8 years of relevant experience; or Master’s degree plus a minimum of 6 years of relevant experience.

Knowledge, Skills and Abilities: Senior Splunk Administrator

• Advanced knowledge of backend operating systems to implement, maintain, configure, and remediate issues (UNIX/Linux/Windows)
• Knowledge of operating systems and networking
• Understanding of SIEM & logging fundamentals
• Understanding of SOC Monitor and Response fundamentals
• Experience in any type of SIEM – Splunk, ArcSight, LogRhythm, etc.
• Experience with implementation of SIEM products and tools
• Understanding of security concepts such as cyber-attacks and techniques, threat vectors, risk management, incident management, etc.
• Knowledge of various operating system flavors including but not limited to Windows, Linux, Unix
• Knowledge of applications, databases and middleware to address security threats against the same
• Proficient in preparation of reports, dashboards and documentation
• Excellent communication and leadership skills
• Ability to handle high-pressure situations with key stakeholders
• Good analytical, problem-solving and interpersonal skills
• Working knowledge and experience with MS Office, with proficiency in Excel

Preferred degree types and experience: The leading candidate will have a Bachelor’s Degree in Computer Science, a related field, or equivalent experience, with a minimum of 5 years of experience in a SOC, or an Associate’s Degree in Computer Science, Information Systems, Cyber Security, or a related discipline with a minimum of 7 years of experience in a SOC. Strong candidates will have previous experience working with users and possess a talent for problem-solving as well as organization and time management skills.

Desired Certifications: CISSP, Network +, Security + (or other applicable certifications)

Information Security Job Description

The information security analyst position is a great opportunity for security professionals to expand their skill set.

There are many types of information security analysts.  Some information security analysts examine the security features of a single system, while others might be responsible for analyzing the security features of an entire organization’s infrastructure.

Analysts are usually professionals with enough security experience to provide guidance on security incidents, security features and/or risks in a given information systems environment.

That being said, the term information security analyst is used in many different ways by many different organizations.  For example, sometimes organizations call their security professionals “analysts” when they actually do “engineering”.  And sometimes they will call security analysts engineers.  So take the description below with a grain of salt.

Essentially, an analyst studies, monitors, computes, considers, contemplates and provides reports, incident handling and responses on existing systems, or checks on designs proposed or developed by others.  Engineers, by contrast, create, design, manipulate, install and configure existing and/or proposed systems.  There is a lot of overlap, so you should always examine the description of the specific job you plan on doing.

Analysts analyze.  Engineers build stuff.  But of course there can be lots of overlap.

Prerequisites for Typical Information Security Analyst:

If you have a solid understanding of networking, TCP/IP, subnetting, a little bit of server administration, malware identification and lots of system security experience, then Information Security Analyst is for you.  Organizations dealing with the federal government usually desire a BS degree or specific IT certifications.

Basic Job Description of Typical Information Security Analyst:

The Information Security Analyst’s responsibilities can sometimes include ensuring that system Information Security requirements are met.  Another task might be to provide support for the systems engineering life cycle from the specification through the design of hardware or software, procurement, development, to integration, test, operations and maintenance.  Provide analysis, definition, and recommendation of information assurance and security requirements for advancing the Information Security technologies of computing and network infrastructure.

Responsibilities may include but are not limited to:
• Ensure that Configuration Management (CM), Information Security governance, policy, directives, and guidance are followed.

Ensure compliance with certain security policies / standards such as:

  • Federal Information Security Management Act (FISMA)
  • NIST Special Publications (SP) 800 Series
  • Security Technical Implementation Guides (STIGs)
  • PCI
  • Sarbanes-Oxley Act
  • Risk Management Framework for DoD IT
  • ISO/IEC 27000
  • Health Insurance Portability and Accountability Act (HIPAA)

• Conduct Information System Security Engineering activities at the subsystem and system level of design

• Complete Vulnerability scans, Information System Security audits, analysis, risk assessments, vulnerability assessments, intrusion detection/prevention and log monitoring of computing resources

• Computer Network Defense:

  • Analyze TCP/IP traffic
  • Continuous monitoring of information system security
  • Incident handling
  • SIEM Analyst
  • Data Loss Prevention
  • Coordination with computer emergency response team (CERT)

• Certification & Accreditation / Risk Management Framework analysis
• Support C&A Security Test and Evaluation processes


HP0-M54 ArcSight ESM Security Analyst

History of ArcSight ESM Security Analyst Certification:

HP0-M54 ArcSight ESM Security Analyst (aka HP Technical Certified II – ArcSight Security Analyst 2012) took the place of ArcSight Certified Security Analyst (ACSA) aka ArcSight ESM Security Analyst (AESA).  The confusion on certification names comes from the acquisition of ArcSight by HP in 2010.  ArcSight had already created a certification for the ESM (admin and analyst), but once HP took it, they started to integrate it into their ExpertOne certifications.

I have noticed that companies look for the old ACIA/ACSA when they want an ArcSight certified professional not knowing that that cert no longer exists.


HP ArcSight ESM Security Analyst Prerequisites:

To pass this exam, you should have at least 6 months of experience using ArcSight ESM or have successfully completed ArcSight ESM Security Analyst training. Exams are based on an assumed level of industry-standard knowledge that may be gained from the training, hands-on experience, or other prerequisite events. You should also be knowledgeable about:

• Common security devices and their functions, such as IDS & firewalls
• Network device functions, such as routers, switches, hubs, etc.
• TCP/IP functions, such as CIDR blocks, subnets, addressing, communications, etc.
• Basic Windows operating system tasks & functions
• Possible attack activities, such as scans, man in the middle, sniffing, DoS, etc., and possible abnormal activities, such as worms, Trojans, viruses, etc.
• SIEM terminology, such as threat, vulnerability, risk, asset, exposure, safeguards, etc.
• Security directives, such as Confidentiality, Integrity, Availability

HP ExpertOne does not list the objectives for this cert for some reason (the standard lack of HP taking on too much business with too little staff, IMHO).  Anyway, when preparing for this certification just make sure you have experience with each of the ArcSight Console resources.  You should use each until you understand them, because the questions are about the resources.

How to take the HP0-M54 ArcSight Security Analyst Cert

That certification can be taken through Pearson VUE.  You have to get an account with HP ExpertOne first; HP issues an “HP Learner ID”.

The test costs about 250 USD and has 75+ questions.

There are so many braindump articles and “products” for this certification.  It’s really unfortunate that HP has not done more to make this certification more relevant, since ArcSight is the top SIEM in the world (circa 2014).  HP is trying, but sometimes it seems they have more products and services than they can handle.  They did recently update HP0-M54, so that’s positive.

If you are planning on taking this certification, you should think about NOT doing braindumps.  Get some actual experience with the product.  You can download it for a free trial and play with it.  If you want to make money as an ArcSight subject matter expert you will have to put in some real time and effort.  The test will not do anything for you without experience.

HP0-M55 HP0-M68 ArcSight ESM Administrator

History of ArcSight ESM Administration Certification:

HP0-M55 ArcSight ESM Security Administrator (aka HP Technical Certified II – ArcSight Security Administrator 2012) is the administration certification.  Due to the acquisition of ArcSight by HP in 2010 and the recent move away from an Oracle backend, ArcSight ESM certifications have gone through almost yearly, back-to-back name changes.  What is now HP Technical Certified II – ArcSight Security Administrator used to be ArcSight Certified Integrator/Administrator (ACIA), aka ArcSight ESM Integrator/Administrator (AEIA).  And NOW, HP Technical Certified II – ArcSight Security Administrator expires 2 June 2014.  This certification cannot be acquired as of 2 June 2014.  The new certification is HP ATP – ArcSight ESM 6.5 Administrator V1, which is HP0-M68.


HP ArcSight ESM Objectives include:

  • Identify functions of ArcSight ESM components and perform steps to verify status and restart component services
  • Illustrate ArcSight connector basics
  • Identify primary types of storage in ESM and key components of event storage area, and understand retention policies
  • Describe how to use the ArcSight Console and how to configure the console preferences, and navigate within ESM resources
  • Depict how to use the Web Management Console to manage users and the CORR Engine (for NEW HP0-M68)
  • Identify files/folders that need to be backed up
  • Understand ESM authentication mechanisms and guidelines
  • Perform core ArcSight ESM administrative tasks
  • Identify stock content dashboards
  • Illustrate how to manage connectors (status, operation commands, dashboards, import/export configurations, upgrades)
  • Describe basic event management tasks
  • Identify basic troubleshooting tools, logs, and processes






ArcSight Data Sources

ArcSight ESM can collect output from the logs of 300+ types of sources. The logs are collected by HP ArcSight Connectors. The logs go through normalization and categorization and are converted into what is known as Common Event Format (CEF). CEF is an industry-standard log format.

CEF contains information such as IP address, host names, date/time stamp, attack name, port number, vendor type and country of origin.
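To make the CEF record concrete, here is an added example (code written for this page, not ArcSight’s or HP’s own) of a small Python parser for it: it splits the seven pipe-delimited header fields, then the `key=value` extension, and undoes the escape sequences the format defines (`\|` and `\\` in the header, `\=`, `\\`, `\n` and `\r` in the extension). The two sample events are constructed for the demonstration, and the choice to skip anything before `CEF:` as a syslog prefix is an assumption of this example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CefEvent:
    """The seven CEF header fields plus the parsed extension dictionary."""
    version: str
    device_vendor: str
    device_product: str
    device_version: str
    signature_id: str      # Device Event Class ID
    name: str
    severity: str          # 0-10 or Low/Medium/High/Very-High
    extension: dict = field(default_factory=dict)


_ESCAPES = {"n": "\n", "r": "\r"}


def _unescape(text):
    # One pass over "\x" pairs, so "\\\\" becomes a single backslash and is not
    # re-examined; "\|" and "\=" simply yield the escaped character.
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), text)


def _split_header(body):
    """Split on unescaped '|' into the 7 header fields plus the raw extension."""
    parts, current, i = [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            current.append(body[i:i + 2])   # keep escape pair intact for _unescape
            i += 2
            continue
        if ch == "|" and len(parts) < 7:    # after 7 fields, pipes belong to extension
            parts.append("".join(current))
            current = []
            i += 1
            continue
        current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


# A key starts at the beginning or after whitespace and ends at an unescaped '='.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")


def _parse_extension(ext):
    """Extension values may contain spaces, so each value runs until the next key."""
    matches = list(_KEY_RE.finditer(ext))
    result = {}
    for idx, m in enumerate(matches):
        start = m.end()
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        result[m.group(1)] = _unescape(ext[start:end].strip())
    return result


def parse_cef(line):
    # Assumption of this example: connectors often prepend a syslog header, so
    # everything before "CEF:" is ignored.
    pos = line.find("CEF:")
    if pos < 0:
        raise ValueError("not a CEF record")
    parts = _split_header(line[pos + len("CEF:"):])
    if len(parts) < 7:
        raise ValueError(f"expected 7 header fields, got {len(parts)}")
    header = [_unescape(p) for p in parts[:7]]
    ext = parts[7] if len(parts) > 7 else ""
    return CefEvent(*header, extension=_parse_extension(ext))


# Lower bound of each word's numeric band (Low 0-3, Medium 4-6, High 7-8, Very-High 9-10).
_SEVERITY_WORDS = {"low": 0, "medium": 4, "high": 7, "very-high": 9}


def severity_score(event):
    """Normalise the textual or numeric severity to an int in 0..10."""
    s = event.severity.strip().lower()
    if s in _SEVERITY_WORDS:
        return _SEVERITY_WORDS[s]
    try:
        return max(0, min(10, int(s)))
    except ValueError:
        raise ValueError(f"unrecognised severity {event.severity!r}")


def summarise(line):
    """The fields an analyst looks at first: who reported it, what, how bad, from/to where."""
    ev = parse_cef(line)
    return {"vendor": ev.device_vendor, "product": ev.device_product, "name": ev.name,
            "severity": severity_score(ev),
            "src": ev.extension.get("src"), "dst": ev.extension.get("dst")}


# Constructed sample events (not real telemetry); the second exercises the escapes.
SAMPLE_EVENTS = [
    "Sep 29 08:12:44 fw01 CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|"
    "src=10.0.0.1 dst=2.1.2.2 spt=1232",
    "CEF:0|Example Vendor|IDS\\|Probe|2.3|4001|Suspicious login attempt|High|"
    "src=192.0.2.10 suser=admin msg=failed password for user\\=admin\\nretry 3 rt=1411974764000",
]

if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print(summarise(raw))
```

The parser keeps the header split and the unescaping as separate steps on purpose: an escaped `\|` must survive the split and only then become a literal pipe, otherwise a product name containing a pipe would shift every later field by one. Severity is normalised because connectors from different vendors emit either the 0–10 number or the word form, and a dashboard threshold has to compare both.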

ArcSight Data Sources Include (but are not limited to):

• Intrusion Detection and Prevention Systems
• Vulnerability Assessment Tools
• Anti-virus and Anti-spam Tools
• Encryption tools
• Application Audit Logs and Physical Security Logs

“ArcSight Connectors also manage ongoing updates, upgrades, configuration changes and administration of distributed deployments through a centralized web-based interface. They can be deployed as software or on an appliance.”



ArcSight n00b Part2: Skillset Prereq


So you want to get into ArcSight, but don’t know what skills you should have to even start? At an organization I worked for we had a hard time hiring ArcSight Engineers/Administrators. There are not many people with actual ArcSight experience beyond use of the client side console. So we started looking for individuals that might be able to learn the system quickly. Based on some of the people we hired here are some prerequisites that might help you to start in ArcSight:

Linux/Unix – Although ArcSight ESM/Database works on Windows, the Linux/Unix systems have a serious learning curve. You need to have a strong grasp of the basics if your ArcSight ESM or Database is on a Linux/Unix OS. Basic commands to traverse a directory, copy, paste, find and manipulate data, and manipulate users and groups on the command line are a necessity. All of this is more transparent on a Windows system, but in a Linux/Unix environment it’s best to have some experience. Some scripting experience is helpful but not absolutely necessary. I would say the level of knowledge is CompTIA Linux+ if the system is on a Linux OS. The more comfortable you are with Linux, the better.

HP ArcSight 5.2 operates on these operating systems:

• Microsoft Windows Server 2003 R2 (SP2) 32-bit
• Microsoft Windows Server 2003 R2 (SP2) 64-bit
• Microsoft Windows Server 2008 R2 SP2 64-bit
• Red Hat Enterprise Linux 5 (RHEL 5.7)
• Red Hat Enterprise Linux 6.1 64-bit
• SUSE Linux Enterprise Server 11
• Version 5.3 (64-bit): IBM AIX 6L, 6.1 64-bit

Oracle DBA – HP ArcSight ESM 6.x has moved to a database called CORR. But most current (circa 2013) ESM/DB implementations will have an Oracle back end. This is sure to change within about 3 years as more people go to CORR. I would say low-level Oracle DBA skills are very necessary. Once you start installing and understanding ArcSight you see that it’s just a database with a complex user interface that allows intricate manipulation of how the data is viewed; it’s SQL with a fancy user interface. As an ArcSight Engineer, you will have to face Oracle at some point. Be ready! Skills necessary are starting and stopping the database, doing simple SQL commands, understanding how Oracle works with ArcSight’s ESM front end, basic troubleshooting and managing database user accounts. If you have a DBA on staff that is great, but you will still need to know some basics.

More info on CORR:

“HP ArcSight’s Correlation Optimized Retention and Retrieval (CORR) Engine is a breakthrough technology that delivers orders of magnitude improvement in log correlation and storage, helping security administrators thwart the complex threats they face today.”

– HP ArcSight Express

Security Analyst – ArcSight has two separate tracks / bodies of knowledge: HP ArcSight Security Analyst & HP ArcSight Administrator/Engineer. These two bodies of knowledge do have some crossover, but each goes very deep into its own dimensions. For example, an HP ArcSight Security Analyst does not need to know anything about Oracle installation and troubleshooting and can still be a great analyst, and the HP ArcSight Engineer does not need to know how to analyze a TCP/IP packet using a protocol analyzer.

A security analyst will be familiar with many tools of their trade: packet sniffers, network scanners, IDS/IPS (host and/or network based) and they should have a strong understanding of how networks and TCP/IP work. The ArcSight Security Analyst should know how to look at a TCP/IP packet and figure out the source/destination and potential nature of a packet in the context of a given network. They should be able to use the ArcSight Console, create reports, active channels and use the ArcSight Logger. A huge benefit would be to know how to create ArcSight content (aka rules). For some sort of baseline of knowledge base: CEH, CISSP, GCIA.

Other skills might include:

Networking / Security – Since ArcSight is collecting security logs over a network, both computer security skills and skills in networking are helpful. More specifically, having experience with hardening workstations and/or servers, understanding why security policies are important to organizations, and hands-on experience with system security in a medium to large operational environment will give good exposure to security. The knowledge level might be somewhere between a Security+ and a CISSP. As for networking, the basics are needed for an ArcSight Engineer/Administrator because you must integrate ArcSight into a local area network. So you need to understand basic IP addressing, how to use tools for troubleshooting connectivity, IP subnetting, and how TCP/IP works. You don’t need to be a CCNA or even a CCENT because you are not configuring switches and routers, but something like the skillset of CompTIA Network+ would do.

Storage – Surprisingly enough, knowledge of storage might come in handy, because in a large environment where lots of data are collected in a database your organization will likely use a storage device of some sort. ArcSight works better with certain storage devices. This is important information for an ArcSight Engineer because storage can directly affect the performance that the customer sees.

These are just some of the prerequisites that I have found helpful but of course nothing beats actual ArcSight Engineering/Admin/Analyst experience when looking for an ArcSight professional and this is good to keep in mind as you dig deeper into ArcSight. The “unicorn” ArcSight candidate is the one that has worked for the company, (HP) ArcSight.


ArcSight n00b (Part 1)


ArcSight n00b

ArcSight for dummies.. is an oxymoron, because you cannot do ArcSight and be a dummy.  The system is overly complex with too many moving parts.

In a world of intuitive interfaces and user friendly complex systems Arcsight is “rocket surgery”.

The best I can do after 2 years with this log collecting, correlation beast is to tell you what I have learned from my attempts at figuring it out.


What the HELL is ArcSight?

ArcSight is a security information & event manager (SIEM).  It collects security event logs from critical servers, internetworking devices, proxies, firewalls and other core network systems, that is, systems like DNS servers, host-based intrusion protection systems, intrusion detection systems and DHCP servers.  Usually, these logs are monitored by a security analyst.  You find SIEMs at medium to large organizations that have a lot to lose.  That is to say, they have assets of great value: data, services, information systems.  Since they must be online to conduct business, they may have a high exposure to the Internet and are under regular probing and/or attack by numerous “threat sources” (attackers, malware, competitors).

ArcSight was bought by HP in 2010.  I am told by former ArcSight employees that this affected the quality of ArcSight.  But that is before my time.  The product seems great (aside from minor grievances <cough> Challenge Response Code <cough>) and the employees very smart and very skilled.  HP seems to have kept much of the special sauce that makes ArcSight the top SIEM.

What Are the Components that Make up ArcSight?

Great question!  The main components of ArcSight (HP ArcSight..) are the following:

ArcSight ESM – ArcSight Event Security Manager is software for monitoring security events.  It allows a real-time view of security events, can take security incidents that may be related to a larger attack and alert the analyst (correlation), and allows historical views of trends on a given network.

ArcSight Logger – Logger is a log management solution that is designed for high event throughput and long-term storage for rapid data analysis.  It allows the security analyst to type in an IP address, for example, and see how many times that system was attacked or accessed and with what type of packet.

Connectors – There are a few types of connectors but the main ones are the ConnectorAppliance and the SmartConnector.  A SmartConnector is software that collects event data from the network device and sends it to an ESM or Logger.   The ConnectorAppliance is a hardware solution that allows the management of many SmartConnectors.


So if you are new to ArcSight, where do you start?

It really helps to have a background in information assurance/security analysis, networking, Linux and databases.  The learning curve seems to be about having some comfort with all of these things.  Usually, IT professionals are very deep in one area and weak in most others.  If you are a true jack of all trades, then you will like the challenge of ArcSight.  If you don’t have any experience with these things, there are some other recommendations for ArcSight n00bs:

– ArcSight Certifications

– ArcSight Resources




SmartConnector Users Guide (2009), Connector Appliance Admin Guide v4.6 (2008), Logger QuickStart v5.2 (2011), ESM v5.2 101, Concepts for ArcSight ESM v5.2 (2012).