The ArcSight 2010 User Conference breakout session list is out for those that haven't seen it yet (Conference information can be found here). I really enjoyed last year's conference and am certainly looking forward to this one. If you are on the fence about going and haven't gone to one yet - send someone. Actually send 2 someones; a manager and an ArcSight admin type. This way, in theory, you can absorb and later plan at the strategic and tactical level. If you send 2 people see if your company can spring for travel for a 3rd person by tapping into ArcSight's "BOGO" deal - send 2, get the third ticket free. If you are going to be deploying or have just deployed you REALLY need to send someone(s). I mentioned to my boss last year that if we had gone it would have escalated our development/grasp of the tool by at least 3 or 4 months since the conference happened between when we made the decision to go with ArcSight and when professional services came out to install it. Granted that curve gets smaller the longer you have had the product in house and how much time/FTE you have dedicated to the tool.
I really hoped last year to walk away with pages and pages of things to implement right away. Specific event IDs to home in on, IDs to tune out, a mother lode of rules to develop and implement, etc. Didn't exactly happen like that. I did walk away with some rules/content to develop but it was more conceptual. There were several cases where the presenter would say something, my boss would turn and look at me inquisitively, and I would say something like it was being worked or was already implemented. In that sense getting some validation that we were on the right path developmentally was a great takeaway - especially since at that point we were only about 10 months or so into our deployment.
A quick comparison to last year's conference shows 7 fewer sessions - 10 fewer on the ArcSight side, 3 more customer led. I believe they are expecting and planning for more folks this year and the session rooms last year seemed a little on the smaller side / were full to the point where many people were standing. Hopefully the hotel will be giving us some larger rooms since larger crowd + (potentially) same space = bring your deodorant! Actually, bring it regardless mkay. Was also interesting to note there are no sessions that seem to revolve around Windows event logs (last year there were 2). Obviously there are other OSs out there but seems like an omission /shrug. A little closer to my own heart is the fact that there are 2 ArcSight Express sessions. Not that we have Express but I tend to correlate Express with small to mid-sized companies. Had it been available when we purchased we might have gone that route. That said I find 1 of those 2 sessions a little odd. Maybe I am wrong about this but isn't the functionality of Express the same as ESM, it just has a more compact stock content set? Why then have a session devoted to optimizing just Express almost like an introduction? Perhaps the thought (reality?) is a company with Express isn't usually dedicating time to the tool so their people really would need a class like this? Of course by that same argument would they even send someone to the conference in the first place?
One last, quick observation is there are 5 or 6 sessions devoted to the identification or detection of malware and/or bots. One of these I will probably talk about in a follow-on rant...I mean post; the rest I think will be interesting to see. Probably post more on that as well.
Mark