The ArcSight 2007 User Conference is upon us! Well, next week anyway.
A lot of the hits I get are from people searching Google for 'arcsight ...' If you're an ArcSight user that stumbled on my blog and will be at the conference next week, drop me a line or just stop me and say, "Hi." Feel free to e-mail me (p melson at g mail dot com), though I'll be pretty easy to find - I'll be the tall pasty guy in the obnoxious hawaiian shirt standing next to the free beer.
It's probably too late for me to tell you this, but last year's conference was excellent. I am not a big fan of the venue since it is pretty isolated (so rent a car!), but the facilities are plenty nice. The presentations last year were excellent, and are reason enough to attend. Add to that the chance to trade stories and ideas with other users in all sorts of industries along with the access you get to ArcSight developers and support staff, and it's 3 days very well spent.
A question from someone who can only admire ArcSight from afar:
ReplyDeleteFor SIM/SEM of the free or cheap variety (i.e. under $10,000 to get going), is there anything out there that is a mature/solid product in your opinion? Or that you hear good things about from people you trust?
On a related note, who are the other companies to watch in this area and is the market in its early stages or somewhere in the middle of the curve?
"SIM products under $10K" is a pretty small field. As far as I know without researching it, there are only two that meet that criteria.
ReplyDeleteThe first is MARS, which retails for over $10K, but Cisco has been been pretty much throwing it in with the purchase of other Cisco stuff. This way maybe Cisco will be able to get enough MARS boxes in early enough that they can become the "defacto standard" for SIM. That would, in my opinion, be a tragedy if people assumed all SIM's were like MARS.
The other interesting player is eIQ Networks. They have a new SIM product, SecureVue. I've seen nothing but the cut sheets, but I used to work with their FirewallAnalyzer product a lot, and it was pretty good. It was also cheaper than its competitors by a lot. As I hear tell, eIQ's developers are mostly expat NetIQ/WebTrends folks.
Thanks, I will check out eIQ. I just read an article in the September issue of SC magazine on SIM products. They mention ArcSight and Intellitactics as the mature large scale products. There is a short blurb about SIM for small/medium organizations. They mention LogLogic, High Tower Software, TriGeo and Q1 Labs are focusing on SIM appliances for easier deployment. I am hoping that doesn't mean limited features.
ReplyDeleteThe thing about standalone SIM appliances is that they limit the ways in which you can gather log data. MARS is a good example of this - you can log from any source you want, as long as it's syslog. :-)
ReplyDeleteHi Paul, I am one of those who, as you say, found your blog by googling ArcSight, trying to do some recon on the product for my employer. (I think I see that the most recent posts here are from 2007 so who knows if you or anybody will be seeing my question.) I'm trying to find out, can Arcsight's data be queried programmatically; i.e. is it stored in a relational database, hopefully SQL Server or Oracle, or if not, is there an API or ADO.NET provider that can allow it to be queried, preferably with SQL? Thanks for any info anyone reading can provide.
ReplyDeleteHi Paul,
ReplyDeleteDo you know any reason why ArcSight ESM does not support the Cisco MARS? Right now, all my firwalls send the syslog feeds into Cisco MARS and I'm trying to set the Cisco MARS to send thoes raw feeds data to ArcSight local connector but I just found out that ArcSight does not support the Cisco MARS. Thanks in ADV for any info reading this subject.
See the following posts for answers to some of the questions posted here:
ReplyDeletehttp://pmelson.blogspot.com/2009/06/from-inbox.html
http://pmelson.blogspot.com/2009/06/from-inbox-2.html
Hope you find them helpful!