ArcSight Enterprise Security Manager (ESM) Reviews

• Event correlation across multiple device categories: It allows us to have a full picture of what is happening in the environment.
• Flexible event collection: Besides hundreds of standard devices, you can send custom CEF Syslog prepared with your own scripts.
• Customization of alerts: Velocity macros allows you to send very clear and user-friendly alerts.

This product gave us a clear picture of the network traffic, including the useless parts. It also allowed us to detect a large range of threats, starting from the malware infected workstations to misconfigured devices.

The web console should have all the features of the standard console.

In addition, the upgrade process should be simpler.

I have used this solution for 10 years and 8 months.

I did have some small issues at the beginning. It was mostly due to not reading the documentation or sending too many events in the HPE ESM solution.

Scalability was not an issue. The environment was relatively stable and we filtered out non-security events using custom scripts.

I have had mixed experiences over the years. Customer service was good, while the technical support was mostly great.

There were a few glitches, like assigning our trouble ticket to a support specialist in an impossible time zone.

I have not used any other solution. In 2005, we started directly with the HPE ArcSight solution because our company security consultant recommended it.

In 2006, when we first installed HPE ArcSight into production, we disabled most of the default rules and other object categories. Today, this may not apply. After which, we designed and implemented our own rules, filters, field sets, active lists, session lists, reports, alerts, etc.

The first year was hard. In the following years, we mainly did the fine tuning, added new event categories and also did a lot of updates/upgrades.

We carried out a pilot implementation based on the initial SOW, including several basic use cases. This allowed us to understand what is really happening in the environment and we learned that most of the default rules are not appropriate for us. After the pilot was successful, we bought the solution.

Calculating ROI is tricky and was never a concern for us. The simple fact that HPE ArcSight helped us several times to survive malware attacks (Conficker was one such attack) and it also helped a lot with different compliance audits, which was enough for us.

In order to avoid huge licensing costs, you should use pre-filtering of events, outside the ArcSight solution. We did this for Cisco ASA firewalls, Microsoft TMG proxies, etc. Of course, this approach may not work, if you have regulatory constraints and have to collect everything.

You must understand your environment and its dynamics.

Talk with IT people, write down the most important use cases, shortlist at least three SIEM solutions, do several pilots and then choose well.

- We use this product for managed SIEM services and its stability and maturity helps with standard deployments (hardly any surprises)

- A bit on the slow side for reports requiring query of old data

- High availability achievable through complicated configurations (i.e. load balancers)

- The user interface is a bit dated

The two most valuable features for us are the deployment strategy and its operational ease.

As it's an SIEM solution, it won't prove anything overnight. We're still in the implementation stage and filtering out all the noise. It's operationalized, but we're fine tuning it.

I'd like to see some threat intelligence out of the box rather than adding it in subscriptions. It also needs more straightforward and simplified correlation rules so that a SOC analyst can dive right in rather than undergo a separate induction program. Right now, the attrition rate is high.

We've had it for about eight months now.

We haven't had any issues with deployment.

It is a stable product. We've had no issues with instability.

We haven't had a need to scale yet, and maybe not for another two or three years.

System integrated support is there, but we haven't had any need to contact HP support. We will soon, though, because we don't really know how to fine tune the product.

The threat landscape was the trigger for needing a SIEM product to correlate everything that is going on within the environment.

We'restill in the implementation stage because it's complex. So the basic things are done, but not the full-scale deployment. It's a process.

We use it to monitor several web traffic sources and to look for compromised indicators within that traffic. The traffic comes from several applications that we've exposed on the internet.

The most valuable feature is the real-time alerts. We're also currently looking to incorporate some of the SOAR capabilities that are new to the platform.

The interface—the console looks pretty old right now, so could benefit from a more modern design.  It's functional, but not so as visually appealing as it could be.

For additional features, I'd say capabilities regarding the behavioral analytics integrated in the solution. Right now, there's something in place, but it's not integrated on our side of the platform.

I've been using ArcSight since 2015, so about six years.

My impressions are that it is stable.

On our end it's pretty good. We haven't had any problems adding more sources.

I've used their customer service and support a couple of times. It was a good service.

Setup was relatively easy. The initial deployment was around five hours. For full deployment with all the sources, it took longer.

I would rate this solution an eight out of ten. It's been useful and would recommend it to others. I'd also advise to take just the initial architect for implementation because that was critical for us in making the appropriate selections prior to deployment.

The ESM's interface is really comprehensive. While the ArcSight console is really heavy, and I tend to dislike Java-based Windows GUIs, it's feature-rich and provides a seamless way to move between analyzing events and creating content.

The ability to correlate such a diverse range of information into a single location is invaluable.

SmartConnectors should be resilient, since they ingest directly from sources (often sources that I have no control over). But they're not resilient. The slightest change in the format of an event can cause SmartConnectors to stop working completely, even for other properly formatted events.

I have been using ArcSight for two years.

I've had stability issues, particularly with SmartConnectors. They sometimes crash. Worse still, they often report that they're working fine but completely stop listening for events.

The ArcSight Logger is extremely limited when it comes to scalability. For a large deployment that could be handled by a single ESM, a dozen Loggers might be required. The cost of such an undertaking is prohibitive, and there are much more scalable solutions available (ES for instance).

I would rate this zero, if I could. I have had many incidents opened with HPE Support for ArcSight products, and there has not been a single issue where their support was more valuable than the time it took to deal with them. In most of my experiences with them, I provided a thorough description of the problem including logs, config files, and sometimes .pcap files.

I then heard back from them roughly once or twice a day for a week, during which time they would ask questions that I had already answered, and suggest actions that couldn't possibly relate to my issue. Of course, I tried their suggestions, but they did not work. By then, I had always devised a workaround to reduce impact to production and didn't receive another suggested resolution for weeks or months.

I have used many products that cover some of the territory claimed by ArcSight, including: Sourcefire 3D, ELSA, Sguil/Squert, RSA Security Analytics and Splunk. None of these were as comprehensive as ArcSight.

Most of the initial setup is very straightforward, but some event sources require significant effort to integrate.

ArcSight is exclusively an enterprise product and it is priced accordingly.

We evaluated QRadar and Splunk.

Evaluate your needs. If you're only looking to integrate logs or do simple correlations, there might be a better choice out there. If you're looking for a single product that will let you aggregate, correlate and analyze many different sources in a single place, then there are few competitors that can come close to ArcSight's features.

The best feature of ArcSight is its flexibility. Almost no other vendor provides such a good framework to collect, parse, and analyze data. Its flexibility is achieved by being easy to use, and at the same time having very sophisticated FlexConnectors. Also, I've found ArcSight's correlation engine to be the most advanced on the market.

My customers who use ArcSight report that it becomes very useful in incident detection and forensics. It's really sped up disclosure of inappropriate activity in information systems and on the network. Flexible event collection allows getting crucial events from almost every possible source. And correlation abilities are incredible if you know how to cook it.

Many competitors are going down the road of combining their products with other security products, such as vulnerability scanning, configuration control etc. HP's position doesn't change in that area as they offer to use their standalone solutions and integrate them in ArcSight. There are no embedded scanners or network forensics. Maybe it's time for HP to rethink that position.

I've been working with HP ArcSight since 2008. All that time, the product has been growing and evolving, trying to give us more profit and a better experience to old and new customers.

We have had no issues with the deployment.

If you encounter serious performance problems, you didn't size correctly prior to deployment.

The scalability options are pretty good although costly.

Every product has its stability bugs, and ArcSight is not an exception, though I haven't found anything critical.

I must say that tech support is getting worse and worse every year. Hard cases may "hang" for months. In simple cases, support often demonstrates a lack of deep knowledge. When ArcSight was not HP, its product support was much much better. Even first-line support could help with anything.

As a systems integrator, we constantly evaluate different solutions and deploy not one but many of them. My personal opinion is that a crucial feature for a SIEM system is flexibility. The more you can tune, adjust, and develop the system, you will get more profit from it. If we're talking about SIEM solutions, then no one can offer such flexibility as ArcSight. Splunk maybe, but Splunk is not SIEM, and to get SIEM-like features from it you spend more time and money.

As a system integrator, I always say that implementation must be done by an experienced team. SIEM solutions are not easy, so if time is important, do not rely on doing it haphazardly.

We would like it to be cheaper, but the licensing model is pretty simple.

You need to read the documentation - you can then get it fast and working. If you do not read the documentation, you get pain and tears. Look for an experienced team to deploy the solution, or get experience yourself as HP has some good learning courses.

Deep knowledge of the product will come later, but for the correct implementation you need to be prepared. ArcSight has wonderful community, and you can always ask a question or find an interesting use case there. It's a very useful resource indeed, do not hesitate to visit it.

ArcSight ESM is not easy to use and it should be integrated with other tools that have infrastructure capabilities. 

I have been working with the solution for a few months. 

ArcSight ESM is stable. 

The tool is scalable and my company has 20,000 users. 

ArcSight ESM is not difficult to deploy. It requires an extensive number of skilled cybersecurity experts.

I would rate the tool a seven out of ten. The solution has gone beyond signature-based monitoring and analysis and is AI-powered. It is good enough to cover the full range of cybersecurity services. 

We deal mainly with enterprise companies - I'm the senior manager and we are partners with ArcSight. 

The solution has a good dashboard, very good real-time reporting and it's easy to use, offering simplicity for implementation and operations.

I'd like to see an improvement in their training and documentation. SOAR (Security Orchestration, Automation, and Response) would be a good feature to include in the future. 

I've been using this solution for six years. 

This solution is stable and scalable. 

They offer 24/7 standby support wherever you are. It's very good. 

Positive

The initial setup is straightforward. 

The cost is reasonable for a good solution.

It's important to set up the organization before implementation, checking internal desktops or IT security internals before buying the solution.

I rate this product an eight out of 10.