ArcSight Enterprise Security Manager (ESM) Reviews

The ArcSight solution supports your security team with many SIEM features:

• Monitoring
• Analysis
• Alerts
• Incident response

In my opinion, ArcSight is an open solution. It is easy to:

• Customize components
• Use FlexConnector to collect logs from your own application
• Edit rules and the dashboard
• Create work flows
• Enrich information for events

I work at an ArcSight distributor in Vietnam. I have deployed the ArcSight solution for many customers. Some organizations are using it for SOC’s core and others for monitoring their information systems, critical assets, and regulatory and policy compliance.

I have over two years of experience.

It can be overloaded when rules and data monitoring are not optimized and the system receives too many events.

ArcSight can be extended to meet the biggest customers (large enterprise) needs.

ArcSight technical support is enthusiastic. They have a lot of experience and many case studies.

ArcSight configuration and deployment is complex, because it has many components.

I researched Splunk, QRadar and AlienVault, and I appreciate Splunk and ArcSight.

ArcSight provides many documents and guides for configuration and operation. Also, you can refer to its community at https://www.protect724.hpe.com.

Having a SIEM solution in general improves the way an organization functions, especially in the SOC part. With HPE ArcSight, we were able to deploy multiple dashboards, reports, and use case views that combine different views, data, and variables.

One of the most valuable features is the Active List/Session List capability.

Multiple use cases were only possible to be created due to this feature list. The feature list allows us to input data dynamically to list it as a rule action.

For example: If you need to take a Source IP from an IPS event and put it in an ActiveList suspicious IP, you can create another rule for AntiVirus events where it only matches IPs within that list.

The main area is the GUI interface. Although a lot of improvements were made on the GUI in the last version (6.9.1), there are still a lot of configurations that need to be done using the console.

The console is not a bad tool to use. I personally like to use it. However, compared to competitive solutions (Splunk, QRadar), it appears to be a weakness.

In general, it is a very stable product. We did multiple implementations, and we never had any major issues.

As with any other solution that handles a large number of logs/data, regular fine-tuning is required. This fine-tuning makes sure that the system is doing what is supposed to do, with the capacity load that it was designed/sized to do

There were no scalability issues. A single Express/ESM Appliance is usually enough to support most of the enterprise’s needs. Only package upgrades need to be purchased. No hardware changes are necessary.

As for the loggers for long retention, you can add multiple loggers and cluster them as one virtual appliance. This provides for an easy scalability feature.

For the connectors part, you can implement as many connectors as you need so you can cover all your zones/branches. At a later time, a load-balanced connector for syslog can be introduced to make sure that logs for sensitive UDP packets are lost.

We barely used the technical support assistance except for licensing. The times when we did use it, they were very good.

We worked with RSA enVision/RSA SA as a partner:

• RSA enVision was very basic and was very hard to fine-tune.
• RSA SA (logs/packets) is more oriented towards packets/investigation and lacks multiple features when only using it for log management/SIEM.

The initial setup was very easy. A fresh ESM/Express Installation with a connector can be up and running within a few hours.

With all of the best SIEM solutions, the biggest chunk of work comes later in creating customized rules, dashboards, use cases, and flex connectors for non-supported devices.

In general, ArcSight solutions can cost a lot in big deployments. That comes as a result of having a big, scalable, stable, and feature-rich solution.

As a partner, we sell the product. We shifted from RSA to ArcSight based on our internal evaluations.

We tested McAfee Nitro, which was not mature enough at the time compared to ArcSight.

Do a live PoC to test all needed features.

Think of use cases that you would like to deploy and make sure they are doable on the system, without additional licenses/appliances.

Choose a mature partner who is able to deliver the implementation even if it costs a bit more. The most common factor of failed SIEM experiences are due to bad implementations from non-experienced partners/engineers.

Intrusion Detection System (IDS)

Security Information and Event Management (SIEM)

To organizations like mine, security information and event management products being introduced in the industry, as an outcome of several vulnerability, are able to provide real-time monitoring reporting and defense against these attacks. It has helped us to gather, store, correlate and analyze security log data from many different information systems.

For this review, ArcSight sent me the Logger 4 7000-series appliance (2U) with six 1TB RADIUS drives, the maximum amount of internal storage available. I will like to see a threat analytics module. Also, the ability to produce reports.

From the time that we purchased it, the multi-tenancy feature has been the most valuable for us. At the time, HP was the only vendor with this feature, but it seems that every vendor today does. Another feature we like is the live threat feed that's quite advanced. HP is the industry leader with this from an SIEM perspective.

From a daily perspective, ArcSight prevents attacks while it actively monitors our systems. It provides us analytics for these attacks and helps keep us abreast of the latest threats because of live threat feeds.

It's complicated to deploy. I need a logger at each site, which also gets quite expensive. There's no shared loggers.

We've had no issues with deployment, although it's complicated.

It's a pretty stable solution. We've had no issues with instability.

It's very scalable.

They're pretty good and responsive.

The initial setup was complex and required a lot of customization and tinkering. There are other products on the market that are very light, and this is not one of them. To get all the functionalities and to exploit them, it takes a long time to deploy. It takes 3-4 months.

It's very expensive in its licensing model.

Definitely consider it as a top-3 choice, but know what you're trying to achieve with an SIEM tool.

We have a large footprint of 25 plus subsidiaries reporting into a consolidated security reporting and action team using ArcSight ESM.

ArcSight ESM has improved our organization because we have better incident reporting. It was originally deployed in order to fulfill compliance requirements. We were required to have security monitoring, ArcSight ESM was a quick and effective way to be able to meet that minimum requirement.

The most valuable features of ArcSight ESM are ease of use and readily usable components.

ArcSight ESM is lacking cloud scalable technology.

I have been using ArcSight Enterprise Security Manager (ESM) for approximately three years.

ArcSight ESM has average capabilities. It's not seen as being particularly robust or usable for advanced threats.

The scalability of ArcSight ESM is average to poor.

We have approximately 60,000 users using the solution.

The support from ArcSight ESM is very poor. We had a negative experience.

I rate the support from ArcSight ESM one out of five.

We did not use a solution prior to ArcSight ESM.

The initial setup of ArcSight ESM was relatively straightforward. The full deployment took us approximately six months. The implementation strategy was to get basic monitoring templates as fast as possible.

We used an integrator for the implementation of ArcSight ESM.

The ROI was not important at first because we were trying to cover our basic compliance requirement for monitoring.

We're paying a fee for an MSSP, and the cost of the total cost of ArcSight ESM was approximately three to four million dollars a year. The price was less than similar solutions. We did not have additional fees.

We evaluated other solutions prior to choosing ArcSight ESM, such as Splunk and RSA NetWitness. We decided on ArcSight ESM because it was cost-effective.

We are replacing ArcSight ESM with Microsoft Sentinel. We wanted to shift to cloud-based, cloud-scalable technology.

My advice to others is for them to take a hard look at the total cost of ownership, specifically the maintenance and upkeep that's required to maintain the appropriate service levels.

I rate ArcSight ESM a four out of five.

We use ArcSight Enterprise Security Manager for any type of cyber security attack.

It is in the cloud and on the customer's infrastructure. I am only deploying one agent and the agent is deploying all the information from the customers and then sending it to the cloud.

I am an integrator, but we sell our services. I'm not selling the software directly to customers. I'm selling my service with this product.

It is a very useful tool for intelligence building because it has many use cases and many rule sets.

It is quite complex and could use a better UI. So the improvement would be a simplification. It is pretty complicated to use. The architecture is not complex but the setup and use are. 

In the next release, it would be nice if the Logger model and the ESM model would be merged. Right now there are two big models, Logger and ESM, but from a Windows perspective, it is not good because they're sending Logger and ESM separately. So if you need ESM, you have to buy both Logger and ESM but if you only need Logger, you are buying just Logger. You can deploy them on one system, but you have two different systems and different databases. My suggestion would be to merge Logger and ESM together.

I have been using ArcSight Enterprise Security Manager for about a year.

It is stable.

Arc Sight Enterprise Security Manager is scalable.

The number of people running it should be based on the organization's size. If you have a  company with 500 assets, you should have at least one field engineer for the ESM product and two security analysts to operate this software. This is minimum. One engineer and two security analysts is minimum to start if the organization is midsize.

Their technical support is generally good. On a scale of five, I'd give them four out of five.

The initial setup is complex.

Installation is not complex, but Micro Focus also has different intelligence products. One runs on containers and it is quite complex to install and use, but it is a different product. So maybe if we can remove this wall then we should be all right.

I have two products from Micro Focus. I have this ESM and one for Web. It is for user IT behavior analytics. The second product is quite complex and it's linked to it. Then you have to connect these things together. So the complexity is in the Web product, not in ESM.

Our own site deployment took about one month to deploy and we can deploy services for our customers in about two weeks minimum. But that is a minimum. If the infrastructure is big, it may take up to two or three months. If the infrastructure is not logging or if there are many customer applications, it makes it complex to deploy. Every ESM product will be complex to implement if the organization is big and the logging is not enabled correctly.

My advice to anyone considering Arc Sight Enterprise Security Manager is to just read the manual. Just read the manual and documentation. 

On a scale of one to ten, I would rate it a nine.

• Real-time rules for threat detection
• Event correlations that are automated and prioritized according to level of security risk and compliance violation

It allows us to be in better compliance with security protocols. It also gives us a better global vision of what is happening in the organization in terms of security threats and how best to analyze and mitigate them.

I would like to have native cluster for connectors as a software version and not as an appliance. It also needs a better disaster recovery procedure.

We've been using ArcSight since 2007.

We've deployed it without any issues.

We haven't had any issues with instability.

It's scaled fine for our needs.

We chose ArcSight when they had no real competitor and we stayed with them.

I'm pleased with the current capabilities.

• Powerful Correlation
• Customization 
• Integration capabilities

• Very complex install and management
• Steep learning curve
• Poor Network Investigation
• Poor analytics.

Six years.

Yes, Logger, ESM and Connector ecosystem if not set up properly, lead to stability issues both in point operations as well as integrations.

No. ArcSight is very scalable.

3 out of 5.

We implemented it in-house.

Poor as the product takes more effort to generate value. Its CAPEX cost is high too.

If you really want the power and flexibility of customizing your Security monitoring and correlation, go with ArcSight, but beware of the effort involved in set up and maintenance.