PeerSpot user
Network Security Engineer, Security Monitoring Center at a tech services company
Real User
FlexConnector collects logs from your own application.

What is most valuable?

The ArcSight solution supports your security team with many SIEM features:

  • Monitoring
  • Analysis
  • Alerts
  • Incident response

In my opinion, ArcSight is an open solution. It is easy to:

  • Customize components
  • Use FlexConnector to collect logs from your own application
  • Edit rules and the dashboard
  • Create work flows
  • Enrich information for events

How has it helped my organization?

I work at an ArcSight distributor in Vietnam. I have deployed the ArcSight solution for many customers. Some organizations are using it as their SOC's core and others for monitoring their information systems, critical assets, and regulatory and policy compliance.

For how long have I used the solution?

I have over two years of experience.

What do I think about the stability of the solution?

It can be overloaded when rules and data monitoring are not optimized and the system receives too many events.

Buyer's Guide
ArcSight Enterprise Security Manager (ESM)
December 2024
Learn what your peers think about ArcSight Enterprise Security Manager (ESM). Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,106 professionals have used our research since 2012.

What do I think about the scalability of the solution?

ArcSight can be extended to meet the biggest customers' (large enterprise) needs.

How are customer service and support?

ArcSight technical support is enthusiastic. They have a lot of experience and many case studies.

How was the initial setup?

ArcSight configuration and deployment are complex, because it has many components.

Which other solutions did I evaluate?

I researched Splunk, QRadar and AlienVault, and I appreciate Splunk and ArcSight.

What other advice do I have?

ArcSight provides many documents and guides for configuration and operation. Also, you can refer to its community at https://www.protect724.hpe.com.

Disclosure: My company has a business relationship with this vendor other than being a customer: My company is a partner of HPE ArcSight.
PeerSpot user
ProductS9907 - PeerSpot reviewer
Product Specialist Security Solutions at a tech services company with 201-500 employees
Real User
The feature list allows us to input data dynamically to list it as a rule action.

How has it helped my organization?

Having a SIEM solution in general improves the way an organization functions, especially in the SOC part. With HPE ArcSight, we were able to deploy multiple dashboards, reports, and use case views that combine different views, data, and variables.

What is most valuable?

One of the most valuable features is the Active List/Session List capability.

Multiple use cases were only possible to create because of this list feature. The feature allows us to input data dynamically into a list as a rule action.

For example: If you need to take a Source IP from an IPS event and put it in an ActiveList suspicious IP, you can create another rule for AntiVirus events where it only matches IPs within that list.

What needs improvement?

The main area is the GUI interface. Although a lot of improvements were made on the GUI in the last version (6.9.1), there are still a lot of configurations that need to be done using the console.

The console is not a bad tool to use. I personally like to use it. However, compared to competitive solutions (Splunk, QRadar), it appears to be a weakness.

What do I think about the stability of the solution?

In general, it is a very stable product. We did multiple implementations, and we never had any major issues.

As with any other solution that handles a large number of logs/data, regular fine-tuning is required. This fine-tuning makes sure that the system is doing what it is supposed to do, with the capacity load that it was designed/sized to do.

What do I think about the scalability of the solution?

There were no scalability issues. A single Express/ESM Appliance is usually enough to support most of the enterprise’s needs. Only package upgrades need to be purchased. No hardware changes are necessary.

As for the loggers for long retention, you can add multiple loggers and cluster them as one virtual appliance. This provides for an easy scalability feature.

For the connectors part, you can implement as many connectors as you need so you can cover all your zones/branches. At a later time, a load-balanced connector for syslog can be introduced to make sure that logs carried in sensitive UDP packets are not lost.

How are customer service and technical support?

We barely used the technical support assistance except for licensing. The times when we did use it, they were very good.

Which solution did I use previously and why did I switch?

We worked with RSA enVision/RSA SA as a partner:

  • RSA enVision was very basic and was very hard to fine-tune.
  • RSA SA (logs/packets) is more oriented towards packets/investigation and lacks multiple features when only using it for log management/SIEM.

How was the initial setup?

The initial setup was very easy. A fresh ESM/Express Installation with a connector can be up and running within a few hours.

As with all of the best SIEM solutions, the biggest chunk of work comes later in creating customized rules, dashboards, use cases, and flex connectors for non-supported devices.

What's my experience with pricing, setup cost, and licensing?

In general, ArcSight solutions can cost a lot in big deployments. That comes as a result of having a big, scalable, stable, and feature-rich solution.

Which other solutions did I evaluate?

As a partner, we sell the product. We shifted from RSA to ArcSight based on our internal evaluations.

We tested McAfee Nitro, which was not mature enough at the time compared to ArcSight.

What other advice do I have?

Do a live PoC to test all needed features.

Think of use cases that you would like to deploy and make sure they are doable on the system, without additional licenses/appliances.

Choose a mature partner who is able to deliver the implementation even if it costs a bit more. The most common cause of failed SIEM experiences is bad implementations from non-experienced partners/engineers.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are partners with HPE.
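The Active List pattern described in the review above (an IPS event adds its source IP to a suspicious-IP list, and an AntiVirus event from an IP on that list triggers a correlated rule), as an added example that is not part of the original review or of ArcSight's own code: a small Python simulation of the two rules with a TTL on list entries. Event field names, the TTL and the sample events are assumptions.

```python
"""Simulated Active List correlation in the style of an ArcSight ESM use case.

Rule 1: an IPS event adds its source IP to the 'Suspicious IPs' list with a TTL.
Rule 2: an AntiVirus event whose source IP is still on the list fires an alert.
This is an added illustration, not ArcSight code; field names are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ActiveList:
    """In-memory stand-in for an ArcSight Active List: IP -> expiry timestamp."""
    ttl_seconds: int
    entries: Dict[str, float] = field(default_factory=dict)

    def add(self, ip: str, now: float) -> None:
        # Re-adding an IP refreshes its expiry, as a list entry TTL would.
        self.entries[ip] = now + self.ttl_seconds

    def contains(self, ip: str, now: float) -> bool:
        expiry = self.entries.get(ip)
        if expiry is None:
            return False
        if expiry <= now:          # TTL elapsed: purge the stale entry
            del self.entries[ip]
            return False
        return True


def correlate(events: List[dict], ttl_seconds: int = 3600) -> List[str]:
    """Run both rules over a time-ordered event stream; return alert texts."""
    suspicious = ActiveList(ttl_seconds)
    alerts: List[str] = []
    for ev in events:              # events are assumed sorted by 'time'
        src, now = ev["src_ip"], ev["time"]
        if ev["device"] == "IPS":
            suspicious.add(src, now)                     # Rule 1: list action
        elif ev["device"] == "AV" and suspicious.contains(src, now):
            alerts.append(                               # Rule 2: list match
                f"{src}: AV event '{ev['name']}' within {ttl_seconds}s of an IPS event")
    return alerts


# Constructed sample events (not real log data); times are seconds from epoch 0.
SAMPLE_EVENTS = [
    {"time": 0,    "device": "IPS", "src_ip": "10.0.0.5", "name": "Exploit attempt"},
    {"time": 60,   "device": "AV",  "src_ip": "10.0.0.5", "name": "Malware detected"},
    {"time": 90,   "device": "AV",  "src_ip": "10.0.0.9", "name": "Malware detected"},
    {"time": 7200, "device": "AV",  "src_ip": "10.0.0.5", "name": "Malware detected"},
]

if __name__ == "__main__":
    for line in correlate(SAMPLE_EVENTS):
        print(line)
```

With the default one-hour TTL only the second event correlates; the AV event at 7200s arrives after the list entry has expired, which is why the review stresses tuning lists and rules.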
PeerSpot user
Dr Trust Tshepo Mapoka - PeerSpot reviewer
Senior Cybersecurity Consultant at CIA Botswana
Top 20
Real User

Thanks I agree.

PeerSpot user
Information Security Advisor, CISO & CIO, Docutek Services at Docutek Services
Consultant
Has helped us to gather, store, correlate and analyze security log data from many different information systems.

Valuable Features:

Intrusion Detection System (IDS)

Security Information and Event Management (SIEM)

Improvements to My Organization:

To organizations like mine, the security information and event management products being introduced in the industry, as an outcome of several vulnerabilities, are able to provide real-time monitoring, reporting and defense against these attacks. It has helped us to gather, store, correlate and analyze security log data from many different information systems.

Room for Improvement:

For this review, ArcSight sent me the Logger 4 7000-series appliance (2U) with six 1TB RADIUS drives, the maximum amount of internal storage available. I would like to see a threat analytics module. Also, the ability to produce reports.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partners
PeerSpot user
it_user406278 - PeerSpot reviewer
EVP & Global Head - Services at a tech company with 1,001-5,000 employees
Vendor
The live threat feed keeps us abreast of the latest threats. The initial setup required a lot of customization.

Valuable Features

From the time that we purchased it, the multi-tenancy feature has been the most valuable for us. At the time, HP was the only vendor with this feature, but it seems that every vendor today does. Another feature we like is the live threat feed that's quite advanced. HP is the industry leader with this from an SIEM perspective.

Improvements to My Organization

From a daily perspective, ArcSight prevents attacks while it actively monitors our systems. It provides us analytics for these attacks and helps keep us abreast of the latest threats because of live threat feeds.

Room for Improvement

It's complicated to deploy. I need a logger at each site, which also gets quite expensive. There are no shared loggers.

Deployment Issues

We've had no issues with deployment, although it's complicated.

Stability Issues

It's a pretty stable solution. We've had no issues with instability.

Scalability Issues

It's very scalable.

Customer Service and Technical Support

They're pretty good and responsive.

Initial Setup

The initial setup was complex and required a lot of customization and tinkering. There are other products on the market that are very light, and this is not one of them. To get all the functionalities and to exploit them, it takes a long time to deploy. It takes 3-4 months.

Pricing, Setup Cost and Licensing

It's very expensive in its licensing model.

Other Advice

Definitely consider it as a top-3 choice, but know what you're trying to achieve with an SIEM tool.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer987771 - PeerSpot reviewer
Senior Manager at a tech services company with 51-200 employees
Real User
Lacking scalable cloud technology, poor stability, but easy to use
Pros and Cons
  • "The most valuable features of ArcSight ESM are ease of use and readily usable components."
  • "ArcSight ESM is lacking cloud scalable technology."

What is our primary use case?

We have a large footprint of 25-plus subsidiaries reporting into a consolidated security reporting and action team using ArcSight ESM.

How has it helped my organization?

ArcSight ESM has improved our organization because we have better incident reporting. It was originally deployed in order to fulfill compliance requirements. We were required to have security monitoring, and ArcSight ESM was a quick and effective way to be able to meet that minimum requirement.

What is most valuable?

The most valuable features of ArcSight ESM are ease of use and readily usable components.

What needs improvement?

ArcSight ESM is lacking cloud scalable technology.

For how long have I used the solution?

I have been using ArcSight Enterprise Security Manager (ESM) for approximately three years.

What do I think about the stability of the solution?

ArcSight ESM has average capabilities. It's not seen as being particularly robust or usable for advanced threats.

What do I think about the scalability of the solution?

The scalability of ArcSight ESM is average to poor.

We have approximately 60,000 users using the solution.

How are customer service and support?

The support from ArcSight ESM is very poor. We had a negative experience.

I rate the support from ArcSight ESM one out of five.

Which solution did I use previously and why did I switch?

We did not use a solution prior to ArcSight ESM.

How was the initial setup?

The initial setup of ArcSight ESM was relatively straightforward. The full deployment took us approximately six months. The implementation strategy was to get basic monitoring templates as fast as possible.

What about the implementation team?

We used an integrator for the implementation of ArcSight ESM.

What was our ROI?

The ROI was not important at first because we were trying to cover our basic compliance requirement for monitoring.

What's my experience with pricing, setup cost, and licensing?

We're paying a fee for an MSSP, and the total cost of ArcSight ESM was approximately three to four million dollars a year. The price was less than similar solutions. We did not have additional fees.

Which other solutions did I evaluate?

We evaluated other solutions prior to choosing ArcSight ESM, such as Splunk and RSA NetWitness. We decided on ArcSight ESM because it was cost-effective.

What other advice do I have?

We are replacing ArcSight ESM with Microsoft Sentinel. We wanted to shift to cloud-based, cloud-scalable technology.

My advice to others is for them to take a hard look at the total cost of ownership, specifically the maintenance and upkeep that's required to maintain the appropriate service levels.

I rate ArcSight ESM a four out of five.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer1751472 - PeerSpot reviewer
Chief Technological Officer at a tech consulting company with 51-200 employees
Real User
Very useful tool for intelligence building as it has many use cases and many rule sets
Pros and Cons
  • "It is a very useful tool for intelligence building because it has many use cases and many rule sets."
  • "It is quite complex and could use a better UI. So the improvement would be a simplification. It is pretty complicated to use. The architecture is not complex but the setup and use are."

What is our primary use case?

We use ArcSight Enterprise Security Manager for any type of cyber security attack.

It is in the cloud and on the customer's infrastructure. I am only deploying one agent and the agent is deploying all the information from the customers and then sending it to the cloud.

I am an integrator, but we sell our services. I'm not selling the software directly to customers. I'm selling my service with this product.

What is most valuable?

It is a very useful tool for intelligence building because it has many use cases and many rule sets.

What needs improvement?

It is quite complex and could use a better UI. So the improvement would be a simplification. It is pretty complicated to use. The architecture is not complex but the setup and use are.

In the next release, it would be nice if the Logger model and the ESM model would be merged. Right now there are two big models, Logger and ESM, but from a Windows perspective, it is not good because they're sending Logger and ESM separately. So if you need ESM, you have to buy both Logger and ESM but if you only need Logger, you are buying just Logger. You can deploy them on one system, but you have two different systems and different databases. My suggestion would be to merge Logger and ESM together.

For how long have I used the solution?

I have been using ArcSight Enterprise Security Manager for about a year.

What do I think about the stability of the solution?

It is stable.

What do I think about the scalability of the solution?

ArcSight Enterprise Security Manager is scalable.

The number of people running it should be based on the organization's size. If you have a company with 500 assets, you should have at least one field engineer for the ESM product and two security analysts to operate this software. This is the minimum. One engineer and two security analysts is the minimum to start if the organization is midsize.

How are customer service and support?

Their technical support is generally good. On a scale of five, I'd give them four out of five.

How was the initial setup?

The initial setup is complex.

Installation is not complex, but Micro Focus also has different intelligence products. One runs on containers and it is quite complex to install and use, but it is a different product. So maybe if we can remove this wall then we should be all right.

I have two products from Micro Focus. I have this ESM and one for Web. It is for user IT behavior analytics. The second product is quite complex and it's linked to it. Then you have to connect these things together. So the complexity is in the Web product, not in ESM.

Our own site deployment took about one month to deploy and we can deploy services for our customers in about two weeks minimum. But that is a minimum. If the infrastructure is big, it may take up to two or three months. If the infrastructure is not logging or if there are many customer applications, it makes it complex to deploy. Every ESM product will be complex to implement if the organization is big and the logging is not enabled correctly.

What other advice do I have?

My advice to anyone considering ArcSight Enterprise Security Manager is to just read the manual. Just read the manual and documentation.

On a scale of one to ten, I would rate it a nine.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user427377 - PeerSpot reviewer
Senior ICT Security Officer at a financial services firm with 1,001-5,000 employees
Vendor
It provides us with event correlations that are automated and prioritized according to level of security risk and compliance violation.

Valuable Features:

  • Real-time rules for threat detection
  • Event correlations that are automated and prioritized according to level of security risk and compliance violation

Improvements to My Organization:

It allows us to be in better compliance with security protocols. It also gives us a better global vision of what is happening in the organization in terms of security threats and how best to analyze and mitigate them.

Room for Improvement:

I would like to have native clustering for connectors as a software version and not as an appliance. It also needs a better disaster recovery procedure.

Use of Solution:

We've been using ArcSight since 2007.

Deployment Issues:

We've deployed it without any issues.

Stability Issues:

We haven't had any issues with instability.

Scalability Issues:

It's scaled fine for our needs.

Other Solutions Considered:

We chose ArcSight when they had no real competitor and we stayed with them.

Other Advice:

I'm pleased with the current capabilities.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Manager, Enterprise Risk Consulting at a tech company with 1,001-5,000 employees
Real User
Network investigation is poor but it's highly customizable

Valuable Features:

  • Powerful correlation
  • Customization
  • Integration capabilities

Room for Improvement:

  • Very complex install and management
  • Steep learning curve
  • Poor network investigation
  • Poor analytics

Use of Solution:

Six years.

Stability Issues:

Yes. The Logger, ESM and Connector ecosystem, if not set up properly, leads to stability issues both in point operations as well as integrations.

Scalability Issues:

No. ArcSight is very scalable.

Customer Service:

3 out of 5.

Implementation Team:

We implemented it in-house.

ROI:

Poor as the product takes more effort to generate value. Its CAPEX cost is high too.

Other Advice:

If you really want the power and flexibility of customizing your security monitoring and correlation, go with ArcSight, but beware of the effort involved in setup and maintenance.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free ArcSight Enterprise Security Manager (ESM) Report and get advice and tips from experienced pros sharing their opinions.
Updated: December 2024