ArcSight Enterprise Security Manager (ESM) Reviews

• Powerful Correlation
• Customization 
• Integration capabilities

• Very complex install and management
• Steep learning curve
• Poor Network Investigation
• Poor analytics.

Six years.

Yes, Logger, ESM and Connector ecosystem if not set up properly, lead to stability issues both in point operations as well as integrations.

No. ArcSight is very scalable.

3 out of 5.

We implemented it in-house.

Poor as the product takes more effort to generate value. Its CAPEX cost is high too.

If you really want the power and flexibility of customizing your Security monitoring and correlation, go with ArcSight, but beware of the effort involved in set up and maintenance.

Too many to name, but here are a few:

1. Its versatility when it comes to vendor support.
2. The ESM and logger are powerful tools. If used properly, we can achieve much more than we previously could. The Alert and Case Tracking mechanism contribute to the work of ESM and Logger.
3. Express, all-in-one component is best for small businesses.
4. NTP is efficient in blocking identified threats.
5. ArcSight Flex Connector Development module is an excellent feature if you want to get the logs from unsupported vendor products.

I am a service provider for this product, so I provide value to the customer based on their requirements. The requirements are generally based on the lines of compliance and better security vision of what is going on in the organization, and who is doing what etc. and to mitigate external threats like port scans, DOS, malware ingestion, phishing etc.

Better reporting with the nice look and feel available in the wider market; also more vendor log support. HP should improve their Tech Support status.

3+ years

A few, depending on the specific organization's structure and policies.

No

The solution itself is very scalable, but it is also a lot more expensive than other players.

Customer Service: PoorTechnical Support: Poor

No

Splunk, RSA Envision, McAfee Nitro and IBM QRadar

Consider the complexity of this solution and choose the right people to deploy it.

The dashboard is the most valuable feature for us as it can show a lot of information about real-time incidents.

When I am facing a problem such as transaction fraud, we can investigate using ArcSight by tracing the log through its correlation.

They need to fix some bugs and increase the search performance speed. Sometimes there are issues when I perform log correlations.

We have had no issues with the deployment.

There have been no stability issues.

We have had no issues scaling it for our needs.

Customer Service:

5/10

Technical Support:

5/10

The initial setup was quite easy and straightforward.

I work for a reseller, and we set up ArcSight for our customers, and I am learning a lot about its architecture.

For SIEM, I think HP ArcSight is a leading competitor alongside Splunk.

You need to learn about architecture and practice more before implementation since this product is not easy to learn and takes time to master.

We use ArcSight Enterprise Security Manager for any type of cyber security attack.

It is in the cloud and on the customer's infrastructure. I am only deploying one agent and the agent is deploying all the information from the customers and then sending it to the cloud.

I am an integrator, but we sell our services. I'm not selling the software directly to customers. I'm selling my service with this product.

It is a very useful tool for intelligence building because it has many use cases and many rule sets.

It is quite complex and could use a better UI. So the improvement would be a simplification. It is pretty complicated to use. The architecture is not complex but the setup and use are. 

In the next release, it would be nice if the Logger model and the ESM model would be merged. Right now there are two big models, Logger and ESM, but from a Windows perspective, it is not good because they're sending Logger and ESM separately. So if you need ESM, you have to buy both Logger and ESM but if you only need Logger, you are buying just Logger. You can deploy them on one system, but you have two different systems and different databases. My suggestion would be to merge Logger and ESM together.

I have been using ArcSight Enterprise Security Manager for about a year.

It is stable.

Arc Sight Enterprise Security Manager is scalable.

The number of people running it should be based on the organization's size. If you have a  company with 500 assets, you should have at least one field engineer for the ESM product and two security analysts to operate this software. This is minimum. One engineer and two security analysts is minimum to start if the organization is midsize.

Their technical support is generally good. On a scale of five, I'd give them four out of five.

The initial setup is complex.

Installation is not complex, but Micro Focus also has different intelligence products. One runs on containers and it is quite complex to install and use, but it is a different product. So maybe if we can remove this wall then we should be all right.

I have two products from Micro Focus. I have this ESM and one for Web. It is for user IT behavior analytics. The second product is quite complex and it's linked to it. Then you have to connect these things together. So the complexity is in the Web product, not in ESM.

Our own site deployment took about one month to deploy and we can deploy services for our customers in about two weeks minimum. But that is a minimum. If the infrastructure is big, it may take up to two or three months. If the infrastructure is not logging or if there are many customer applications, it makes it complex to deploy. Every ESM product will be complex to implement if the organization is big and the logging is not enabled correctly.

My advice to anyone considering Arc Sight Enterprise Security Manager is to just read the manual. Just read the manual and documentation. 

On a scale of one to ten, I would rate it a nine.

Hybrid Cloud

Flexibility, high ingestion rate, and complexity of use cases.

ArcSight gives us better visibility into threats that were unknown earlier. We now have an ability to assess end-to-end communications, as well as alerts from various security solutions along the path.

The most valuable features are lists, correlation, escalation matrix, and customers.

The following needs to be improved:

1. We would like the ability to easily identify either unused resources or those that are being used sub-optimally.
2. ESM should make usage of variables and other such deep customizations, highly intuitive.
3. User behavior analytics is too pricey but an essential tool.

We have been using ArcSight for eight years.

• Real-time rules for threat detection
• Event correlations that are automated and prioritized according to level of security risk and compliance violation

It allows us to be in better compliance with security protocols. It also gives us a better global vision of what is happening in the organization in terms of security threats and how best to analyze and mitigate them.

I would like to have native cluster for connectors as a software version and not as an appliance. It also needs a better disaster recovery procedure.

We've been using ArcSight since 2007.

We've deployed it without any issues.

We haven't had any issues with instability.

It's scaled fine for our needs.

We chose ArcSight when they had no real competitor and we stayed with them.

I'm pleased with the current capabilities.

We are using ArcSight Enterprise Security Manager (ESM) for data analytics. We monitor the reports on security event information.

I have been using this solution for approximately one year.

The solution could be more stable.

We have not had any issue with the scalability.

We have approximately 20 users using this solution in my organization.

We have been satisfied with the support.

The installation was easy.

We had assistance with the implementation of the solution. We have approximately five individuals that do the maintenance.

There is a license required for this solution.

I would recommend this solution to others.

I rate ArcSight Enterprise Security Manager (ESM) a seven out of ten.

On-premises

• Collection - Collects logs from a wide range of products, even those not supported by default and the users can develop a connector for log collection.
• Detection - Caliber to detect subtle attacks with a powerful correlation engine.
• Report/Alert - The user has multiple levels of options to generate reports and get alerted based on conditions.

By using ArcSight ESM and its correlation technology, it thwarts multiple attacks from external sources before exploitations such as SQL injection, UNIX password file attempt, brute force to published servers, and more.

In addition, internal frauds have been prevented through preventing unauthorized login attempts to the firewall, database, critical servers, etc.

ArcSight Connector appliance needs some improvement, as it has some bugs which triggers issues most of the time. I believe that the Connector is going to hit end-of-service.

We experienced no issues with the deployment.

We had the bugs in Connector as detailed in the Areas for Improvement section.

We've had no issues with scalability.

Customer Service:

3.5*

Technical Support:

Technical support should be improved. Many times, I've raised a case but none of them solved it and it took the guys from the Protect724 forum so solve my issue. The support team simply collects the logs from end users and makes you wait, and you carry on passing the same information which is available in the Admin guide.

All you need is proper planning and pre-requisites information, and it's straightforward. Some newbies say that this product is hard to handle, but basically practice makes perfect.

HP are doing their job perfectly by bringing new features in every version, such as RepSM, HA capability, etc. It has never failed me.