ArcSight Enterprise Security Manager (ESM) Reviews

• Security, understanding detection, intrusion, and how to do prevention and take action on an event that occurs from a security layer.
• Having a single solution that can actually manage the entire infrastructure, soup to nuts.
• Ability to detect and then take action on it.

Reducing my OPEX cost by reducing the overhead and training costs of employees and staff. Before we would have to have a large number of staff to be able to go in and do consulting opportunities, to mitigate and remediate security intrusions on given clients. Now using ArcSight, albeit there maybe a capital upfront cost to buy the software product, it enables us to speed our time to resolution.

ArcSight needs to go the same route that HPE's doing with the virtualization engine of the HP 380. Basically making it more of a single pane of glass to be able to deploy and take a tangible action on a security event. Today it takes still a lot of consulting dollars to go into trying to deploy ArcSight. You have to have a very powerful technologist or technologist team to deploy ArcSight at scale and be able to actually understand the events coming inbound and make the right tangible decisions from those points of ingress or points of notification. That today, albeit, not horribly hard, as long as you have a trained professional that knows the product. It would be nice to be able to basically make that a one pane of glass, much like HPE's done with the virtualization concept. It would make that pain point a little less. It's not going to make it perfect, but it would be nice to see improvement in that area.

My opinion from a stability's standpoint ... we don't have any issues. The product runs 24/7/365. Whenever HPE introduces a patch or an enhancement for security concerns, we've never had a problem being able to ingest that on the fly with little-to-no downtime outside of what's been expected from the release of the patch.

I've not had any problems with scaling into tens of thousands of nodes. I guess the biggest problem you're going to have with that would be actually the compute power to make the tangible decisions that's needed on large-scale environments where you have hundreds of firewalls coming in from different points of ingress. That would be a concern, but again that's not because of the ArcSight, it's just basically that's compute power.

It has improved substantially over the last two years. I'm going to rate them at 3/5 because when you call in the time to remediation is long right now. I'm not going to fault any one person on that. It's a complex security tool, so calling in and trying to get that omission, crystal ball appearance is difficult. I get that. Is there room for improvement? Of course there is.

Well we have different tools out there, but the most common ones everybody's going to know about is Splunk. Feature, function and price was why we switched When we're able to actually deliver the similar features and functions, add in additional intellectual property from HPE with respect to decision trees of ArcSight and being able to take tangible actions on the stuff that's coming inbound, that's great. Other tools can do that. Now you're just talking about price in the industry. We're able to deliver the same features and functionality at a lower cost to the client, typically we'll win with ArcSight.

Straightforward for the most part but there are limitations. For example in the virtualization engine of the J80, the Instant On, which is a OneView Instant On product line. It does work great, as long as you have your infrastructure. Our clients give us all the necessary requirements, such as the AD and IP address, the DNS, the subnets and stuff. As long as all that works seamlessly, then we can usually bind that HP 380, the Instant On into the infrastructure seamlessly. Does it always work smooth? No. But that's not necessarily HPE's fault, it's because the infrastructure doesn't always lend itself to easy integration.

I'm going to rate it at a 9. There's always room for improvement, of course, and maybe I'll be fair and give it an 8.5. The only reason I would do that is because, again, coming up with that single pane of glass, easier management style, and more about deployment. You don't have to have that powerhouse technologist that knows every trick of the trade to go in and deploy it and get all the bells and whistles. Is that a perfect model that will ever be achieved? Of course not. Can there be improvement? Sure there can. What I'm shooting for is have an ArcSight solution that can get me 90 percent there, and then the customization of ArcSight will be reduced substantially, so that the customers' adoption of a new security style tool will be easier to swallow, and it will lend itself to a larger footprint over time as the customer builds comfort with the product.

With respect to the software on ArcSight, concept's the same on that. When we actually ask for improvements on the product, they've made those enhancements and made those fixes. Now with respect to me asking for a single pane of glass? I know they're working on it, I'm sure they are. It's a pain point that not only we have, but a lot of our customers have. If we're having the same conversation next year, I'll be disappointed. I'm hoping that the single pane of glass comes out soon.

Scalability and Adaptability. By Scalability, I mean, the number of supported devices by ArcSight. You can make changes to the current deployment if required or add a new region in the scope by adding components of ArcSight. By Adaptability I mean, once the analysts see what can be achieved by utilizing the various resources of ArcSight, it motivates them to come up with new ideas and how to implement them. The interface is quite user friendly compared to other Vendors.

We could extract meaningful data of the billions of Security Events and relate it with the extra information we had for our assets.

Support from the vendor and pricing.

3 Years.

No

Yes, Oracle bugs mostly.

No.

Good.

I have worked on multiple SIEM products. I work as a Senior Security Analyst and have a minimal role in deciding the solution. I only work where it is explicitly an HP ArcSight environment or deployment.

Straightforward.

Through an in-house team.

Best SIEM product but it's high on pricing and licensing.

ArcSight ESM is not easy to use and it should be integrated with other tools that have infrastructure capabilities. 

I have been working with the solution for a few months. 

ArcSight ESM is stable. 

The tool is scalable and my company has 20,000 users. 

ArcSight ESM is not difficult to deploy. It requires an extensive number of skilled cybersecurity experts.

I would rate the tool a seven out of ten. The solution has gone beyond signature-based monitoring and analysis and is AI-powered. It is good enough to cover the full range of cybersecurity services. 

We primarily use the solution for consolidating the logs from all the applications and databases and different centers.

The solution is very good at consolidating logs from a variety of sources.

The solution is pretty stable.

The solution can scale.

The way that scaling is set up isn't very cost-effective.

The automation needs to be improved. Everybody needs automation as there is a lack of analysts these days in all of our security diagnostic accounts. There's too much noise in the data they push to you. It's a lot of white noise, and it takes a lot of time to sort through the all false positives that ArcSight triggers to you.

It's very complicated to see if something is a real case and if it's a threat or not. It's very difficult to be able to check that the information sent as they are sending you thousands of messages per day regarding threats. It's very difficult for an analyst to be able to pinpoint the real root cause of the problem. 

I would suggest that they offer full automation and filtering for white noise. By white noise I mean the bulk of messaging and alerts they have been sending to the security analysts. It's difficult for them to realize if it's a threat or not in the end, and you need to spend a lot of time among other systems that you also need to manage. Maybe only 10% of this information is useful for a security analyst.

The product should improve its ease of use.

They should work to have a more let's say intuitive dashboard, a real-time intuitive dashboard, and to focus it on the most important, critical assets in the company. 

The solution requires a lot of expertise and manpower to deploy the solution.

We've been using the solution for nine years. It's been just under a decade.

The solution is pretty stable. However, they've got some problems in terms of interacting with APIs. To try to make ArcSight speak with other solutions and try to correlate information from IPS/IDS solutions looks pretty complicated. 

The solution can scale if you need it too. It's just an expensive process.

Regarding the scalability, it was a problem that their license model was EPS. If you're familiar with EPS licensing model, events per second, it is not a very good idea as a model as you cannot foresee what's in 2021 or what will be in 2022. From our point, it causes a lack of proper budgeting due to the fact that it's very difficult to budget how many events per second you will generate in all your systems. 

We haven't really dealt with technical support. I wouldn't be able to speak to the quality of their services.

The initial setup is very, very complex, and requires a lot of consultancy and professional services associated with it. It's not at all easy to install the solution as per my knowledge. It's very complicated. 

The licensing model is based on EPS - Events Per Second - and it makes it hard to budget how much the solution will cost.

The solution is pretty expensive.

At a marketing level, we've checked out Splunk. We have not tested it internally on our servers. We simply took a closer look at their marketing and their strategic messaging.

We have used on-premises previously. We have never tested the cloud option if they have one. 

I would rate the solution seven out of ten. I consider Splunk and LogRhythm to be the number one solutions in the market.

I would advise others to try to be very careful when they got a quote from ArcSight, as, in the end, what they offer to you initially is not what you will end up in the end in terms of budgeting and pricing, and the level of expectations.

On-premises

Flexibility, high ingestion rate, and complexity of use cases.

ArcSight gives us better visibility into threats that were unknown earlier. We now have an ability to assess end-to-end communications, as well as alerts from various security solutions along the path.

The most valuable features are lists, correlation, escalation matrix, and customers.

The following needs to be improved:

1. We would like the ability to easily identify either unused resources or those that are being used sub-optimally.
2. ESM should make usage of variables and other such deep customizations, highly intuitive.
3. User behavior analytics is too pricey but an essential tool.

We have been using ArcSight for eight years.

• Collection - Collects logs from a wide range of products, even those not supported by default and the users can develop a connector for log collection.
• Detection - Caliber to detect subtle attacks with a powerful correlation engine.
• Report/Alert - The user has multiple levels of options to generate reports and get alerted based on conditions.

By using ArcSight ESM and its correlation technology, it thwarts multiple attacks from external sources before exploitations such as SQL injection, UNIX password file attempt, brute force to published servers, and more.

In addition, internal frauds have been prevented through preventing unauthorized login attempts to the firewall, database, critical servers, etc.

ArcSight Connector appliance needs some improvement, as it has some bugs which triggers issues most of the time. I believe that the Connector is going to hit end-of-service.

We experienced no issues with the deployment.

We had the bugs in Connector as detailed in the Areas for Improvement section.

We've had no issues with scalability.

Customer Service:

3.5*

Technical Support:

Technical support should be improved. Many times, I've raised a case but none of them solved it and it took the guys from the Protect724 forum so solve my issue. The support team simply collects the logs from end users and makes you wait, and you carry on passing the same information which is available in the Admin guide.

All you need is proper planning and pre-requisites information, and it's straightforward. Some newbies say that this product is hard to handle, but basically practice makes perfect.

HP are doing their job perfectly by bringing new features in every version, such as RepSM, HA capability, etc. It has never failed me.

The dashboard is the most valuable feature for us as it can show a lot of information about real-time incidents.

When I am facing a problem such as transaction fraud, we can investigate using ArcSight by tracing the log through its correlation.

They need to fix some bugs and increase the search performance speed. Sometimes there are issues when I perform log correlations.

We have had no issues with the deployment.

There have been no stability issues.

We have had no issues scaling it for our needs.

Customer Service:

5/10

Technical Support:

5/10

The initial setup was quite easy and straightforward.

I work for a reseller, and we set up ArcSight for our customers, and I am learning a lot about its architecture.

For SIEM, I think HP ArcSight is a leading competitor alongside Splunk.

You need to learn about architecture and practice more before implementation since this product is not easy to learn and takes time to master.

We deal mainly with enterprise companies - I'm the senior manager and we are partners with ArcSight. 

The solution has a good dashboard, very good real-time reporting and it's easy to use, offering simplicity for implementation and operations.

I'd like to see an improvement in their training and documentation. SOAR (Security Orchestration, Automation, and Response) would be a good feature to include in the future. 

I've been using this solution for six years. 

This solution is stable and scalable. 

They offer 24/7 standby support wherever you are. It's very good. 

Positive

The initial setup is straightforward. 

The cost is reasonable for a good solution.

It's important to set up the organization before implementation, checking internal desktops or IT security internals before buying the solution.

I rate this product an eight out of 10. 

On-premises