ArcSight Enterprise Security Manager (ESM) Reviews

We use ESM for compliance, log retention, and general security operations. We don't use all the features. We have been late in terms of taking advantage of the cloud option. 

ArcSight is customizable. You can integrate just about anything. I also like the ease of use.

The API integration could be better, and I'd like to see more machine-learning capabilities in the future. 

I have used ArcSight ESM for nearly 12 years.

ArcSight is more stable than other solutions I've used if you take care of the maintenance. I've seldom had significant issues. 

Scaling up ArcSight isn't a challenge.

I've had mixed experiences. Sometimes, it was fine, and it was not so good at other times. It isn't as good as it used to be. 

The setup is simple to me because I've been doing it for a while, but I'm not sure a beginner would find it easy. It could be simpler. I haven't had the opportunity to deploy it on the cloud, but you should be able to do it without problems. 

I rate ArcSight ESM six out of 10 for affordability. In my last company, I evaluated Sentinel. The annual license for ArcSight is equal to about two months of Sentinel. 

I rate ArcSight ESM seven out of 10. I've worked with it my whole life and watched it evolve. ArcSight doesn't do much that other solutions can't. ArcSight has been around for 20-plus years. A lot of companies have moved on to other solutions. At the end of the day, you get out of a SIEM product what you put into it. 

On-premises

ArcSight Enterprise Security Manager (ESM) is used in the customer side, specifically where there is an investment because the solution, when implemented, helps with integration. ArcSight Enterprise Security Manager (ESM) is able to ingest logs and integrate with all the third-party products, so its utility becomes higher. Integration is very important because if the solution isn't able to integrate with others, then data doesn't come under SIEM and becomes incomplete.

ArcSight Enterprise Security Manager (ESM) helped my company in terms of correlating alerts. The solution also helped in both alert-giving and understanding alerts. It also dismisses repeat alerts and removes false positives. ArcSight Enterprise Security Manager (ESM) also gives you the main reason for the alert so it saves time in terms of investigating all alerts, including false alerts, so it improved my company.

What I found most valuable in ArcSight Enterprise Security Manager (ESM) is its good integration with third-party products. The solution also has good core capabilities.

What could be improved in ArcSight Enterprise Security Manager (ESM) is its analytics feature. That feature should be more powerful and have more correlation in terms of AI/ML, though MicroFocus has done a good job in adding analytics to ArcSight Enterprise Security Manager (ESM) which has become a big draw to customers.

What I'd like to see in the next release of the solution is the addition of AI/ML features.

I've been using ArcSight Enterprise Security Manager (ESM) for almost five years, and I'm still using it.

ArcSight Enterprise Security Manager (ESM) has great stability.

ArcSight Enterprise Security Manager (ESM) is a scalable solution.

The technical support team of ArcSight Enterprise Security Manager (ESM) is very helpful. I would rate technical support for the solution five out of five.

The initial setup for ArcSight Enterprise Security Manager (ESM) was straightforward and the process was very well-explained. How long the process takes would differ from environment to environment and from customer to customer, but it could take one to two days.

We implemented ArcSight Enterprise Security Manager (ESM) ourselves.

I'm unsure on the exact ROI for ArcSight Enterprise Security Manager (ESM) because in cybersecurity you could never predict how much you saved, but my company got good value out of it.

I'm not using the latest version of ArcSight Enterprise Security Manager (ESM).

ArcSight Enterprise Security Manager (ESM) is not being used by the entire organization, but at least a thousand users use it, though I'm not 100% sure. The solution is used daily, and it's integrated and customized and has become part of the internal monitoring and compliance check of my company.

My advice to others who want to implement ArcSight Enterprise Security Manager (ESM) is that it's a great product, especially because it increased its feature sets and it has good integration with third-party solutions, for example, with other OEMs, with CrowdStrike, etc. The value proposition of the solution is also getting better and better, and usage-wise, ArcSight Enterprise Security Manager (ESM) is also good.

I would rate ArcSight Enterprise Security Manager (ESM) nine out of ten because even if it's an old product, it's been working well for quite some time. It has a huge customer base. I've not seen any issues, so I'm rating it a nine, but not a ten because there's always room for improvement.

My company is a reseller of ArcSight Enterprise Security Manager (ESM).

On-premises

ArcSight ESM provides us the flexibility to write our own passwords and customize the solution. It lets us search and log a variety of SmartConnectors. It has 480-plus SmartConnectors. 

ArcSight's features are already ahead of many competitors, but may they could offer some more training about how to find tools, how to get them working, and how to optimize them. I'd also like to see a greater focus on cloud content and the ability to write rules from the browser.

We've been using ArcSight ESM for around 10 years.

ArcSight is scalable. I started out with three data centers, and now I have it deployed at more than 48 locations.

I rate ArcSight support seven out of 10. Sometimes, it takes ages to get an issue resolved. I have ArcSight experience, so I normally try to fix things on my own or find a workaround, but it's tough to get support when I need it.

It goes on for days. If you call in the morning and explain it to the engineer, but the issue isn't fixed, you have to explain it to another person when the shift changes. It's usually okay, but it can be challenging if you're dealing with an urgent issue and you don't have the proper documentation.  

Neutral

I have used McAfee Nitro, IBM QRadar, and DNIF HyperCloud. Other solutions aren't as simple to set up or as stable. ArcSight is better in terms of coverage. The technology is more than 20 years old.

The setup is quite simple, and the documentation is thorough. 

We looked at three other solutions. I was working for a government organization, and there was an Indian company developing its own team. ArcSight was head and shoulders above the rest in features like aggregation filtering, bandwidth, parsing, etc. It was there.

Hopefully, we're still way ahead, but the IT data architecture is getting a bit complex with the introduction of Kubernetes and everything. It will be complicated in terms of resources, deployment, etc., but I think ArcSight can still be what it used to be if we sort this out.

I rate ArcSight ESM seven out of 10. I would recommend ArcSight depending on an organization's needs. I don't have much experience in terms of pricing, but ArcSight can provide a lot of functionality if a company requires it.

On-premises

Custom data parsers and custom event / asset categorization.

Allowing for non conventional data feeds from HR into our overall security monitoring practice has allowed us to catch gaps in our exit checklist for employees among other things.

The network modeling and asset categorization needs to be simplified to facilitate wider adaptation amongst customers.

I have been working with ArcSight for over 8 years.

I have never deployed an ArcSight installation without encountering several issues, I have over 40 deployments to my credit.

Absolutely, the new CORR engine is a vast improvement but was pushed out to customers too quickly. Several key components of our analysis workflow broke due to the new event processing scheme.

Not so much on the ESM level, but it gets expensive to scale at the logger level.

Customer Service: Support can use vast improvements, but your technical account managers are great. No complaints there.Technical Support: Lacking.

I am a Sr. Principal Architect and design and go with the best solution for the customer, currently deploying a solution around Logstash, elasticsearch and kibana.

Lots of moving parts.

Hard to determine, ArcSight is a product that costs millions to implement and takes several months to years before the ROI is clear.

For this particular project $2.4 million USD.

Understanding of your environment and data sources is key before correlation can occur. You make sure your environment is at a point that augmentation of the existing analysis workflow is required and not using a SIEM to establish one.

ArcSight monitors any down time with patch management. Whenever any project is on-boarded such as in our security core or asset and wealth management technology, the hardware goes through ArcSight. That is basically our use case whether we're doing the patch management, or the upgrades on that tool, or managing the centralized desktop. ArcSight monitors the failures in the cloud. We have the tech classifications in the CMDB which is integrated with ArcSight and ArcSight pulls out everything on the CMDB and I'm able to see it all - the CMDB database and the CVS scores which are also integrated in ArcSight. I can know that for a particular monitoring track or detected incident, this is the particular CVS score. I'm a VP and enterprise architect, and we're customers of ArcSight. 

The user interfaces are quite good and speedy, and I like the consoles too. The typology and the setup are also good. It's very similar to QRadar, so it's user friendly although I believe QRadar rates better. 

The deployment typology could be improved. If you want to scale across all the different lines of businesses, it should be easy to do that and it's not. If I'm doing DMX monitoring, I shouldn't need a different SIEM. For the traditional application servers which are RTTR architecture-based, the legacy applications, which might be Java or steam-based applications, require DMX monitoring, currently provided by Nagios. Instead, the monitoring could be different types of monitoring which we could get from ArcSight. It would save the cost of doing the DMX monitoring from Nagios. QRadar has a dashboard which includes most of the monitoring, data and everything. The features in ArcSight could be more like that.

I've been using this solution for 10 years. 

Scalability is okay although if we had better typology, we could scale more and performance could be better. It's similar to QRadar. We are onboarded for security core processing or data disk core processing. If I wanted to add another 20 line of businesses under that, it should be okay. There's a trade off between the security and performance so the more secure your typology is, will result in degraded performance. We currently have around 2,000 users but hope to increase that number. 

Technical support is available 24/7, They are on a rota basis for the different regions. If I'm looking for support here in India, it's available 2 1/2 hours ahead of Singapore, 3 1/2 hours ahead for the Japanese team. In the UK region, we have support available from 11:00am. And if I'm looking for post 7:00pm in India, then I have the support teams available from the States. They're quite good and they offer other professional services too, including for incident management. 

The initial setup doesn't take too much time. 

I'm neutral on whether I would recommend this solution. It depends on what typology you are using, and your use cases. If you have a different endpoint, or security tool already doing what this product does and it's already integrated with CMDB, and there's a tool at the endpoint giving the CVS Score, then you don't need an SIEM platform. 

On the pricing side, QRadar is much costlier compared to ArcSight. There's a trade off. Anyone aiming for something specific will go for ArcSight monitoring rather than going for Qradar because deployment of the SIEM is not so easy for the larger deployment typologies in the financial services sector. It's not easy to scale up for different lines of businesses unless you have proper planning, methodologies, processes, and your SOPs are in place. If you follow the proper SOPs, things are easier.

I would rate this solution a six out of 10. 

Private Cloud

We use ArcSight ESM for log analysis and security alerts. It warns us of threats and then helps us conduct a forensic investigation of a cyber attack or internal incident after it happens.

ArcSight ESM helps us stop security incidents by detecting them early before they can cause more damage. 

ArcSight ESM needs to improve performance, user interface, and automation.

ArcSight has become more stable with the latest patches that have come out, but we also have had many difficulties applying the patches

It's costly to scale up ArcSight ESM, but it's scalable. You have to pay for extra storage, licenses, and log processing.

ArcSight support is okay but slow. It isn't provided promptly. There is a vast time difference between American time and East Asian time. 

Setting up ArcSight is very complex. Nothing about it is user-friendly.

ArcSight's price is reasonable. That's why our company was forced to buy this. It's cheaper than some of the better solutions. 

LogRhythm has a better GUI and some automation options, like an automated password writing script. In Exabeam, I can see an event with the user's picture, which Exabeam can draw from the Active Directory. It has a better GUI, better performance, and customization. I expect these things from ArcSight, but it can't deliver yet.

I rate ArcSight three out of 10. I would never recommend it. I would recommend QRadar, LogRhythm, or Exabeam, but they all cost more. Price is its only advantage.

We have many use cases. Our Windows devices, antivirus, and firewall are integrated with ArcSight. I have used ArcSight ESM versions 6.1.1, 6.9, 7.0, and 7.2.

The filters and the ability to do what you want are the most valuable features. There is nothing that you cannot do in this solution. It has all the features, which makes it very dynamic.

I am having issues with report generation with older versions. I don't know if this is because of compatibility issues, but report generation has been a little bit difficult in older versions. It is not similar to the newer and current versions.

We are looking at moving to the cloud. It would be good if ArcSight ESM can move to the cloud. They already seem to be working on this. 

It would also be very helpful and great if we can integrate external threat intelligence, machine learning, and AI into this solution. It has good dashboards, but they can always be better. Its stability can also be improved. 

I've been using ArcSight for three years. I started using it in February 2019.

It is stable, but its stability can be better. I would rate it a four out of five in terms of stability.

It has been good when it comes to scalability. As an MSSP, we provide services to other customers, and we have customers with different capacity requirements. It is good in terms of moving from one particular size to another.

They have been great. They are friendly and good.

Its initial setup is straightforward. The deployment duration depends on the environment. It doesn't take time for our own environment, but I've heard some people complaining about the time period for which they have to wait for the deployment to take place.

ArcSight can be a little bit expensive because of the area that we work in and the cost. Licensing is mostly on a yearly basis, not monthly.

I would recommend this solution to anyone looking for an on-prem SIEM solution. It has been the best SIEM solution that I've worked with.

I would rate ArcSight ESM a nine out of ten. It is a great solution.

On-premises

We have outsourced our SOX management to an IT company because I cannot maintain and manage that in the bank. We had selected them because they were using ArcSight. They are a very professional security company. They came up with this suggestion of switching from ArcSight to LogRhythm. We are currently using ArcSight, but we would be switching to LogRhythm.

They are using the latest version of ArcSight ESM. It is all on-prem. Our production setup cannot be on a public cloud. In India, cloud deployment is not allowed for financial services. It has to be either a co-location or in-house.

The reports that we are from getting from ArcSight are very valuable. The reporting in ArcSight is good. Our regulators ask us for the reports on a regular basis, and we have been able to provide the required data.

Its overall functionality in terms of log analysis and the speed at which it does that is also valuable. It is very quick. Whatever alerts we had configured were extremely fast. We immediately get alerts when there is unauthorized access or unknown access, or even positive access. This is where we found the difference between ArcSight and other solutions.

When I asked our networking juniors for a comparison between LogRhythm and ArcSight, they said that both platforms are almost the same. It is just that LogRhythm is more modern with a digital platform, which probably gives it some advantage over ArcSight. ArcSight is a very old and mature product that is running on an old platform. It is an old legacy platform. 

In terms of new features, it just requires platform upgrades so that it becomes lighter and easily adaptable, specifically in the cloud. It would be a good thing if they can also make reporting easier. 

We have been using this solution for one year.

It is pretty stable.

It is pretty scalable.

I have not been in touch with ArcSight for technical support. I only talked to my vendor, who monitored my network. My vendor got in touch with ArcSight support.

The setup ran into a couple of months because the configuration of the endpoint devices to collect the logs was really tedious. It took some time to bring the environment into a condition to get it monitored by ArcSight.

It is a very good product. I would rate ArcSight ESM an eight out of ten.

On-premises