ArcSight Enterprise Security Manager (ESM) Reviews

I primarily use ArcSight ESM for security and network monitoring. We are dealing with Active Directory, so we use ArcSight ESM to track the actions administrators take on accounts, like disabling and enabling accounts or accounts going expired and why.

ArcSight ESM allows us to track the logging of our customers or providers through VPN to a security middleware that tracks and allows them to access backend resources. In this way, we can find if someone is doing an administrative operation at inappropriate times of day or trying to do something they're not allowed to.

ArcSight ESM's UI is a little cumbersome and complex, especially for first-time and occasional users using the console manager. It's also a very complex product, and new users will require assistance from someone expert to avoid making errors. 

I've been using ArcSight ESM for three years.

ArcSight ESM is stable, except when you're doing very complex correlations, but that's a problem common to all products in this area.

We have not had any problems with ArcSight ESM's scalability.

ArcSight's technical support is very good.

The initial setup was not so easy as it's a very technical product, and anybody who doesn't have a lot of technical knowledge will probably find it difficult to set up. It's important to have a clear understanding of your goals when setting up all the infrastructure, as ESM is so complex. The deployment took around an hour or two.

We used a provider team.

ArcSight ESM is a very powerful platform, but you have to be careful in designing rules and defining an initial set of targets because otherwise, you could end up with high costs or a hugely demanding setup. I would rate ArcSight ESM seven out of ten.

We use it for our internal and vendor daily base of log analysis and threat analysis.

It is a robust product and has multiple valuable features. For example, it has robust threat intelligence built into its customization and great templates that provide ease of use.

The dashboard looks a bit cumbersome with the current version. They should work on the dashboard and optimize their integration which currently lags with devices of reputed vendors. So, having these custom integrators sometimes works and sometimes doesn't.

We have been using this solution for almost ten years. It is deployed on private cloud.

We haven't experienced any stability challenges. It works if we get enough hardware and software provisions for the vendor recommendation.

On-premises is a challenge to scale, and we haven't tried the cloud but we've heard it's quite scalable and robust.

We do not use technical support that often. They are very good, but they should train their L1-level support. Overall, they're a good strong team.

The setup is neither easy nor difficult and depends on the expertise. It requires really good expertise to build from scratch. The setup itself is not a big hassle, and in a week, the system is up and running, but the main challenge is the integration. We keep integrating, and with the password of the integrated direct, it's fine.

It is a licensed product.

I rate this solution an eight out of ten in terms of the inbuilt features and how it has grown into a strong solution over the years. The team has done an excellent job with the features, integrations, and compatibility.

Regarding advice, I think the assessment on currently sizing the product to their need is key. It's an expensive product, so sizing is the most important choice. In addition, I believe moving to cloud has more robust integration features. They are building new custom solutions that can be integrated with ESM for better analysis.

We use ArcSight ESM for log analysis and security alerts. It warns us of threats and then helps us conduct a forensic investigation of a cyber attack or internal incident after it happens.

ArcSight ESM helps us stop security incidents by detecting them early before they can cause more damage. 

ArcSight ESM needs to improve performance, user interface, and automation.

ArcSight has become more stable with the latest patches that have come out, but we also have had many difficulties applying the patches

It's costly to scale up ArcSight ESM, but it's scalable. You have to pay for extra storage, licenses, and log processing.

ArcSight support is okay but slow. It isn't provided promptly. There is a vast time difference between American time and East Asian time. 

Setting up ArcSight is very complex. Nothing about it is user-friendly.

ArcSight's price is reasonable. That's why our company was forced to buy this. It's cheaper than some of the better solutions. 

LogRhythm has a better GUI and some automation options, like an automated password writing script. In Exabeam, I can see an event with the user's picture, which Exabeam can draw from the Active Directory. It has a better GUI, better performance, and customization. I expect these things from ArcSight, but it can't deliver yet.

I rate ArcSight three out of 10. I would never recommend it. I would recommend QRadar, LogRhythm, or Exabeam, but they all cost more. Price is its only advantage.

• Logger
• Command Center

The ArcSight ESM allows for easy log analysis as well as correlation and alerting. Logger is an indexed database which allows for faster, historical searching. The versatility to use SQL queries is helpful.

There are some limitations on the functionality of Rules that I would like to see expanded. I would like to see some better support options in the ArcSight community for HP Protect. Unless someone in your organization is an ArcSight SME, you are going to have a difficult time getting answers.

I've used it for two years.

There were no issues with the deployment.

We've not had any issues with the stability.

We've had no issues scaling it for our needs.

I would give it 3/10. A lot of the support is community based. That strategy can work, but the answers are sometimes incomplete, incorrect, and can take a long time to get.

I have used QRadar and Splunk. Both have great functionality that make them easy to use, but ArcSight has a very consistent layout and their logic is easy to figure out.

I was not involved in the setup.

I'm not involved in pricing or licensing.

It's a well rounded product especially with the addition of Logger and Command Center. I felt it was easy to understand and use right from the start. There are some companies that do not take advantage of everything ArcSight can offer. A problem I think ArcSight can fix with better support alternatives.

ArcSight ESM is used as a security information and event management (SIEM) solution. It has been used in banks.

The most valuable features of ArcSight ESM are the dashboards, ease of management for anyone, and simple for teams to provide reports related to cyber security. There are a lot of good features that are provided.

ArcSight ESM could improve the alerts for the storage capacities or actions.

I have been using ArcSight Enterprise Security Manager (ESM) for approximately six years.

ArcSight ESM is stable.

The scalability of ArcSight ESM is very good.

On the client's bank site, there are approximately 1,500 users using the solution.

The support for ArcSight ESM has been very good.

The deployment of ArcSight ESM is easy.

We have approximately six people from our information security department managing ArcSight ESM. The deployment was done by four engineers.

ArcSight ESM is an affordable solution, it cost approximately $200,000 for three years. This price was at a substantial discount.

We have evaluated IBM QRadar before choosing ArcSight ESM.

My advice to others is once they evaluate ArcSight ESM they will love it.

I rate ArcSight ESM an eight out of ten.

Our primary use case is to prioritize internationally used references.

This process has helped to improve our organization because we have centralized the intra-group security equipment logs.

We've been working hard to implement Violation scenarios as a rule.

The features that we have found to be most valuable are:

1. Connectivity with the SOC system
2. Flexible connectivity with third-party solutions

There are several improvements that we would like to see, including:

1. Building a system based on a log collection (SOC)
   
2. A scenario for external encroachment
3. Operator training

We use Micro Focus ArcSight SIEM version 6.3, 6.4, and 6.5 in multiple sites and customer ranges. The SIEM log monitoring tool is very efficient at providing us the details for any file system changes, logins, OSPF, and BGP as well as other router and server changes.

It is a vital tool for live monitoring and helps us to understand the traffic alerts of any major issue on the network, thereby reducing hacking attempts. Before our staff had to review raw logs directly to understand if there has been any attempt to the system, but with ArcSight, once the rules are defined, it becomes easy to detect changes and generate automated logs. 

Another benefit is this tool sends an automated mail to all the operators, which makes it easy to share the information and reporting.

Once the rules are defined, it is capable of detecting minute changes in the systems, which are effectively based on the entries in the log.

In certain cases, this product does have false positives, which the company should work on. They should also try to include business logic vulnerabilities in the SIEM tool. The analytics feature is not reliable and needs improvement for more detailed analysis.

The product that we used in our office under different environments is highly stable. We have used certain specific versions unless required specifically by the client.

This product is designed for easy scalability and can easily scale up without major challenges. However, we have a specific team which looks after the setup and maintenance of the tool.

We have experienced quick customer support. They have a complete list of our previous issues along with our history, which makes it faster for them to solve our issues. 

Since I have been in the organisation, we have used Micro Focus ArcSight for 80% of the clients. We have also used Splunk for certain clients based on their requirements.

We have a separate team for this functionality. I am not aware of the process. However, complete client cooperation is required in the setup or else there can be certain counterproductive alerts.

It is best to be an institutional buyer and directly contact the sales team, as they can provide over-the-top discounts for bulk orders.

We have used Micro Focus ArcSight from the beginning.

Correlation and flexibility are the most valuable features.

ArcSight saved time and effort responding to security incidents with one centralized console and helped to meet compliance requirements for log collection.

I would like to see improvement in the complexity involved to create a custom connector (flex). Other SIEM solutions, like QRadar, have addressed this.

We have used ArcSight for 6 years.

Initial deployment of ArcSight is pretty challenging. It takes at least 3-4 months to install, integrate, define content and fine tune before starting the security operation.

Customer service is fast in response, but very standard in their approach, which takes lot of time for simple issues.

I have used RSA enVision, QRadar and Splunk. ArcSight is better than them all when it comes to filtering, normalization, aggregation, dashboards, reporting and correlation, multi-tenancy and custom devices support.

Initial setup was complex as the integration of a custom application takes lot of time and effort. Then, fine tuning requires at least 6 weeks to analyze and tune each alert separately.

We implemented through HPE itself and I would advise to go through a vendor as they would hand over the SIEM post-fine tuning which is a mammoth task.

ROI can be measured in terms of detected security incidents and compliance positive tests, which in turn boost the business. Our security incident count increased from 3 per month to 46 and all were real security threats. Had those gone undetected and realized, there would have been possible data theft, information stealing, damage of brand reputation, etc.

An organization that has enough budget for SIEM and really cares about security and not only about compliance must go with ArcSight. SMB organizations who want to start a SOC or have just a log management solution for compliance requirements can go for cheaper options such as QRadar, LogRhythm, AlienVault, etc. For MSSP, ArcSight is indeed the best SIEM available in the market, as segregation of logs, access restriction, different log retention, customized view for dashboard and reports to clients are present with ease.

Lastly, ArcSight is like Apple. If you have money, go for iPhone and you will certainly not regret it. But if your budget is the primary constraint, then another SIEM must be explored.