They have been the leader of the SIEM market for fifteen years or so. ArcSight is a very capable product that integrates with many different platforms. It's huge with a lot of moving parts, but nothing can compete with it in terms of capability.
Security Practice Director at Rolta AdvizeX
Capable product that integrates with many different platforms.
What is most valuable?
What needs improvement?
I'm a little concerned that the market is moving around ArcSight. It's a fantastic SIEM, but the recent metrics show that relying too heavily on a SIEM solution isn't protecting us. ArcSight addresses that by integrating with other solutions, but I'd like to see that be a more central element of it.
What was my experience with deployment of the solution?
We've had no issues with deployment.
What do I think about the stability of the solution?
It is incredibly stable and road-tested, which is why it's a market leader.
Buyer's Guide
ArcSight Enterprise Security Manager (ESM)
December 2024
Learn what your peers think about ArcSight Enterprise Security Manager (ESM). Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,106 professionals have used our research since 2012.
What do I think about the scalability of the solution?
It's highly scalable. It works in small scenarios as well as the biggest that I can imagine.
How are customer service and support?
Technical support from the vendor has been good. There's a particular challenge with ArcSight not in the technical support, but in the fact that it supports the platform and the integration.
How was the initial setup?
The initial setup is relatively complex because it's not a small solution. It's not only complex to set up, but the interface with business operations is even more complex around scoping, implementing, and running an implementation.
What other advice do I have?
Make sure you tune it to your business and infrastructure, which isn't necessarily part of technical support. It requires some consulting, which is a market challenge of the product.
It's not a one-size-fits-all solution and it isn't sold with the appropriate professional services. So the number one thing with ArcSight is that you have to make sure that you get professional services to help size it for your particular use case, including integrations with your tools, operational model, and security operations.
Disclosure: My company has a business relationship with this vendor other than being a customer: We're partners.
Sr Security Engineer at a tech services company with 51-200 employees
There are SO MANY things you can do in AS, and there is a lack of really in-depth documentation on a lot of it.
What is most valuable?
Not really a feature, per se, but the ability to do multi-tenant SIEM.
How has it helped my organization?
We help our customers do more than 'check a box' for security and compliance and we are very proud of that. We tend to be more like partners to a lot of our customers, and they rely on us to deliver high-fidelity, relevant security alerts.
What needs improvement?
There are SO MANY things you can do in AS, and there is a lack of really in-depth documentation on a lot of it. I am not sure why this is, but it is a little hard to be self-sufficient when this is the case. I am sure this is why real ArcSight experts are in demand! Being too feature-rich can be as bad as being oversimplified!
For how long have I used the solution?
I have been working as an analyst using AS for 9 months now. This work involves monitoring the multi-tenant implementation of AS, sending reports to customers, doing investigations on alerts that come in, and implementing new Connectors and content. Connectors are how AS gets events from the devices.
What was my experience with deployment of the solution?
Again, system complexity can be an issue, but not really.
What do I think about the stability of the solution?
None. ArcSight is very stable. Period.
What do I think about the scalability of the solution?
Again, none. It is a system that is more than capable of multi-tenant implementations.
How are customer service and technical support?
They try really, really hard.
Which solution did I use previously and why did I switch?
No, the folks I work for were at ArcSight before HP acquired it and have always been users and proponents of it. It's a powerful product for sure.
How was the initial setup?
Setup is fairly complex, and with so many features, it is difficult to just 'set it and forget it' with ArcSight. It requires a lot of care and feeding, as well as a pretty good amount of ongoing maintenance and configuration to really get good quality alerts out of it.
What about the implementation team?
In-house experts.
Which other solutions did I evaluate?
I've been looking at open source SIEM recently, and paying a lot of attention to the others in the commercial market, like IBM and McAfee, but I don't have any practical experience. I have heard mixed reviews about all of them (including AS from some folks I know).
What other advice do I have?
Implementation advice: this is a big job, and unless you are able to hire and train a dedicated SIEM engineer, I would look at getting staff augmentation from HP or other consulting types. Be prepared to Read The Friendly Manual (RTFM), and do a lot of searches online. Take the entry-level certs that HP offers, and get classes if there is budget.
Disclosure: My company has a business relationship with this vendor other than being a customer: ArcSight partner
IT Manager at Royal Cemerlang
Enables us to minimize the damages of WannaCry attacks
Pros and Cons
- "When WannaCry attacked, I could minimize the damage. My company had no protection at the time. We got alerts in ArcSight: whenever a user got a copy of WannaCry and the WannaCry malware wanted to connect to its mother ship, it alerted me in the ArcSight dashboard, and that helped us a lot. We then just went to the user and erased the malware."
- "In other products, I have found that they use some kind of GUI that is drag and drop, while in ArcSight they still use scripting. They should keep scripting because some people prefer scripting, but they should have the option for those who prefer using drag and drop."
What is our primary use case?
Our primary use case is for analyzing cybersecurity.
How has it helped my organization?
When WannaCry attacked, I could minimize the damage. My company had no protection at the time. We got alerts in ArcSight: whenever a user got a copy of WannaCry and the WannaCry malware wanted to connect to its mother ship, it alerted me in the ArcSight dashboard, and that helped us a lot. We then just went to the user and erased the malware.
What needs improvement?
In other products, I have found that they use some kind of GUI that is drag and drop, while in ArcSight they still use scripting. They should keep scripting because some people prefer scripting, but they should have the option for those who prefer using drag and drop.
They should do something similar to what Splunk is doing. They have Enterprise Security and ArcSight should include some use cases that concentrate on Enterprise Security.
For how long have I used the solution?
Three to five years.
What do I think about the stability of the solution?
It's quite stable.
What do I think about the scalability of the solution?
Our initial sizing is enough for our needs.
How was the initial setup?
The initial setup was straightforward. The correlation engine took us a lot of time. It took us three months to do the implementation. We required two staff for deployment.
What about the implementation team?
We used a partner for the implementation.
What's my experience with pricing, setup cost, and licensing?
The pricing is great compared to others.
Which other solutions did I evaluate?
At the time that we were looking into options, we did a PoC for Splunk. We found that ArcSight is more user-friendly than Splunk because Splunk uses more scripting in the configuration and initial setup.
What other advice do I have?
I would rate it an eight out of ten. Not a ten because of the drag and drop feature I'd like for them to include and because I think they should include more enterprise security use cases.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Manager at a tech services company with 10,001+ employees
Allows me to view events in real time. The FlexConnector configuration is complex.
What is most valuable?
The web logger allows me to view and inquire about various events in real time. It is the most useful feature for me for the following reasons:
- Allows me to look at the traffic in real time.
- Allows me to add filters that remove the traffic that is not interesting.
- Allows me to narrow down my research to only important traffic.
- Helps me in my troubleshooting work. I need to know a bit of SQL query syntax, but that is straightforward.
- Allows me to create reports, evaluate my findings, and send information to my customers.
How has it helped my organization?
I was able to provide intelligence reports to my customers. The organization relies on this information in order to sell services.
What needs improvement?
I would like to see the following:
- An improvement in the connector/agent configuration.
The connector configuration is CLI based. If the connectors are pre-defined and built by HPE, then the configuration/installation seems to be OK.
- Making the FlexConnector configuration less complex.
You need development skills in order to do your job in creating/configuring agents and connectors. I tried to learn the syntax in order to customize the software (connectors and agents) for a particular device, and it was a nightmare. The cost for this work, via HPE consultancy, is huge.
For how long have I used the solution?
I've been using this product for three and a half years. I am one of the supporters of the product.
What was my experience with deployment of the solution?
Some of the connectors need to be developed in-house. There were also issues with forwarding events. We noticed that some logs were lost between connectors and the central reporting unit.
How are customer service and technical support?
I would give technical support a rating of 4 or 5 out of 10.
Which solution did I use previously and why did I switch?
We also use Splunk to compare features. ArcSight is the favorite solution for my organization.
How was the initial setup?
The initial setup is straightforward, but the customization can become a nightmare very easily.
What about the implementation team?
We had an in-house implementation. I would recommend a dedicated team for implementation, support, and operation.
What other advice do I have?
This product requires a dedicated team to operate it from A to Z. HPE support needs to be clearly defined and considered.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
System Support Engineer at a tech services company with 501-1,000 employees
Parsers are easy to create and test.
What is most valuable?
It’s a highly customizable solution. Rules can be customized to a great extent. Session lists, active lists, and global and local variables are pretty unique to the solution.
How has it helped my organization?
It can collect logs from many unsupported log sources. Parsers are easy to create and test.
What needs improvement?
The solution needs quite a bit of initial customization.
It needs more product integration, like NBAD and VM solutions, etc. Although the solution currently supports log collection from NBAD and VM solutions, it would be good to add features for HPE to have their own NBAD and VM solution.
There is room to improve the storage requirement.
Most SIEM solutions now have their own Vulnerability Management, NBAD, File Integrity Monitoring, etc. solutions that can be bought as an add-on module. HP does not seem to have any of those capabilities. The most important advantage of having such capabilities is that it allows users to view and analyse all the data on a single pane of glass. Regarding the initial customization, the solution needs some effort in terms of fine-tuning to get the dashboards and reports to work. Once it is set up, I think the way the data can be used within the solution is the best, as it allows high customization.
For how long have I used the solution?
I have been using ArcSight for over five years.
What do I think about the stability of the solution?
The hardware requirements are very high and the solution has poor stability when they are not met.
What do I think about the scalability of the solution?
HPE ArcSight scales very well at the connector level, Logger level and the ESM level.
How are customer service and technical support?
Technical support is poor. This is one area that needs improvement.
How was the initial setup?
The initial setup is not complex, but it is a little time-consuming. Since the solution is highly customizable, the number of configurable options is high. HPE ArcSight allows a distributed architecture.
What's my experience with pricing, setup cost, and licensing?
Pricing is high. There are multiple licensing options available. Hardware/software or hybrid licensing options are available. Some of the license upgrades are paper license upgrades.
Which other solutions did I evaluate?
We evaluated IBM QRadar, McAfee ESM, and AlienVault.
What other advice do I have?
Planning is very important. You need to know the security threats to your organisation to create the relevant rules. Look at other less-discussed modules of HPE ArcSight, like ArcSight Interactive Discovery and ArcSight ThreatDetector, for better results.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information Security Specialist at a tech services company with 501-1,000 employees
Correlation and flexibility are valuable. It helped meet compliance requirements for log collection.
What is most valuable?
Correlation and flexibility are the most valuable features.
How has it helped my organization?
ArcSight saved time and effort responding to security incidents with one centralized console and helped to meet compliance requirements for log collection.
What needs improvement?
I would like to see improvement in the complexity involved to create a custom connector (flex). Other SIEM solutions, like QRadar, have addressed this.
For how long have I used the solution?
We have used ArcSight for 6 years.
What do I think about the stability of the solution?
Initial deployment of ArcSight is pretty challenging. It takes at least 3-4 months to install, integrate, define content and fine tune before starting the security operation.
How are customer service and technical support?
Customer service is fast in response, but very standard in their approach, which takes a lot of time for simple issues.
Which solution did I use previously and why did I switch?
I have used RSA enVision, QRadar and Splunk. ArcSight is better than them all when it comes to filtering, normalization, aggregation, dashboards, reporting and correlation, multi-tenancy and custom devices support.
How was the initial setup?
Initial setup was complex, as the integration of a custom application takes a lot of time and effort. Then, fine-tuning requires at least 6 weeks to analyze and tune each alert separately.
What about the implementation team?
We implemented through HPE itself, and I would advise going through a vendor, as they would hand over the SIEM after fine-tuning, which is a mammoth task.
What was our ROI?
ROI can be measured in terms of detected security incidents and compliance positive tests, which in turn boost the business. Our security incident count increased from 3 per month to 46 and all were real security threats. Had those gone undetected and realized, there would have been possible data theft, information stealing, damage of brand reputation, etc.
What other advice do I have?
An organization that has enough budget for SIEM and really cares about security and not only about compliance must go with ArcSight. SMB organizations who want to start a SOC or have just a log management solution for compliance requirements can go for cheaper options such as QRadar, LogRhythm, AlienVault, etc. For MSSP, ArcSight is indeed the best SIEM available in the market, as segregation of logs, access restriction, different log retention, customized view for dashboard and reports to clients are present with ease.
Lastly, ArcSight is like Apple. If you have money, go for iPhone and you will certainly not regret it. But if your budget is the primary constraint, then another SIEM must be explored.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Manager at PT Permata Anugerah Abadi
Easy-to-setup product with a valuable security analysis feature
Pros and Cons
- "ESM has valuable features for event prediction and security analysis."
- "There could be more API features for extracting logs on different devices included in the product."
What is our primary use case?
We use ArcSight Enterprise Security Manager (ESM) as a SIEM system.
How has it helped my organization?
From a business perspective, the product helps us with cloud platform management. Its dashboard provides quick suggestions on real-time data.
What is most valuable?
ESM has valuable features for event prediction and security analysis.
What needs improvement?
There could be more API features for extracting logs on different devices included in the product.
What do I think about the stability of the solution?
It is a stable product.
What do I think about the scalability of the solution?
Our organization has 10 ArcSight Enterprise Security Manager (ESM) users. It is a scalable platform. We are preparing for the budget to increase the usage.
How was the initial setup?
It is easy to set up and configure.
What's my experience with pricing, setup cost, and licensing?
The product licenses are inexpensive.
What other advice do I have?
Compared to other vendors, ArcSight Enterprise Security Manager has a more effective dashboard. It has good pricing as well. However, they could schedule more marketing programs and activities similar to those of their competitors.
I rate it an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Mdr of Presales & Customer Success Head at a financial services firm with 1-10 employees
A robust and scalable solution that is good for correlation
Pros and Cons
- "The tool is good for correlation and aggregation. We use it as a collection platform."
- "The tool should improve its UI. It also should make data more searchable."
What is our primary use case?
The tool is good for correlation and aggregation. We use it as a collection platform.
What needs improvement?
The tool should improve its UI. It also should make data more searchable.
For how long have I used the solution?
I have been working with the tool for three to four years.
What do I think about the stability of the solution?
The tool is stable.
What do I think about the scalability of the solution?
The tool is scalable.
Which solution did I use previously and why did I switch?
I have worked with QRadar and McAfee.
How was the initial setup?
The deployment process is similar to the hosting of other applications. The tool's deployment depends on the environment architecture and your requirements.
What other advice do I have?
I would rate the solution a seven out of ten. The product is very robust.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.