ArcSight Enterprise Security Manager (ESM) Reviews

They're the leader of the SIEM market for fifteen years or so. ArcSight is a very capable product that integrates with many different platforms. It's huge with a lot of moving parts, but nothing can compete with it in terms of capability.

I'm a little concerned that the market is moving around ArcSight. It's a fantastic SIEM, but the recent metrics show that relying too heavily on a SIEM solution isn't protecting us. ArcSight addresses that by integrating with other solutions, but I'd like to see that to be a more central element of it.

We've had no issues with deployment.

It is incredibly stable and road-tested, reasons why it's a market leader.

It's highly scalable. It works in small scenarios as well as the biggest that I can imagine.

Technical support from the vendor has been good. There's a particular challenge with ArcSight not in the technical support, but in the fact that it supports the platform and the integration.

The initial setup is relatively complex because it's not a small solution. It's not only complex to set up, but the interface with business operations is even more complex around scoping, implementing, and running an implementation.

Make sure you tune it to your business and infrastructure, which isn't necessarily part of technical support. It requires some consulting, which is a market challenge of the product.

It's not a one-size-fits-all solution and it isn't sold with the appropriate professional services. So the number one thing with ArcSight is that you have to make sure that you get professional services to help size it for your particular use case, including integrations with your tools, operational model, and security operations.

Not really a feature, per se, but the ability to do multi-tenant SIEM.

We help our customers do more than 'check a box' for security and compliance and we are very proud of that. We tend to be more like partners to a lot of our customers, and they rely on us to deliver high-fidelity, relevant security alerts. 

There are SO MANY things you can do in AS, and there is a lack of really in-depth documentation on a lot of it. I am not sure why this is, but it is a little hard to be self-sufficient when this is the case. I am sure this is why real ArcSight experts are in demand! Being too feature-rich can be as bad as being oversimplified!

I have been working as an analyst using AS for 9 months now. This work involves monitoring the multi-tenant implementation of AS, sending reports to customers, doing investigations on alerts that come in, and implementing new Connectors and content. Connectors are how AS gets events from the devices.

Again, system complexity can be an issue, but not really.

None. ArcSight is very stable. Period.

Again, none. It is a system that is more than capable of multi-tenant implementations.

They try really, really hard.

No, the folks I work for were at ArcSight before HP acquired it and have always been users and proponents of it. It's a powerful product for sure.

Setup is fairly complex, and with so many features, it is difficult to just 'set it and forget it' with ArcSight. It requires a lot of care and feeding, as well as a pretty good amount of ongoing maintenance and configuration to really get good quality alerts out of it.

In-house experts.

I've been looking at Open Source SIEM recently, and paying a lot of attention to the others in the commercial market, like IBM and MacAfee, but I don't have any practical experience. I have heard mixed reviews about all of them (including AS from some folks I know).

Implementation advice: this is a big job, and unless you are able to hire and train a dedicated SIEM engineer, I would look at getting staff augmentation from HP or other consulting types. Be prepared to Read The Friendly Manual (RTFM), and do a lot of searches online. Take the entry-level certs that HP offers, and get classes if there is budget.

Our primary use case if for analyzing cybersecurity. 

When WannaCry attacks I can minimize the damage. My company had no protection at the time. We get alerts in ArcSight and then whenever a user got a copy of WannaCry and the WannaCry malware wants to connect to the mother ship, it alerts me in the ArcSight dashboard, and that helps us a lot. We then just go to the user and erase the malware.

In other products, I have found that they use some kind of GUI that is drag and drop. While in ArcSight they still use scripting. They should keep scripting because some people prefer scripting but they should have the option for those who prefer using drag and drop.

They should do something similar to what Splunk is doing. They have Enterprise Security and ArcSight should include some use cases that concentrate on Enterprise Security.

Three to five years.

It's quite stable. 

Our initial sizing is enough for our needs. 

The initial setup was straightforward. The correlation engine took us a lot of time. It took us three months to do the implementation. We required two staff for deployment. 

We used a partner for the implementation. 

The pricing is great compared to others.

At the time that we were looking into options, we did a PoC for Splunk. We found that ArcSight is more user-friendly than Splunk because Splunk uses more scripting in the configuration and initial setup.

I would rate it an eight out of ten. Not a ten because of the drag and drop feature I'd like for them to include and because I think they should include more enterprise security use cases. 

The web logger allows me to view and inquire about various events in real time. It is the most useful feature for me for the following reasons:

• Allows me to look at the traffic in real time
• Allows me to add filters that remove the traffic that is not interesting
• Allows me to narrow down my research to only important traffic.
• Helps me in my troubleshooting work. I need to know a bit of SQL query syntax, but that is straightforward.
• Allows me to create reports, evaluate my findings, and send information to my customers.

I was able to provide intelligence reports to my customers. The organization relies on this information in order to sell services.

I would like to see the following:

• An improvement in the connector/agent configuration.
  The connector configuration is CLI based. If the connectors are pre-defined and built by HPE, then the configuration/installation seems to be OK.

• Making the FlexConnector configuration less complex.
  You need development skills in order to do your job in creating/configuring agents and connectors. I tried to learn the syntax in order to customize the software (connectors and agents) for a particular device, and it was a nightmare. The cost for this work, via HPE consultancy, is huge.

I've been using this product for three and a half years. I am one of the supporters of the product.

Some of the connectors need to be developed in-house. There were also issues with forwarding events. We noticed that some logs were lost between connectors and the central reporting unit.

I would give technical support a rating of 4 or 5 out of 10.

We also use Splunk to compare features. ArcSight is the favorite solution for my organization.

The initial setup is straightforward, but the customization can become a nightmare very easily.

We had an in-house implementation. I would recommend a dedicated team for implementation, support, and operation.

This product requires a dedicate team to operate it from a to z. HPE support needs to be clearly defined and considered.

It’s a highly customizable solution. Rules can be customized to a great extent. Session lists, active lists, and global and local variables are pretty unique to the solution.

It can collect logs from many unsupported log sources. Parsers are easy to create and test.

The solution needs quite a bit of initial customization.

It needs more product integration, like NBAD and VM solutions, etc. Although the solution currently supports log collection from NBAD and VM solutions, it would be good to add features for HPE to have their own NBAD and VM solution.

There is room to improve the storage requirement.

Most SIEM solutions now have their own Vulnerability Management, NBAD, File Integrity Monitoring etc solutions that can be bought as an add on module. HP does not seem to have any of those capabilities. The most important advantage of having such capabilities is that it allows users to view and analyse all the data on a single pane of glass. Regarding the initial customization, the solution needs some effort in terms of fine tuning to get the dashboards and reports to work. Once it is setup I think the way the data can be used with in the solution is the best as it allows high customization.

I have been using ArcSight for over five years.

The hardware requirements are very high and the solution has poor stability when they are not met.

HPE ArcSight scales very well at the connector level, Logger level and the ESM level.

Technical support is poor. This is one area that needs improvement

The initial setup is not complex, but is a little time consuming. Since the solution is highly customizable, the number of configurable options are high. HPE ArcSight allows distributed architecture.

Pricing is high. There are multiple licensing options available. Hardware/software or hybrid licensing options are available. Some of the license upgrades are paper license upgrades.

We evaluated IBM QRadar, McAfee ESM, and AlienVault.

Planning is very important. You need to know the security threats to your organisation to create the relevant rules. Look at other less-discussed modules of HPE ArcSight, like ArcSight Interactive Discovery and ArcSight ThreatDetector, for better results.

Correlation and flexibility are the most valuable features.

ArcSight saved time and effort responding to security incidents with one centralized console and helped to meet compliance requirements for log collection.

I would like to see improvement in the complexity involved to create a custom connector (flex). Other SIEM solutions, like QRadar, have addressed this.

We have used ArcSight for 6 years.

Initial deployment of ArcSight is pretty challenging. It takes at least 3-4 months to install, integrate, define content and fine tune before starting the security operation.

Customer service is fast in response, but very standard in their approach, which takes lot of time for simple issues.

I have used RSA enVision, QRadar and Splunk. ArcSight is better than them all when it comes to filtering, normalization, aggregation, dashboards, reporting and correlation, multi-tenancy and custom devices support.

Initial setup was complex as the integration of a custom application takes lot of time and effort. Then, fine tuning requires at least 6 weeks to analyze and tune each alert separately.

We implemented through HPE itself and I would advise to go through a vendor as they would hand over the SIEM post-fine tuning which is a mammoth task.

ROI can be measured in terms of detected security incidents and compliance positive tests, which in turn boost the business. Our security incident count increased from 3 per month to 46 and all were real security threats. Had those gone undetected and realized, there would have been possible data theft, information stealing, damage of brand reputation, etc.

An organization that has enough budget for SIEM and really cares about security and not only about compliance must go with ArcSight. SMB organizations who want to start a SOC or have just a log management solution for compliance requirements can go for cheaper options such as QRadar, LogRhythm, AlienVault, etc. For MSSP, ArcSight is indeed the best SIEM available in the market, as segregation of logs, access restriction, different log retention, customized view for dashboard and reports to clients are present with ease.

Lastly, ArcSight is like Apple. If you have money, go for iPhone and you will certainly not regret it. But if your budget is the primary constraint, then another SIEM must be explored.

We use ArcSight Enterprise Security Manager (ESM) as an SIEM system.

From a business perspective, the product helps us with cloud platform management. Its dashboard provides quick suggestions on real-time data.

ESM has valuable features for event prediction and security analysis.

There could be more API features for extracting logs on different devices included in the product.

It is a stable product.

Our organization has 10 ArcSight Enterprise Security Manager (ESM) users. It is a scalable platform. We are preparing for the budget to increase the usage.

It is easy to set up and configure.

The product licenses are inexpensive.

Compared to other vendors, ArcSight Enterprise Security Manager has a more effective dashboard. It has good pricing as well. However, they could schedule more marketing programs and activities similar to those of their competitors.

I rate it an eight out of ten.

The tool is good for correlation and aggregation. We use it as a collection platform. 

The tool should improve its UI. It also should make data more searchable. 

I have been working with the tool for three to four years. 

The tool is stable. 

The tool is scalable. 

I have worked with QRadar and McAfee. 

The deployment process is similar to the hosting of other applications. The tool's deployment depends on the environment architecture, and your requirements. 

I would rate the solution a seven out of ten. The product is very robust. 

On-premises