Head - Professional Services at a computer software company with 51-200 employees
A mature and simple to use product, but needs a cloud deployment option
Pros and Cons
- "The product is quite mature. It's been around for a long time."
- "The biggest requirement is that there is no cloud solution for this product yet. They need to create a cloud version. It's the biggest thing they can do to make the solution better."
What is our primary use case?
We primarily provide this solution to clients.
What is most valuable?
The simplicity of the solution is the most valuable aspect of the product.
The product is quite mature. It's been around for a long time.
The integration is easy for the most part.
What needs improvement?
Over the past two years, a lot of improvements have been happening.
The biggest requirement is that there is no cloud solution for this product yet. They need to create a cloud version. It's the biggest thing they can do to make the solution better.
The dashboard and user interface need some work. It's my understanding that they are developing better versions of those now.
For how long have I used the solution?
I've been using the solution for eight years or so. I started working on Version Five and have continued to update it from there.
Buyer's Guide
ArcSight Enterprise Security Manager (ESM)
November 2024
Learn what your peers think about ArcSight Enterprise Security Manager (ESM). Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,562 professionals have used our research since 2012.
What do I think about the stability of the solution?
The stability of the solution is very good. It's pretty perfect, actually. We don't have crashes. It doesn't freeze. There aren't bugs or glitches. It's completely reliable.
What do I think about the scalability of the solution?
The solution is easily scalable. If an organization needs to expand it, they most certainly can.
What we used to do traditionally, to scale, is that each device throws up a certain EPS and we size the solution accordingly. Once they have a cloud solution, it will be even easier to scale.
The solution works for any size of organization, from small companies to large enterprises.
How are customer service and support?
The solution's technical support is excellent. I'm in India, however, their support is on a global scale.
HP as an organization had one toll-free number. You plug in your requirements. However, by the time it reached the team, it became difficult, as everyone was routed centrally. However, since the site was taken over by Micro Focus, we have been seeing some great improvements in the support.
How was the initial setup?
The initial setup is not complex. It's very straightforward.
If you have a well-skilled technician, you probably only need a few people to handle the deployment and maintenance.
In terms of how long a deployment takes, a SIEM implementation depends on the number of devices and which ones we are integrating with. The kind of dashboards and reports the customer is looking for also comes into play in calculating the amount of time that will be needed. Therefore, the duration of the implementation is purely dependent on the client's specific needs.
A standard deployment is typically four weeks. However, I've seen some deployments take as long as 12 weeks.
What about the implementation team?
We deploy the solution for our clients. We also tend to handle the maintenance for our clients as well.
Which other solutions did I evaluate?
I have some experience with Splunk and Curator.
There are a few differences. Splunk, for example, is a native cloud product. That makes it excellent for scalability. Any on-premise challenges a company might face are answered by Splunk.
In both solutions, you are able to integrate and manage other devices as well, which isn't necessarily true of ArcSight.
What other advice do I have?
We're an authorized partner. We provide this solution to our clients.
In terms of implementation, new users should make a list of the requirements they need in order to have a broad idea of what they want the solution to achieve. Once they understand their requirements, it will be easier to find a solution that will match them.
For ArcSight, users need to go in with the compliance packs. ArcSight has some additional modules called compliance packs, which can get you automatic reports. That needs to be configured pretty well.
The biggest piece everyone needs to consider is the sizing part. It's an on-premise solution. If you are not buffering the sizing with at least about 25% additional compute and storage space, then you're in for trouble down the line. Always go bigger than you need.
Overall, I'd rate the solution seven out of ten.
ArcSight, in the last one and a half years, has been delivering on time, in terms of a better dashboard, a better user interface, and now, with an add-on EDA. MailStore is also getting into it. We are seeing that they are catching up with what the market needs. We will have to wait and see what the new release brings. Version Eight is coming in now. They seem to be doing everything now and are committing to some great features in a future release.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Senior Security Consultant, CISSP, HPE ArcSight Specialist at a retailer with 5,001-10,000 employees
Parses raw logs, converts them to common event format so you don't need expertise in all products
Pros and Cons
- "SmartConnector: Normalization parses raw logs and converts them into CEF (common event format). This is the core of the product."
- "They need to develop NetFlow appliances that can be installed in the customer network on span ports, collect NetFlow, and send it to ArcSight without relying on the devices' NetFlow capability and their position in the network."
How has it helped my organization?
This product is one of the best SIEM solutions, which helps SOC analysts to consolidate all security-relevant logs of many products into one place in a common format. It doesn’t require that you have expertise in each and every product. It facilitates pinpointing indicators of compromise and investigating security incidents more quickly than the legacy way of checking every product log separately. The old way required a huge effort (and the pain) of human correlation.
What is most valuable?
- SmartConnector: Normalization parses raw logs and converts them into CEF (common event format). This is the core of the product.
- Filtration, Aggregation: Both features provide a good way to save EPS (events per second).
- Logger: Long log retention, fast search, and reporting.
- ESM/Express: Correlation via standard rules and data monitors, active list, session list, active channels, reports, trends, queries, dashboards (query viewers and data monitors), and lightweight rules.
What needs improvement?
Developing more products/modules that make it more independent from relying on other vendors’ products to get all the necessary logs. For example, develop NetFlow appliances that can be installed in the customer network on span ports, collect NetFlow, and send it to ArcSight without relying on the devices' NetFlow capability and their position in the network.
What do I think about the stability of the solution?
Overall, the product stability is very good. But without continuous tuning of the developed content, and with improper usage of the product, you can encounter performance issues with ESM/Express, and sometimes hangs, which require a services restart.
What do I think about the scalability of the solution?
No.
How are customer service and technical support?
Sometimes very good and sometimes moderate.
Which solution did I use previously and why did I switch?
No.
How was the initial setup?
Straightforward for Logger and Express appliance; more considerations for ESM software version.
What's my experience with pricing, setup cost, and licensing?
HPE ArcSight pricing might be more expensive than other SIEM solutions, but in my opinion it has powerful features and great flexibility in developing complex use cases. So, in my opinion, it's worth trying first (via PoC, for example) before making any decision based on cost.
Which other solutions did I evaluate?
No.
What other advice do I have?
If you are implementing Express/ESM, I advise disabling all out-of-the-box content and building your own. Also, keep monitoring partial matches and your session/active list sizes as you develop your correlation rules, as it has a big performance hit on the system.
Disclosure: My company has a business relationship with this vendor other than being a customer: HPE implementation partner.
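The review above describes the SmartConnector's job (parse raw logs, emit CEF) and the filtering and aggregation that save EPS. The following is an added example, not ArcSight's or the reviewer's code, showing the same pipeline in miniature: two hypothetical raw log formats (constructed sample lines, not real device output) are normalized into CEF:0 records, low-value events are filtered, identical events are aggregated into one record carrying a `cnt` field, and a parser reads the CEF back. The extension keys used (`src`, `dst`, `dpt`, `proto`, `dvchost`, `suser`, `cnt`) are standard CEF dictionary keys; the vendor and product names are placeholders.

```python
import re
from collections import OrderedDict

# Constructed sample raw log lines (not real device output): a hypothetical
# firewall syslog format and a hypothetical host logon format.
RAW_LOGS = [
    "Mar  1 10:00:01 fw01 fw: action=deny src=10.1.2.3 dst=192.0.2.10 dport=445 proto=tcp",
    "Mar  1 10:00:02 fw01 fw: action=deny src=10.1.2.3 dst=192.0.2.10 dport=445 proto=tcp",
    "Mar  1 10:00:02 fw01 fw: action=deny src=10.1.2.3 dst=192.0.2.10 dport=445 proto=tcp",
    "Mar  1 10:00:03 fw01 fw: action=allow src=10.1.2.9 dst=192.0.2.20 dport=443 proto=tcp",
    "Mar  1 10:00:04 host07 logon: result=FAILED user=alice src=10.1.2.3",
]

FW_RE = re.compile(r"^\w{3}\s+\d+ \S+ (?P<host>\S+) fw: (?P<kv>.*)$")
LOGON_RE = re.compile(r"^\w{3}\s+\d+ \S+ (?P<host>\S+) logon: (?P<kv>.*)$")
HEADER_KEYS = ("vendor", "product", "version", "sig_id", "name", "severity")


def _kv(s):
    return dict(tok.split("=", 1) for tok in s.split())


def normalize(raw):
    """Connector role: map one raw line to a vendor-neutral event dict, or None."""
    m = FW_RE.match(raw)
    if m:
        f = _kv(m.group("kv"))
        denied = f["action"] == "deny"
        return {"vendor": "ExampleCo", "product": "Firewall", "version": "1.0",
                "sig_id": "100" if denied else "101",
                "name": "Connection denied" if denied else "Connection allowed",
                "severity": 5 if denied else 1,
                "ext": OrderedDict(src=f["src"], dst=f["dst"], dpt=f["dport"],
                                   proto=f["proto"], dvchost=m.group("host"))}
    m = LOGON_RE.match(raw)
    if m:
        f = _kv(m.group("kv"))
        return {"vendor": "ExampleCo", "product": "HostAgent", "version": "1.0",
                "sig_id": "4625", "name": "Logon failed", "severity": 6,
                "ext": OrderedDict(src=f["src"], suser=f["user"], dvchost=m.group("host"))}
    return None  # unknown format; a real connector would count this as unparsed


def _esc_header(s):
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(s):
    return s.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(ev):
    """Render an event as a CEF:0 line: 7 pipe-delimited header fields + extension."""
    header = "|".join(_esc_header(str(ev[k])) for k in HEADER_KEYS)
    ext = " ".join(f"{k}={_esc_ext(str(v))}" for k, v in ev["ext"].items())
    return f"CEF:0|{header}|{ext}"


def _split_header(line):
    """Split the 7 header fields on unescaped '|' and return (fields, rest)."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    return fields, line[i:]


EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?= \w+=|$)")


def _unesc(s):
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), s)


def parse_cef(line):
    """Parse a CEF:0 line back into the event dict produced by normalize()."""
    fields, ext_str = _split_header(line)
    if len(fields) != 7 or fields[0] != "CEF:0":
        raise ValueError("not a CEF:0 record")
    ev = dict(zip(HEADER_KEYS, fields[1:]))
    ev["ext"] = OrderedDict((k, _unesc(v)) for k, v in EXT_RE.findall(ext_str))
    return ev


def filter_and_aggregate(events, keep):
    """Drop events failing `keep`, then fold identical events into one with cnt=N."""
    groups = OrderedDict()
    for ev in events:
        if not keep(ev):
            continue
        key = (ev["sig_id"], tuple(ev["ext"].items()))
        if key in groups:
            groups[key]["ext"]["cnt"] += 1
        else:
            agg = dict(ev, ext=OrderedDict(ev["ext"]))
            agg["ext"]["cnt"] = 1
            groups[key] = agg
    return list(groups.values())


def process(raw_lines):
    """Whole pipeline: parse -> filter low-value events -> aggregate -> emit CEF."""
    events = [e for e in (normalize(line) for line in raw_lines) if e]
    reduced = filter_and_aggregate(events, keep=lambda e: e["sig_id"] != "101")
    return [to_cef(e) for e in reduced]


if __name__ == "__main__":
    print(f"{len(RAW_LOGS)} raw lines -> {len(process(RAW_LOGS))} CEF events")
    for line in process(RAW_LOGS):
        print(line)
```

On the five constructed lines the pipeline emits two CEF events: the three identical denies collapse into one record with `cnt=3`, the allow is filtered out, and the failed logon passes through. Real connectors aggregate within a time window and on a configurable field set; the filter predicate here is deliberately simple so the EPS saving is visible.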
Senior Security Consultant & Solution Architect at a financial services firm with 10,001+ employees
It's able to track down security incidents faster and make for a more efficient investigation of a user's network activity based on the log data available.
Valuable Features:
- Alert correlation
- Reporting
- Retention
These are the features we find most valuable for us and which we use the most.
Improvements to My Organization:
It's able to track down security incidents faster and make for a more efficient investigation of a user's network activity based on the log data available.
Due simply to the user features available out-of-the-box, the convenience it can bring to any organization (when deployed and configured correctly) can greatly assist any enterprise in many facets, from an increased and enhanced security posture, to audit regulations and even data retention.
Room for Improvement:
It needs additional and better user customization for SmartConnectors. It also needs additional device support for more obscure log sources.
Also needed is a configuration wizard for organizations lacking the in-depth knowledge required to integrate the solution successfully.
Deployment Issues:
We've had no issues with deployment.
Stability Issues:
We've had no issues with instability. It's been stable for us.
Scalability Issues:
We've been able to scale it for our needs. We've had no issues with scalability.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Response Engineer at a media company with 10,001+ employees
It reduces the amount of time required to perform an investigation because of the correlation and aggregation of all the events.
Valuable Features
It reduces the amount of time required to perform an investigation because of the correlation and aggregation of all the events. From what I've seen for our network, it's the best at ingestion of events.
Improvements to My Organization
We're a large organization, and the tool scales very well for us.
Room for Improvement
The technical support needs to be improved.
Deployment Issues
We've had no issues with deployment.
Stability Issues
Whether we've had issues with stability is a hard thing to say because we're on the cutting edge of virtualization. When we were on older hardware with physical servers, it was relatively stable. But we ran into issues with support, and we decided to virtualize a lot of it, everything from the loggers to the ESM. We see a lot of performance gains, but our biggest hangup is support. The tool itself is great, but when we run into a hiccup, it seems they don't have the expertise on the support side to get us quickly back to where we need to be.
Scalability Issues
We have well over 100,000 employees and we've virtualized a lot. Again, the problem is with getting support as we scale.
Customer Service and Technical Support
They don't listen when we report an event or issue. We tend to be on the bleeding edge, so we have to do our own troubleshooting and perform our own resolution of events. When we send information, they've often asked for logs. And sometimes we don't get responses at all. I often have to ask for a status update on our tickets, which oftentimes get sent to non-US support teams. They're then re-assigned back to the US and there's a lot of confusion.
Technical support has been so frustrating that we've brought in an intermediary, LiveQuest, to deal with HP support for us.
Initial Setup
I've set it up so many times now, it's really hard for me to describe it. It's pretty straightforward and has become second nature for me.
Other Advice
You have to really know your environment. Have a good SE, and be prepared to do a lot of your own homework.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Sales Engineer
Useful real-time alerts for web traffic monitoring
Pros and Cons
- "Stable solution with good customer service support."
- "Could benefit from a more modern interface."
What is our primary use case?
We use it to monitor several web traffic sources and to look for compromised indicators within that traffic. The traffic comes from several applications that we've exposed on the internet.
What is most valuable?
The most valuable feature is the real-time alerts. We're also currently looking to incorporate some of the SOAR capabilities that are new to the platform.
What needs improvement?
The interface (the console) looks pretty old right now, so it could benefit from a more modern design. It's functional, but not as visually appealing as it could be.
For additional features, I'd say capabilities regarding the behavioral analytics integrated in the solution. Right now, there's something in place, but it's not integrated on our side of the platform.
For how long have I used the solution?
I've been using ArcSight since 2015, so about six years.
What do I think about the stability of the solution?
My impressions are that it is stable.
What do I think about the scalability of the solution?
On our end it's pretty good. We haven't had any problems adding more sources.
How are customer service and support?
I've used their customer service and support a couple of times. It was a good service.
How was the initial setup?
Setup was relatively easy. The initial deployment was around five hours. For full deployment with all the sources, it took longer.
What other advice do I have?
I would rate this solution an eight out of ten. It's been useful and I would recommend it to others. I'd also advise to take just the initial architect for implementation because that was critical for us in making the appropriate selections prior to deployment.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Dynamics Nav Expert at a tech services company with 51-200 employees
Allows integration and log collection with different devices.
What is most valuable?
The valuable features are:
- Integration and log collection with different devices.
- Collecting logs from many different sources. If you have your own app, you can do logging for it. In addition, you can customize log parsing.
- Correlations of logs from different device types.
- Built-in content such as reports, dashboard, compliance, and standard packages.
- Option to correlate logs with business data.
- Option to adjust the product to different roles: operations, decision makers, and administrators.
- You can adjust the web console interface to match the specific role.
- Integration with other products, such as databases and IPSs.
- Additional features are available with simple extensions. The solution enables you to monitor logs and to analyze data, but you can also use additional add-ins such as reputation services that can integrate ArcSight ESM with TippingPoint IPS.
- Ready-made content that can be used immediately.
- Customized business tables can be correlated. For example, the employee sick leave register can be correlated with Windows login logs.
What needs improvement?
I would like to see the following improvements:
- Less time to administer and track logs on separate devices.
- Ease of changing the product underneath. For example, instead of Juniper routers, we started to use Check Point routers.
- Reporting: I would like an easier way to find the root cause.
- Simplicity: I would like to see an easier way to figure out which column has the mapped data.
- Component accessibility: Components are managed in different places; console, web console, and administration web. It would be nice to have easier access.
- Better UX: I would like to see a better user experience with the web client. Sometimes, it is very slow and not very intuitive.
- Better documentation or "how-to" videos: Usually documentation for devices, whose logs are going to be collected, is poor. Those guides are split in two parts: 1. To-do content for device administrator. 2. To-do content on the ArcSight side. When a customer uses these guides, it is not clear what he has to do. Sometimes the customer asks specific questions that the ArcSight implementer cannot answer. Some of these questions are about specific roles, privileges needed for a domain, or database use when the specific source is added.
- Simplified licensing and license extension for console users: Console users are licensed separately. Those licenses are expensive. The web console is introduced with limited features.
What do I think about the stability of the solution?
There were some stability issues in the partner versions. The client versions were stable.
What do I think about the scalability of the solution?
There were no scalability issues.
How are customer service and technical support?
The technical support was not very good. They are slow and not very efficient. I rely on personal contacts to solve my issues.
How was the initial setup?
The installation was straightforward. It has some built-in connectors that are easy to set up.
What's my experience with pricing, setup cost, and licensing?
The product is not cheap. If you set it up and use it well, it is a worthwhile purchase.
Which other solutions did I evaluate?
We evaluated Splunk and McAfee Log Manager.
What other advice do I have?
Prior to implementation, do an internal assessment and analyze business, technical, and other requirements. Know your inventory and ask for a project methodology approach. Ask your partner for a referral visit to other customer sites.
Disclosure: My company has a business relationship with this vendor other than being a customer: We are a partner.
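The review above gives a concrete correlation use case, an employee sick-leave register matched against Windows login logs, and an earlier review on this page advises keeping an eye on active list sizes because unbounded lists hurt performance. The following is an added example, not ArcSight's or either reviewer's code, that shows both in one place: a small bounded, TTL-expiring active list modelled on the SIEM concept, loaded from a constructed business table, and a correlation rule that alerts when a user who is on leave logs on successfully. The HR table and the normalized logon events are constructed sample data; the `suser` and `dvchost` field names follow CEF naming.

```python
from datetime import datetime, timedelta

# Constructed business table (not real HR data): employee -> (leave start, leave end).
ON_LEAVE = {
    "bob": (datetime(2024, 3, 1), datetime(2024, 3, 10)),
    "carol": (datetime(2024, 2, 20), datetime(2024, 2, 25)),
}

# Constructed, already-normalized Windows-style logon events (as a connector would emit).
LOGON_EVENTS = [
    {"time": datetime(2024, 3, 2, 9, 0), "suser": "alice", "dvchost": "ws01", "outcome": "success"},
    {"time": datetime(2024, 3, 2, 9, 5), "suser": "bob", "dvchost": "ws02", "outcome": "success"},
    {"time": datetime(2024, 3, 2, 9, 6), "suser": "carol", "dvchost": "ws03", "outcome": "success"},
    {"time": datetime(2024, 3, 2, 9, 7), "suser": "bob", "dvchost": "ws02", "outcome": "failure"},
]


class ActiveList:
    """Bounded, TTL-expiring lookup table modelled on a SIEM active list."""

    def __init__(self, capacity, ttl):
        self.capacity = capacity
        self.ttl = ttl
        self._entries = {}  # key -> (expiry time, value)

    def expire(self, now):
        self._entries = {k: v for k, v in self._entries.items() if v[0] > now}

    def add(self, key, now, value=None):
        self.expire(now)
        if key not in self._entries and len(self._entries) >= self.capacity:
            # Refusing loudly beats a silently growing list, which is the
            # performance trap the reviews warn about.
            raise OverflowError(f"active list full ({self.capacity} entries)")
        self._entries[key] = (now + self.ttl, value)

    def contains(self, key, now):
        self.expire(now)
        return key in self._entries

    def fill_ratio(self):
        """Fraction of capacity in use; worth graphing in operations dashboards."""
        return len(self._entries) / self.capacity


def load_leave_list(on_leave, now, capacity=1000):
    """Build the active list from the rows of the business table valid at `now`."""
    leave = ActiveList(capacity, ttl=timedelta(days=1))  # re-synced daily from HR
    for user, (start, end) in on_leave.items():
        if start <= now <= end:
            leave.add(user, now, value=end)
    return leave


def correlate(events, on_leave, capacity=1000):
    """Rule: a successful logon by a user who is on leave raises an alert."""
    alerts = []
    leave, day = None, None
    for ev in sorted(events, key=lambda e: e["time"]):
        if day != ev["time"].date():  # rebuild the list when the day changes
            leave = load_leave_list(on_leave, ev["time"], capacity)
            day = ev["time"].date()
        if ev["outcome"] == "success" and leave.contains(ev["suser"], ev["time"]):
            alerts.append({"rule": "Logon while on leave", "suser": ev["suser"],
                           "dvchost": ev["dvchost"], "time": ev["time"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(LOGON_EVENTS, ON_LEAVE):
        print(alert)
```

With the constructed data only bob's successful logon on 2 March fires the rule: carol's leave ended in February, alice is not on leave, and bob's failed logon is not a match. The TTL and capacity are the two knobs to watch in production; the list is rebuilt from the business table rather than appended to forever, which is what keeps its size bounded.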
Security Expert at a tech services company with 501-1,000 employees
With multi-tier hierarchical deployment, we are able to integrate and standardize security incident detection and response.
What is most valuable?
- High flexibility: There are many custom sources of information that we wouldn't be able to integrate with another SIEM solution, thus compromising our security.
- High performance: The amount of data fed to the solution is huge (100s of millions of events per day).
- Capacity for multi-tier hierarchical deployment: We are able to integrate and standardize security incident detection and response over many locations.
How has it helped my organization?
- Losses from security incidents have significantly decreased.
- Security incident discovery and mitigation is a matter of hours, rather than days or even months, like it was before.
- Detailed reports allow for planning and informed decision making.
What needs improvement?
The overall complexity of the product can be overwhelming for some. It's not the type of solution where you just plug it in and it works. Reaping full benefit from it requires quite a lot of custom tuning, qualified IT security personnel, and proper and thorough planning.
Technical support from the vendor can sometimes be quite slow and not very helpful, but it is getting better.
The GUI is outdated. Improvements on this are on the way, according to the vendor.
For how long have I used the solution?
I’ve been using ArcSight for five years.
What do I think about the stability of the solution?
We had stability issues only in a virtual environment, which is not recommended by the vendor for a high-load setup. The main virtual server would crash every now and then. But once we had migrated the setup to a dedicated physical server, we had no major stability issues.
What do I think about the scalability of the solution?
Scalability was one of our main concerns while choosing a solution and, so far, it has satisfied our needs in this area without any issues.
How are customer service and technical support?
Right now, I would call technical support moderately good, since it has improved greatly over the past years. There are still some issues with timeliness every now and then, but the number of critical issues is quite low.
Which solution did I use previously and why did I switch?
We have evaluated several solutions and HPE ArcSight was the only one that satisfied our requirements in performance, scalability, and flexibility.
How was the initial setup?
Initial setup was quite complex and required a lot of planning. That is a downside of the solution being flexible and customizable.
What's my experience with pricing, setup cost, and licensing?
The pricing and licensing model has changed dramatically over the last years, so I can't really give much advice on its current state. You need to be ready for the solution to be quite expensive.
Which other solutions did I evaluate?
We evaluated McAfee ESM.
What other advice do I have?
The keys to success with this solution are:
- Careful deployment planning
- Readiness to invest time and resources into training your IT security personnel
- Fine tuning the solution to your specific needs
Disclosure: I am a real user, and this review is based on my own experience and opinions.
IT Security Assistant Manager at an insurance company with 5,001-10,000 employees
It allows us to traceback security threats, to generate usage trends and discover anomalies.
Valuable Features:
For us, there are several valuable features.
- The ability to correctly parse the largest number of products compared to its competitors;
- The ability to create very complex scenarios to detect security risks and anomalies;
- Very stable system components (connectors, logger and correlation engine) combined with satisfactory vendor support; and
- The ability to create parsers for all kinds of applications and systems is an important differentiator.
Improvements to My Organization:
It greatly changed our work habits in the organization allowing us to not only trace back security threats, but also to generate usage trends, discover anomalies and so many other usages. It quickly became an indispensable tool.
Room for Improvement:
They can definitely provide faster search response and offer larger on-the-box storage support. The predefined correlation ruleset can be improved to cover more security alerts and more products.
There is also still room for improvement in processing speed. Easily accessible documentation, such as reference architectures, does not exist; more guidance could be provided to customers for such a complex product.
Deployment Issues:
We've had no issues with deployment.
Stability Issues:
We've had no issues with stability.
Scalability Issues:
We've had no issues with scalability.
Disclosure: I am a real user, and this review is based on my own experience and opinions.