System Support Engineer at a tech services company with 501-1,000 employees
Parsers are easy to create and test.
What is most valuable?
It’s a highly customizable solution. Rules can be customized to a great extent. Session lists, active lists, and global and local variables are pretty unique to the solution.
How has it helped my organization?
It can collect logs from many unsupported log sources. Parsers are easy to create and test.
What needs improvement?
The solution needs quite a bit of initial customization.
It needs more product integration, like NBAD and VM solutions, etc. Although the solution currently supports log collection from NBAD and VM solutions, it would be good to add features for HPE to have their own NBAD and VM solution.
There is room to improve the storage requirement.
Most SIEM solutions now have their own Vulnerability Management, NBAD, File Integrity Monitoring, etc. solutions that can be bought as an add-on module. HP does not seem to have any of those capabilities. The most important advantage of having such capabilities is that it allows users to view and analyse all the data on a single pane of glass. Regarding the initial customization, the solution needs some effort in terms of fine-tuning to get the dashboards and reports to work. Once it is set up, I think the way the data can be used within the solution is the best, as it allows high customization.
For how long have I used the solution?
I have been using ArcSight for over five years.
Buyer's Guide
ArcSight Enterprise Security Manager (ESM)
January 2025
Learn what your peers think about ArcSight Enterprise Security Manager (ESM). Get advice and tips from experienced pros sharing their opinions. Updated: January 2025.
831,369 professionals have used our research since 2012.
What do I think about the stability of the solution?
The hardware requirements are very high and the solution has poor stability when they are not met.
What do I think about the scalability of the solution?
HPE ArcSight scales very well at the connector level, Logger level and the ESM level.
How are customer service and support?
Technical support is poor. This is one area that needs improvement.
How was the initial setup?
The initial setup is not complex, but it is a little time consuming. Since the solution is highly customizable, the number of configurable options is high. HPE ArcSight allows a distributed architecture.
What's my experience with pricing, setup cost, and licensing?
Pricing is high. There are multiple licensing options available. Hardware/software or hybrid licensing options are available. Some of the license upgrades are paper license upgrades.
Which other solutions did I evaluate?
We evaluated IBM QRadar, McAfee ESM, and AlienVault.
What other advice do I have?
Planning is very important. You need to know the security threats to your organisation to create the relevant rules. Look at other less-discussed modules of HPE ArcSight, like ArcSight Interactive Discovery and ArcSight ThreatDetector, for better results.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Manager at PT Permata Anugerah Abadi
Easy-to-setup product with a valuable security analysis feature
Pros and Cons
- "ESM has valuable features for event prediction and security analysis."
- "There could be more API features for extracting logs on different devices included in the product."
What is our primary use case?
We use ArcSight Enterprise Security Manager (ESM) as an SIEM system.
How has it helped my organization?
From a business perspective, the product helps us with cloud platform management. Its dashboard provides quick suggestions on real-time data.
What is most valuable?
ESM has valuable features for event prediction and security analysis.
What needs improvement?
There could be more API features for extracting logs on different devices included in the product.
What do I think about the stability of the solution?
It is a stable product.
What do I think about the scalability of the solution?
Our organization has 10 ArcSight Enterprise Security Manager (ESM) users. It is a scalable platform. We are preparing for the budget to increase the usage.
How was the initial setup?
It is easy to set up and configure.
What's my experience with pricing, setup cost, and licensing?
The product licenses are inexpensive.
What other advice do I have?
Compared to other vendors, ArcSight Enterprise Security Manager has a more effective dashboard. It has good pricing as well. However, they could schedule more marketing programs and activities similar to those of their competitors.
I rate it an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Presales Manager at a tech services company with 51-200 employees
The flex connector lets you develop new connectors to integrate homebrew solutions
Pros and Cons
- "The most important feature is ArcSight's event correlation capabilities. It's powerful and easy. I also like the flex connector capability. It's easy to develop a new connector that isn't fully supported out of the box. For example, say you created a solution internally that's completely different, and it's not unsupported by the solution. You can write your own connector using the flex connector."
- "When we need to consume old events, we have to wait for a long time. ArcSight should improve the database capability to reply to queries faster. It would also be interesting if they implemented network visibility. For example, they could add a feature like NetWitness with a model just for looking through the packets."
What is our primary use case?
We use ArcSight primarily to provide logs for the incident response team and cyber security analysts to evaluate everything happening in the network.
What is most valuable?
The most important feature is ArcSight's event correlation capabilities. It's powerful and easy. I also like the flex connector capability. It's easy to develop a new connector that isn't fully supported out of the box. For example, say you created a solution internally that's completely different, and it's not unsupported by the solution. You can write your own connector using the flex connector.
What needs improvement?
When we need to consume old events, we have to wait for a long time. ArcSight should improve the database capability to reply to queries faster. It would also be interesting if they implemented network visibility. For example, they could add a feature like NetWitness with a model just for looking through the packets.
What other advice do I have?
I rate ArcSight Enterprise Security Manager nine out of 10.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Engineer at a tech services company with 1,001-5,000 employees
A stable and scalable solution with good correlation and parsing
Pros and Cons
- "I really like the correlation part and the way the logs are correlated. I have never faced issues with parsing in this product. I like the way it parses, and everything is so clear to me."
- "Its search part can be improved. When I go to the console and search for a few logs or something else, it takes a lot of time. When I try to search for three days or one week, it takes too much time. This is a major area of improvement. I wanted them to include features like SOAR, threat intelligence, and automation, and they seem to have included all these features in version 7.3 or 7.4."
What is most valuable?
I really like the correlation part and the way the logs are correlated. I have never faced issues with parsing in this product. I like the way it parses, and everything is so clear to me.
What needs improvement?
Its search part can be improved. When I go to the console and search for a few logs or something else, it takes a lot of time. When I try to search for three days or one week, it takes too much time. This is a major area of improvement.
I wanted them to include features like SOAR, threat intelligence, and automation, and they seem to have included all these features in version 7.3 or 7.4.
For how long have I used the solution?
I have been using this solution for approximately three to four years.
What do I think about the stability of the solution?
It is stable.
What do I think about the scalability of the solution?
It is scalable.
How are customer service and technical support?
I have experience with their technical support, and I would rate them 4.5 out of 5. Whenever I have raised a ticket, I got an appropriate response. They were able to solve my problem.
What other advice do I have?
I would rate ArcSight Enterprise Security Manager (ESM) an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Associate Vice President at a consumer goods company with 201-500 employees
Good monitoring and analytics components with pretty good technical support
Pros and Cons
- "The solution offers very good monitoring."
- "The stability isn't quite perfect. We occasionally run into problems."
What is our primary use case?
We primarily use the solution for its technology including its independent logs, and those types of things. The technology we leverage is for third parties.
What is most valuable?
The solution offers very good monitoring.
The product's log management and event management capabilities are excellent.
There are a lot of really good analytical components. It helps us focus on analysis.
What needs improvement?
We need to have more data to work with. The more data you have, the more you will be able to give off the right information; the historical information allows you to take more action. When you don't have enough data, you can't really get the right insights.
The stability isn't quite perfect. We occasionally run into problems.
For how long have I used the solution?
I've been using the solution for almost three years now. It's been a while.
What do I think about the stability of the solution?
The solution is more or less stable. It's okay. However, from time to time, we do actually have some problems with it. It's not perfect.
What do I think about the scalability of the solution?
We haven't tried to scale the solution at this point.
We have about 2,100 people within the company, and five of those are focused on this solution specifically. We don't have plans to increase the usage of ArcSight at this time.
How are customer service and technical support?
I definitely have been in contact with technical support multiple times. They do provide device guidance. I'd say that they do work quite efficiently and our tickets are always responded to. We're pretty satisfied with their level of support.
Which solution did I use previously and why did I switch?
We didn't previously use a different solution. This is the first product for us that we use in this particular way.
How was the initial setup?
I didn't handle the initial setup personally. My team handled it, however, and I do not recall them saying that it was complex. My understanding is that it is straightforward.
Our teams also handle the maintenance.
What about the implementation team?
We handled the implementation in-house.
What's my experience with pricing, setup cost, and licensing?
I don't have too much information about the licensing costs at this time. I don't really handle them. I'm not sure if there are additional costs over and above the license itself.
What other advice do I have?
We're just a customer. We don't have a business relationship with the company.
We're using the latest version of the solution. I'm not sure of the exact version number.
I'd rate the solution eight out of ten, due to the technology inherent in the background of the product. Overall, it's quite good, although we have run into stability issues in the past.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Associate Manager at a tech services company with 10,001+ employees
Dashboards and channels provide real-time alerts. Correlation becomes slow if we have more than a certain number of rules.
What is most valuable?
Creating dashboards and real-time channels for real-time monitoring: This feature gives real-time alerts for the monitoring team to act upon. In certain cases, we can also create real-time email alerts for relevant teams for faster actions and resolutions.
How has it helped my organization?
This product has helped us and our customer with monitoring the security of different applications as well as different hardware devices. It helps in keeping an eye on each activity logged into our internal environment. This also helped us and our customer to meet the local regulatory requirements.
What needs improvement?
The correlation and storage have to be improved. The correlation works fine if we have a smaller number of rules written, but it becomes slow if we have more than 200 rules written for any correlation. This created buffer-buckets for all events flowing into the system. There are other ways in which this can be improved.
For how long have I used the solution?
For the last one year, I have been using the current version, i.e., HPE ArcSight ESM, Hardware Appliance L5600, Software Version 6.8.
Before that, I have used the earlier versions, i.e., v4.5 and v5.0 for nearly three years.
What do I think about the stability of the solution?
I have not encountered any stability issues with HPE ESM. It was stable all the time.
What do I think about the scalability of the solution?
We didn't encounter any scalability issues. We were able to scale it as and when required.
How are customer service and technical support?
The technical support needs improvement, as sometimes it takes time to get the actual response on the issue. It takes more than two days to reach a resolution as the support team needs a lot of basic information.
Which solution did I use previously and why did I switch?
I was not using any other solution previously.
How was the initial setup?
The setup was straightforward, but it still needs involvement from the support team, as sometimes credentials do not work.
What's my experience with pricing, setup cost, and licensing?
This is based on the requirement and budget. I would not like to comment on the pricing or licensing.
Which other solutions did I evaluate?
We looked at other solutions such as Splunk and IBM QRadar.
Disclosure: My company has a business relationship with this vendor other than being a customer: We have an alliance with HPE for their security products.
Security Response Engineer at a media company with 10,001+ employees
It reduces the amount of time required to perform an investigation because of the correlation and aggregation of all the events.
Valuable Features
It reduces the amount of time required to perform an investigation because of the correlation and aggregation of all the events. From what I've seen for our network, it's the best at ingestion of events.
Improvements to My Organization
We're a large organization, and the tool scales very well for us.
Room for Improvement
The technical support needs to be improved.
Deployment Issues
We've had no issues with deployment.
Stability Issues
Whether we've had issues with stability is a hard thing to say because we're on the cutting edge of virtualization. When we were on older hardware with physical servers, it was relatively stable. But we ran into issues with support, and we decided to virtualize a lot of it, everything from the loggers to the ESM. We see a lot of performance gains, but our biggest hangup is support. The tool itself is great, but when we run into a hiccup, it seems they don't have the expertise on the support side to get us quickly back to where we need to be.
Scalability Issues
We have well over 100,000 employees and we've virtualized a lot. Again, the problem is with getting support as we scale.
Customer Service and Technical Support
They don't listen when we report an event or issue. We tend to be on the bleeding edge, so we have to do our own troubleshooting and perform our own resolution of events. When we send information, they've often asked for logs. And sometimes we don't get responses at all. I often have to ask for a status update on our tickets, which oftentimes get sent to non-US support teams. They're then re-assigned back to the US and there's a lot of confusion.
Technical support has been so frustrating that we've brought in an intermediary, LiveQuest, to deal with HP support for us.
Initial Setup
I've set it up so many times now, it's really hard for me to describe it. It's pretty straightforward and has become second nature for me.
Other Advice
You have to really know your environment. Have a good SE, and be prepared to do a lot of your own homework.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Dynamics Nav Expert at a tech services company with 51-200 employees
Allows integration and log collection with different devices.
What is most valuable?
The valuable features are:
- Integration and log collection with different devices.
- Collecting logs from many different sources. If you have your own app, you can do logging for it. In addition, you can customize log parsing.
- Correlations of logs from different device types.
- Built-in content such as reports, dashboard, compliance, and standard packages.
- Option to correlate logs with business data.
- Option to adjust the product to different roles: operations, decision makers, and administrators.
- You can adjust the web console interface to match the specific role.
- Integration with other products, such as databases and IPSs.
- Additional features are available with simple extensions. The solution enables you to monitor logs and to analyze data, but you can also use additional add-ins such as reputation services that can integrate ArcSight ESM with TippingPoint IPS.
- Ready-made content that can be used immediately.
- Customized business tables can be correlated. For example, the employee sick leave register can be correlated with Windows login logs.
What needs improvement?
I would like to see the following improvements:
- Less time to administer and track logs on separate devices.
- Ease of changing the product underneath. For example, instead of Juniper routers, we started to use Check Point routers.
- Reporting: I would like an easier way to find the root cause.
- Simplicity: I would like to see an easier way to figure out which column has the mapped data.
- Component accessibility: Components are managed in different places; console, web console, and administration web. It would be nice to have easier access.
- Better UX: I would like to see a better user experience with the web client. Sometimes, it is very slow and not very intuitive.
- Better documentation or "how-to" videos: Usually documentation for devices, whose logs are going to be collected, is poor. Those guides are split in two parts: 1. To-do content for device administrator. 2. To-do content on the ArcSight side. When a customer uses these guides, it is not clear what he has to do. Sometimes the customer asks specific questions that the ArcSight implementer cannot answer. Some of these questions are about specific roles, privileges needed for a domain, or database use when the specific source is added.
- Simplified licensing and license extension for console users: Console users are licensed separately. Those licenses are expensive. The web console is introduced with limited features.
What do I think about the stability of the solution?
There were some stability issues in the partner versions. The client versions were stable.
What do I think about the scalability of the solution?
There were no scalability issues.
How are customer service and technical support?
The technical support was not very good. They are slow and not very efficient. I rely on personal contacts to solve my issues.
How was the initial setup?
The installation was straightforward. It has some built-in connectors that are easy to set up.
What's my experience with pricing, setup cost, and licensing?
The product is not cheap. If you set it up and use it well, it is a worthwhile purchase.
Which other solutions did I evaluate?
We evaluated Splunk and McAfee Log Manager.
What other advice do I have?
Prior to implementation, do an internal assessment and analyze business, technical, and other requirements. Know your inventory and ask for a project methodology approach. Ask your partner for a referral visit to other customer sites.
Disclosure: My company has a business relationship with this vendor other than being a customer: We are a partner.
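The reviewer above mentions correlating a customized business table (an employee sick-leave register) with Windows login logs. The following is an added example of that correlation, not ArcSight code or the reviewer's own content: it parses CEF-formatted logon events (CEF is the event format ArcSight connectors emit) and flags successful logons by users who are on leave. The register, the event lines and the hostnames are constructed sample data.

```python
import re
from datetime import date, datetime

# Constructed sample: a leave register keyed by username, with inclusive start/end dates.
LEAVE_REGISTER = {
    "jdoe": (date(2025, 1, 6), date(2025, 1, 10)),
    "asmith": (date(2025, 1, 8), date(2025, 1, 8)),
}

# Constructed sample events in CEF:
# CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
# Signature 4624 is the Windows "successful logon" event, 4625 a failed logon.
SAMPLE_EVENTS = [
    "CEF:0|Microsoft|Windows|10|4624|An account was successfully logged on|3|"
    "rt=Jan 07 2025 09:12:44 suser=jdoe shost=WS-0123 src=10.1.2.3",
    "CEF:0|Microsoft|Windows|10|4624|An account was successfully logged on|3|"
    "rt=Jan 09 2025 08:01:10 suser=asmith shost=WS-0456 src=10.1.2.4",
    "CEF:0|Microsoft|Windows|10|4624|An account was successfully logged on|3|"
    "rt=Jan 07 2025 10:30:00 suser=bwong shost=WS-0789 src=10.1.2.5",
    "CEF:0|Microsoft|Windows|10|4625|An account failed to log on|5|"
    "rt=Jan 08 2025 07:45:12 suser=jdoe shost=WS-0123 src=10.1.2.3",
]

# Extension values may contain spaces (e.g. rt=...), so a value runs until the next "key=".
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_cef(line):
    """Split a CEF line into its seven header fields plus an extension dict.

    Escaped pipes (\\|) in header fields are not handled; this is a minimal parser
    for the constructed sample above, not a full CEF implementation.
    """
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line[:40])
    keys = ("version", "vendor", "product", "dev_version", "sig_id", "name", "severity")
    event = dict(zip(keys, parts[:7]))
    event["ext"] = dict(CEF_EXT_RE.findall(parts[7]))
    return event


def logins_during_leave(lines, register):
    """Return (user, host, timestamp) for successful logons inside the user's leave period."""
    hits = []
    for line in lines:
        ev = parse_cef(line)
        if ev["sig_id"] != "4624":  # correlate only successful logons
            continue
        user = ev["ext"].get("suser", "").lower()
        if user not in register:  # no leave record, nothing to correlate
            continue
        when = datetime.strptime(ev["ext"]["rt"], "%b %d %Y %H:%M:%S")
        start, end = register[user]
        if start <= when.date() <= end:
            hits.append((user, ev["ext"].get("shost", "?"), when.isoformat()))
    return hits


if __name__ == "__main__":
    for user, host, when in logins_during_leave(SAMPLE_EVENTS, LEAVE_REGISTER):
        print("logon during leave: user=%s host=%s at %s" % (user, host, when))
```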