- Alert correlation
- Reporting
- Retention
These are the features we find most valuable for us and which we use the most.
It's able to track down security incidents faster and make for a more efficient investigation of a user's network activity based on the log data available.
Due simply to the user features available out-of-the-box, the convenience it can bring to any organization (when deployed and configured correctly) can greatly assist any enterprise in many facets, from an increased and enhanced security posture, to auditory regulations and even data retention.
It needs additional and better user customization for SmartConnectors. It has additional device support for more obscure log sources.
Also needed is a configuration wizard for organizations lacking the in-depth knowledge required to integrate the solution successfully.
We've had no issues with deployment.
We've had no issues with instability. It's been stable for us.
We've been able to scale it for our needs. We've had no issues with scalability.
I think the ability to create rules more flexible than in other products (i.e. IBM QRadar) is its most valuable feature. It has good options for shaping data and using them in very complex rules.
It has increased our detective capabilities in the cybersecurity landscape. We're able to build SOC around it, and make it a central tool for detecting network compromises.
Performance is the product's Achilles' heel. The aggregation can't be done for a long period of time, i.e. one week. On top of that, in comparison to the competition, ArcSight works very slowly and the WebUI is not very user-friendly.
We've been using it for 10 months and the program is still in the development phase.
There were no issues with the deployment.
There have been no stability issues.
We have had no issues scaling it to our needs.
The level of technical support is low. I think HP should invest money to train support people. Furthermore, sometimes I feel they are overworked because they are used to sending notifications about cases without closing them.
Previously, I worked with IBM QRadar.
SIEM in general is not straightforward. I think the initial setup was simple, but to get value from this product, you have to do something more than the initial setup.
We did it in-house with help from the vendor's professional services. My advice is to think first where you would like to put your collectors. Assess if your network will be able to lift extra loads, assess what logging level will be required, and if log sources are capable of delivering it.
ArcSight was chosen by my new company management without asking me for my opinion.
We have a large footprint of 25 plus subsidiaries reporting into a consolidated security reporting and action team using ArcSight ESM.
ArcSight ESM has improved our organization because we have better incident reporting. It was originally deployed in order to fulfill compliance requirements. We were required to have security monitoring; ArcSight ESM was a quick and effective way to be able to meet that minimum requirement.
The most valuable features of ArcSight ESM are ease of use and readily usable components.
ArcSight ESM is lacking cloud scalable technology.
I have been using ArcSight Enterprise Security Manager (ESM) for approximately three years.
ArcSight ESM has average capabilities. It's not seen as being particularly robust or usable for advanced threats.
The scalability of ArcSight ESM is average to poor.
We have approximately 60,000 users using the solution.
The support from ArcSight ESM is very poor. We had a negative experience.
I rate the support from ArcSight ESM one out of five.
We did not use a solution prior to ArcSight ESM.
The initial setup of ArcSight ESM was relatively straightforward. The full deployment took us approximately six months. The implementation strategy was to get basic monitoring templates as fast as possible.
We used an integrator for the implementation of ArcSight ESM.
The ROI was not important at first because we were trying to cover our basic compliance requirement for monitoring.
We're paying a fee for an MSSP, and the total cost of ArcSight ESM was approximately three to four million dollars a year. The price was less than similar solutions. We did not have additional fees.
We evaluated other solutions prior to choosing ArcSight ESM, such as Splunk and RSA NetWitness. We decided on ArcSight ESM because it was cost-effective.
We are replacing ArcSight ESM with Microsoft Sentinel. We wanted to shift to cloud-based, cloud-scalable technology.
My advice to others is for them to take a hard look at the total cost of ownership, specifically the maintenance and upkeep that's required to maintain the appropriate service levels.
I rate ArcSight ESM a four out of five.
We are resellers. We deal with many vendors to provide and implement solutions for our clients. We primarily use this product for logging data.
The most useful features are directories, price, and live reporting.
The customer experience could be improved.
I think they can improve the AI and monitoring. Also, they need an updated database.
I have been dealing with this solution for approximately three years.
We are working with the last updated version.
The stability can be improved. The competitors are more stable.
It's a scalable product and the scalability is good.
Our clients are usually enterprise companies.
The technical support is good. They have been able to resolve our issues.
We are using SIEM. It has a better dashboard and is more complete.
The initial setup can be simple and also complex. It depends on the client's infrastructure.
We implement the solution and maintain it for the clients.
It's a good price, it's one of the cheaper solutions.
There are no additional costs.
Depending on the size of the companies, I would recommend this solution. It's more suited for small to medium-sized companies.
I would rate this solution an eight out of ten.
There are many features that are good for clients who are looking for a good SIEM solution. They like the ease of creating a business that is effective and impressive.
The security is difficult.
I would like to have a feature that gives us an entire report listing what devices are integrated.
I have been using ArcSight for the last five years.
In the beginning, we got good support but it hasn't been what it used to be. On weekends we get the list of devices that are integrated but if we need to generate the lists of rights, it doesn't send the logs.
The initial setup was simple. The initial setup took five to six days.
I would rate it a seven out of ten. In the next release, I would like for them to include a list of integrated devices.
Our primary use case is SIEM. It is a data lake for logs from all of our servers and devices (routers, switches, firewalls, wireless controllers, etc.).
It prevented my users from getting infected by ransomware. It can also pinpoint the story behind every virus or network attack to our environment.
ArcSight ESM: The module has user-defined rules capabilities. This feature lets us define almost any threat.
The product should include a lot more predefined scenarios so the adopted company will have knowledge and a broader skill set in security and network.
Correlation capabilities: This product provides an advanced level of correlations, which is highly valued.
HPE ArcSight has helped us gain visibility of the solutions across the organization. We have been constantly identifying anomalous activities both internally as well as externally. These include malware proliferation, data loss, proxy bypass attempts, phishing and spear-phishing, port scans, etc.
It can be more user-friendly. The product is too restrictive to suit the flexibility needs of the infrastructure. It is sometimes hard to implement the solution as recommended by HPE.
I have used this solution for around four and a half years. Currently, we are using HPE ArcSight Express 5, ESM 6.8, Connector Appliances and SmartConnectors 7.4.
In version 5, I used to experience some issues as it was using Oracle DB. Although, I do not have any problems in version 6+.
This product is not easily scalable. We particularly required skilled personnel to do this activity and it also took a significant amount of time.
The technical support is poor.
We were not using any other solution before. We started using HPE ArcSight straightaway.
Setting up of the ArcSight solution is always complex compared to other solutions out there. There are a lot of parameters and dependencies involved. Adding infrastructure complexity will add more complications. Distributed deployment is also difficult to implement.
It is very expensive for larger deployments.
We are now working with open-source systems and Splunk solutions. We are decommissioning HPE ArcSight as it is getting impractical to manage and maintain the solution.
There are better products in the market for medium to large-scale deployments. It is recommended to use this product for small-scale deployments, i.e., 200-800 EPS.
The overall complexity of the product can be overwhelming for some. It's not the type of solution where you just plug it in and it works. Reaping full benefit from it requires quite a lot of custom tuning, qualified IT security personnel, and proper and thorough planning.
Technical support from the vendor can sometimes be quite slow and not very helpful, but it is getting better.
The GUI is outdated. Improvements on this are on the way, according to the vendor.
I’ve been using ArcSight for five years.
We had stability issues only in a virtual environment, which is not recommended by the vendor for a high-load setup. The main virtual server would crash every now and then. But once we had migrated the setup to a dedicated physical server, we had no major stability issues.
Scalability was one of our main concerns while choosing a solution and, so far, it has satisfied our needs in this area without any issues.
Right now, I would call technical support moderately good, since it has improved greatly over the past years. There are still some issues with timeliness every now and then, but the number of critical issues is quite low.
We have evaluated several solutions and HPE ArcSight was the only one that satisfied our requirements in performance, scalability, and flexibility.
Initial setup was quite complex and required a lot of planning. That is a downside of the solution being flexible and customizable.
The pricing and licensing model has changed dramatically over the last years, so I can't really give much advice on its current state. You need to be ready for the solution to be quite expensive.
We evaluated McAfee ESM.
The keys to success with this solution are:
Weinstein have projects in the government sector