it_user597603 - PeerSpot reviewer
Manager at a financial services firm with 1,001-5,000 employees
Vendor
It provides event correlation across multiple device categories. The web console should have all the features of the standard console.

What is most valuable?

  • Event correlation across multiple device categories: It allows us to have a full picture of what is happening in the environment.
  • Flexible event collection: Besides hundreds of standard devices, you can send custom CEF Syslog prepared with your own scripts.
  • Customization of alerts: Velocity macros allow you to send very clear and user-friendly alerts.

How has it helped my organization?

This product gave us a clear picture of the network traffic, including the useless parts. It also allowed us to detect a large range of threats, starting from the malware infected workstations to misconfigured devices.

What needs improvement?

The web console should have all the features of the standard console.

In addition, the upgrade process should be simpler.

For how long have I used the solution?

I have used this solution for 10 years and 8 months.

Buyer's Guide
ArcSight Enterprise Security Manager (ESM)
April 2025
Learn what your peers think about ArcSight Enterprise Security Manager (ESM). Get advice and tips from experienced pros sharing their opinions. Updated: April 2025.
854,338 professionals have used our research since 2012.

What was my experience with deployment of the solution?

I did have some small issues at the beginning. It was mostly due to not reading the documentation or sending too many events to the HPE ESM solution.

What do I think about the scalability of the solution?

Scalability was not an issue. The environment was relatively stable and we filtered out non-security events using custom scripts.

How are customer service and support?

I have had mixed experiences over the years. Customer service was good, while the technical support was mostly great.

There were a few glitches, like assigning our trouble ticket to a support specialist in an impossible time zone.

Which solution did I use previously and why did I switch?

I have not used any other solution. In 2005, we started directly with the HPE ArcSight solution because our company security consultant recommended it.

How was the initial setup?

In 2006, when we first installed HPE ArcSight into production, we disabled most of the default rules and other object categories. Today, this may not apply. After that, we designed and implemented our own rules, filters, field sets, active lists, session lists, reports, alerts, etc.

The first year was hard. In the following years, we mainly did the fine tuning, added new event categories and also did a lot of updates/upgrades.

What about the implementation team?

We carried out a pilot implementation based on the initial SOW, including several basic use cases. This allowed us to understand what is really happening in the environment and we learned that most of the default rules are not appropriate for us. After the pilot was successful, we bought the solution.

What was our ROI?

Calculating ROI is tricky and was never a concern for us. The simple fact that HPE ArcSight helped us several times to survive malware attacks (Conficker was one such attack), and also helped a lot with different compliance audits, was enough for us.

What's my experience with pricing, setup cost, and licensing?

In order to avoid huge licensing costs, you should use pre-filtering of events outside the ArcSight solution. We did this for Cisco ASA firewalls, Microsoft TMG proxies, etc. Of course, this approach may not work if you have regulatory constraints and have to collect everything.

What other advice do I have?

You must understand your environment and its dynamics.

Talk with IT people, write down the most important use cases, shortlist at least three SIEM solutions, do several pilots and then choose well.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
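The first review above mentions two techniques: sending custom CEF syslog built with your own scripts, and pre-filtering high-volume firewall events (Cisco ASA was the example) before they reach ArcSight to keep licicensing costs down. The Python script below is an added example, not code from the review or from ArcSight. The ASA-style log lines, the allow-list of message IDs, the name labels and the severity mapping are all constructed for illustration; the CEF escaping follows the published CEF rules (backslash and pipe escaped in header fields, backslash and equals sign escaped in extension values, newlines written as `\n`).

```python
"""
Pre-filter firewall-style syslog outside the SIEM and emit only
security-relevant lines as CEF. Added example; sample data is constructed.
"""
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample lines resembling Cisco ASA syslog (not captured from a real device).
# Connection build/teardown messages dominate volume and are not security-relevant here.
SAMPLE_ASA_LINES = [
    '%ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.10/443 '
    '(203.0.113.10/443) to inside:192.0.2.5/51234 (192.0.2.5/51234)',
    '%ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.10/443 '
    'to inside:192.0.2.5/51234 duration 0:00:01 bytes 1234 TCP FINs',
    '%ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:192.0.2.9/445 '
    'by access-group "OUTSIDE_IN" [0x0, 0x0]',
    '%ASA-6-605005: Login permitted from 192.0.2.20/52000 to inside:192.0.2.1/ssh '
    'for user "admin"',
    '%ASA-6-302015: Built outbound UDP connection 777 for outside:203.0.113.53/53 '
    '(203.0.113.53/53) to inside:192.0.2.5/40000 (192.0.2.5/40000)',
]

# Constructed allow-list: only these message IDs are forwarded to the SIEM.
SECURITY_MESSAGE_IDS = {"106023", "605005"}
# Constructed human-readable names for the CEF "Name" header field.
NAME_BY_MSGID = {"106023": "ACL deny", "605005": "Login permitted"}

ASA_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def cef_escape_header(value: str) -> str:
    """CEF header fields: escape backslash and the pipe delimiter."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_extension(value: str) -> str:
    """CEF extension values: escape backslash and '=', encode CR/LF as \\r and \\n."""
    return (value.replace("\\", "\\\\")
                 .replace("=", "\\=")
                 .replace("\r", "\\r")
                 .replace("\n", "\\n"))


def build_cef(vendor: str, product: str, version: str, sig_id: str,
              name: str, severity: int, extension: Dict[str, str]) -> str:
    """Assemble a CEF:0 line: header fields are pipe-delimited, extensions are key=value."""
    header = "|".join(cef_escape_header(str(v))
                      for v in (vendor, product, version, sig_id, name, severity))
    ext = " ".join(f"{key}={cef_escape_extension(str(val))}"
                   for key, val in extension.items())
    return f"CEF:0|{header}|{ext}"


def asa_to_cef(line: str) -> Optional[str]:
    """Return a CEF line for security-relevant ASA messages, None for everything else."""
    m = ASA_RE.match(line)
    if m is None or m["msgid"] not in SECURITY_MESSAGE_IDS:
        return None  # unparsable or filtered out before it costs SIEM capacity
    asa_sev = int(m["sev"])           # ASA: 0 = emergency ... 7 = debug
    cef_sev = (7 - asa_sev) * 10 // 7  # constructed mapping onto CEF 0..10
    ext: Dict[str, str] = {}
    ips = IPV4_RE.findall(m["text"])
    if len(ips) >= 2:                 # first two addresses are source and destination
        ext["src"], ext["dst"] = ips[0], ips[1]
    ext["msg"] = m["text"]
    return build_cef("Cisco", "ASA", "unknown", m["msgid"],
                     NAME_BY_MSGID.get(m["msgid"], "ASA message"), cef_sev, ext)


def filter_and_convert(lines: Iterable[str]) -> List[str]:
    """Apply the pre-filter and conversion to a stream of raw log lines."""
    return [cef for cef in (asa_to_cef(line) for line in lines) if cef is not None]


if __name__ == "__main__":
    for cef_line in filter_and_convert(SAMPLE_ASA_LINES):
        print(cef_line)  # in production, hand these to syslog towards the connector
```

Of the five constructed lines, only the ACL deny and the administrative login survive the filter; the three connection build/teardown messages never reach the SIEM. The allow-list is deliberately explicit so that the decision about what is dropped is reviewable and can be reconciled against any regulatory requirement to collect everything, the caveat the review raises.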
it_user597606 - PeerSpot reviewer
Associate Manager at a tech services company with 10,001+ employees
Real User
Dashboards and channels provide real-time alerts. Correlation becomes slow if we have more than a certain number of rules.

What is most valuable?

Creating dashboards and real-time channels for real-time monitoring: This feature gives real-time alerts for the monitoring team to act upon. In certain cases, we can also create real-time email alerts for relevant teams for faster actions and resolutions.

How has it helped my organization?

This product has helped us and our customer with monitoring the security of different applications as well as different hardware devices. It helps in keeping an eye on each activity logged into our internal environment. This also helped us and our customer to meet the local regulatory requirement.

What needs improvement?

The correlation and storage have to be improved. The correlation works fine if we have fewer rules written, but it becomes slow if we have more than 200 rules written for any correlation. This created buffer-buckets for all events flowing into the system. There are other ways in which this can be improved.

For how long have I used the solution?

For the last one year, I have been using the current version, i.e., HPE ArcSight ESM, Hardware Appliance L5600, Software Version 6.8.

Before that, I used the earlier versions, i.e., v4.5 and v5.0, for nearly three years.

What do I think about the stability of the solution?

I have not encountered any stability issues with HPE ESM. It was stable all the time.

What do I think about the scalability of the solution?

We didn't encounter any scalability issues. We were able to scale it as and when required.

How are customer service and technical support?

The technical support needs improvement, as sometimes it takes time to get the actual response on the issue. It takes more than two days to reach a resolution as the support team needs a lot of basic information.

Which solution did I use previously and why did I switch?

I was not using any other solution previously.

How was the initial setup?

The setup was straightforward but it still needs involvement from the support team as sometimes credentials do not work.

What's my experience with pricing, setup cost, and licensing?

This is based on the requirement and budget. I would not like to comment on the pricing or licensing.

Which other solutions did I evaluate?

We looked at other solutions such as Splunk and IBM QRadar.

Disclosure: My company has a business relationship with this vendor other than being a customer: We have an alliance with HPE for their security products.
PeerSpot user
PeerSpot user
Sales Engineer at a tech services company with 1,001-5,000 employees
Consultant
Enables you to create a dashboard for analytics and set alerts.

What is most valuable?

It was easy to use when we created some dashboards for analytics. ArcSight allows you to create a dashboard and provides an on-the-fly filter.

How has it helped my organization?

It makes things easy when I create a new alert.

What needs improvement?

They need to improve the Web UI, similar to how it is done with Splunk.

ArcSight is still using a Java app to do analytics.

ArcSight Express is using HTML5, which is good. However, the capabilities of ArcSight Express are not good when the data grows.

What do I think about the stability of the solution?

I did not have any issues with stability.

What do I think about the scalability of the solution?

I did not have any issues with scalability.

How are customer service and technical support?

Technical support responds quickly.

Which solution did I use previously and why did I switch?

We previously used RSA enVision. We had issues with the report generation.

How was the initial setup?

The installation is very easy.

What's my experience with pricing, setup cost, and licensing?

The licensing should come in EPS format, not EPD format.

What other advice do I have?

You need to first know the SIEM concept. SIEM can grow significantly, so you need to understand how to use a collector properly.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Security Expert at a tech services company
Consultant
The correlation capabilities are valuable. It is too restrictive to suit the flexibility needs of the infrastructure.

What is most valuable?

Correlation capabilities: This product provides an advanced level of correlations, which is highly valued.

How has it helped my organization?

HPE ArcSight has helped us gain visibility of the solutions across the organization. We have been constantly identifying anomalous activities both internally as well as externally. These include malware proliferation, data loss, proxy bypass attempts, phishing and spear-phishing, port scans, etc.

What needs improvement?

It can be more user-friendly. The product is too restrictive to suit the flexibility needs of the infrastructure. It is sometimes hard to implement the solution as recommended by HPE.

For how long have I used the solution?

I have used this solution for around four and a half years. Currently, we are using HPE ArcSight Express 5, ESM 6.8, Connector Appliances and SmartConnectors 7.4.

What do I think about the stability of the solution?

In version 5, I used to experience some issues as it was using Oracle DB. However, I do not have any problems in version 6+.

What do I think about the scalability of the solution?

This product is not easily scalable. We particularly required skilled personnel to do this activity and it also took a significant amount of time.

How are customer service and technical support?

The technical support is poor.

Which solution did I use previously and why did I switch?

We were not using any other solution before. We started using HPE ArcSight straightaway.

How was the initial setup?

Setting up the ArcSight solution is always complex compared to other solutions out there. There are a lot of parameters and dependencies involved. Adding infrastructure complexity will add more complications. Distributed deployment is also difficult to implement.

What's my experience with pricing, setup cost, and licensing?

It is very expensive for larger deployments.

Which other solutions did I evaluate?

We are now working with open-source systems and Splunk solutions. We are decommissioning HPE ArcSight as it is getting impractical to manage and maintain the solution.

What other advice do I have?

There are better products in the market for medium to large-scale deployments. It is recommended to use this product for small-scale deployments, i.e., 200-800 EPS.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Network Security Administrator at a government with 1,001-5,000 employees
Vendor
With the console, I can move between analyzing events and creating content. SmartConnectors are not resilient and sometimes crash.

What is most valuable?

The ESM's interface is really comprehensive. While the ArcSight console is really heavy, and I tend to dislike Java-based Windows GUIs, it's feature-rich and provides a seamless way to move between analyzing events and creating content.

How has it helped my organization?

The ability to correlate such a diverse range of information into a single location is invaluable.

What needs improvement?

SmartConnectors should be resilient, since they ingest directly from sources (often sources that I have no control over). But they're not resilient. The slightest change in the format of an event can cause SmartConnectors to stop working completely, even for other properly formatted events.

For how long have I used the solution?

I have been using ArcSight for two years.

What do I think about the stability of the solution?

I've had stability issues, particularly with SmartConnectors. They sometimes crash. Worse still, they often report that they're working fine but completely stop listening for events.

What do I think about the scalability of the solution?

The ArcSight Logger is extremely limited when it comes to scalability. For a large deployment that could be handled by a single ESM, a dozen Loggers might be required. The cost of such an undertaking is prohibitive, and there are much more scalable solutions available (ES for instance).

How are customer service and technical support?

I would rate this zero, if I could. I have had many incidents opened with HPE Support for ArcSight products, and there has not been a single issue where their support was more valuable than the time it took to deal with them. In most of my experiences with them, I provided a thorough description of the problem including logs, config files, and sometimes .pcap files.

I then heard back from them roughly once or twice a day for a week, during which time they would ask questions that I had already answered, and suggest actions that couldn't possibly relate to my issue. Of course, I tried their suggestions, but they did not work. By then, I had always devised a workaround to reduce impact to production and didn't receive another suggested resolution for weeks or months.

Which solution did I use previously and why did I switch?

I have used many products that cover some of the territory claimed by ArcSight, including: Sourcefire 3D, ELSA, Sguil/Squert, RSA Security Analytics and Splunk. None of these were as comprehensive as ArcSight.

How was the initial setup?

Most of the initial setup is very straightforward, but some event sources require significant effort to integrate.

What's my experience with pricing, setup cost, and licensing?

ArcSight is exclusively an enterprise product and it is priced accordingly.

Which other solutions did I evaluate?

We evaluated QRadar and Splunk.

What other advice do I have?

Evaluate your needs. If you're only looking to integrate logs or do simple correlations, there might be a better choice out there. If you're looking for a single product that will let you aggregate, correlate and analyze many different sources in a single place, then there are few competitors that can come close to ArcSight's features.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user571005 - PeerSpot reviewer
System Support Engineer at a tech services company with 501-1,000 employees
MSP
Parsers are easy to create and test.

What is most valuable?

It’s a highly customizable solution. Rules can be customized to a great extent. Session lists, active lists, and global and local variables are pretty unique to the solution.

How has it helped my organization?

It can collect logs from many unsupported log sources. Parsers are easy to create and test.

What needs improvement?

The solution needs quite a bit of initial customization.

It needs more product integration, like NBAD and VM solutions, etc. Although the solution currently supports log collection from NBAD and VM solutions, it would be good to add features for HPE to have their own NBAD and VM solution.

There is room to improve the storage requirement.

Most SIEM solutions now have their own Vulnerability Management, NBAD, File Integrity Monitoring, etc., solutions that can be bought as an add-on module. HP does not seem to have any of those capabilities. The most important advantage of having such capabilities is that it allows users to view and analyse all the data on a single pane of glass. Regarding the initial customization, the solution needs some effort in terms of fine tuning to get the dashboards and reports to work. Once it is set up, I think the way the data can be used within the solution is the best, as it allows high customization.

For how long have I used the solution?

I have been using ArcSight for over five years.

What do I think about the stability of the solution?

The hardware requirements are very high and the solution has poor stability when they are not met.

What do I think about the scalability of the solution?

HPE ArcSight scales very well at the connector level, Logger level and the ESM level.

How are customer service and technical support?

Technical support is poor. This is one area that needs improvement.

How was the initial setup?

The initial setup is not complex, but is a little time consuming. Since the solution is highly customizable, the number of configurable options is high. HPE ArcSight allows distributed architecture.

What's my experience with pricing, setup cost, and licensing?

Pricing is high. There are multiple licensing options available. Hardware/software or hybrid licensing options are available. Some of the license upgrades are paper license upgrades.

Which other solutions did I evaluate?

We evaluated IBM QRadar, McAfee ESM, and AlienVault.

What other advice do I have?

Planning is very important. You need to know the security threats to your organisation to create the relevant rules. Look at other less-discussed modules of HPE ArcSight, like ArcSight Interactive Discovery and ArcSight ThreatDetector, for better results.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Network Security Engineer, Security Monitoring Center at a tech services company
Real User
FlexConnector collects logs from your own application.

What is most valuable?

The ArcSight solution supports your security team with many SIEM features:

  • Monitoring
  • Analysis
  • Alerts
  • Incident response

In my opinion, ArcSight is an open solution. It is easy to:

  • Customize components
  • Use FlexConnector to collect logs from your own application
  • Edit rules and the dashboard
  • Create work flows
  • Enrich information for events

How has it helped my organization?

I work at an ArcSight distributor in Vietnam. I have deployed the ArcSight solution for many customers. Some organizations are using it for SOC’s core and others for monitoring their information systems, critical assets, and regulatory and policy compliance.

For how long have I used the solution?

I have over two years of experience.

What do I think about the stability of the solution?

It can be overloaded when rules and data monitoring are not optimized and the system receives too many events.

What do I think about the scalability of the solution?

ArcSight can be extended to meet the biggest customers' (large enterprise) needs.

How are customer service and technical support?

ArcSight technical support is enthusiastic. They have a lot of experience and many case studies.

How was the initial setup?

ArcSight configuration and deployment is complex, because it has many components.

Which other solutions did I evaluate?

I researched Splunk, QRadar and AlienVault, and I appreciate Splunk and ArcSight.

What other advice do I have?

ArcSight provides many documents and guides for configuration and operation. Also, you can refer to its community at https://www.protect724.hpe.com.

Disclosure: My company has a business relationship with this vendor other than being a customer: My company is a partner of HPE ArcSight.
PeerSpot user
Security Expert at a tech services company with 501-1,000 employees
Consultant
With multi-tier hierarchical deployment, we are able to integrate and standardize security incident detection and response.

What is most valuable?

  • High flexibility: There are many custom sources of information that we wouldn't be able to integrate with another SIEM solution, thus compromising our security.
  • High performance: The amount of data fed to the solution is huge (100s of millions of events per day).
  • Capacity for multi-tier hierarchical deployment: We are able to integrate and standardize security incident detection and response over many locations.

How has it helped my organization?

  • Losses from security incidents have significantly decreased.
  • Security incident discovery and mitigation is a matter of hours, rather than days or even months, like it was before.
  • Detailed reports allow for planning and informed decision making.

What needs improvement?

The overall complexity of the product can be overwhelming for some. It's not the type of solution where you just plug it in and it works. Reaping full benefit from it requires quite a lot of custom tuning, qualified IT security personnel, and proper and thorough planning.

Technical support from the vendor can sometimes be quite slow and not very helpful, but it is getting better.

The GUI is outdated. Improvements on this are on the way, according to the vendor.

For how long have I used the solution?

I’ve been using ArcSight for five years.

What do I think about the stability of the solution?

We had stability issues only in a virtual environment, which is not recommended by the vendor for a high-load setup. The main virtual server would crash every now and then. But once we had migrated the setup to a dedicated physical server, we had no major stability issues.

What do I think about the scalability of the solution?

Scalability was one of our main concerns while choosing a solution and, so far, it has satisfied our needs in this area without any issues.

How are customer service and technical support?

Right now, I would call technical support moderately good, since it has improved greatly over the past years. There are still some issues with timeliness every now and then, but the number of critical issues is quite low.

Which solution did I use previously and why did I switch?

We have evaluated several solutions and HPE ArcSight was the only one that satisfied our requirements in performance, scalability, and flexibility.

How was the initial setup?

Initial setup was quite complex and required a lot of planning. That is a downside of the solution being flexible and customizable.

What's my experience with pricing, setup cost, and licensing?

The pricing and licensing model has changed dramatically over the last years, so I can't really give much advice on its current state. You need to be ready for the solution to be quite expensive.

Which other solutions did I evaluate?

We evaluated McAfee ESM.

What other advice do I have?

The keys to success with this solution are:

  • Careful deployment planning
  • Readiness to invest time and resources into training your IT security personnel
  • Fine tuning the solution to your specific needs

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Buyer's Guide
Download our free ArcSight Enterprise Security Manager (ESM) Report and get advice and tips from experienced pros sharing their opinions.
Updated: April 2025