Senior Manager at PT Permata Anugerah Abadi
Scalable, with good support and live reporting
Pros and Cons
- "The most useful features are directories, price, and live reporting."
- "The customer experience could be improved."
What is our primary use case?
We are resellers. We deal with many vendors to provide and implement solutions for our clients. We primarily use this product for logging data.
What is most valuable?
The most useful features are directories, price, and live reporting.
What needs improvement?
The customer experience could be improved.
I think they can improve the AI and monitoring. Also, they need an updated database.
For how long have I used the solution?
I have been dealing with this solution for approximately three years.
We are working with the last updated version.
Buyer's Guide
ArcSight Enterprise Security Manager (ESM)
December 2024
Learn what your peers think about ArcSight Enterprise Security Manager (ESM). Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,106 professionals have used our research since 2012.
What do I think about the stability of the solution?
The stability can be improved. The competitors are more stable.
What do I think about the scalability of the solution?
It's a scalable product and the scalability is good.
Our clients are usually enterprise companies.
How are customer service and support?
The technical support is good. They have been able to resolve our issues.
Which solution did I use previously and why did I switch?
We are using SIEM. It has a better dashboard and is more complete.
How was the initial setup?
The initial setup can be simple and also complex. It depends on the client's infrastructure.
What about the implementation team?
We implement the solution and maintain it for the clients.
What's my experience with pricing, setup cost, and licensing?
It's a good price; it's one of the cheaper solutions.
There are no additional costs.
What other advice do I have?
Depending on the size of the companies, I would recommend this solution. It's more suited for small to medium-sized companies.
I would rate this solution an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Analyst at a financial services firm with 10,001+ employees
Helps our clients with compliance and gives them real-time alerts and monitoring for their server data
Pros and Cons
- "We do consulting and I get feedback from our clients that the product really helped them with compliance, especially with GDPR."
- "I would like for them to integrate mobile devices. Integration or any kind of functionality which will act as a substitute for IBM so that we can really track our mobile devices as well as look at SIEM."
What is our primary use case?
We use this solution for clients that want database consulting. They have a lot of general user's data in that demise so they want to have a robust SIEM solution that they trust. They have real-time alerts and monitoring for their data server.
How has it helped my organization?
We do consulting and I get feedback from our clients that the product really helped them with compliance, especially with GDPR.
What needs improvement?
They should make a user manual for the technical people.
I would like for them to integrate mobile devices. Integration or any kind of functionality which will act as a substitute for IBM so that we can really track our mobile devices as well as look at SIEM.
What do I think about the stability of the solution?
I would rate the stability as a four out of five.
How was the initial setup?
The initial setup was easy. It was a two-month project plus one month setting up the best practices cost organization. In total, it was around a three-month project.
What's my experience with pricing, setup cost, and licensing?
Pricing is average.
What other advice do I have?
I would rate this solution a nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Consultant at a tech services company with 5,001-10,000 employees
It makes user behavior and problems on the network visible, which we can then solve
Pros and Cons
- "The real-time analysis adds value."
- "HPE ArcSight has a quite steep learning curve."
How has it helped my organization?
- User behavior and problems on the network are visible, which we can then solve.
- We can align policies with how people actually behave.
- MSSP options are very good.
What is most valuable?
- Large scale installations work well.
- The new user interface is nice.
- The real-time analysis adds value.
- The default packages on the new HPE Marketplace are useful and give nice default dashboards and reports for most of the well-known products.
What needs improvement?
HPE ArcSight has a quite steep learning curve. If you get to know the product well, it is the most powerful product that I have worked with. It would be nice if new users could start using the product more easily.
What do I think about the stability of the solution?
I would prefer to roll out HPE ArcSight ESM on physical hardware. Without proper tuning, running ESM on VMware does not work well. Loggers and connectors work fine on virtual components.
10,000 events per second, including correlation, on pretty normal hardware work well.
What do I think about the scalability of the solution?
We encountered no issues with scalability. If needed, ESM can be set up in tiered form. Loggers can be scaled horizontally very efficiently. One box can handle a lot of events.
How are customer service and technical support?
Customer Service:
Seven out of 10. Basic questions get answered quickly. More in depth questions require more time, which can be a problem. It has improved over the last two years.
Technical Support:
Initially, the level of technical support was not so good. Once you get put through to the people in the US, you will get the better answers.
Which solution did I use previously and why did I switch?
I have also used LogRhythm, which in my opinion has fewer features than ArcSight. 80% of use cases work well on both; for the most interesting 20%, I would use ArcSight.
How was the initial setup?
Initial setup was straightforward. From the manuals, it is clear what components need to be installed where. Not having to install agents on servers is a big advantage of ArcSight over other solutions that I have worked with.
What about the implementation team?
We did not use a vendor team to do the implementation. Our in-house teams could roll out ArcSight very well. Cooperation of a lot of teams is often needed to implement SIEM solutions: networking, OS, and compliancy. Depending on your company structure, cooperation between teams can cost the most time.
What was our ROI?
I have not been involved in the ROI calculations and considerations, thus I cannot give my thoughts on this point.
What's my experience with pricing, setup cost, and licensing?
Do not scale out (horizontally) too quickly. A good box can handle a lot of EPS. You will not need to buy more licenses if you use one box in a good way. Also, aggregation can help a lot in pushing down licensing costs.
Which other solutions did I evaluate?
We also looked at Splunk and LogRhythm for every installation. All three have their own benefits. For large scale installations with multiple users and (sub) companies, ArcSight is the best option.
What other advice do I have?
Get a training course and start working with it quickly after getting your course. It is easy to forget all the options ArcSight has.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Manager at a financial services firm with 1,001-5,000 employees
It provides event correlation across multiple device categories. The web console should have all the features of the standard console.
What is most valuable?
- Event correlation across multiple device categories: It allows us to have a full picture of what is happening in the environment.
- Flexible event collection: Besides hundreds of standard devices, you can send custom CEF Syslog prepared with your own scripts.
- Customization of alerts: Velocity macros allow you to send very clear and user-friendly alerts.
How has it helped my organization?
This product gave us a clear picture of the network traffic, including the useless parts. It also allowed us to detect a large range of threats, starting from the malware infected workstations to misconfigured devices.
What needs improvement?
The web console should have all the features of the standard console.
In addition, the upgrade process should be simpler.
For how long have I used the solution?
I have used this solution for 10 years and 8 months.
What was my experience with deployment of the solution?
I did have some small issues at the beginning. It was mostly due to not reading the documentation or sending too many events in the HPE ESM solution.
What do I think about the scalability of the solution?
Scalability was not an issue. The environment was relatively stable and we filtered out non-security events using custom scripts.
How are customer service and technical support?
I have had mixed experiences over the years. Customer service was good, while the technical support was mostly great.
There were a few glitches, like assigning our trouble ticket to a support specialist in an impossible time zone.
Which solution did I use previously and why did I switch?
I have not used any other solution. In 2005, we started directly with the HPE ArcSight solution because our company security consultant recommended it.
How was the initial setup?
In 2006, when we first installed HPE ArcSight into production, we disabled most of the default rules and other object categories. Today, this may not apply. After that, we designed and implemented our own rules, filters, field sets, active lists, session lists, reports, alerts, etc.
The first year was hard. In the following years, we mainly did the fine tuning, added new event categories and also did a lot of updates/upgrades.
What about the implementation team?
We carried out a pilot implementation based on the initial SOW, including several basic use cases. This allowed us to understand what is really happening in the environment and we learned that most of the default rules are not appropriate for us. After the pilot was successful, we bought the solution.
What was our ROI?
Calculating ROI is tricky and was never a concern for us. The simple fact that HPE ArcSight helped us several times to survive malware attacks (Conficker was one such attack), and that it also helped a lot with different compliance audits, was enough for us.
What's my experience with pricing, setup cost, and licensing?
In order to avoid huge licensing costs, you should use pre-filtering of events, outside the ArcSight solution. We did this for Cisco ASA firewalls, Microsoft TMG proxies, etc. Of course, this approach may not work, if you have regulatory constraints and have to collect everything.
What other advice do I have?
You must understand your environment and its dynamics.
Talk with IT people, write down the most important use cases, shortlist at least three SIEM solutions, do several pilots and then choose well.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Expert at a tech services company
The correlation capabilities are valuable. It is too restrictive to suit the flexibility needs of the infrastructure.
What is most valuable?
Correlation capabilities: This product provides an advanced level of correlations, which is highly valued.
How has it helped my organization?
HPE ArcSight has helped us gain visibility of the solutions across the organization. We have been constantly identifying anomalous activities both internally as well as externally. These include malware proliferation, data loss, proxy bypass attempts, phishing and spear-phishing, port scans, etc.
What needs improvement?
It can be more user-friendly. The product is too restrictive to suit the flexibility needs of the infrastructure. It is sometimes hard to implement the solution as recommended by HPE.
For how long have I used the solution?
I have used this solution for around four and a half years. Currently, we are using HPE ArcSight Express 5, ESM 6.8, Connector Appliances and SmartConnectors 7.4.
What do I think about the stability of the solution?
In version 5, I used to experience some issues as it was using Oracle DB. Although, I do not have any problems in version 6+.
What do I think about the scalability of the solution?
This product is not easily scalable. We particularly required skilled personnel to do this activity and it also took a significant amount of time.
How are customer service and technical support?
The technical support is poor.
Which solution did I use previously and why did I switch?
We were not using any other solution before. We started using HPE ArcSight straightaway.
How was the initial setup?
Setting up of the ArcSight solution is always complex compared to other solutions out there. There are a lot of parameters and dependencies involved. Adding infrastructure complexity will add more complications. Distributed deployment is also difficult to implement.
What's my experience with pricing, setup cost, and licensing?
It is very expensive for larger deployments.
Which other solutions did I evaluate?
We are now working with open-source systems and Splunk solutions. We are decommissioning HPE ArcSight as it is getting impractical to manage and maintain the solution.
What other advice do I have?
There are better products in the market for medium to large-scale deployments. It is recommended to use this product for small-scale deployments, i.e., 200-800 EPS.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Network Security Administrator at a government with 1,001-5,000 employees
With the console, I can move between analyzing events and creating content. SmartConnectors are not resilient and sometimes crash.
What is most valuable?
The ESM's interface is really comprehensive. While the ArcSight console is really heavy, and I tend to dislike Java-based Windows GUIs, it's feature-rich and provides a seamless way to move between analyzing events and creating content.
How has it helped my organization?
The ability to correlate such a diverse range of information into a single location is invaluable.
What needs improvement?
SmartConnectors should be resilient, since they ingest directly from sources (often sources that I have no control over). But they're not resilient. The slightest change in the format of an event can cause SmartConnectors to stop working completely, even for other properly formatted events.
For how long have I used the solution?
I have been using ArcSight for two years.
What do I think about the stability of the solution?
I've had stability issues, particularly with SmartConnectors. They sometimes crash. Worse still, they often report that they're working fine but completely stop listening for events.
What do I think about the scalability of the solution?
The ArcSight Logger is extremely limited when it comes to scalability. For a large deployment that could be handled by a single ESM, a dozen Loggers might be required. The cost of such an undertaking is prohibitive, and there are much more scalable solutions available (ES for instance).
How are customer service and technical support?
I would rate this zero, if I could. I have had many incidents opened with HPE Support for ArcSight products, and there has not been a single issue where their support was more valuable than the time it took to deal with them. In most of my experiences with them, I provided a thorough description of the problem including logs, config files, and sometimes .pcap files.
I then heard back from them roughly once or twice a day for a week, during which time they would ask questions that I had already answered, and suggest actions that couldn't possibly relate to my issue. Of course, I tried their suggestions, but they did not work. By then, I had always devised a workaround to reduce impact to production and didn't receive another suggested resolution for weeks or months.
Which solution did I use previously and why did I switch?
I have used many products that cover some of the territory claimed by ArcSight, including: Sourcefire 3D, ELSA, Sguil/Squert, RSA Security Analytics and Splunk. None of these were as comprehensive as ArcSight.
How was the initial setup?
Most of the initial setup is very straightforward, but some event sources require significant effort to integrate.
What's my experience with pricing, setup cost, and licensing?
ArcSight is exclusively an enterprise product and it is priced accordingly.
Which other solutions did I evaluate?
We evaluated QRadar and Splunk.
What other advice do I have?
Evaluate your needs. If you're only looking to integrate logs or do simple correlations, there might be a better choice out there. If you're looking for a single product that will let you aggregate, correlate and analyze many different sources in a single place, then there are few competitors that can come close to ArcSight's features.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information Security Architect at a tech services company with 51-200 employees
Its flexibility is achieved by being easy to use, and at the same time having very sophisticated FlexConnectors.
What is most valuable?
The best feature of ArcSight is its flexibility. Almost no other vendor provides such a good framework to collect, parse, and analyze data. Its flexibility is achieved by being easy to use, and at the same time having very sophisticated FlexConnectors. Also, I've found ArcSight's correlation engine to be the most advanced on the market.
How has it helped my organization?
My customers who use ArcSight report that it becomes very useful in incident detection and forensics. It's really sped up disclosure of inappropriate activity in information systems and on the network. Flexible event collection allows getting crucial events from almost every possible source. And correlation abilities are incredible if you know how to cook it.
What needs improvement?
Many competitors are going down the road of combining their products with other security products, such as vulnerability scanning, configuration control etc. HP's position doesn't change in that area as they offer to use their standalone solutions and integrate them in ArcSight. There are no embedded scanners or network forensics. Maybe it's time for HP to rethink that position.
For how long have I used the solution?
I've been working with HP ArcSight since 2008. All that time, the product has been growing and evolving, trying to give us more profit and a better experience to old and new customers.
What was my experience with deployment of the solution?
We have had no issues with the deployment.
What do I think about the stability of the solution?
If you encounter serious performance problems, you didn't size correctly prior to deployment.
What do I think about the scalability of the solution?
The scalability options are pretty good although costly.
How are customer service and technical support?
Customer Service:
Every product has its stability bugs, and ArcSight is not an exception, though I haven't found anything critical.
Technical Support:
I must say that tech support is getting worse and worse every year. Hard cases may "hang" for months. In simple cases, support often demonstrates a lack of deep knowledge. When ArcSight was not HP, its product support was much much better. Even first-line support could help with anything.
Which solution did I use previously and why did I switch?
As a systems integrator, we constantly evaluate different solutions and deploy not one but many of them. My personal opinion is that a crucial feature for a SIEM system is flexibility. The more you can tune, adjust, and develop the system, the more profit you will get from it. If we're talking about SIEM solutions, then no one can offer such flexibility as ArcSight. Splunk maybe, but Splunk is not SIEM, and to get SIEM-like features from it you spend more time and money.
What about the implementation team?
As a system integrator, I always say that implementation must be done by an experienced team. SIEM solutions are not easy, so if time is important, do not rely on doing it haphazardly.
What's my experience with pricing, setup cost, and licensing?
We would like it to be cheaper, but the licensing model is pretty simple.
What other advice do I have?
You need to read the documentation - you can then get it fast and working. If you do not read the documentation, you get pain and tears. Look for an experienced team to deploy the solution, or get experience yourself as HP has some good learning courses.
Deep knowledge of the product will come later, but for the correct implementation you need to be prepared. ArcSight has a wonderful community, and you can always ask a question or find an interesting use case there. It's a very useful resource indeed, do not hesitate to visit it.
Disclosure: My company has a business relationship with this vendor other than being a customer: We integrate ArcSight for our customers.
IT Security Consultant at a tech services company with 51-200 employees
The ESM and logger are powerful tools but log support needs improvement
What is most valuable?
Too many to name, but here are a few:
- Its versatility when it comes to vendor support.
- The ESM and logger are powerful tools. If used properly, we can achieve much more than we previously could. The Alert and Case Tracking mechanism contributes to the work of ESM and Logger.
- Express, all-in-one component is best for small businesses.
- NTP is efficient in blocking identified threats.
- ArcSight Flex Connector Development module is an excellent feature if you want to get the logs from unsupported vendor products.
How has it helped my organization?
I am a service provider for this product, so I provide value to the customer based on their requirements. The requirements are generally based on the lines of compliance and better security vision of what is going on in the organization, and who is doing what etc. and to mitigate external threats like port scans, DOS, malware ingestion, phishing etc.
What needs improvement?
Better reporting with the nice look and feel available in the wider market; also more vendor log support. HP should improve their Tech Support status.
For how long have I used the solution?
3+ years
What was my experience with deployment of the solution?
A few, depending on the specific organization's structure and policies.
What do I think about the stability of the solution?
No
What do I think about the scalability of the solution?
The solution itself is very scalable, but it is also a lot more expensive than other players.
How are customer service and technical support?
Customer Service: Poor
Technical Support: Poor
Which solution did I use previously and why did I switch?
No
Which other solutions did I evaluate?
Splunk, RSA Envision, McAfee Nitro and IBM QRadar
What other advice do I have?
Consider the complexity of this solution and choose the right people to deploy it.
Disclosure: I am a real user, and this review is based on my own experience and opinions.