ArcSight Enterprise Security Manager (ESM) Reviews

• High flexibility: There are many custom sources of information that we wouldn't be able to integrate with another SIEM solution, thus compromising our security.
• High performance: The amount of data fed to the solution is huge (100s of millions of events per day).
• Capacity for multi-tier hierarchical deployment: We are able to integrate and standardize security incident detection and response over many locations.

• Losses from security incidents have significantly decreased.
• Security incident discovery and mitigation is a matter of hours, rather than days or even months, like it was before.
• Detailed reports allow for planning and informed decision making.

The overall complexity of the product can be overwhelming for some. It's not the type of solution where you just plug it in and it works. Reaping full benefit from it requires quite a lot of custom tuning, qualified IT security personnel, and proper and thorough planning.

Technical support from the vendor can sometimes be quite slow and not very helpful, but it is getting better.

The GUI is outdated. Improvements on this are on the way, according to the vendor.

I’ve been using ArcSight for five years.

We had stability issues only in a virtual environment, which is not recommended by the vendor for a high-load setup. The main virtual server would crash every now and then. But once we had migrated the setup to a dedicated physical server, we had no major stability issues.

Scalability was one of our main concerns while choosing a solution and, so far, it has satisfied our needs in this area without any issues.

Right now, I would call technical support moderately good, since it has improved greatly over the past years. There are still some issues with timeliness every now and then, but the number of critical issues is quite low.

We have evaluated several solutions and HPE ArcSight was the only one that satisfied our requirements in performance, scalability, and flexibility.

Initial setup was quite complex and required a lot of planning. That is a downside of the solution being flexible and customizable.

The pricing and licensing model has changed dramatically over the last years, so I can't really give much advice on its current state. You need to be ready for the solution to be quite expensive.

We evaluated McAfee ESM.

The keys to success with this solution are:

• Careful deployment planning
• Readiness to invest time and resources into training your IT security personnel
• Fine tuning the solution to your specific needs

Intrusion Detection System (IDS)

Security Information and Event Management (SIEM)

To organizations like mine, security information and event management products being introduced in the industry, as an outcome of several vulnerability, are able to provide real-time monitoring reporting and defense against these attacks. It has helped us to gather, store, correlate and analyze security log data from many different information systems.

For this review, ArcSight sent me the Logger 4 7000-series appliance (2U) with six 1TB RADIUS drives, the maximum amount of internal storage available. I will like to see a threat analytics module. Also, the ability to produce reports.

For us, there are several valuable features.

• The ability to correctly parse the most number of products comparing to its competitors;
• The ability to create very complex scenarios to detect security risks and anomalies;
• Very stable system components (connectors, logger and correlation engine) combined with satisfactory vendor support; and
• The ability to create parsers for all kinds of applications and systems is an important differentiator.

It greatly changed our work habits in the organization allowing us to not only trace back security threats, but also to generate usage trends, discover anomalies and so many other usages. It quickly became an indispensable tool.

They can definitely provide faster search response and offer larger on-the-box storage support. The predefined correlation ruleset can be improved to cover more security alerts and more products.

There is also still room for improvement for processing speed. An easily accessible documentation such as reference architectures does not exist, more guidance can be provided to customer for such a complex product.

We've had no issues with deployment.

We've had no issues with stability.

We've had no issues with scalability.

We use this solution for clients that want database consulting. They have a lot of general user's data in that demise so they want to have a robust SIEM solution that they trust. They have real-time alerts and monitoring for their data server.

We do consulting and I get feedback from our clients that the product really helped them with compliance, especially with GDPR. 

They should make a user manual for the technical people.

I would like for them to integrate mobile devices. Integration or any kind of functionality which will act as a substitute for IBM so that we can really track our mobile devices as well as look at SIEM.

I would rate the stability as a four out of five. 

The initial setup was easy. It was a two-month project plus one month setting up the best practices cost organization. In total, it was around a three month project.

Pricing is average. 

I would rate this solution a nine out of ten. 

Having a SIEM solution in general improves the way an organization functions, especially in the SOC part. With HPE ArcSight, we were able to deploy multiple dashboards, reports, and use case views that combine different views, data, and variables.

One of the most valuable features is the Active List/Session List capability.

Multiple use cases were only possible to be created due to this feature list. The feature list allows us to input data dynamically to list it as a rule action.

For example: If you need to take a Source IP from an IPS event and put it in an ActiveList suspicious IP, you can create another rule for AntiVirus events where it only matches IPs within that list.

The main area is the GUI interface. Although a lot of improvements were made on the GUI in the last version (6.9.1), there are still a lot of configurations that need to be done using the console.

The console is not a bad tool to use. I personally like to use it. However, compared to competitive solutions (Splunk, QRadar), it appears to be a weakness.

In general, it is a very stable product. We did multiple implementations, and we never had any major issues.

As with any other solution that handles a large number of logs/data, regular fine-tuning is required. This fine-tuning makes sure that the system is doing what is supposed to do, with the capacity load that it was designed/sized to do

There were no scalability issues. A single Express/ESM Appliance is usually enough to support most of the enterprise’s needs. Only package upgrades need to be purchased. No hardware changes are necessary.

As for the loggers for long retention, you can add multiple loggers and cluster them as one virtual appliance. This provides for an easy scalability feature.

For the connectors part, you can implement as many connectors as you need so you can cover all your zones/branches. At a later time, a load-balanced connector for syslog can be introduced to make sure that logs for sensitive UDP packets are lost.

We barely used the technical support assistance except for licensing. The times when we did use it, they were very good.

We worked with RSA enVision/RSA SA as a partner:

• RSA enVision was very basic and was very hard to fine-tune.
• RSA SA (logs/packets) is more oriented towards packets/investigation and lacks multiple features when only using it for log management/SIEM.

The initial setup was very easy. A fresh ESM/Express Installation with a connector can be up and running within a few hours.

With all of the best SIEM solutions, the biggest chunk of work comes later in creating customized rules, dashboards, use cases, and flex connectors for non-supported devices.

In general, ArcSight solutions can cost a lot in big deployments. That comes as a result of having a big, scalable, stable, and feature-rich solution.

As a partner, we sell the product. We shifted from RSA to ArcSight based on our internal evaluations.

We tested McAfee Nitro, which was not mature enough at the time compared to ArcSight.

Do a live PoC to test all needed features.

Think of use cases that you would like to deploy and make sure they are doable on the system, without additional licenses/appliances.

Choose a mature partner who is able to deliver the implementation even if it costs a bit more. The most common factor of failed SIEM experiences are due to bad implementations from non-experienced partners/engineers.

From the time that we purchased it, the multi-tenancy feature has been the most valuable for us. At the time, HP was the only vendor with this feature, but it seems that every vendor today does. Another feature we like is the live threat feed that's quite advanced. HP is the industry leader with this from an SIEM perspective.

From a daily perspective, ArcSight prevents attacks while it actively monitors our systems. It provides us analytics for these attacks and helps keep us abreast of the latest threats because of live threat feeds.

It's complicated to deploy. I need a logger at each site, which also gets quite expensive. There's no shared loggers.

We've had no issues with deployment, although it's complicated.

It's a pretty stable solution. We've had no issues with instability.

It's very scalable.

They're pretty good and responsive.

The initial setup was complex and required a lot of customization and tinkering. There are other products on the market that are very light, and this is not one of them. To get all the functionalities and to exploit them, it takes a long time to deploy. It takes 3-4 months.

It's very expensive in its licensing model.

Definitely consider it as a top-3 choice, but know what you're trying to achieve with an SIEM tool.

It's a reliable service and provides our team members with a lot of knowledge. In turn, it provides solutions for the needs of the IT department.

There are improvements that could be made to help us insure that we're in compliance with our monitoring requirements.

I've been in my group for over eight years and we've used it for the entire time. I'm not sure when the initial implementation was.

We've had no issues with deployment.

It's consistently stable. I've not heard any complaints about instability.

HP has delivered for our company and its size.

The initial setup was done more than eight years ago before I started with the company.

We bring in an HP consultant for development and implementation.

It's a solid product supported by a solid company.

We primarily use the solution for consolidating the logs from all the applications and databases and different centers.

The solution is very good at consolidating logs from a variety of sources.

The solution is pretty stable.

The solution can scale.

The way that scaling is set up isn't very cost-effective.

The automation needs to be improved. Everybody needs automation as there is a lack of analysts these days in all of our security diagnostic accounts. There's too much noise in the data they push to you. It's a lot of white noise, and it takes a lot of time to sort through the all false positives that ArcSight triggers to you.

It's very complicated to see if something is a real case and if it's a threat or not. It's very difficult to be able to check that the information sent as they are sending you thousands of messages per day regarding threats. It's very difficult for an analyst to be able to pinpoint the real root cause of the problem. 

I would suggest that they offer full automation and filtering for white noise. By white noise I mean the bulk of messaging and alerts they have been sending to the security analysts. It's difficult for them to realize if it's a threat or not in the end, and you need to spend a lot of time among other systems that you also need to manage. Maybe only 10% of this information is useful for a security analyst.

The product should improve its ease of use.

They should work to have a more let's say intuitive dashboard, a real-time intuitive dashboard, and to focus it on the most important, critical assets in the company. 

The solution requires a lot of expertise and manpower to deploy the solution.

We've been using the solution for nine years. It's been just under a decade.

The solution is pretty stable. However, they've got some problems in terms of interacting with APIs. To try to make ArcSight speak with other solutions and try to correlate information from IPS/IDS solutions looks pretty complicated. 

The solution can scale if you need it too. It's just an expensive process.

Regarding the scalability, it was a problem that their license model was EPS. If you're familiar with EPS licensing model, events per second, it is not a very good idea as a model as you cannot foresee what's in 2021 or what will be in 2022. From our point, it causes a lack of proper budgeting due to the fact that it's very difficult to budget how many events per second you will generate in all your systems. 

We haven't really dealt with technical support. I wouldn't be able to speak to the quality of their services.

The initial setup is very, very complex, and requires a lot of consultancy and professional services associated with it. It's not at all easy to install the solution as per my knowledge. It's very complicated. 

The licensing model is based on EPS - Events Per Second - and it makes it hard to budget how much the solution will cost.

The solution is pretty expensive.

At a marketing level, we've checked out Splunk. We have not tested it internally on our servers. We simply took a closer look at their marketing and their strategic messaging.

We have used on-premises previously. We have never tested the cloud option if they have one. 

I would rate the solution seven out of ten. I consider Splunk and LogRhythm to be the number one solutions in the market.

I would advise others to try to be very careful when they got a quote from ArcSight, as, in the end, what they offer to you initially is not what you will end up in the end in terms of budgeting and pricing, and the level of expectations.