ArcSight is a legacy technology, and many customers want AI-powered technologies integrated with it. That hasn't been done yet, but ArcSight needs to catch up with the newer solutions and technologies available in the market. It can't just rely on the legacy technology from 2010 or 2012. You can't run that in 2024. It's a legacy technology with its own limitations. Customers often face issues that other software or newer solutions can resolve easily. That's the main challenge we face from customers right now. So, the only concerns are that AI needs to be integrated and scalability improved. Those are the main areas to be improved.
We have pricing issues. ArcSight ESM may not be the most user-friendly option, and its interface is quite traditional. However, despite these aspects, we find it a good cybersecurity solution. It needs to improve the dashboards, documentation, and support as well. The documentation and community support for ArcSight ESM are not as strong as for other solutions. Finding resources and analysts who have experience with ArcSight can be challenging. The solution is less user-friendly than alternatives like Splunk, QRadar, or Sentinel. The technical nature of ArcSight may make analysts hesitant to dive into it, contributing to a steeper learning curve.
More integration with various log sources, especially considering new cloud platforms. Lots of different platforms are now coming. For example, nowadays, we have more products related to cloud platforms. So, we have Azure native security firewalls. We have Oracle native security firewalls. I want that integration with them so that I can receive the logs directly from them and define a unified correlation mechanism for it.
The query language should be less complex. The UI is somewhat complex and needs to be simplified. The dashboards don't read in a graphical manner. You have to read the logs and the output whenever you run a query. You need to understand the output. You have to export it to a .CSV and then design the visualization as per your requirements. We're missing visual dashboards and reporting. We'd like to have the reporting of simple histories, and we need dashboards to show details in a presentable format. In the logs, we're capturing multiple fields, some of which we do not need. There should be an option to just keep the fields you require and discard the rest.
The solution can be improved regarding integration with other security products, ease of implementing some features, and the feeling that we're not utilizing the solution as well as we could. In the next release, the solution should incorporate some threat intel features and integrate well with other network solutions, EDRs, PAM solutions and the like. Additionally, the reporting can be improved to bring out very insightful reports showing senior management the value of the solution.
ArcSight could improve by using AI and ML. More people are leaning towards this type of solution. They could also improve the product by integrating user and identity behavior analytics. The threat environment is changing every day. The traditional approach of discovering threats within the environment is gradually changing. We need new approaches to intelligently discover threats within the environment. ArcSight needs to improve its product to move in this direction.
The dashboard looks a bit cumbersome in the current version. They should work on the dashboard and optimize their integration, which currently lags with devices from reputable vendors. So, having these custom integrators sometimes works and sometimes doesn't.
ArcSight ESM's UI is a little cumbersome and complex, especially for first-time and occasional users using the console manager. It's also a very complex product, and new users will require assistance from someone expert to avoid making errors.
Head Global Alliances Director at Tech Mahindra Limited
Reseller
2022-07-04T18:39:00Z
Jul 4, 2022
What could be improved in ArcSight Enterprise Security Manager (ESM) is its analytics feature. That feature should be more powerful and have more correlation in terms of AI/ML, though Micro Focus has done a good job in adding analytics to ArcSight Enterprise Security Manager (ESM), which has become a big draw for customers. What I'd like to see in the next release of the solution is the addition of AI/ML features.
Technical Lead Project Individual Contributor at DXC
Real User
2022-04-27T10:53:29Z
Apr 27, 2022
The visualization is not very good compared to Splunk. The dashboard and the compatibility with new devices could be better. For example, we have a lot of cloud infrastructure that's coming around. Nowadays, most of the appliances are cloud-based. So, the compatibility of Splunk with cloud infrastructure is greater. With ArcSight, we have to build FlexConnectors to integrate multiple data sources, and we need visualization for that with FlexConnectors. If you go to Splunk, they have their own apps developed, and they work more proactively compared to ArcSight. The performance and speed could be better. Technical support could be improved.
Senior IT security Administrator and solution at scada.ci
Real User
2022-04-11T18:24:11Z
Apr 11, 2022
The user interface of ArcSight Enterprise Security Manager could improve. It is not very good. Additionally, they could integrate the web interface better.
Business Development Manager at Escom Bulgaria EOOD
Real User
2022-01-17T06:13:00Z
Jan 17, 2022
The onboarding process for this solution could be better. Additional features I'd like to see in the next release are a better GUI (graphical user interface), and for them to include intelligence tools, e.g. dark web threat intelligence, etc.
The interface (the console) looks pretty old right now, so it could benefit from a more modern design. It's functional, but not as visually appealing as it could be. For additional features, I'd say capabilities regarding the behavioral analytics integrated in the solution. Right now, there's something in place, but it's not integrated on our side of the platform.
I'd like to see an improvement in their training and documentation. SOAR (Security Orchestration, Automation, and Response) would be a good feature to include in the future.
Security Engineer at a tech services company with 1,001-5,000 employees
Real User
2021-02-22T18:09:05Z
Feb 22, 2021
Its search part can be improved. When I go to the console and search for a few logs or something else, it takes a lot of time. When I try to search for three days or one week, it takes too much time. This is a major area of improvement. I wanted them to include features like SOAR, threat intelligence, and automation, and they seem to have included all these features in version 7.3 or 7.4.
Chief Information Officer at Bassein Catholic Co-Op Bank
Real User
2021-02-18T20:26:33Z
Feb 18, 2021
When I asked our networking juniors for a comparison between LogRhythm and ArcSight, they said that both platforms are almost the same. It is just that LogRhythm is more modern with a digital platform, which probably gives it some advantage over ArcSight. ArcSight is a very old and mature product that is running on an old platform. It is an old legacy platform. In terms of new features, it just requires platform upgrades so that it becomes lighter and easily adaptable, specifically in the cloud. It would be a good thing if they can also make reporting easier.
Information and Cyber Security Analyst at a financial services firm with 10,001+ employees
Real User
Top 20
2021-02-15T21:51:11Z
Feb 15, 2021
I am having issues with report generation with older versions. I don't know if this is because of compatibility issues, but report generation has been a little bit difficult in older versions. It is not similar to the newer and current versions. We are looking at moving to the cloud. It would be good if ArcSight ESM can move to the cloud. They already seem to be working on this. It would also be very helpful and great if we can integrate external threat intelligence, machine learning, and AI into this solution. It has good dashboards, but they can always be better. Its stability can also be improved.
Managing partner at a tech services company with 11-50 employees
Real User
2021-02-12T22:45:27Z
Feb 12, 2021
The way that scaling is set up isn't very cost-effective. The automation needs to be improved. Everybody needs automation, as there is a lack of analysts these days in all of our security diagnostic accounts. There's too much noise in the data they push to you. It's a lot of white noise, and it takes a lot of time to sort through all the false positives that ArcSight triggers for you. It's very complicated to see if something is a real case and if it's a threat or not. It's very difficult to check the information sent, as they are sending you thousands of messages per day regarding threats. It's very difficult for an analyst to be able to pinpoint the real root cause of the problem. I would suggest that they offer full automation and filtering for white noise. By white noise I mean the bulk of messaging and alerts they have been sending to the security analysts. It's difficult for them to realize if it's a threat or not in the end, and you need to spend a lot of time among other systems that you also need to manage. Maybe only 10% of this information is useful for a security analyst. The product should improve its ease of use. They should work to have a more, let's say, intuitive dashboard, a real-time intuitive dashboard, and focus it on the most important, critical assets in the company. The solution requires a lot of expertise and manpower to deploy.
Associate Vice President at a consumer goods company with 201-500 employees
Real User
2020-09-21T06:33:00Z
Sep 21, 2020
We need to have more data to work with. The more data you have, the more you will be able to give the right information, and basing it on the historical information allows you to take more action. When you don't have enough data, you can't really get the right insights. The stability isn't quite perfect. We occasionally run into problems.
Principal Enterprise Architect (Technology, Cloud & Security) at a retailer with 10,001+ employees
Real User
2020-09-09T06:29:00Z
Sep 9, 2020
The centralized dashboard for the hybrid cloud environment needs to be more focused. It needs to be redefined because it's missing most of the information. ArcSight should also be a little bit easier to use. Currently, integration with various applications and connectors is not that easy. Deployment is easy, but integration is not that easy. ArcSight also has very high bandwidth consumption when pulling from the local servers. It should have some kind of better process or ability to transfer files from on-premises to the cloud, from the cloud to on-premises, and from one cloud to another cloud.
The deployment topology could be improved. If you want to scale across all the different lines of business, it should be easy to do that, and it's not. If I'm doing DMX monitoring, I shouldn't need a different SIEM. The traditional application servers which are RTTR architecture-based, the legacy applications, which might be Java or steam-based applications, require DMX monitoring, currently provided by Nagios. Instead, the monitoring could be different types of monitoring which we could get from ArcSight. It would save the cost of doing the DMX monitoring from Nagios. QRadar has a dashboard which includes most of the monitoring, data and everything. The features in ArcSight could be more like that.
Head - Professional Services at a computer software company with 51-200 employees
Real User
2020-08-03T06:11:05Z
Aug 3, 2020
Over the past two years, a lot of improvements have been happening. The biggest requirement is that there is no cloud solution for this product yet. They need to create a cloud version. It's the biggest thing they can do to make the solution better. The dashboard and user interface need some work. It's my understanding that they are developing better versions of those now.
The following needs to be improved:
* We would like the ability to easily identify either unused resources or those that are being used sub-optimally.
* ESM should make usage of variables and other such deep customizations highly intuitive.
* User behavior analytics is too pricey but an essential tool.
One of the problems for the security center is that there are many logs that need to be retrieved from a variety of network devices. The weakness in this system comes about because, with so many different logs, it is possible that the security analyst will lose information. I would like to have better support for wide-area data analytics. Ideally, I would like to see ArcSight have the ability to consume raw information, or raw data, without being dependent on a log file.
For somebody who is new and just starting with this product, they find it really tough. The software is quite big. It would be nice if the interface were more user-friendly, with, for example, a minimal number of tabs to navigate. A walkthrough that shows everything a normal user might do would be very helpful. I would like to see improvements on the Active Channel side of this solution.
There are several improvements that we would like to see, including:
* Building a system based on a log collection (SOC)
* A scenario for external encroachment
* Operator training
ArcSight Enterprise Security Manager (ESM) is a powerful SIEM solution for analyzing, collecting, correlating, and reporting on security event information. ArcSight ESM analyzes information from all of your data sources while helping your organization maintain high security. In addition, the solution is very customizable and enables users to create their own company-specific rule sets to automatically trigger instant alerts.
ArcSight Enterprise Security Manager (ESM) Features
Real-time...
It would be nice to have it on the cloud so that you can deploy it easily, saving time and resources.
There could be more API features for extracting logs on different devices included in the product.
ArcSight ESM is not easy to use and it should be integrated with other tools that have infrastructure capabilities.
ArcSight ESM is lacking cloud scalable technology.
The initial setup could be more straightforward.
ArcSight ESM could improve by adding more features and documentation. There needs to be more documentation.
ArcSight ESM needs to improve performance, user interface, and automation.
OOB content is limited. Micro Focus should release the SmartConnector update on a quarterly basis.
The customer experience could be improved. I think they can improve the AI and monitoring. Also, they need an updated database.
The security is difficult. I would like to have a feature that gives us an entire report listing what devices are integrated.
A lot of improvements could be made in the product. I think the roadmap is not clear, and there is no AI or machine learning solution.