PeerSpot user
Network Security Engineer, Security Monitoring Center at a tech services company
Real User
FlexConnector collects logs from your own application.

What is most valuable?

The ArcSight solution supports your security team with many SIEM features:

  • Monitoring
  • Analysis
  • Alerts
  • Incident response

In my opinion, ArcSight is an open solution. It is easy to:

  • Customize components
  • Use FlexConnector to collect logs from your own application
  • Edit rules and the dashboard
  • Create work flows
  • Enrich information for events

How has it helped my organization?

I work at an ArcSight distributor in Vietnam. I have deployed the ArcSight solution for many customers. Some organizations are using it for SOC’s core and others for monitoring their information systems, critical assets, and regulatory and policy compliance.

For how long have I used the solution?

I have over two years of experience.

What do I think about the stability of the solution?

It can be overloaded when rules and data monitoring are not optimized and the system receives too many events.

Buyer's Guide
ArcSight Enterprise Security Manager (ESM)
April 2024
Learn what your peers think about ArcSight Enterprise Security Manager (ESM). Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
769,334 professionals have used our research since 2012.

What do I think about the scalability of the solution?

ArcSight can be extended to meet the biggest customers' (large enterprise) needs.

How are customer service and support?

ArcSight technical support is enthusiastic. They have a lot of experience and many case studies.

How was the initial setup?

ArcSight configuration and deployment are complex, because it has many components.

Which other solutions did I evaluate?

I researched Splunk, QRadar and AlienVault, and I appreciate Splunk and ArcSight.

What other advice do I have?

ArcSight provides many documents and guides for configuration and operation. Also, you can refer to its community at https://www.protect724.hpe.com.

Disclosure: My company has a business relationship with this vendor other than being a customer: My company is a partner of HPE ArcSight.
PeerSpot user
Product Specialist Security Solutions at a tech services company with 201-500 employees
Real User
The feature list allows us to input data dynamically to list it as a rule action.

How has it helped my organization?

Having a SIEM solution in general improves the way an organization functions, especially in the SOC part. With HPE ArcSight, we were able to deploy multiple dashboards, reports, and use case views that combine different views, data, and variables.

What is most valuable?

One of the most valuable features is the Active List/Session List capability.

Multiple use cases could only be created thanks to this feature. The feature list allows us to input data dynamically to list it as a rule action.

For example: If you need to take a Source IP from an IPS event and put it in an ActiveList suspicious IP, you can create another rule for AntiVirus events where it only matches IPs within that list.

What needs improvement?

The main area is the GUI interface. Although a lot of improvements were made on the GUI in the last version (6.9.1), there are still a lot of configurations that need to be done using the console.

The console is not a bad tool to use. I personally like to use it. However, compared to competitive solutions (Splunk, QRadar), it appears to be a weakness.

What do I think about the stability of the solution?

In general, it is a very stable product. We did multiple implementations, and we never had any major issues.

As with any other solution that handles a large number of logs/data, regular fine-tuning is required. This fine-tuning makes sure that the system is doing what it is supposed to do, with the capacity load that it was designed/sized to do.

What do I think about the scalability of the solution?

There were no scalability issues. A single Express/ESM Appliance is usually enough to support most of the enterprise’s needs. Only package upgrades need to be purchased. No hardware changes are necessary.

As for the loggers for long retention, you can add multiple loggers and cluster them as one virtual appliance. This provides for an easy scalability feature.

For the connectors part, you can implement as many connectors as you need so you can cover all your zones/branches. At a later time, a load-balanced connector for syslog can be introduced to make sure that logs for sensitive UDP packets are lost.

How are customer service and technical support?

We barely used the technical support assistance except for licensing. The times when we did use it, they were very good.

Which solution did I use previously and why did I switch?

We worked with RSA enVision/RSA SA as a partner:

  • RSA enVision was very basic and was very hard to fine-tune.
  • RSA SA (logs/packets) is more oriented towards packets/investigation and lacks multiple features when only using it for log management/SIEM.

How was the initial setup?

The initial setup was very easy. A fresh ESM/Express Installation with a connector can be up and running within a few hours.

With all of the best SIEM solutions, the biggest chunk of work comes later in creating customized rules, dashboards, use cases, and flex connectors for non-supported devices.

What's my experience with pricing, setup cost, and licensing?

In general, ArcSight solutions can cost a lot in big deployments. That comes as a result of having a big, scalable, stable, and feature-rich solution.

Which other solutions did I evaluate?

As a partner, we sell the product. We shifted from RSA to ArcSight based on our internal evaluations.

We tested McAfee Nitro, which was not mature enough at the time compared to ArcSight.

What other advice do I have?

Do a live PoC to test all needed features.

Think of use cases that you would like to deploy and make sure they are doable on the system, without additional licenses/appliances.

Choose a mature partner who is able to deliver the implementation even if it costs a bit more. The most common factor in failed SIEM experiences is bad implementations from non-experienced partners/engineers.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are partners with HPE.
PeerSpot user
Dr Trust Tshepo Mapoka, Senior Cybersecurity Consultant at CIA Botswana
Top 10, Real User

Thanks I agree.

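The Active List pattern described in the review above (an IPS rule whose action adds the source IP to a "suspicious IP" list, and an AntiVirus rule that only matches IPs already in that list), modelled as an added example. This is not code from the review or from ArcSight; the event records, the "product"/"src_ip" field names and the TTL-based expiry of list entries are constructed for the example, and the TTL goes a step beyond the review, which does not mention expiry.

```python
"""Added example: an in-memory model of the Active List correlation
pattern (hypothetical; not ArcSight's own implementation)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class ActiveList:
    """Keyed list whose entries expire after a TTL, so a host flagged
    hours ago does not stay 'suspicious' forever."""
    ttl: timedelta
    entries: dict = field(default_factory=dict)  # key -> expiry timestamp

    def add(self, key: str, now: datetime) -> None:
        # Re-adding an existing key refreshes its expiry.
        self.entries[key] = now + self.ttl

    def contains(self, key: str, now: datetime) -> bool:
        expiry = self.entries.get(key)
        if expiry is None:
            return False
        if expiry <= now:  # stale entry: drop it and treat as absent
            del self.entries[key]
            return False
        return True


# Constructed sample events (not real logs). "product" stands in for the
# device product field a connector would normalise.
SAMPLE_EVENTS = [
    {"ts": "2024-04-01T10:00:00", "product": "IPS",
     "name": "Exploit attempt", "src_ip": "10.0.0.5"},
    {"ts": "2024-04-01T10:05:00", "product": "AntiVirus",
     "name": "Malware detected", "src_ip": "10.0.0.5"},
    {"ts": "2024-04-01T10:06:00", "product": "AntiVirus",
     "name": "Malware detected", "src_ip": "10.0.0.9"},
    {"ts": "2024-04-01T12:00:00", "product": "AntiVirus",
     "name": "Malware detected", "src_ip": "10.0.0.5"},
]


def correlate(events, ttl_minutes=30):
    """Run the two rules over the events in timestamp order and return
    the alerts produced by the second rule."""
    suspicious = ActiveList(ttl=timedelta(minutes=ttl_minutes))
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        now = datetime.fromisoformat(ev["ts"])
        if ev["product"] == "IPS":
            # Rule 1: the rule action adds the attacking source IP to the list.
            suspicious.add(ev["src_ip"], now)
        elif ev["product"] == "AntiVirus" and suspicious.contains(ev["src_ip"], now):
            # Rule 2: an AV event only fires when its IP is already on the list.
            alerts.append({
                "ts": ev["ts"],
                "src_ip": ev["src_ip"],
                "reason": f"{ev['name']} on an IP recently flagged by IPS",
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

With the 30-minute TTL, only the 10:05 AntiVirus event from 10.0.0.5 produces an alert: 10.0.0.9 was never flagged by the IPS, and the 12:00 event arrives after the list entry has expired. Raising the TTL to three hours makes the 12:00 event match as well, which is the trade-off a rule author tunes between catching slow follow-on activity and carrying stale entries.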
PeerSpot user
Information Security Advisor, CISO & CIO, Docutek Services at Docutek Services
Consultant
Has helped us to gather, store, correlate and analyze security log data from many different information systems.

Valuable Features:

Intrusion Detection System (IDS)

Security Information and Event Management (SIEM)

Improvements to My Organization:

For organizations like mine, the security information and event management products being introduced in the industry, as an outcome of several vulnerabilities, are able to provide real-time monitoring, reporting, and defense against these attacks. It has helped us to gather, store, correlate and analyze security log data from many different information systems.

Room for Improvement:

For this review, ArcSight sent me the Logger 4 7000-series appliance (2U) with six 1TB RADIUS drives, the maximum amount of internal storage available. I would like to see a threat analytics module. Also, the ability to produce reports.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partners
PeerSpot user
it_user406278 - PeerSpot reviewer
EVP & Global Head - Services at a tech company with 1,001-5,000 employees
Vendor
The live threat feed keeps us abreast of the latest threats. The initial setup required a lot of customization.

Valuable Features

From the time that we purchased it, the multi-tenancy feature has been the most valuable for us. At the time, HP was the only vendor with this feature, but it seems that every vendor today does. Another feature we like is the live threat feed that's quite advanced. HP is the industry leader with this from an SIEM perspective.

Improvements to My Organization

From a daily perspective, ArcSight prevents attacks while it actively monitors our systems. It provides us analytics for these attacks and helps keep us abreast of the latest threats because of live threat feeds.

Room for Improvement

It's complicated to deploy. I need a logger at each site, which also gets quite expensive. There are no shared loggers.

Deployment Issues

We've had no issues with deployment, although it's complicated.

Stability Issues

It's a pretty stable solution. We've had no issues with instability.

Scalability Issues

It's very scalable.

Customer Service and Technical Support

They're pretty good and responsive.

Initial Setup

The initial setup was complex and required a lot of customization and tinkering. There are other products on the market that are very light, and this is not one of them. To get all the functionalities and to exploit them, it takes a long time to deploy. It takes 3-4 months.

Pricing, Setup Cost and Licensing

It's very expensive in its licensing model.

Other Advice

Definitely consider it as a top-3 choice, but know what you're trying to achieve with an SIEM tool.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Manager at PT Permata Anugerah Abadi
Real User
Top 5, Leaderboard
Great real-time reporting, offers simplicity for implementation and operations
Pros and Cons
  • "Very good real-time reporting with a good dashboard."
  • "Currently lacks SOAR feature."

What is our primary use case?

We deal mainly with enterprise companies - I'm the senior manager and we are partners with ArcSight. 

What is most valuable?

The solution has a good dashboard, very good real-time reporting and it's easy to use, offering simplicity for implementation and operations.

What needs improvement?

I'd like to see an improvement in their training and documentation. SOAR (Security Orchestration, Automation, and Response) would be a good feature to include in the future. 

For how long have I used the solution?

I've been using this solution for six years. 

What do I think about the scalability of the solution?

This solution is stable and scalable. 

How are customer service and support?

They offer 24/7 standby support wherever you are. It's very good. 

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup is straightforward. 

What's my experience with pricing, setup cost, and licensing?

The cost is reasonable for a good solution.

What other advice do I have?

It's important to set up the organization before implementation, checking internal desktops or IT security internals before buying the solution.

I rate this product an eight out of 10. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: partner
PeerSpot user
Chief Technological Officer at a tech consulting company with 51-200 employees
Real User
Very useful tool for intelligence building as it has many use cases and many rule sets
Pros and Cons
  • "It is a very useful tool for intelligence building because it has many use cases and many rule sets."
  • "It is quite complex and could use a better UI. So the improvement would be a simplification. It is pretty complicated to use. The architecture is not complex but the setup and use are."

What is our primary use case?

We use ArcSight Enterprise Security Manager for any type of cyber security attack.

It is in the cloud and on the customer's infrastructure. I am only deploying one agent and the agent is deploying all the information from the customers and then sending it to the cloud.

I am an integrator, but we sell our services. I'm not selling the software directly to customers. I'm selling my service with this product.

What is most valuable?

It is a very useful tool for intelligence building because it has many use cases and many rule sets.

What needs improvement?

It is quite complex and could use a better UI. So the improvement would be a simplification. It is pretty complicated to use. The architecture is not complex but the setup and use are. 

In the next release, it would be nice if the Logger model and the ESM model would be merged. Right now there are two big models, Logger and ESM, but from a Windows perspective, it is not good because they're sending Logger and ESM separately. So if you need ESM, you have to buy both Logger and ESM but if you only need Logger, you are buying just Logger. You can deploy them on one system, but you have two different systems and different databases. My suggestion would be to merge Logger and ESM together.

For how long have I used the solution?

I have been using ArcSight Enterprise Security Manager for about a year.

What do I think about the stability of the solution?

It is stable.

What do I think about the scalability of the solution?

ArcSight Enterprise Security Manager is scalable.

The number of people running it should be based on the organization's size. If you have a company with 500 assets, you should have at least one field engineer for the ESM product and two security analysts to operate this software. This is the minimum. One engineer and two security analysts are the minimum to start if the organization is midsize.

How are customer service and support?

Their technical support is generally good. On a scale of five, I'd give them four out of five.

How was the initial setup?

The initial setup is complex.

Installation is not complex, but Micro Focus also has different intelligence products. One runs on containers and it is quite complex to install and use, but it is a different product. So maybe if we can remove this wall then we should be all right.

I have two products from Micro Focus. I have this ESM and one for Web. It is for user IT behavior analytics. The second product is quite complex and it's linked to it. Then you have to connect these things together. So the complexity is in the Web product, not in ESM.

Our own site deployment took about one month to deploy and we can deploy services for our customers in about two weeks minimum. But that is a minimum. If the infrastructure is big, it may take up to two or three months. If the infrastructure is not logging or if there are many customer applications, it makes it complex to deploy. Every ESM product will be complex to implement if the organization is big and the logging is not enabled correctly.

What other advice do I have?

My advice to anyone considering ArcSight Enterprise Security Manager is to just read the manual. Just read the manual and documentation.

On a scale of one to ten, I would rate it a nine.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user427377 - PeerSpot reviewer
Senior ICT Security Officer at a financial services firm with 1,001-5,000 employees
Vendor
It provides us with event correlations that are automated and prioritized according to level of security risk and compliance violation.

Valuable Features:

  • Real-time rules for threat detection
  • Event correlations that are automated and prioritized according to level of security risk and compliance violation

Improvements to My Organization:

It allows us to be in better compliance with security protocols. It also gives us a better global vision of what is happening in the organization in terms of security threats and how best to analyze and mitigate them.

Room for Improvement:

I would like to have native cluster for connectors as a software version and not as an appliance. It also needs a better disaster recovery procedure.

Use of Solution:

We've been using ArcSight since 2007.

Deployment Issues:

We've deployed it without any issues.

Stability Issues:

We haven't had any issues with instability.

Scalability Issues:

It's scaled fine for our needs.

Other Solutions Considered:

We chose ArcSight when they had no real competitor and we stayed with them.

Other Advice:

I'm pleased with the current capabilities.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Cyber threat Intelligence Manager at CyberLab Africa
Real User
Scalable, good technical support, but stability could improve
Pros and Cons
  • "We have been satisfied with the support."
  • "The solution could be more stable."

What is our primary use case?

We are using ArcSight Enterprise Security Manager (ESM) for data analytics. We monitor the reports on security event information.

For how long have I used the solution?

I have been using this solution for approximately one year.

What do I think about the stability of the solution?

The solution could be more stable.

What do I think about the scalability of the solution?

We have not had any issue with the scalability.

We have approximately 20 users using this solution in my organization.

How are customer service and technical support?

We have been satisfied with the support.

How was the initial setup?

The installation was easy.

What about the implementation team?

We had assistance with the implementation of the solution. We have approximately five individuals that do the maintenance.

What's my experience with pricing, setup cost, and licensing?

There is a license required for this solution.

What other advice do I have?

I would recommend this solution to others.

I rate ArcSight Enterprise Security Manager (ESM) a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user