it_user406278 - PeerSpot reviewer
EVP & Global Head - Services at a tech company with 1,001-5,000 employees
Vendor
The live threat feed keeps us abreast of the latest threats. The initial setup required a lot of customization.

What is most valuable?

From the time that we purchased it, the multi-tenancy feature has been the most valuable for us. At the time, HP was the only vendor with this feature, but it seems that every vendor today does. Another feature we like is the live threat feed that's quite advanced. HP is the industry leader with this from an SIEM perspective.

How has it helped my organization?

From a daily perspective, ArcSight prevents attacks while it actively monitors our systems. It provides us analytics for these attacks and helps keep us abreast of the latest threats because of live threat feeds.

What needs improvement?

It's complicated to deploy. I need a logger at each site, which also gets quite expensive. There are no shared loggers.

What was my experience with deployment of the solution?

We've had no issues with deployment, although it's complicated.

Buyer's Guide
ArcSight Enterprise Security Manager (ESM)
April 2025
Learn what your peers think about ArcSight Enterprise Security Manager (ESM). Get advice and tips from experienced pros sharing their opinions. Updated: April 2025.
857,028 professionals have used our research since 2012.

What do I think about the stability of the solution?

It's a pretty stable solution. We've had no issues with instability.

What do I think about the scalability of the solution?

It's very scalable.

How are customer service and support?

They're pretty good and responsive.

How was the initial setup?

The initial setup was complex and required a lot of customization and tinkering. There are other products on the market that are very light, and this is not one of them. To get all the functionalities and to exploit them, it takes a long time to deploy. It takes 3-4 months.

What's my experience with pricing, setup cost, and licensing?

It's very expensive in its licensing model.

What other advice do I have?

Definitely consider it as a top-3 choice, but know what you're trying to achieve with an SIEM tool.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user406062 - PeerSpot reviewer
Sr. Director, Corporate Information Security at a comms service provider with 1,001-5,000 employees
Vendor
It correlates security events and then allows us to take action to address those events.

What is most valuable?

The most valuable feature for us is its ability to correlate security events and then allow us to take action to address those events.

How has it helped my organization?

We're able to customize it so that it suits our business needs.

What needs improvement?

Although we're able to customize it, it requires some level of subject-matter expertise for all the special adapters for collection.

We also had initial stability issues that were probably caused by our architecture and not the solution itself.

For how long have I used the solution?

We've been on the on-site platform for four years.

What was my experience with deployment of the solution?

We've had no issues with deployment.

What do I think about the stability of the solution?

We had some initial issues with stability, but we worked through it. I think our architecture and design were initially flawed, so that was more of our problem and not HP's.

What do I think about the scalability of the solution?

We've had no issues scaling it in the last three years.

How are customer service and technical support?

We've used technical support several times and found them to be good.

Which solution did I use previously and why did I switch?

We moved from a managed outsource service, provided by a competitor. He wanted to in-source it, or in-house it, so we had the ability to be a little bit more effective and nimble.

How was the initial setup?

The initial setup was complex, but HP's professional services helped us out.

What other advice do I have?

Make sure you staff up internally, and have the right subject-matter expertise to take advantage of the platform. Otherwise, it's not going to help.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user402840 - PeerSpot reviewer
Senior Manager Fraud Services at a financial services firm with 1,001-5,000 employees
Vendor
It's a reliable service and provides our team members with a lot of knowledge.

Valuable Features:

It's a reliable service and provides our team members with a lot of knowledge. In turn, it provides solutions for the needs of the IT department.

Room for Improvement:

There are improvements that could be made to help us ensure that we're in compliance with our monitoring requirements.

Use of Solution:

I've been in my group for over eight years and we've used it for the entire time. I'm not sure when the initial implementation was.

Deployment Issues:

We've had no issues with deployment.

Stability Issues:

It's consistently stable. I've not heard any complaints about instability.

Scalability Issues:

HP has delivered for our company and its size.

Initial Setup:

The initial setup was done more than eight years ago before I started with the company.

Implementation Team:

We bring in an HP consultant for development and implementation.

Other Advice:

It's a solid product supported by a solid company.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
technica402861 - PeerSpot reviewer
Senior Manager - Cyber Security at a comms service provider with 1,001-5,000 employees
Real User
The two most valuable features for us are the deployment strategy and its operational ease.

What is most valuable?

The two most valuable features for us are the deployment strategy and its operational ease.

How has it helped my organization?

As it's an SIEM solution, it won't prove anything overnight. We're still in the implementation stage and filtering out all the noise. It's operationalized, but we're fine tuning it.

What needs improvement?

I'd like to see some threat intelligence out of the box rather than adding it in subscriptions. It also needs more straightforward and simplified correlation rules so that a SOC analyst can dive right in rather than undergo a separate induction program. Right now, the attrition rate is high.

For how long have I used the solution?

We've had it for about eight months now.

What was my experience with deployment of the solution?

We haven't had any issues with deployment.

What do I think about the stability of the solution?

It is a stable product. We've had no issues with instability.

What do I think about the scalability of the solution?

We haven't had a need to scale yet, and maybe not for another two or three years.

How are customer service and technical support?

System integrated support is there, but we haven't had any need to contact HP support. We will soon, though, because we don't really know how to fine tune the product.

Which solution did I use previously and why did I switch?

The threat landscape was the trigger for needing a SIEM product to correlate everything that is going on within the environment.

How was the initial setup?

We're still in the implementation stage because it's complex. So the basic things are done, but not the full-scale deployment. It's a process.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user400656 - PeerSpot reviewer
Security Practice Director at Rolta AdvizeX
Consultant
Capable product that integrates with many different platforms.

Valuable Features

They're the leader of the SIEM market for fifteen years or so. ArcSight is a very capable product that integrates with many different platforms. It's huge with a lot of moving parts, but nothing can compete with it in terms of capability.

Room for Improvement

I'm a little concerned that the market is moving around ArcSight. It's a fantastic SIEM, but the recent metrics show that relying too heavily on a SIEM solution isn't protecting us. ArcSight addresses that by integrating with other solutions, but I'd like to see that to be a more central element of it.

Deployment Issues

We've had no issues with deployment.

Stability Issues

It is incredibly stable and road-tested, reasons why it's a market leader.

Scalability Issues

It's highly scalable. It works in small scenarios as well as the biggest that I can imagine.

Customer Service and Technical Support

Technical support from the vendor has been good. There's a particular challenge with ArcSight not in the technical support, but in the fact that it supports the platform and the integration.

Initial Setup

The initial setup is relatively complex because it's not a small solution. It's not only complex to set up, but the interface with business operations is even more complex around scoping, implementing, and running an implementation.

Other Advice

Make sure you tune it to your business and infrastructure, which isn't necessarily part of technical support. It requires some consulting, which is a market challenge of the product.

It's not a one-size-fits-all solution and it isn't sold with the appropriate professional services. So the number one thing with ArcSight is that you have to make sure that you get professional services to help size it for your particular use case, including integrations with your tools, operational model, and security operations.

Disclosure: My company has a business relationship with this vendor other than being a customer: We're partners.
PeerSpot user
it_user399357 - PeerSpot reviewer
Security Response Engineer at a media company with 10,001+ employees
Real User
It reduces the amount of time required to perform an investigation because of the correlation and aggregation of all the events.

Valuable Features

It reduces the amount of time required to perform an investigation because of the correlation and aggregation of all the events. From what I've seen for our network, it's the best at ingestion of events.

Improvements to My Organization

We're a large organization, and the tool scales very well for us.

Room for Improvement

The technical support needs to be improved.

Deployment Issues

We've had no issues with deployment.

Stability Issues

Whether we've had issues with stability is a hard thing to say because we're on the cutting edge of virtualization. When we were on older hardware with physical servers, it was relatively stable. But we ran into issues with support, and we decided to virtualize a lot of it -- everything from the loggers to the ESM. We see a lot of performance gains, but our biggest hangup is support. The tool itself is great, but when we run into a hiccup, it seems they don't have the expertise on the support side to get us quickly back to where we need to be.

Scalability Issues

We have well over 100,000 employees and we've virtualized a lot. Again, the problem is with getting support as we scale.

Customer Service and Technical Support

They don't listen when we report an event or issue. We tend to be on the bleeding edge, so we have to do our own troubleshooting and perform our own resolution of events. When we send information, they've often asked for logs. And sometimes we don't get responses at all. I often have to ask for a status update on our tickets, which oftentimes get sent to non-US support teams. They're then re-assigned back to the US and there's a lot of confusion.

Technical support has been so frustrating that we've brought in an intermediary, LiveQuest, to deal with HP support for us.

Initial Setup

I've set it up so many times now, it's really hard for me to describe it. It's pretty straightforward and has become second nature for me.

Other Advice

You have to really know your environment. Have a good SE, and be prepared to do a lot of your own homework.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
PeerSpot user
Manager, Enterprise Risk Consulting at a tech company with 1,001-5,000 employees
Real User
Network investigation is poor but it's highly customizable

Valuable Features:

  • Powerful Correlation
  • Customization 
  • Integration capabilities

Room for Improvement:

  • Very complex install and management
  • Steep learning curve
  • Poor Network Investigation
  • Poor analytics.

Use of Solution:

Six years.

Stability Issues:

Yes. The Logger, ESM and Connector ecosystem, if not set up properly, leads to stability issues both in point operations as well as integrations.

Scalability Issues:

No. ArcSight is very scalable.

Customer Service:

3 out of 5.

Implementation Team:

We implemented it in-house.

ROI:

Poor as the product takes more effort to generate value. Its CAPEX cost is high too.

Other Advice:

If you really want the power and flexibility of customizing your Security monitoring and correlation, go with ArcSight, but beware of the effort involved in set up and maintenance.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user147210 - PeerSpot reviewer
Sr Security Engineer at a tech services company with 51-200 employees
Consultant
There are SO MANY things you can do in AS, and there is a lack of really in-depth documentation on a lot of it.

What is most valuable?

Not really a feature, per se, but the ability to do multi-tenant SIEM.

How has it helped my organization?

We help our customers do more than 'check a box' for security and compliance and we are very proud of that. We tend to be more like partners to a lot of our customers, and they rely on us to deliver high-fidelity, relevant security alerts. 

What needs improvement?

There are SO MANY things you can do in AS, and there is a lack of really in-depth documentation on a lot of it. I am not sure why this is, but it is a little hard to be self-sufficient when this is the case. I am sure this is why real ArcSight experts are in demand! Being too feature-rich can be as bad as being oversimplified!

For how long have I used the solution?

I have been working as an analyst using AS for 9 months now. This work involves monitoring the multi-tenant implementation of AS, sending reports to customers, doing investigations on alerts that come in, and implementing new Connectors and content. Connectors are how AS gets events from the devices.

What was my experience with deployment of the solution?

Again, system complexity can be an issue, but not really.

What do I think about the stability of the solution?

None. ArcSight is very stable. Period.

What do I think about the scalability of the solution?

Again, none. It is a system that is more than capable of multi-tenant implementations.

How are customer service and technical support?

They try really, really hard.

Which solution did I use previously and why did I switch?

No, the folks I work for were at ArcSight before HP acquired it and have always been users and proponents of it. It's a powerful product for sure.

How was the initial setup?

Setup is fairly complex, and with so many features, it is difficult to just 'set it and forget it' with ArcSight. It requires a lot of care and feeding, as well as a pretty good amount of ongoing maintenance and configuration to really get good quality alerts out of it.

What about the implementation team?

In-house experts.

Which other solutions did I evaluate?

I've been looking at Open Source SIEM recently, and paying a lot of attention to the others in the commercial market, like IBM and McAfee, but I don't have any practical experience. I have heard mixed reviews about all of them (including AS from some folks I know).

What other advice do I have?

Implementation advice: this is a big job, and unless you are able to hire and train a dedicated SIEM engineer, I would look at getting staff augmentation from HP or other consulting types. Be prepared to Read The Friendly Manual (RTFM), and do a lot of searches online. Take the entry-level certs that HP offers, and get classes if there is budget.
Disclosure: My company has a business relationship with this vendor other than being a customer: ArcSight partner
PeerSpot user