We use ESM for compliance, log retention, and general security operations. We don't use all the features. We have been late in terms of taking advantage of the cloud option.
Sr. Group Manager at a tech vendor with 10,001+ employees
It's highly customizable, but the API integration could be better
Pros and Cons
- "ArcSight is customizable. You can integrate just about anything. I also like the ease of use."
- "The API integration could be better, and I'd like to see more machine-learning capabilities in the future."
What is our primary use case?
What is most valuable?
ArcSight is customizable. You can integrate just about anything. I also like the ease of use.
What needs improvement?
The API integration could be better, and I'd like to see more machine-learning capabilities in the future.
For how long have I used the solution?
I have used ArcSight ESM for nearly 12 years.
Buyer's Guide
ArcSight Enterprise Security Manager (ESM)
April 2025

Learn what your peers think about ArcSight Enterprise Security Manager (ESM). Get advice and tips from experienced pros sharing their opinions. Updated: April 2025.
856,873 professionals have used our research since 2012.
What do I think about the stability of the solution?
ArcSight is more stable than other solutions I've used if you take care of the maintenance. I've seldom had significant issues.
What do I think about the scalability of the solution?
Scaling up ArcSight isn't a challenge.
How are customer service and support?
I've had mixed experiences. Sometimes, it was fine, and it was not so good at other times. It isn't as good as it used to be.
How was the initial setup?
The setup is simple to me because I've been doing it for a while, but I'm not sure a beginner would find it easy. It could be simpler. I haven't had the opportunity to deploy it on the cloud, but you should be able to do it without problems.
What's my experience with pricing, setup cost, and licensing?
I rate ArcSight ESM six out of 10 for affordability. In my last company, I evaluated Sentinel. The annual license for ArcSight is equal to about two months of Sentinel.
What other advice do I have?
I rate ArcSight ESM seven out of 10. I've worked with it my whole life and watched it evolve. ArcSight doesn't do much that other solutions can't. ArcSight has been around for 20-plus years. A lot of companies have moved on to other solutions. At the end of the day, you get out of a SIEM product what you put into it.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

Manager, Security Operations Centre at Deloitte
Eliminates many false positives, but has fallen behind in AI and ML capabilities
Pros and Cons
- "I value the event correlation of this product."
- "They also could improve the product by integrating user and identity behavior analytics."
What is our primary use case?
I supervise a team at our company that uses this solution. Our organization uses the solution with our customers. We run a SOC for our clients that are on ArcSight. We provide monitoring, SIM administration, and incident management to our customers.
We have many use cases including multiple route logins, multiple administrator login failures, multiple failures, and successful logins.
What is most valuable?
I value the event correlation of this product; it handles it well. We are able to eliminate many of the false positives, which eliminates a lot of the noise within the environment.
What needs improvement?
ArcSight could improve by using AI and ML. More people are leaning towards this type of solution. They also could improve the product by integrating user and identity behavior analytics.
The traits' environment is changing every day. The traditional approach of discovering traits within the environment is gradually changing. We need new approaches to intelligently discover traits within the environment. ArcSight needs to improve its product to move in this direction.
For how long have I used the solution?
I have been using ArcSight Enterprise Security Manager for one year.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
We have integrated a couple of technologies into ArcSight, both on-premise and on-cloud. We were able to integrate the DNS and the firewalls. We were not able to integrate the EDR.
How was the initial setup?
When comparing the initial setup of ArcSight ESM with Curator, the setup is easier with Curator.
Which other solutions did I evaluate?
We evaluated Curator. Curator is easier to set up than ArcSight, and it has a UI that is simple to use.
What other advice do I have?
I would recommend ArcSight Enterprise Security Manager to a small degree. However, there are quite a few products on the market now that are easier to use. Other products are providing more insight and providing user entity behavior analytics.
Overall, I would rate ArcSight ESM a six out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Consultant at Libero
Powerful and comprehensive program but complex and cumbersome for non-experts
Pros and Cons
- "ArcSight ESM allows us to find if someone is doing an administrative operation at inappropriate times of day or trying to do something they're not allowed to."
- "ArcSight ESM's UI is a little cumbersome and complex, especially for first-time and occasional users using the console manager."
What is our primary use case?
I primarily use ArcSight ESM for security and network monitoring. We are dealing with Active Directory, so we use ArcSight ESM to track the actions administrators take on accounts, like disabling and enabling accounts or accounts going expired and why.
How has it helped my organization?
ArcSight ESM allows us to track the logging of our customers or providers through VPN to a security middleware that tracks and allows them to access backend resources. In this way, we can find if someone is doing an administrative operation at inappropriate times of day or trying to do something they're not allowed to.
What needs improvement?
ArcSight ESM's UI is a little cumbersome and complex, especially for first-time and occasional users using the console manager. It's also a very complex product, and new users will require assistance from someone expert to avoid making errors.
For how long have I used the solution?
I've been using ArcSight ESM for three years.
What do I think about the stability of the solution?
ArcSight ESM is stable, except when you're doing very complex correlations, but that's a problem common to all products in this area.
What do I think about the scalability of the solution?
We have not had any problems with ArcSight ESM's scalability.
How are customer service and support?
ArcSight's technical support is very good.
How was the initial setup?
The initial setup was not so easy as it's a very technical product, and anybody who doesn't have a lot of technical knowledge will probably find it difficult to set up. It's important to have a clear understanding of your goals when setting up all the infrastructure, as ESM is so complex. The deployment took around an hour or two.
What about the implementation team?
We used a provider team.
What other advice do I have?
ArcSight ESM is a very powerful platform, but you have to be careful in designing rules and defining an initial set of targets because otherwise, you could end up with high costs or a hugely demanding setup. I would rate ArcSight ESM seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Technical Lead Project Individual Contributor at DXC
Used for cyber security by cyber security professionals for incident management and for analysis
Pros and Cons
- "Usability is the most valuable feature. The accessibility is quite good."
- "The visualization is not very good compared to Splunk."
What is our primary use case?
We use this solution as a SIEM monitoring tool in our enterprise and for customers who have been using it, like shared operations. It's mostly used for cyber security by cyber security professionals for incident management and analysis.
The solution can be deployed on-prem and on the cloud. It depends on the requirements. We mainly use AWS, but Azure is also used.
We have analysts and architects using this solution. There are more than 20 people who are specialists and are using it. The team can be as large as more than 100 people. It all depends upon infrastructure and the clients that the particular infrastructure is supporting.
What is most valuable?
Usability is the most valuable feature. The accessibility is quite good. If a new person wants to be trained in this product, it's easy for them to be trained, as opposed to other products like Splunk or Sentinel.
ArcSight is good, and it's also scaling up.
What needs improvement?
The visualization is not very good compared to Splunk.
The dashboard and the comparability with new devices could be better. For example, we have a lot of cloud infrastructure that's coming around. Nowadays, most of the appliances are cloud-based. So, the comparability of Splunk is more with cloud infrastructure. With ArcSight, we have to build FlexConnectors to integrate multiple data sources, and we need visualization in that with FlexConnectors. If you go to Splunk, they have their own apps developed, and they work more proactively compared to ArcSight.
The performance and speed could be better. Technical support could be improved.
For how long have I used the solution?
I have been using this solution for six years.
What do I think about the stability of the solution?
The solution is stable because we have been using this product for quite a number of clients. They use ArcSight as a primary tool for SIEM. We have been using it in the cyber security space for quite a long time. It is stable, but people are needed to manage this tool.
How are customer service and support?
ArcSight's technical support hasn't been as good as it was in the past. I don't find it to be very good. My queries are not being properly resolved.
Which solution did I use previously and why did I switch?
I also use Splunk and sometimes Sentinel.
This is the oldest SIM I have been working on. After that, Splunk came into the market. I worked for Accenture, and Splunk gave free training because of the partnership with Accenture. Their training framework was good compared to ArcSight. A lot of people started switching to Splunk. Nobody's support is perfect, but Splunk's support is almost perfect and better than ArcSight.
The primary factor is the cost. ArcSight is cost-effective, but Splunk is not because it charges for UBA, and ArcSight charges on EPS. Splunk is also in automation and machine-learning tools. So, if a customer is willing to spend big so they can switch to Splunk, that's what I've seen for most of the clients.
How was the initial setup?
Initial setup is complex, not straightforward, because there are some devices that are not supported by ArcSight. So, we have to build a development strategy for each of the devices.
For the implementation strategy, it can be software-based or it can be a multi-side-based also. It depends on the type of clients you have and the agents. They have a central server from which you can deploy the agents and install them, and then they can send to the ESM side on which you can correlate. From there, the incident reporting will be done based on multiple systems.
What about the implementation team?
A consultant is required for smooth setup.
What was our ROI?
We have seen ROI because this space keeps on changing very dynamically. It depends on your customer. There is definitely a return on investment, but it's not large because these types of solutions are for compliance purposes. We see many cyber attacks happen nowadays, but they definitely prevent some of the major incidents. It will give direct results to an organization, maybe in some intangible manner. But because this is a compliance thing, you definitely have to implement at least one SIEM in the infrastructure.
What's my experience with pricing, setup cost, and licensing?
The licensing cost is affordable if you get an enterprise license. The licensing is based on EPS, so you can probably provide a package of license for multiple ESMs with their correlational end fees. It is cost-effective.
Licensing depends on what type of customer you are. There will be licenses for each and every appliance. There will be three types of appliances like ESM, ArcMC, and Logger. For these three components, you need to buy a separate license.
What other advice do I have?
I would rate this solution 7 out of 10.
My advice is to get proper training. It also depends on which component someone is working on. ArcSight support will not be able to help every time because ArcSight professional services are pretty costly. I haven't seen any organization taking ArcSight professional support. We only have normal support. It needs a bunch of experts to support these kinds of operations.
You will need a strategy for how deployment is going to be, how much the capacity planning will be, what the configuration of servers will be, how they will architect it, etc.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
IT Security Manager at a tech services company with 10,001+ employees
A robust solution that helps us with our internal log and threat analysis
Pros and Cons
- "It is a robust product and has multiple valuable features."
- "The dashboard looks a bit cumbersome."
What is our primary use case?
We use it for our internal and vendor daily base of log analysis and threat analysis.
What is most valuable?
It is a robust product and has multiple valuable features. For example, it has robust threat intelligence built into its customization and great templates that provide ease of use.
What needs improvement?
The dashboard looks a bit cumbersome with the current version. They should work on the dashboard and optimize their integration which currently lags with devices of reputed vendors. So, having these custom integrators sometimes works and sometimes doesn't.
For how long have I used the solution?
We have been using this solution for almost ten years. It is deployed on private cloud.
What do I think about the stability of the solution?
We haven't experienced any stability challenges. It works if we get enough hardware and software provisions for the vendor recommendation.
What do I think about the scalability of the solution?
On-premises is a challenge to scale, and we haven't tried the cloud but we've heard it's quite scalable and robust.
How are customer service and support?
We do not use technical support that often. They are very good, but they should train their L1-level support. Overall, they're a good strong team.
How was the initial setup?
The setup is neither easy nor difficult and depends on the expertise. It requires really good expertise to build from scratch. The setup itself is not a big hassle, and in a week, the system is up and running, but the main challenge is the integration. We keep integrating, and with the password of the integrated direct, it's fine.
What's my experience with pricing, setup cost, and licensing?
It is a licensed product.
What other advice do I have?
I rate this solution an eight out of ten in terms of the inbuilt features and how it has grown into a strong solution over the years. The team has done an excellent job with the features, integrations, and compatibility.
Regarding advice, I think the assessment on currently sizing the product to their need is key. It's an expensive product, so sizing is the most important choice. In addition, I believe moving to cloud has more robust integration features. They are building new custom solutions that can be integrated with ESM for better analysis.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Chief Commercial Officer at Yamamah Information Technology & Communication Systems LLC
Easy to manage for anyone, simple cyber security reports, and good support
Pros and Cons
- "The most valuable features of ArcSight ESM are the dashboards, ease of management for anyone, and simple for teams to provide reports related to cyber security. There are a lot of good features that are provided."
- "ArcSight ESM could improve the alerts for the storage capacities or actions."
What is our primary use case?
ArcSight ESM is used as a security information and event management (SIEM) solution. It has been used in banks.
What is most valuable?
The most valuable features of ArcSight ESM are the dashboards, ease of management for anyone, and simple for teams to provide reports related to cyber security. There are a lot of good features that are provided.
What needs improvement?
ArcSight ESM could improve the alerts for the storage capacities or actions.
For how long have I used the solution?
I have been using ArcSight Enterprise Security Manager (ESM) for approximately six years.
What do I think about the stability of the solution?
ArcSight ESM is stable.
What do I think about the scalability of the solution?
The scalability of ArcSight ESM is very good.
On the client's bank site, there are approximately 1,500 users using the solution.
How are customer service and support?
The support for ArcSight ESM has been very good.
How was the initial setup?
The deployment of ArcSight ESM is easy.
What about the implementation team?
We have approximately six people from our information security department managing ArcSight ESM. The deployment was done by four engineers.
What's my experience with pricing, setup cost, and licensing?
ArcSight ESM is an affordable solution; it cost approximately $200,000 for three years. This price was at a substantial discount.
Which other solutions did I evaluate?
We have evaluated IBM QRadar before choosing ArcSight ESM.
What other advice do I have?
My advice to others is once they evaluate ArcSight ESM they will love it.
I rate ArcSight ESM an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Easy to use, reliable, simple implementation
Pros and Cons
- "The most valuable feature of ArcSight ESM is its ease of use."
- "ArcSight ESM could improve by adding more features and documentation. There needs to be more documentation."
What is our primary use case?
We are using ArcSight ESM in our company for security information and event management.
What is most valuable?
The most valuable feature of ArcSight ESM is its ease of use.
What needs improvement?
ArcSight ESM could improve by adding more features and documentation. There needs to be more documentation.
For how long have I used the solution?
I have been using ArcSight Enterprise Security Manager (ESM) for approximately 10 years.
What do I think about the stability of the solution?
ArcSight ESM is stable.
What do I think about the scalability of the solution?
The scalability of ArcSight ESM is good.
We have approximately 10 people using this solution. There are 1,000 devices using the solution. We are using the solution to its full capacity.
How are customer service and support?
The support is not very good.
I rate the support from ArcSight ESM a four out of five.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup of ArcSight ESM is easy. The deployment process took approximately one week.
What about the implementation team?
I did the implementation of ArcSight ESM myself. We have two people for maintenance.
What other advice do I have?
I rate ArcSight Enterprise Security Manager an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Chief Enterprise Architect at a financial services firm with 10,001+ employees
User interface and setup are good and speedy; deployment typology could be improved
Pros and Cons
- "The user interfaces are quite good and speedy."
- "Deployment typology could be improved. Difficult to scale across all the different lines of businesses."
What is our primary use case?
ArcSight monitors any down time with patch management. Whenever any project is on-boarded such as in our security core or asset and wealth management technology, the hardware goes through ArcSight. That is basically our use case whether we're doing the patch management, or the upgrades on that tool, or managing the centralized desktop. ArcSight monitors the failures in the cloud. We have the tech classifications in the CMDB which is integrated with ArcSight and ArcSight pulls out everything on the CMDB and I'm able to see it all - the CMDB database and the CVS scores which are also integrated in ArcSight. I can know that for a particular monitoring track or detected incident, this is the particular CVS score. I'm a VP and enterprise architect, and we're customers of ArcSight.
What is most valuable?
The user interfaces are quite good and speedy, and I like the consoles too. The typology and the setup are also good. It's very similar to QRadar, so it's user friendly although I believe QRadar rates better.
What needs improvement?
The deployment typology could be improved. If you want to scale across all the different lines of businesses, it should be easy to do that and it's not. If I'm doing DMX monitoring, I shouldn't need a different SIEM. For the traditional application servers which are RTTR architecture-based, the legacy applications, which might be Java or steam-based applications, require DMX monitoring, currently provided by Nagios. Instead, the monitoring could be different types of monitoring which we could get from ArcSight. It would save the cost of doing the DMX monitoring from Nagios. QRadar has a dashboard which includes most of the monitoring, data and everything. The features in ArcSight could be more like that.
For how long have I used the solution?
I've been using this solution for 10 years.
What do I think about the scalability of the solution?
Scalability is okay, although if we had better typology, we could scale more and performance could be better. It's similar to QRadar. We are onboarded for security core processing or data disk core processing. If I wanted to add another 20 lines of business under that, it should be okay. There's a trade-off between security and performance, so a more secure typology will result in degraded performance. We currently have around 2,000 users but hope to increase that number.
How are customer service and support?
Technical support is available 24/7. They are on a rota basis for the different regions. If I'm looking for support here in India, it's available 2 1/2 hours ahead of Singapore, 3 1/2 hours ahead for the Japanese team. In the UK region, we have support available from 11:00am. And if I'm looking for post 7:00pm in India, then I have the support teams available from the States. They're quite good and they offer other professional services too, including for incident management.
How was the initial setup?
The initial setup doesn't take too much time.
What other advice do I have?
I'm neutral on whether I would recommend this solution. It depends on what typology you are using, and your use cases. If you have a different endpoint, or security tool already doing what this product does and it's already integrated with CMDB, and there's a tool at the endpoint giving the CVS Score, then you don't need an SIEM platform.
On the pricing side, QRadar is much costlier compared to ArcSight. There's a trade-off. Anyone aiming for something specific will go for ArcSight monitoring rather than going for QRadar because deployment of the SIEM is not so easy for the larger deployment typologies in the financial services sector. It's not easy to scale up for different lines of businesses unless you have proper planning, methodologies, processes, and your SOPs are in place. If you follow the proper SOPs, things are easier.
I would rate this solution a six out of 10.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
