PeerSpot user
Lead Splunk Architect at a financial services firm with 10,001+ employees
Real User
CEF log formatting helps with combining events from different sources. It can be quite complicated for the "non-IT" user.

What is most valuable?

Correlation and data normalization via CEF: The speed of ArcSight's correlation engine, together with data enrichment, makes it a great tool for exploring vast amounts of data. Other SIEM tools have a hard time giving the same results at the same speed. Also, thanks to CEF log formatting, combining events from different sources takes minimal effort, whereas setting up that normalisation on other SIEM competitors could take countless hours.

What needs improvement?

Ease of use, access and simplicity: HPE ArcSight makes it hard to capitalize on reports without the use of the console. Other SIEM tools have made it clear that event correlation results can be used not only to send out alerts, but also to provide easily accessible results to management.

ArcSight can be quite complicated to use for the "non-IT" user. In terms of "ease of use", access and simplicity, HPE could do a better job, since customers acquiring the product should be spending more time on implementing use cases than on understanding the product and the console organization.

Also, in terms of installation, we are no longer in an era where installing a product should be a laborious process. Instead, it should be simple and fast.

Also, when it comes to data onboarding and managing ArcSight connectors in a multi-technology environment, there is no simple way to guarantee that data parsing is happening properly.

Finally, having simple-to-set-up, multi-site high availability, in contrast to single-site HA, would be very welcome.

For how long have I used the solution?

I’ve been using ArcSight for three years.

What do I think about the stability of the solution?

We have had some issues on the SmartConnector layer, since not all parsers provide perfect results (especially in the case of proxy data). Also, there have been some issues on the HA modules, since HA works sort of like a local rsync (no remote HA).

Buyer's Guide
ArcSight Enterprise Security Manager (ESM)
April 2024
Learn what your peers think about ArcSight Enterprise Security Manager (ESM). Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
769,334 professionals have used our research since 2012.

What do I think about the scalability of the solution?

No scalability issues have been encountered so far. ArcSight's architecture is very scalable, especially when set up in a layered architecture.

How are customer service and support?

Support is slow and doesn't always have the required skill set to solve the issues.

Which solution did I use previously and why did I switch?

We did not have a previous solution.

How was the initial setup?

Initial setup was very complex. Any modification to the OS prior to ESM installation may cause errors in installation. Most errors aren't explicit and require a lot of time, effort and sometimes PS help to solve.

What's my experience with pricing, setup cost, and licensing?

Price is fair compared to other SIEMs (Splunk, QRadar, etc.). It's not the go-to product if you are looking for something cheap. Go for ArcSight, if it provides specific features that your IS requires.

Which other solutions did I evaluate?

Before ArcSight, we looked at QRadar and Splunk.

What other advice do I have?

My first advice is "be patient". It takes a lot of time to deploy an ArcSight infrastructure, but the result is worth it. Technically, it’s a very powerful tool. It would be worth it to take the time to learn some of the hidden features.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
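The two CEF points in the review above, that a shared format makes combining sources cheap and that there is no simple way to confirm connector parsing is correct, can both be made concrete in code. The parser below is an added example written for this page; it is not ArcSight or SmartConnector code. It follows the public CEF header layout (CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|Extension) and its backslash escaping, maps extension keys onto one schema shared by every source, and reports parse problems per product (non-numeric severities, a hostname where an IP is expected, leftover text no key=value pair accounted for). The product names, the field mapping in COMMON_FIELDS and the sample events are constructed for the example.

```python
"""CEF parser, cross-source normalisation and a parse-quality check.
Added example, not ArcSight/SmartConnector code. Public CEF layout:
  CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|Extension
Header fields escape '|' and '\\' with a backslash; extension values escape '=' and '\\'.
Product names, field mapping and sample events are constructed for this example."""
import ipaddress
import re

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
SEVERITY_WORDS = {"low": 3, "medium": 6, "high": 8, "very-high": 10}
# key=value pairs; a value runs to the next " key=" or end of string and may hold
# escapes, so "msg=category\=malware user\=admin" stays one value.
EXT_PAIR = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s\w+=|$)")
TYPED_KEYS = {"src": "ip", "dst": "ip", "spt": "port", "dpt": "port"}  # must parse as such
COMMON_FIELDS = {"src": "src_ip", "dst": "dst_ip", "spt": "src_port", "dpt": "dst_port",
                 "suser": "user", "duser": "user", "msg": "message"}  # assumed mapping


def _unescape(value):
    """Resolve CEF backslash escapes (\\=, \\|, \\\\, \\n, \\r)."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _split_header(line):
    """Split on the first seven unescaped pipes; the remainder is the extension."""
    parts, buf, i = [], [], 0
    while i < len(line):
        if line[i] == "\\" and i + 1 < len(line):   # escaped char: keep it literally
            buf.append(line[i + 1])
            i += 2
        elif line[i] == "|":
            parts.append("".join(buf))
            buf, i = [], i + 1
            if len(parts) == len(HEADER_FIELDS):
                return parts, line[i:]
        else:
            buf.append(line[i])
            i += 1
    parts.append("".join(buf))                        # no trailing pipe: no extension
    return parts, ""


def _type_problem(key, value):
    """Return a message if a typed key (src, dst, spt, dpt) holds the wrong kind of value."""
    kind = TYPED_KEYS.get(key)
    if kind == "ip":
        try:
            ipaddress.ip_address(value)
        except ValueError:
            return f"{key}={value!r} is not an IP address"
    elif kind == "port" and not (value.isdigit() and int(value) <= 65535):
        return f"{key}={value!r} is not a port"
    return None


def parse_cef(line):
    """Parse one line; 'problems' lists what the connector or parser got wrong."""
    parts, extension = _split_header(line.strip())
    if len(parts) != len(HEADER_FIELDS) or not parts[0].startswith("CEF:"):
        return {"ok": False, "problems": ["malformed header"], "raw": line}
    header = dict(zip(HEADER_FIELDS, parts))
    header["version"] = header["version"][4:]         # strip the "CEF:" prefix
    problems, sev = [], header["severity"]
    if sev.isdigit() and int(sev) <= 10:
        header["severity"] = int(sev)
    elif sev.lower() in SEVERITY_WORDS:               # spec also allows Low/Medium/High/Very-High
        header["severity"] = SEVERITY_WORDS[sev.lower()]
    else:
        problems.append(f"severity out of range: {sev!r}")
    ext = {}
    for m in EXT_PAIR.finditer(extension):
        ext[m.group(1)] = _unescape(m.group(2))
        err = _type_problem(m.group(1), ext[m.group(1)])
        if err:
            problems.append(err)
    leftover = EXT_PAIR.sub("", extension).strip()    # text no key=value pair accounted for
    if leftover:
        problems.append(f"unparsed extension text: {leftover!r}")
    return {"ok": not problems, "problems": problems, "header": header, "extension": ext}


def normalize(parsed):
    """Flatten a parsed event into the shared schema, whichever product sent it."""
    h, e = parsed["header"], parsed["extension"]
    record = {"vendor": h["device_vendor"], "product": h["device_product"],
              "signature_id": h["signature_id"], "event_name": h["name"], "severity": h["severity"]}
    record.update({common: e[k] for k, common in COMMON_FIELDS.items() if k in e})
    return record


def parse_quality(lines):
    """Per-product parse statistics: shows which connector is feeding bad data."""
    report = {}
    for line in lines:
        p = parse_cef(line)
        product = p["header"]["device_product"] if "header" in p else "<unparsed>"
        stats = report.setdefault(product, {"events": 0, "bad": 0, "problems": []})
        stats["events"] += 1
        if not p["ok"]:
            stats["bad"] += 1
            stats["problems"].extend(p["problems"])
    return report


# Constructed events from three fictional products; the proxy one puts a hostname in src.
SAMPLE_EVENTS = [
    r"CEF:0|Acme|Firewall|3.1|100|Connection denied|6|src=10.0.0.5 spt=51122 dst=192.0.2.10 dpt=443 suser=jdoe",
    r"CEF:0|Example Corp|Web Proxy|7.0|2001|Blocked URL|Medium|src=proxy01 dst=198.51.100.7 dpt=80 msg=category\=malware user\=admin",
    r"CEF:0|Vendor\|Inc|Auth Server|1.0|4625|Logon failed|High|suser=admin src=203.0.113.9 dst=10.0.0.1",
    "not a cef line at all",
]
```

Running `parse_quality(SAMPLE_EVENTS)` flags the Web Proxy product (one event, one bad: src holds a hostname) and the non-CEF line, while the firewall and authentication events normalise to the same `src_ip`/`dst_ip`/`user` fields despite coming from different vendors. The same per-product report, run continuously over a connector's output, is the kind of parsing guarantee the review says is missing.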
PeerSpot user
HungTran2 - PeerSpot reviewer
Technical at HPT Vietnam
MSP
Easy to use, reliable, simple implementation
Pros and Cons
  • "The most valuable feature of ArcSight ESM is its ease of use."
  • "ArcSight ESM could improve by adding more features and documentation. There needs to be more documentation."

What is our primary use case?

We are using ArcSight ESM in our company for security information and event management.

What is most valuable?

The most valuable feature of ArcSight ESM is its ease of use.

What needs improvement?

ArcSight ESM could improve by adding more features and documentation. There needs to be more documentation.

For how long have I used the solution?

I have been using ArcSight Enterprise Security Manager (ESM) for approximately 10 years.

What do I think about the stability of the solution?

ArcSight ESM is stable.

What do I think about the scalability of the solution?

The scalability of ArcSight ESM is good.

We have approximately 10 people using this solution. There are 1,000 devices using the solution. We are using the solution to its full capacity. 

How are customer service and support?

The support is not very good.

I rate the support from ArcSight ESM a four out of five.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup of ArcSight ESM is easy. The deployment process took approximately one week.

What about the implementation team?

I did the implementation of ArcSight ESM myself. We have two people for maintenance.

What other advice do I have?

I rate ArcSight Enterprise Security Manager an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Security Manager at shinhan DS
Real User
Ease of connectivity with third-party products adds to the flexibility of this solution
Pros and Cons
  • "This process has helped to improve our organization because we have centralized the intra-group security equipment logs."
  • "There are several improvements that we would like to see, including: building a system based on a log collection (SOC), a scenario for external encroachment, and operator training."

What is our primary use case?

Our primary use case is to prioritize internationally used references.

How has it helped my organization?

This process has helped to improve our organization because we have centralized the intra-group security equipment logs.

We've been working hard to implement violation scenarios as rules.

What is most valuable?

The features that we have found to be most valuable are:

  1. Connectivity with the SOC system
  2. Flexible connectivity with third-party solutions

What needs improvement?

There are several improvements that we would like to see, including:

  1. Building a system based on a log collection (SOC)
  2. A scenario for external encroachment
  3. Operator training
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Ex Senior Security Analyst and Onsite consultant at Paladion Networks
Consultant
Once the rules are defined, it becomes easy to detect changes and generate automated logs
Pros and Cons
  • "The tool sends an automated mail to all the operators, which makes it easy to share the information and reporting."
  • "Once the rules are defined, it is capable of detecting minute changes in the systems, which are effectively based on the entries in the log."
  • "It is a vital tool for live monitoring and helps us to understand the traffic alerts of any major issue on the network, thereby reducing hacking attempts."
  • "Once the rules are defined, it becomes easy to detect changes and generate automated logs."
  • "The analytics feature is not reliable and needs improvement for more detailed analysis."
  • "In certain cases, this product does have false positives, which the company should work on."
  • "They should try to include business logic vulnerabilities in the SIEM tool."

What is our primary use case?

We use Micro Focus ArcSight SIEM version 6.3, 6.4, and 6.5 in multiple sites and customer ranges. The SIEM log monitoring tool is very efficient at providing us the details for any file system changes, logins, OSPF, and BGP as well as other router and server changes.

How has it helped my organization?

It is a vital tool for live monitoring and helps us to understand the traffic alerts of any major issue on the network, thereby reducing hacking attempts. Before, our staff had to review raw logs directly to understand if there had been any attempt on the system, but with ArcSight, once the rules are defined, it becomes easy to detect changes and generate automated logs.

Another benefit is this tool sends an automated mail to all the operators, which makes it easy to share the information and reporting.

What is most valuable?

Once the rules are defined, it is capable of detecting minute changes in the systems, which are effectively based on the entries in the log.

What needs improvement?

In certain cases, this product does have false positives, which the company should work on. They should also try to include business logic vulnerabilities in the SIEM tool. The analytics feature is not reliable and needs improvement for more detailed analysis.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

The product that we used in our office under different environments is highly stable. We have used certain specific versions unless required specifically by the client.

What do I think about the scalability of the solution?

This product is designed for easy scalability and can easily scale up without major challenges. However, we have a specific team which looks after the setup and maintenance of the tool.

How are customer service and technical support?

We have experienced quick customer support. They have a complete list of our previous issues along with our history, which makes it faster for them to solve our issues. 

Which solution did I use previously and why did I switch?

Since I have been in the organisation, we have used Micro Focus ArcSight for 80% of the clients. We have also used Splunk for certain clients based on their requirements.

How was the initial setup?

We have a separate team for this functionality. I am not aware of the process. However, complete client cooperation is required in the setup or else there can be certain counterproductive alerts.

What's my experience with pricing, setup cost, and licensing?

It is best to be an institutional buyer and directly contact the sales team, as they can provide over-the-top discounts for bulk orders.

Which other solutions did I evaluate?

We have used Micro Focus ArcSight from the beginning.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
PeerSpot user
it_user417483 - PeerSpot reviewer
Senior IT Security Consultant, Cybersecurity Technology Services at a consultancy with 1,001-5,000 employees
Consultant
It has flexible and rich correlation capabilities. It has the capability to manipulate every parameter - sub-strings, indexes, and custom functions.

Valuable Features

  • It has flexible and rich correlation capabilities. This is the most mature product in this area.
  • It has the capability to manipulate every parameter - sub-strings, indexes, and custom functions.
  • Active Lists - This is the most powerful feature which supports correlation. It also has multi-column active lists, parameters manipulation, and correlation capabilities that provide great flexibility.
  • Full control of correlation flow - There are no black-box closed rules, unlike with McAfee Nitro, and no default aggregation which is hard to analyze, unlike Offenses in QRadar.

Improvements to My Organization

This is the best product to build and supports SOC operations and SOC use cases.

Room for Improvement

The layout of the analyst's console needs improvement. It has had no significant changes in at least nine years. Also, the advanced statistics in visualizations simply don't work, and I've performed an analysis of these functions.

Use of Solution

We've been using it for nine years.

Deployment Issues

We have had no issues with the deployment.

Stability Issues

We have had no issues with the stability.

Scalability Issues

We have had no issues scaling it for our needs.

Customer Service and Technical Support

I have not had to use tech support for at least two years now. From what I recall, they were good.

Initial Setup

The initial setup was simple and the implementation was straightforward as the supporting documentation is pretty good. Help for setup, which is available from the analyst console, is really great and complex with diagrams and screens.

Implementation Team

ArcSight makes it easy to achieve ROI because of its great flexibility.

Other Solutions Considered

This is the best SIEM solution on the market compared to its competitors. I'm also familiar with IBM QRadar, RSA Security Analytics, McAfee Nitro, and Splunk.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
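The review above singles out Active Lists: a keyed table that one rule fills and a second rule consults, with each row carrying its own columns and a time-to-live. The pattern is easiest to see in a small implementation. The code below is an added illustration written for this page, not ArcSight's rule language or engine. It takes already-normalised events as dicts, and the threshold, window, event names and sample logon events are constructed; the two rules (count failed logons per user and source, alert when a success follows enough live failures) are a standard brute-force use case chosen only to exercise the list.

```python
"""Active-list style correlation: a TTL'd, multi-column table that one rule
populates and another rule consults. Added illustration of the pattern; not
ArcSight's rule language or engine. Events are already-normalised dicts, and the
threshold, window, event names and sample events are constructed."""
from dataclasses import dataclass, field

FAIL_THRESHOLD = 5      # failures before a following success is suspicious
WINDOW = 600.0          # seconds an entry stays in the list (its TTL)


@dataclass
class ActiveList:
    """Rows keyed by a tuple (here (user, src_ip)), each with its own columns and a TTL."""
    ttl: float
    rows: dict = field(default_factory=dict)

    def expire(self, now):
        """Drop rows older than the TTL, measured from their first insertion."""
        for key in [k for k, r in self.rows.items() if now - r["first_seen"] > self.ttl]:
            del self.rows[key]

    def upsert(self, key, now):
        """Return the row for key, creating it on first sight; the caller updates columns."""
        self.expire(now)
        row = self.rows.setdefault(key, {"first_seen": now, "count": 0, "sources": set()})
        row["last_seen"] = now
        return row

    def lookup(self, key, now):
        self.expire(now)
        return self.rows.get(key)

    def remove(self, key):
        self.rows.pop(key, None)


def correlate(events):
    """Two rules over a time-ordered stream.
    Rule 1: 'Logon failed' -> count it in failed_logons[(user, src_ip)] and note the product.
    Rule 2: 'Logon success' for a key with >= FAIL_THRESHOLD live failures -> alert,
            then clear the row so one burst yields one alert."""
    failed_logons = ActiveList(ttl=WINDOW)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"], ev["src_ip"])
        if ev["event_name"] == "Logon failed":
            row = failed_logons.upsert(key, ev["time"])
            row["count"] += 1
            row["sources"].add(ev["product"])        # multi-column: which products saw it
        elif ev["event_name"] == "Logon success":
            row = failed_logons.lookup(key, ev["time"])
            if row and row["count"] >= FAIL_THRESHOLD:
                alerts.append({"rule": "Brute force followed by successful logon",
                               "user": ev["user"], "src_ip": ev["src_ip"],
                               "failures": row["count"], "sources": sorted(row["sources"]),
                               "time": ev["time"]})
                failed_logons.remove(key)
    return alerts


def _ev(t, name, user, src, product):
    return {"time": t, "event_name": name, "user": user, "src_ip": src, "product": product}


# Constructed sample: admin is brute-forced via two products, then logs in (alert);
# jdoe fails twice then succeeds (below threshold); bob's failures expire before his success.
SAMPLE_EVENTS = (
    [_ev(10 * i, "Logon failed", "admin", "203.0.113.9", "VPN" if i % 2 else "Auth Server") for i in range(5)]
    + [_ev(50, "Logon success", "admin", "203.0.113.9", "Auth Server")]
    + [_ev(10 * i, "Logon failed", "jdoe", "10.0.0.5", "Auth Server") for i in range(2)]
    + [_ev(30, "Logon success", "jdoe", "10.0.0.5", "Auth Server")]
    + [_ev(10 * i, "Logon failed", "bob", "198.51.100.7", "VPN") for i in range(5)]
    + [_ev(700, "Logon success", "bob", "198.51.100.7", "VPN")]
)

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The list does the work the reviewer describes: rule 1 never decides anything, it only maintains state, and rule 2 reads that state with full visibility into every column (count, first/last seen, contributing products). Because the TTL is enforced on every access, bob's stale failures cannot pair with a success ten minutes later, which is the expiry behaviour a closed-box aggregation would hide.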
PeerSpot user
Alexander Zhekov - PeerSpot reviewer
Business Development Manager at Escom Bulgaria EOOD
Real User
Enables better network visibility; with artificial intelligence, correlation, and machine learning features
Pros and Cons
  • "Feature-rich solution which provides better network visibility for improved security"
  • "The onboarding process for this solution could be better. It also needs a better GUI."

How has it helped my organization?

From a customer perspective, the most important thing is network visibility. Companies have more visibility on what is happening in the network, so they will be able to make decisions, whether automatic or human decisions, based on the analysis given by ArcSight Enterprise Security Manager (ESM). This helps improve the security within the organization.

What is most valuable?

The features I found most important in this solution are artificial intelligence and correlation tools. Machine learning which was recently added to the platform is also an important feature.

What needs improvement?

The onboarding process for this solution could be better.

Additional features I'd like to see in the next release are a better GUI (graphical user interface), and the inclusion of intelligence tools, e.g. dark web threat intelligence, etc.

For how long have I used the solution?

We've distributed ArcSight Enterprise Security Manager (ESM) in the last 12 months.

What do I think about the stability of the solution?

This solution is stable.

What other advice do I have?

We are a distributor here in Bulgaria for Micro Focus. We distribute ArcSight Enterprise Security Manager (ESM) here in Bulgaria and we are in touch with Micro Focus for the ArcSight portfolio.

I'm not a very technical guy. Especially for our market here in Bulgaria, it's very important to have local technical support from Micro Focus, e.g. presales engineers, to be able to close more sales, because the main competitor here, IBM Security QRadar, has representation with local technical engineers. This is important when we are trying to do new business.

Deploying this solution requires three to five engineers: network and EMC engineers.

ArcSight Enterprise Security Manager (ESM) is a very popular product with our customers, though we are trying to promote it daily and weekly to make it even more popular. We have a dedicated marketing channel for this.

My advice to future clients looking into implementing this solution is that every company needs it, especially in this day and age when it is mandatory to have cyber security investigation and protection. Another piece of advice is that if you want this project to be successful, you must rely on a local technical team who will be able to implement and configure the product.

I'm rating ArcSight Enterprise Security Manager (ESM) an eight out of ten because there is still room for improvement.

Disclosure: My company has a business relationship with this vendor other than being a customer: partner
PeerSpot user
Principal Enterprise Architect (Technology, Cloud & Security) at a retailer with 10,001+ employees
Real User
It supports cloud deployment and is very stable
Pros and Cons
  • "The feature that I have found the most useful is that it can be deployed to the cloud."
  • "The centralized dashboard for the hybrid cloud environment needs to be more focused. It needs to be redefined because it's missing most of the information. It should be a little bit easier to use. Currently, integration with various applications and connectors is not that easy. Deployment is easy, but integration is not that easy. ArcSight also has a very high bandwidth consumption to pull the local servers. It should have some kind of better process or ability to transfer files from on-premises to the cloud, from the cloud to on-premises, and from a cloud to another cloud."

What is most valuable?

The feature that I have found the most useful is that it can be deployed to the cloud.

What needs improvement?

The centralized dashboard for the hybrid cloud environment needs to be more focused. It needs to be redefined because it's missing most of the information.

ArcSight should also be a little bit easier to use. Currently, integration with various applications and connectors is not that easy. Deployment is easy, but integration is not that easy.

ArcSight also has a very high bandwidth consumption to pull the local servers. It should have some kind of better process or ability to transfer files from on-premises to the cloud, from the cloud to on-premises, and from a cloud to another cloud.

For how long have I used the solution?

I have been using ArcSight for six years. 

What do I think about the stability of the solution?

It is very stable.

What do I think about the scalability of the solution?

It is not always scalable.

How are customer service and technical support?

I didn't take any kind of support.

Which solution did I use previously and why did I switch?

I have worked with IBM QRadar. IBM QRadar is very expensive, and it is not easy to deploy like ArcSight. It can't be deployed without an SME. ArcSight is better than IBM QRadar.

How was the initial setup?

The initial setup was very straightforward. It hardly took four weeks. 

What other advice do I have?

If you have data centers, an SME or in-house resource to train people, and no budget constraint, then go with IBM. If you have a limited budget, hybrid environment, and untrained manpower, then go for Darktrace, AlienVault, or some other solution.

I would rate ArcSight an eight out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user406062 - PeerSpot reviewer
Sr. Director, Corporate Information Security at a comms service provider with 1,001-5,000 employees
Vendor
It correlates security events and then allows us to take action to address those events.

What is most valuable?

The most valuable feature for us is its ability to correlate security events and then allow us to take action to address those events.

How has it helped my organization?

We're able to customize it so that it suits our business needs.

What needs improvement?

Although we're able to customize it, it requires some level of subject-matter expertise for all the special adapters for collection.

We also had initial stability issues that were probably caused by our architecture and not the solution itself.

For how long have I used the solution?

We've been on the on-site platform for four years.

What was my experience with deployment of the solution?

We've had no issues with deployment.

What do I think about the stability of the solution?

We had some initial issues with stability, but we worked through it. I think our architecture and design were initially flawed, so that was more of our problem and not HP's.

What do I think about the scalability of the solution?

We've had no issues scaling it in the last three years.

How are customer service and technical support?

We've used technical support several times and found them to be good.

Which solution did I use previously and why did I switch?

We moved from a managed outsource service, provided by a competitor. We wanted to in-source it, or in-house it, so we had the ability to be a little bit more effective and nimble.

How was the initial setup?

The initial setup was complex, but HP's professional services helped us out.

What other advice do I have?

Make sure you staff up internally, and have the right subject-matter expertise to take advantage of the platform. Otherwise, it's not going to help.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user