PeerSpot user
Security Manager at a tech services company with 10,001+ employees
Real User
Allows me to view events in real time. The FlexConnector configuration is complex.

What is most valuable?

The web logger allows me to view and inquire about various events in real time. It is the most useful feature for me for the following reasons:

  • Allows me to look at the traffic in real time.
  • Allows me to add filters that remove the traffic that is not interesting.
  • Allows me to narrow down my research to only important traffic.
  • Helps me in my troubleshooting work. I need to know a bit of SQL query syntax, but that is straightforward.
  • Allows me to create reports, evaluate my findings, and send information to my customers.

How has it helped my organization?

I was able to provide intelligence reports to my customers. The organization relies on this information in order to sell services.

What needs improvement?

I would like to see the following:

  • An improvement in the connector/agent configuration.
    The connector configuration is CLI based. If the connectors are pre-defined and built by HPE, then the configuration/installation seems to be OK.
  • Making the FlexConnector configuration less complex.
    You need development skills in order to do your job in creating/configuring agents and connectors. I tried to learn the syntax in order to customize the software (connectors and agents) for a particular device, and it was a nightmare. The cost for this work, via HPE consultancy, is huge.

For how long have I used the solution?

I've been using this product for three and a half years. I am one of the supporters of the product.

Buyer's Guide
ArcSight Enterprise Security Manager (ESM)
April 2025
Learn what your peers think about ArcSight Enterprise Security Manager (ESM). Get advice and tips from experienced pros sharing their opinions. Updated: April 2025.
849,686 professionals have used our research since 2012.

What was my experience with deployment of the solution?

Some of the connectors need to be developed in-house. There were also issues with forwarding events. We noticed that some logs were lost between connectors and the central reporting unit.

How are customer service and support?

I would give technical support a rating of 4 or 5 out of 10.

Which solution did I use previously and why did I switch?

We also use Splunk to compare features. ArcSight is the favorite solution for my organization.

How was the initial setup?

The initial setup is straightforward, but the customization can become a nightmare very easily.

What about the implementation team?

We had an in-house implementation. I would recommend a dedicated team for implementation, support, and operation.

What other advice do I have?

This product requires a dedicated team to operate it from A to Z. HPE support needs to be clearly defined and considered.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer2134215 - PeerSpot reviewer
Consultant at a financial services firm with 10,001+ employees
Real User
Flexible with easy integrations but needs a less complex query language
Pros and Cons
  • "It makes maintenance very easy."
  • "The UI interface is somewhat complex and needs to be simplified."

What is our primary use case?

We have two connectors. One is a smart connector, and one is a select connector. It's a simple ESM tool. 

What is most valuable?

It offers easy integrations.

It's flexible for managing the monitoring of all activities on your network. It offers easy management and good dashboards.

There is good visibility over all of the traffic and logs and the health of the devices. It makes maintenance very easy.

It works with Linux and Mac, and other network devices, including firewalls and proxies. 

The solution can take logs from the cloud. That said, we do need to deploy a cloud connector to make that happen.

What needs improvement?

The query language should be less complex. 

The UI interface is somewhat complex and needs to be simplified. 

The dashboards don't read in a graphical manner. You have to read the logs and the output whenever you run a query. You need to understand the output. You have to export it to a .CSV and then design the visualization as per your requirements.

We're missing visual dashboards and reporting. We'd like to have the reporting of simple histories, and we need dashboards to show details in a presentable format.

In the logs, we're capturing multiple fields, some of which we do not need. There should be an option to just keep the fields you require and discard the rest. 

For how long have I used the solution?

I've been using the solution for almost two years. 

What do I think about the stability of the solution?

Stability could be better. I would rate it six out of ten. I've seen a lot of crashes for the connector or server.

What do I think about the scalability of the solution?

The scalability is pretty good. I would rate it eight out of ten. 

It's an enterprise solution. We have deployed the solution to 30 or 40 clients.

We do not have plans to increase usage.

How are customer service and support?

We have not used technical support. Our team provides support to the customer. I'm not sure how they have assisted, if applicable. 

How was the initial setup?

The initial setup can be complex in comparison to other things. It's not difficult. There are just multiple components to consider. Deployment-wise, it is okay, just not simple. It becomes more complex when you have to develop multiple components at the same time. 

What was our ROI?

We have witnessed an ROI so far.

What's my experience with pricing, setup cost, and licensing?

The pricing depends on the client. It does have the same price range as other solutions. The pricing we pitch is based on EPS level for management. 

What other advice do I have?

I'm not sure which version of the solution I'm using. 

Users should have a good knowledge of the management of logging, including how to write log queries and the development of custom connectors. There is some technical skill necessary.

I'd rate the solution seven out of ten overall. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Subhadip Pakrashi - PeerSpot reviewer
CEO at Kapstone Technological Services LLP
Real User
Top 5, Leaderboard
A stable and scalable enterprise data security manager, but the initial setup could be more straightforward
Pros and Cons
  • "ArcSight Enterprise Security Manager (ESM) works perfectly. It's a stable and scalable product."
  • "The initial setup could be more straightforward."

What is our primary use case?

I'm an administrator, and I implement ArcSight Enterprise Security Manager (ESM). I use ArcSight SIEM and have all the security information, events, logins, and security logs. We compile all the information so we can file and stop it from happening or provide an alert. 

What is most valuable?

ArcSight Enterprise Security Manager (ESM) works perfectly. It's a stable and scalable product.

What needs improvement?

The initial setup could be more straightforward. 

What do I think about the stability of the solution?

ArcSight Enterprise Security Manager (ESM) is a stable solution. However, it depends on how well it's deployed in the customer's location. 

Because SIEM doesn't have much to do with blocking the traffic, even if it doesn't get deployed well, it doesn't matter to the customer because the work is going on, and the traffic is flowing in. 

It's just that the correlation will never happen. The security post of the company goes for all; that's the only problem. Apart from that, there would be no problem with the operations website. 

What do I think about the scalability of the solution?

ArcSight Enterprise Security Manager (ESM) is scalable, but you must size it well.

How are customer service and support?

ArcSight technical support is a bit better than QRadar's.

How was the initial setup?

The initial setup is complex. In general, it takes about three months to implement this solution.

What other advice do I have?

I will only make recommendations based on the customer's requirements and environment.

On a scale from one to ten, I would give ArcSight Enterprise Security Manager (ESM) a seven.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Implementer
PeerSpot user
Works at NOOSC Global
Real User
Helpful for detecting malware and intrusions, but needs support for devices that do not produce log files
Pros and Cons
  • "For the typical malware or intrusion, this solution assists us by identifying the symptoms based on network traffic from the application servers."
  • "The weakness in this system comes about because, with so many different logs, it is possible that the security analyst will lose information."

What is our primary use case?

We have a customer who is using this solution for information security monitoring.

How has it helped my organization?

For the typical malware or intrusion, this solution assists us by identifying the symptoms based on network traffic from the application servers. We are then able to prevent others from accessing critical information.

What is most valuable?

I really like the dashboard.

What needs improvement?

One of the problems for the security center is that there are many logs that need to be retrieved from a variety of network devices. The weakness in this system comes about because, with so many different logs, it is possible that the security analyst will lose information. I would like to have better support for wide-area data analytics.

Ideally, I would like to see ArcSight have the ability to consume raw information, or raw data, without being dependent on a log file.

For how long have I used the solution?

Between five and six years.

What do I think about the scalability of the solution?

There are more than six thousand users. However, because it is a log-based system, the scalability is limited. As such, our customer is looking for a solution that can scale better as the number of users and the number of devices in the infrastructure increases.

How are customer service and technical support?

There is not much in terms of support that is available for this solution. There are not many people with the competency for visualization and creating use cases.

How was the initial setup?

The initial setup of this solution is pretty complex. Once this installation is complete, we need to set up the use cases.

Deployment for this solution took between three and six months and was performed with four to five people.

What about the implementation team?

A reseller assisted our customer with the deployment.

What's my experience with pricing, setup cost, and licensing?

The cost of the solution is not very high, although hiring a qualified analyst to work with the product is expensive.

What other advice do I have?

In summary, this solution requires a dedicated person that has specific competency in this product. It is not a plug-and-play product that allows you to simply focus on the analytics. It is not easy for an amateur.

The suitability of this solution depends on the complexity of the system. If the organization is very large, for example nationwide, then a log-based approach such as this one will be very difficult to implement. 

Obviously, if the device does not generate a log then it is not supported by this solution. Our client has successfully deployed it for use with several devices, including firewalls and IPS, but they have no support for some in-house applications.

I would rate this solution a five out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user468321 - PeerSpot reviewer
Chief Technology Officer (CTO) at a tech company with 501-1,000 employees
Vendor
It enables us to speed our time to resolution.

What is most valuable?

  • Security, understanding detection, intrusion, and how to do prevention and take action on an event that occurs from a security layer.
  • Having a single solution that can actually manage the entire infrastructure, soup to nuts.
  • Ability to detect and then take action on it.

How has it helped my organization?

Reducing my OPEX cost by reducing the overhead and training costs of employees and staff. Before, we would have had to have a large number of staff to be able to go in and do consulting opportunities, to mitigate and remediate security intrusions on given clients. Now, using ArcSight, albeit there may be a capital upfront cost to buy the software product, it enables us to speed our time to resolution.

What needs improvement?

ArcSight needs to go the same route that HPE's doing with the virtualization engine of the HP 380, basically making it more of a single pane of glass to be able to deploy and take a tangible action on a security event. Today it still takes a lot of consulting dollars to go into trying to deploy ArcSight. You have to have a very powerful technologist or technologist team to deploy ArcSight at scale and be able to actually understand the events coming inbound and make the right tangible decisions from those points of ingress or points of notification. Today that is, albeit, not horribly hard, as long as you have a trained professional that knows the product. It would be nice to be able to basically make that a single pane of glass, much like HPE's done with the virtualization concept. It would make that pain point a little less. It's not going to make it perfect, but it would be nice to see improvement in that area.

What do I think about the stability of the solution?

My opinion from a stability standpoint: we don't have any issues. The product runs 24/7/365. Whenever HPE introduces a patch or an enhancement for security concerns, we've never had a problem being able to ingest that on the fly with little-to-no downtime outside of what's been expected from the release of the patch.

What do I think about the scalability of the solution?

I've not had any problems with scaling into tens of thousands of nodes. I guess the biggest problem you're going to have with that would actually be the compute power to make the tangible decisions that are needed in large-scale environments where you have hundreds of firewalls coming in from different points of ingress. That would be a concern, but again, that's not because of ArcSight; it's basically just compute power.

How are customer service and technical support?

It has improved substantially over the last two years. I'm going to rate them at 3/5 because when you call in the time to remediation is long right now. I'm not going to fault any one person on that. It's a complex security tool, so calling in and trying to get that omission, crystal ball appearance is difficult. I get that. Is there room for improvement? Of course there is.

Which solution did I use previously and why did I switch?

Well, we have different tools out there, but the most common one everybody's going to know about is Splunk. Feature, function, and price were why we switched. When we're able to actually deliver the similar features and functions, and add in additional intellectual property from HPE with respect to the decision trees of ArcSight and being able to take tangible actions on the stuff that's coming inbound, that's great. Other tools can do that. Now you're just talking about price in the industry. If we're able to deliver the same features and functionality at a lower cost to the client, typically we'll win with ArcSight.

How was the initial setup?

Straightforward for the most part, but there are limitations. For example, in the virtualization engine of the J80, the Instant On, which is a OneView Instant On product line, it does work great as long as you have your infrastructure. Our clients give us all the necessary requirements, such as the AD and IP address, the DNS, the subnets, and so on. As long as all that works seamlessly, then we can usually bind that HP 380, the Instant On, into the infrastructure seamlessly. Does it always work smoothly? No. But that's not necessarily HPE's fault; it's because the infrastructure doesn't always lend itself to easy integration.

What other advice do I have?

I'm going to rate it at a 9. There's always room for improvement, of course, and maybe I'll be fair and give it an 8.5. The only reason I would do that is because, again, coming up with that single pane of glass, easier management style, and more about deployment. You don't have to have that powerhouse technologist that knows every trick of the trade to go in and deploy it and get all the bells and whistles. Is that a perfect model that will ever be achieved? Of course not. Can there be improvement? Sure there can. What I'm shooting for is to have an ArcSight solution that can get me 90 percent there, and then the customization of ArcSight will be reduced substantially, so that the customers' adoption of a new security-style tool will be easier to swallow, and it will lend itself to a larger footprint over time as the customer builds comfort with the product.

With respect to the software on ArcSight, the concept's the same on that. When we actually ask for improvements on the product, they've made those enhancements and made those fixes. Now, with respect to me asking for a single pane of glass? I know they're working on it; I'm sure they are. It's a pain point that not only we have, but a lot of our customers have. If we're having the same conversation next year, I'll be disappointed. I'm hoping that the single pane of glass comes out soon.

Disclosure: My company has a business relationship with this vendor other than being a customer: We're a partner and reseller.
it_user417483 - PeerSpot reviewer
Senior IT Security Consultant, Cybersecurity Technology Services at a consultancy with 1,001-5,000 employees
Consultant
It has flexible and rich correlation capabilities. It has the capability to manipulate every parameter - sub-strings, indexes, and custom functions.

Valuable Features

  • It has flexible and rich correlation capabilities. This is the most mature product in this area.
  • It has the capability to manipulate every parameter - sub-strings, indexes, and custom functions.
  • Active Lists - This is the most powerful feature which supports correlation. It also has multi-column active lists, parameter manipulation, and correlation capabilities that provide great flexibility.
  • Full control of correlation flow - There are no black-box closed rules, unlike with McAfee Nitro, and no default aggregation which is hard to analyze, unlike Offenses in QRadar.

Improvements to My Organization

This is the best product to build and support SOC operations and SOC use cases.

Room for Improvement

The layout of the analyst's console needs improvement. It has had no significant changes in at least nine years. Also, the advanced statistics in visualizations simply don't work, and I've performed an analysis of these functions.

Use of Solution

We've been using it for nine years.

Deployment Issues

We have had no issues with the deployment.

Stability Issues

We have had no issues with the stability.

Scalability Issues

We have had no issues scaling it for our needs.

Customer Service and Technical Support

I have not had to use tech support for at least two years now. From what I recall, they were good.

Initial Setup

The initial setup was simple, and the implementation was straightforward, as the supporting documentation is pretty good. Help for setup, which is available from the analyst console, is really great and complex, with diagrams and screens.

Implementation Team

ArcSight makes it easy to achieve ROI because of its great flexibility.

Other Solutions Considered

This is the best SIEM solution on the market compared to its competitors. I'm also familiar with IBM QRadar, RSA Security Analytics, McAfee Nitro, and Splunk.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user142611 - PeerSpot reviewer
Information Security Professional at a financial services firm with 1,001-5,000 employees
Real User
The response is good for Read/Write functions, but I've encountered other minor issues. Better than its competitors.

Valuable Features

Correlation Rules, Dashboards, Active Channels, Active Lists, and many more. All these features make this product better than its competitors.

Improvements to My Organization

ArcSight functions to integrate all network & security logs. It's very easy to use, and thus real-time monitoring has become easy by implementing an active channel with all correlated alerts. SOC can monitor these correlated alerts and take action on them.

Room for Improvement

ArcSight uses Oracle DB, which is a bit slow for read/write functions and the main downside to this product. Recently, HP came up with a custom DB for ArcSight 6.0 which they are calling CORR engine. With these Read/Write functions, response is good but unfortunately I've encountered many other minor issues which have room for improvement.

Use of Solution

I've been using it for the last 6 years.

Deployment Issues

Yes, minor issues were encountered and resolved in a timely manner by HP support.

Stability Issues

Yes, Read/Write functions to the DB are the main concern, and this slows down the event processing.

Scalability Issues

I don't think there are any issues with Scalability.

Customer Service and Technical Support

Customer Service: Good
Technical Support: Pretty good and timely.

Initial Setup

Slightly complex, but manageable.

Implementation Team

With the help of a vendor team. They are really helpful and cooperative.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Rikin Rathod - PeerSpot reviewer
Senior Officer IT at Tech Data Limited
Real User
Top 10
Interactive dashboards provide lots of detail, but tough to operate for new users
Pros and Cons
  • "I think that the overall experience with this solution is good, but in particular, I think that the dashboards are quite interactive."
  • "It would be nice if the interface were more user-friendly, with, for example, a minimal number of tabs to navigate."

What is most valuable?

I think that the overall experience with this solution is good, but in particular, I think that the dashboards are quite interactive.

What needs improvement?

Somebody who is new and just starting with this product finds it really tough. The software is quite big. It would be nice if the interface were more user-friendly, with, for example, a minimal number of tabs to navigate.

A walkthrough that shows everything a normal user might do would be very helpful.

I would like to see improvements on the Active Channel side of this solution.

For how long have I used the solution?

Between one and two years.

What do I think about the stability of the solution?

The software itself seems to be stable, as we have not actually experienced any bugs. The connection depends on the network side, but overall it seems to be working fine.

What do I think about the scalability of the solution?

This solution would be more scalable if the interface were more user-friendly. There are rules and alerts, and the user has to have the proper knowledge of all of these things. With a walk-through, I think that it would be quite easy to scale.

We have two people using this solution, and we perform monitoring on a daily basis. In our environment, adding users is quite rare. 

How are customer service and technical support?

We did have a couple of problems recently where one of the modules was not communicating well. In terms of support, I think that they are quite good.

Which solution did I use previously and why did I switch?

This is the first solution that we have used for monitoring.

How was the initial setup?

I was not involved in the initial setup of this solution.

What other advice do I have?

This is a really good solution and I would recommend it. If you know how to work it, and how to configure it properly, then it can give you lots and lots of information. On the other hand, it provides so much detail that people can miss things. If the interface and reports were minimized and consolidated then it would be better.

I would rate this solution a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.