Presales Manager at a tech services company with 51-200 employees
Real User
Top 10
The flex connector lets you develop new connectors to integrate homebrew solutions
Pros and Cons
  • "The most important feature is ArcSight's event correlation capabilities. It's powerful and easy. I also like the flex connector capability. It's easy to develop a new connector that isn't fully supported out of the box. For example, say you created a solution internally that's completely different, and it's not supported by the solution. You can write your own connector using the flex connector."
  • "When we need to consume old events, we have to wait for a long time. ArcSight should improve the database capability to reply to queries faster. It would also be interesting if they implemented network visibility. For example, they could add a feature like NetWitness with a model just for looking through the packets."

What is our primary use case?

We use ArcSight primarily to provide logs for the incident response team and cyber security analysts to evaluate everything happening in the network.

What is most valuable?

The most important feature is ArcSight's event correlation capabilities. It's powerful and easy. I also like the flex connector capability. It's easy to develop a new connector that isn't fully supported out of the box. For example, say you created a solution internally that's completely different, and it's not supported by the solution. You can write your own connector using the flex connector.

What needs improvement?

When we need to consume old events, we have to wait for a long time. ArcSight should improve the database capability to reply to queries faster. It would also be interesting if they implemented network visibility. For example, they could add a feature like NetWitness with a model just for looking through the packets.

What other advice do I have?

I rate ArcSight Enterprise Security Manager nine out of 10.

Buyer's Guide
ArcSight Enterprise Security Manager (ESM)
April 2024
Learn what your peers think about ArcSight Enterprise Security Manager (ESM). Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
769,334 professionals have used our research since 2012.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior IT security Administrator and solution at scada.ci
Real User
Scalable, reliable, and good support
Pros and Cons
  • "The stability of ArcSight Enterprise Security Manager is good."
  • "The user interface of ArcSight Enterprise Security Manager could improve. It is not very good. Additionally, they could integrate the web interface better."

What is our primary use case?

I use ArcSight Enterprise Security Manager to make some letters, queries, administration of the SmartConnectors, and Logger for reporting.

What needs improvement?

The user interface of ArcSight Enterprise Security Manager could improve. It is not very good. Additionally, they could integrate the web interface better.

For how long have I used the solution?

I have been using ArcSight Enterprise Security Manager (ESM) for approximately five years.

What do I think about the stability of the solution?

The stability of ArcSight Enterprise Security Manager is good.

What do I think about the scalability of the solution?

ArcSight Enterprise Security Manager has good scalability.

We have three administrators and seven analysts using this solution in my organization.

How are customer service and support?

The support from ArcSight Enterprise Security Manager is very good. However, we have some questions that have not been resolved.

I rate the technical support from ArcSight Enterprise Security Manager a four out of five.

How was the initial setup?

The initial setup is difficult because you need to have some extra knowledge to complete it.

What's my experience with pricing, setup cost, and licensing?

We have a license to use this solution. The price of ArcSight Enterprise Security Manager is expensive.

What other advice do I have?

My advice to others is for them to have some training before they use the solution.

I rate ArcSight Enterprise Security Manager a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Works at NOOSC Global
Real User
Helpful for detecting malware and intrusions, but needs support for devices that have no log files
Pros and Cons
  • "For the typical malware or intrusion, this solution assists us by identifying the symptoms based on network traffic from the application servers."
  • "The weakness in this system comes about because, with so many different logs, it is possible that the security analyst will lose information."

What is our primary use case?

We have a customer who is using this solution for information security monitoring.

How has it helped my organization?

For the typical malware or intrusion, this solution assists us by identifying the symptoms based on network traffic from the application servers. We are then able to prevent others from accessing critical information.

What is most valuable?

I really like the dashboard.

What needs improvement?

One of the problems for the security center is that there are many logs that need to be retrieved from a variety of network devices. The weakness in this system comes about because, with so many different logs, it is possible that the security analyst will lose information. I would like to have better support for wide-area data analytics.

Ideally, I would like to see ArcSight have the ability to consume raw information, or raw data, without being dependent on a log file.

For how long have I used the solution?

Between five and six years.

What do I think about the scalability of the solution?

There are more than six thousand users. However, because it is a log-based system, the scalability is limited. As such, our customer is looking for a solution that can scale better as the number of users and the number of devices in the infrastructure increases.

How are customer service and technical support?

There is not much in terms of support that is available for this solution. There are not many people with the competency for visualization and creating use cases.

How was the initial setup?

The initial setup of this solution is pretty complex. Once this installation is complete, we need to set up the use cases.

Deployment for this solution took between three and six months and was performed with four to five people.

What about the implementation team?

A reseller assisted our customer with the deployment.

What's my experience with pricing, setup cost, and licensing?

The cost of the solution is not very high, although hiring a qualified analyst to work with the product is expensive.

What other advice do I have?

In summary, this solution requires a dedicated person that has specific competency in this product. It is not a plug and play product that allows you to simply focus on the analytics. It is not easy for an amateur.

The suitability of this solution depends on the complexity of the system. If the organization is very large, for example nationwide, then a log-based approach such as this one will be very difficult to implement.

Obviously, if the device does not generate a log then it is not supported by this solution. Our client has successfully deployed it for use with several devices, including firewalls and IPS, but they have no support for some in-house applications.

I would rate this solution a five out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user142611 - PeerSpot reviewer
Information Security Professional at a financial services firm with 1,001-5,000 employees
Real User
The response is good for read/write functions, but I've encountered other minor issues. Better than its competitors.

Valuable Features

Correlation Rules, Dashboards, Active Channels, Active Lists and many more. All these features make this product better than its competitors.

Improvements to My Organization

ArcSight functions to integrate all network and security logs. It's very easy to use, and thus real-time monitoring has become easy by implementing an active channel with all correlated alerts. The SOC can monitor these correlated alerts and take action on them.

Room for Improvement

ArcSight uses Oracle DB, which is a bit slow for read/write functions and is the main downside to this product. Recently, HP came up with a custom DB for ArcSight 6.0 which they are calling the CORR engine. With these read/write functions, the response is good, but unfortunately I've encountered many other minor issues which have room for improvement.

Use of Solution

I've been using it for the last 6 years.

Deployment Issues

Yes, minor issues were encountered and resolved in a timely manner by HP support.

Stability Issues

Yes, read/write functions to the DB are the main concern, and this slows down event processing.

Scalability Issues

I don't think there are any issues with Scalability.

Customer Service and Technical Support

Customer Service: Good

Technical Support: Pretty good and timely.

Initial Setup

Slightly complex, but manageable.

Implementation Team

With the help of a vendor team. They are really helpful and cooperative.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user597606 - PeerSpot reviewer
Associate Manager at a tech services company with 10,001+ employees
Real User
Dashboards and channels provide real-time alerts. Correlation becomes slow if we have more than a certain number of rules.

What is most valuable?

Creating dashboards and real-time channels for real-time monitoring: This feature gives real-time alerts for the monitoring team to act upon. In certain cases, we can also create real-time email alerts for relevant teams for faster actions and resolutions.

How has it helped my organization?

This product has helped us and our customer in monitoring the security of different applications as well as different hardware devices. It helps in keeping an eye on each activity logged in our internal environment. This also helped us and our customer meet the local regulatory requirements.

What needs improvement?

The correlation and storage have to be improved. The correlation works fine if we have a small number of rules written, but it becomes slow if we have more than 200 rules written for any correlation. This created buffer buckets for all events flowing into the system. There are other ways in which this can be improved.

For how long have I used the solution?

For the last one year, I have been using the current version, i.e., HPE ArcSight ESM, Hardware Appliance L5600, Software Version 6.8.

Before that, I have used the earlier versions, i.e., v4.5 and v5.0 for nearly three years.

What do I think about the stability of the solution?

I have not encountered any stability issues with HPE ESM. It was stable all the time.

What do I think about the scalability of the solution?

We didn't encounter any scalability issues. We were able to scale it as and when required.

How are customer service and technical support?

The technical support needs improvement, as sometimes it takes time to get the actual response on the issue. It takes more than two days to reach a resolution as the support team needs a lot of basic information.

Which solution did I use previously and why did I switch?

I was not using any other solution previously.

How was the initial setup?

The setup was straightforward but it still needs involvement from the support team as sometimes credentials do not work.

What's my experience with pricing, setup cost, and licensing?

This is based on the requirement and budget. I would not like to comment on the pricing or licensing.

Which other solutions did I evaluate?

We looked at other solutions such as Splunk and IBM QRadar.

Disclosure: My company has a business relationship with this vendor other than being a customer: We have an alliance with HPE for their security products.
PeerSpot user
it_user409203 - PeerSpot reviewer
Security Business Analyst at a tech services company with 10,001+ employees
Consultant
It has good options for shaping data and using them in very complex rules. Performance is the product's Achilles' heel.

What is most valuable?

I think the ability to create rules more flexible than in other products (i.e. IBM QRadar) is its most valuable feature. It has good options for shaping data and using them in very complex rules.

How has it helped my organization?

It has increased our detective capabilities in the cybersecurity landscape. We're able to build SOC around it, and make it a central tool for detecting network compromises.

What needs improvement?

Performance is the product's Achilles' heel. The aggregation can't be done for a long period of time, i.e. one week. On top of that, in comparison to the competition, ArcSight works very slowly and the WebUI is not very user-friendly.

For how long have I used the solution?

We've been using it for 10 months and the program is still in the development phase.

What was my experience with deployment of the solution?

There were no issues with the deployment.

What do I think about the stability of the solution?

There have been no stability issues.

What do I think about the scalability of the solution?

We have had no issues scaling it to our needs.

How are customer service and technical support?

The level of technical support is low. I think HP should invest money to train support people. Furthermore, sometimes I feel they are overworked, because they tend to send notifications about cases without closing them.

Which solution did I use previously and why did I switch?

Previously, I worked with IBM QRadar.

How was the initial setup?

SIEM in general is not straightforward. I think the initial setup was simple, but to get value from this product, you have to do something more than the initial setup.

What about the implementation team?

We did it in-house with help from the vendor's professional services. My advice is to think first where you would like to put your collectors. Assess if your network will be able to lift extra loads, assess what logging level will be required, and if log sources are capable of delivering it.

Which other solutions did I evaluate?

ArcSight was chosen by my new company management without asking me for my opinion.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
PeerSpot user
Manager, Enterprise Risk Consulting at a tech company with 1,001-5,000 employees
Real User
Network investigation is poor but it's highly customizable

Valuable Features:

  • Powerful Correlation
  • Customization 
  • Integration capabilities

Room for Improvement:

  • Very complex install and management
  • Steep learning curve
  • Poor Network Investigation
  • Poor analytics.

Use of Solution:

Six years.

Stability Issues:

Yes. The Logger, ESM and Connector ecosystem, if not set up properly, leads to stability issues both in point operations as well as integrations.

Scalability Issues:

No. ArcSight is very scalable.

Customer Service:

3 out of 5.

Implementation Team:

We implemented it in-house.

ROI:

Poor as the product takes more effort to generate value. Its CAPEX cost is high too.

Other Advice:

If you really want the power and flexibility of customizing your Security monitoring and correlation, go with ArcSight, but beware of the effort involved in set up and maintenance.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Head - Professional Services at a computer software company with 51-200 employees
Real User
A mature and simple to use product, but needs a cloud deployment option
Pros and Cons
  • "The product is quite mature. It's been around for a long time."
  • "The biggest requirement is that there is no cloud solution for this product yet. They need to create a cloud version. It's the biggest thing they can do to make the solution better."

What is our primary use case?

We primarily provide this solution to clients.

What is most valuable?

The simplicity of the solution is the most valuable aspect of the product.

The product is quite mature. It's been around for a long time.

The integration is easy for the most part.

What needs improvement?

Over the past two years, a lot of improvements have been happening.

The biggest requirement is that there is no cloud solution for this product yet. They need to create a cloud version. It's the biggest thing they can do to make the solution better.

The dashboard and user interface need some work. It's my understanding that they are developing better versions of those now.

For how long have I used the solution?

I've been using the solution for eight years or so. I started working on Version Five and have continued to update it from there.

What do I think about the stability of the solution?

The stability of the solution is very good. It's pretty perfect, actually. We don't have crashes. It doesn't freeze. There aren't bugs or glitches. It's completely reliable.

What do I think about the scalability of the solution?

The solution is easily scalable. If an organization needs to expand it, they most certainly can.

What we used to do traditionally to scale is that each device throws up a certain EPS, and we size the solution accordingly. Once they have a cloud solution, it will be even easier to scale.

The solution works for any size of organization, from small companies to large enterprises.

How are customer service and technical support?

The solution's technical support is excellent. I'm in India, however, their support is on a global scale.

HP as an organization had one toll-free number. You plug in your requirements. However, by the time it reached the team, it became difficult as everyone was routed centrally. However, once the site was taken over by Micro Focus, we are seeing some great improvements in the support.

How was the initial setup?

The initial setup is not complex. It's very straightforward.

If you have a well-skilled technician, you probably only need a few people to handle the deployment and maintenance.

In terms of how long a deployment takes, a SIEM implementation depends on the number of devices, and which we are integrating with. The kind of dashboards and reports the customer is looking for also come into play in calculating the amount of time that will be needed. Therefore, the duration of the implementation would be purely dependent on the client's specific needs.

A standard deployment is typically four weeks. However, I've seen some deployments take as long as 12 weeks.

What about the implementation team?

We deploy the solution for our clients. We also tend to handle the maintenance for our clients as well.

Which other solutions did I evaluate?

I have some experience with Splunk and Curator.

There are a few differences. Splunk, for example, is a native cloud product. That makes it excellent for scalability. Any on-premise challenges a company might face are answered by Splunk.

In both solutions, you are able to integrate and manage other devices as well, which isn't necessarily true of ArcSight.

What other advice do I have?

We're an authorized partner. We provide this solution to our clients.

In terms of implementation, new users should make a list of the requirements they need in order to have a broad idea of what they want the solution to achieve. Once they understand their requirements, it will be easier to find a solution that will match them.

For ArcSight, users need to go in with the compliance packs. ArcSight has some additional modules called compliance packs, which can get you automatic reports. That needs to be configured pretty well.

The biggest piece everyone needs to consider is the sizing part. It's an on-premise solution. If you are not buffering the sizing with at least about 25% additional computation and the storage space, then you're in for trouble down the line. Always go bigger than you need.

Overall, I'd rate the solution seven out of ten.

ArcSight, in the last one and a half years, has been delivering on time, in terms of a better dashboard, a better user interface, and now, with an add-on EDA. MailStore is also getting into it. We are seeing that they are catching up with what the market needs. We will have to wait and see what the new release brings. Version Eight is coming in now. They seem to be doing everything now and are committing to some great features in a future release.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Buyer's Guide
Download our free ArcSight Enterprise Security Manager (ESM) Report and get advice and tips from experienced pros sharing their opinions.
Updated: April 2024