Senior Security Consultant, CISSP, HPE ArcSight Specialist at a retailer with 5,001-10,000 employees
Consultant
Parses raw logs, converts them to common event format so you don't need expertise in all products
Pros and Cons
  • "SmartConnector: Normalization parses raw logs and converts them into CEF (common event format). This is the core of the product."
  • "They need to develop NetFlow appliances that can be installed in the customer network on span ports, collect NetFlow, and send it to ArcSight without relying on the devices' NetFlow capability and their position in the network."

How has it helped my organization?

This product is one of the best SIEM solutions, which helps SOC analysts to consolidate all security-relevant logs of many products into one place in a common format. It doesn’t require that you have expertise in each and every product. It facilitates pinpointing indicators of compromise and investigating security incidents more quickly than the legacy way of checking every product log separately. The old way required a huge effort (and the pain) of human correlation.

What is most valuable?

  • SmartConnector: Normalization parses raw logs and converts them into CEF (common event format). This is the core of the product.
  • Filtration, Aggregation: Both features provide a good way to save EPS (events per second).
  • Logger: Long log retention, fast search, and reporting.
  • ESM/Express: Correlation via standard rules and data monitors, active list, session list, active channels, reports, trends, queries, dashboards (query viewers and data monitors), and lightweight rules.

What needs improvement?

Developing more products/modules that make it more independent from relying on other vendors’ products to get all the necessary logs. For example, develop NetFlow appliances that can be installed in the customer network on span ports, collect NetFlow, and send it to ArcSight without relying on the devices' NetFlow capability and their position in the network.

What do I think about the stability of the solution?

Overall, the product stability is very good. But without continuous tuning of the developed content, or with improper usage of the product, you can encounter performance issues with ESM/Express, and sometimes hangs, which require a service restart.

Buyer's Guide
ArcSight Enterprise Security Manager (ESM)
April 2024
Learn what your peers think about ArcSight Enterprise Security Manager (ESM). Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
769,334 professionals have used our research since 2012.

What do I think about the scalability of the solution?

No.

How are customer service and support?

Sometimes very good and sometimes moderate.

Which solution did I use previously and why did I switch?

No.

How was the initial setup?

Straightforward for Logger and Express appliance; more considerations for ESM software version.

What's my experience with pricing, setup cost, and licensing?

HPE ArcSight pricing might be more expensive than other SIEM solutions, but in my opinion it has powerful features and great flexibility in developing complex use cases. So, in my opinion, it's worth trying first (via PoC, for example) before making any decision based on cost.

Which other solutions did I evaluate?

No.

What other advice do I have?

If you are implementing Express/ESM, I advise disabling all out-of-the-box content and building your own. Also, keep monitoring partial matches and your session/active list sizes as you develop your correlation rules, as it has a big performance hit on the system.

Disclosure: My company has a business relationship with this vendor other than being a customer: HPE implementation partner.
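As an added illustration of the SmartConnector normalization the review above calls the core of the product (raw log in, CEF out), here is a small CEF encoder/parser written for this page; it is not ArcSight's own code, and the raw syslog line, the `ExampleVendor`/`ExampleFW` header values and the netfilter-style parser are constructed assumptions. It applies the CEF escaping rules (`|` and `\` in the header; `=`, `\`, CR and LF in the extension) so that a round trip through `to_cef` and `parse_cef` preserves the original values.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the style of a Linux netfilter syslog line (not from a real device).
RAW_LOG = "Jan 12 10:15:01 fw01 kernel: DROP SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP DPT=22"

@dataclass
class CefEvent:
    """The seven CEF header fields plus the key=value extension."""
    version: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    extension: dict = field(default_factory=dict)

# Header fields escape only '|' and '\'; extension values escape '=', '\', CR and LF.
def _escape_header(v):
    return v.replace("\\", "\\\\").replace("|", "\\|")
def _escape_ext(v):
    return v.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n").replace("\r", "\\r")
_EXT_UNESCAPE = {"=": "=", "\\": "\\", "|": "|", "n": "\n", "r": "\r"}
def _unescape_ext(v):
    return re.sub(r"\\(.)", lambda m: _EXT_UNESCAPE.get(m.group(1), m.group(0)), v)

def to_cef(ev):
    header = "|".join(_escape_header(x) for x in (ev.vendor, ev.product, ev.device_version,
                                                  ev.signature_id, ev.name, ev.severity))
    ext = " ".join(f"{k}={_escape_ext(v)}" for k, v in ev.extension.items())
    return f"CEF:{ev.version}|{header}|{ext}"

def _split_header(line):
    """Split the seven header fields on unescaped '|' and return them with the raw extension."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            cur.append(line[i + 1]); i += 2        # escaped pipe or backslash
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    return fields, line[i:]

# A key starts the extension or follows whitespace; an escaped '\=' inside a value never matches.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
def _parse_extension(raw):
    ext, keys = {}, list(_KEY_RE.finditer(raw))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(raw)
        ext[m.group(1)] = _unescape_ext(raw[m.end():end])
    return ext

def parse_cef(line):
    fields, raw_ext = _split_header(line)
    return CefEvent(fields[0][4:], *fields[1:], _parse_extension(raw_ext))

# Normalizer for the constructed RAW_LOG format; vendor/product names are placeholders.
_RAW_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: (?P<action>\w+) (?P<kv>.*)$")
def normalize_raw(line):
    m = _RAW_RE.match(line)
    if not m:
        raise ValueError("unrecognised raw log line")
    kv = dict(tok.split("=", 1) for tok in m.group("kv").split())
    ext = {"src": kv["SRC"], "dst": kv["DST"], "proto": kv["PROTO"], "dpt": kv["DPT"],
           "dvchost": m.group("host"), "act": m.group("action")}   # standard CEF extension keys
    return CefEvent("0", "ExampleVendor", "ExampleFW", "1.0", "100",
                    "Packet " + m.group("action").lower(), "3", ext)
```

Calling `normalize_raw(RAW_LOG)` and then `to_cef` yields a line beginning `CEF:0|ExampleVendor|ExampleFW|1.0|100|Packet drop|3|src=10.0.0.5 ...`, which `parse_cef` turns back into the same event.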
it_user418164 - PeerSpot reviewer
Senior Security Consultant & Solution Architect at a financial services firm with 10,001+ employees
Vendor
It's able to track down security incidents faster and make for a more efficient investigation of a user's network activity based on the log data available.

Valuable Features:

  • Alert correlation
  • Reporting
  • Retention

These are the features we find most valuable for us and which we use the most.

Improvements to My Organization:

It's able to track down security incidents faster and make for a more efficient investigation of a user's network activity based on the log data available.

Due simply to the user features available out-of-the-box, the convenience it can bring to any organization (when deployed and configured correctly) can greatly assist any enterprise in many facets, from an increased and enhanced security posture, to audit regulations and even data retention.

Room for Improvement:

It needs additional and better user customization for SmartConnectors, and additional device support for more obscure log sources.

Also needed is a configuration wizard for organizations lacking the in-depth knowledge required to integrate the solution successfully.

Deployment Issues:

We've had no issues with deployment.

Stability Issues:

We've had no issues with instability. It's been stable for us.

Scalability Issues:

We've been able to scale it for our needs. We've had no issues with scalability.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user399357 - PeerSpot reviewer
Security Response Engineer at a media company with 10,001+ employees
Real User
It reduces the amount of time required to perform an investigation because of the correlation and aggregation of all the events.

Valuable Features

It reduces the amount of time required to perform an investigation because of the correlation and aggregation of all the events. From what I've seen for our network, it's the best at ingestion of events.

Improvements to My Organization

We're a large organization, and the tool scales very well for us.

Room for Improvement

The technical support needs to be improved.

Deployment Issues

We've had no issues with deployment.

Stability Issues

Whether we've had issues with stability is a hard thing to say because we're on the cutting edge of virtualization. When we were on older hardware with physical servers, it was relatively stable. But we ran into issues with support, and we decided to virtualize a lot of it -- everything from the loggers to the ESM. We see a lot of performance gains, but our biggest hangup is support. The tool itself is great, but when we run into a hiccup, it seems they don't have the expertise on the support side to get us quickly back to where we need to be.

Scalability Issues

We have well over 100,000 employees and we've virtualized a lot. Again, the problem is with getting support as we scale.

Customer Service and Technical Support

They don't listen when we report an event or issue. We tend to be on the bleeding edge, so we have to do our own troubleshooting and perform our own resolution of events. When we send information, they've often asked for logs. And sometimes we don't get responses at all. I often have to ask for a status update on our tickets, which oftentimes get sent to non-US support teams. They're then re-assigned back to the US and there's a lot of confusion.

Technical support has been so frustrating that we've brought in an intermediary, LiveQuest, to deal with HP support for us.

Initial Setup

I've set it up so many times now, it's really hard for me to describe it. It's pretty straightforward and has become second nature for me.

Other Advice

You have to really know your environment. Have a good SE, and be prepared to do a lot of your own homework.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Manager at a tech services company with 51-200 employees
Real User
Top 20
Lacking scalable cloud technology, poor stability, but easy to use
Pros and Cons
  • "The most valuable features of ArcSight ESM are ease of use and readily usable components."
  • "ArcSight ESM is lacking cloud scalable technology."

What is our primary use case?

We have a large footprint of 25 plus subsidiaries reporting into a consolidated security reporting and action team using ArcSight ESM.

How has it helped my organization?

ArcSight ESM has improved our organization because we have better incident reporting. It was originally deployed in order to fulfill compliance requirements. We were required to have security monitoring, and ArcSight ESM was a quick and effective way to be able to meet that minimum requirement.

What is most valuable?

The most valuable features of ArcSight ESM are ease of use and readily usable components.

What needs improvement?

ArcSight ESM is lacking cloud scalable technology.

For how long have I used the solution?

I have been using ArcSight Enterprise Security Manager (ESM) for approximately three years.

What do I think about the stability of the solution?

ArcSight ESM has average capabilities. It's not seen as being particularly robust or usable for advanced threats.

What do I think about the scalability of the solution?

The scalability of ArcSight ESM is average to poor.

We have approximately 60,000 users using the solution.

How are customer service and support?

The support from ArcSight ESM is very poor. We had a negative experience.

I rate the support from ArcSight ESM one out of five.

Which solution did I use previously and why did I switch?

We did not use a solution prior to ArcSight ESM.

How was the initial setup?

The initial setup of ArcSight ESM was relatively straightforward. The full deployment took us approximately six months. The implementation strategy was to get basic monitoring templates as fast as possible.

What about the implementation team?

We used an integrator for the implementation of ArcSight ESM.

What was our ROI?

The ROI was not important at first because we were trying to cover our basic compliance requirement for monitoring.

What's my experience with pricing, setup cost, and licensing?

We're paying a fee for an MSSP, and the total cost of ArcSight ESM was approximately three to four million dollars a year. The price was less than similar solutions. We did not have additional fees.

Which other solutions did I evaluate?

We evaluated other solutions prior to choosing ArcSight ESM, such as Splunk and RSA NetWitness. We decided on ArcSight ESM because it was cost-effective.

What other advice do I have?

We are replacing ArcSight ESM with Microsoft Sentinel. We wanted to shift to cloud-based, cloud-scalable technology.

My advice to others is for them to take a hard look at the total cost of ownership, specifically the maintenance and upkeep that's required to maintain the appropriate service levels.

I rate ArcSight ESM a four out of five.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Sales Engineer
Real User
Useful real-time alerts for web traffic monitoring
Pros and Cons
  • "Stable solution with good customer service support."
  • "Could benefit from a more modern interface."

What is our primary use case?

We use it to monitor several web traffic sources and to look for compromised indicators within that traffic. The traffic comes from several applications that we've exposed on the internet.

What is most valuable?

The most valuable feature is the real-time alerts. We're also currently looking to incorporate some of the SOAR capabilities that are new to the platform.

What needs improvement?

The interface (the console) looks pretty old right now, so it could benefit from a more modern design. It's functional, but not as visually appealing as it could be.

For additional features, I'd say capabilities regarding the behavioral analytics integrated in the solution. Right now, there's something in place, but it's not integrated on our side of the platform.

For how long have I used the solution?

I've been using ArcSight since 2015, so about six years.

What do I think about the stability of the solution?

My impressions are that it is stable.

What do I think about the scalability of the solution?

On our end it's pretty good. We haven't had any problems adding more sources.

How are customer service and support?

I've used their customer service and support a couple of times. It was a good service.

How was the initial setup?

Setup was relatively easy. The initial deployment was around five hours. For full deployment with all the sources, it took longer.

What other advice do I have?

I would rate this solution an eight out of ten. It's been useful and I would recommend it to others. I'd also advise taking on the initial architect for implementation, because that was critical for us in making the appropriate selections prior to deployment.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
it_user587595 - PeerSpot reviewer
Dynamics Nav Expert at a tech services company with 51-200 employees
Consultant
Allows integration and log collection with different devices.

What is most valuable?

The valuable features are:

  • Integration and log collection with different devices.
  • Collecting logs from many different sources. If you have your own app, you can do logging for it. In addition, you can customize log parsing.
  • Correlations of logs from different device types.
  • Built-in content such as reports, dashboards, compliance, and standard packages.
  • Option to correlate logs with business data.
  • Option to adjust the product to different roles: operations, decision makers, and administrators.
  • You can adjust the web console interface to match the specific role.
  • Integration with other products, such as databases and IPSs.
  • Additional features are available with simple extensions. The solution enables you to monitor logs and to analyze data, but you can also use additional add-ins such as reputation services that can integrate ArcSight ESM with TippingPoint IPS.
  • Ready-made content that can be used immediately.
  • Customized business tables can be correlated. For example, the employee sick leave register can be correlated with Windows login logs.

What needs improvement?

I would like to see the following improvements:

  • Less time to administer and track logs on separate devices.
  • Ease of changing the product underneath. For example, instead of Juniper routers, we started to use Check Point routers.
  • Reporting: I would like an easier way to find the root cause.
  • Simplicity: I would like to see an easier way to figure out which column has the mapped data.
  • Component accessibility: Components are managed in different places; console, web console, and administration web. It would be nice to have easier access.
  • Better UX: I would like to see a better user experience with the web client. Sometimes, it is very slow and not very intuitive.
  • Better documentation or "how-to" videos: Usually documentation for devices, whose logs are going to be collected, is poor. Those guides are split in two parts: 1. To-do content for device administrator. 2. To-do content on the ArcSight side. When a customer uses these guides, it is not clear what he has to do. Sometimes the customer asks specific questions that the ArcSight implementer cannot answer. Some of these questions are about specific roles, privileges needed for a domain, or database use when the specific source is added.
  • Simplified licensing and license extension for console users: Console users are licensed separately. Those licenses are expensive. The web console is introduced with limited features.

What do I think about the stability of the solution?

There were some stability issues in the partner versions. The client versions were stable.

What do I think about the scalability of the solution?

There were no scalability issues.

How are customer service and technical support?

The technical support was not very good. They are slow and not very efficient. I rely on personal contacts to solve my issues.

How was the initial setup?

The installation was straightforward. It has some built-in connectors that are easy to set up.

What's my experience with pricing, setup cost, and licensing?

The product is not cheap. If you set it up and use it well, it is a worthwhile purchase.

Which other solutions did I evaluate?

We evaluated Splunk and McAfee Log Manager.

What other advice do I have?

Prior to implementation, do an internal assessment and analyze business, technical, and other requirements. Know your inventory and ask for a project methodology approach. Ask your partner for a referral visit to other customer sites.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are a partner.
Security Expert at a tech services company with 501-1,000 employees
Consultant
With multi-tier hierarchical deployment, we are able to integrate and standardize security incident detection and response.

What is most valuable?

  • High flexibility: There are many custom sources of information that we wouldn't be able to integrate with another SIEM solution, thus compromising our security.
  • High performance: The amount of data fed to the solution is huge (100s of millions of events per day).
  • Capacity for multi-tier hierarchical deployment: We are able to integrate and standardize security incident detection and response over many locations.

How has it helped my organization?

  • Losses from security incidents have significantly decreased.
  • Security incident discovery and mitigation is a matter of hours, rather than days or even months, like it was before.
  • Detailed reports allow for planning and informed decision making.

What needs improvement?

The overall complexity of the product can be overwhelming for some. It's not the type of solution where you just plug it in and it works. Reaping full benefit from it requires quite a lot of custom tuning, qualified IT security personnel, and proper and thorough planning.

Technical support from the vendor can sometimes be quite slow and not very helpful, but it is getting better.

The GUI is outdated. Improvements on this are on the way, according to the vendor.

For how long have I used the solution?

I’ve been using ArcSight for five years.

What do I think about the stability of the solution?

We had stability issues only in a virtual environment, which is not recommended by the vendor for a high-load setup. The main virtual server would crash every now and then. But once we had migrated the setup to a dedicated physical server, we had no major stability issues.

What do I think about the scalability of the solution?

Scalability was one of our main concerns while choosing a solution and, so far, it has satisfied our needs in this area without any issues.

How are customer service and technical support?

Right now, I would call technical support moderately good, since it has improved greatly over the past years. There are still some issues with timeliness every now and then, but the number of critical issues is quite low.

Which solution did I use previously and why did I switch?

We have evaluated several solutions and HPE ArcSight was the only one that satisfied our requirements in performance, scalability, and flexibility.

How was the initial setup?

Initial setup was quite complex and required a lot of planning. That is a downside of the solution being flexible and customizable.

What's my experience with pricing, setup cost, and licensing?

The pricing and licensing model has changed dramatically over the last years, so I can't really give much advice on its current state. You need to be ready for the solution to be quite expensive.

Which other solutions did I evaluate?

We evaluated McAfee ESM.

What other advice do I have?

The keys to success with this solution are:

  • Careful deployment planning
  • Readiness to invest time and resources into training your IT security personnel
  • Fine tuning the solution to your specific needs

Disclosure: I am a real user, and this review is based on my own experience and opinions.
IT Security Assistant Manager at an insurance company with 5,001-10,000 employees
Real User
It allows us to trace back security threats, to generate usage trends and discover anomalies.

Valuable Features:

For us, there are several valuable features.

  • The ability to correctly parse the largest number of products compared to its competitors;
  • The ability to create very complex scenarios to detect security risks and anomalies;
  • Very stable system components (connectors, logger and correlation engine) combined with satisfactory vendor support; and
  • The ability to create parsers for all kinds of applications and systems is an important differentiator.

Improvements to My Organization:

It greatly changed our work habits in the organization, allowing us not only to trace back security threats, but also to generate usage trends, discover anomalies and many other uses. It quickly became an indispensable tool.

Room for Improvement:

They can definitely provide faster search response and offer larger on-the-box storage support. The predefined correlation ruleset can be improved to cover more security alerts and more products.

There is also still room for improvement in processing speed. Easily accessible documentation, such as reference architectures, does not exist; more guidance could be provided to customers for such a complex product.

Deployment Issues:

We've had no issues with deployment.

Stability Issues:

We've had no issues with stability.

Scalability Issues:

We've had no issues with scalability.

Disclosure: I am a real user, and this review is based on my own experience and opinions.