ArcSight Enterprise Security Manager (ESM) Reviews

We are resellers. We deal with many vendors to provide and implement solutions for our clients. We primarily use this product for logging data.

The most useful features are directories, price, and live reporting.

The customer experience could be improved.

I think they can improve the AI and monitoring. Also, they need an updated database.

I have been dealing with this solution for approximately three years.

We are working with the last updated version.

The stability can be improved. The competitors are more stable.

It's a scalable product and the scalability is good.

Our clients are usually enterprise companies.

The technical support is good. They have been able to resolve our issues.

We are using SIEM. It has a better dashboard and is more complete.

The initial setup can be simple and also complex. It depends on the client's infrastructure.

We implement the solution and maintain it for the clients.

It's a good price, it's one of the cheaper solutions.

There are no additional costs.

Depending on the size of the companies, I would recommend this solution. It's more suited for small to medium-sized companies.

I would rate this solution an eight out of ten.

On-premises

We use this solution for clients that want database consulting. They have a lot of general user's data in that demise so they want to have a robust SIEM solution that they trust. They have real-time alerts and monitoring for their data server.

We do consulting and I get feedback from our clients that the product really helped them with compliance, especially with GDPR. 

They should make a user manual for the technical people.

I would like for them to integrate mobile devices. Integration or any kind of functionality which will act as a substitute for IBM so that we can really track our mobile devices as well as look at SIEM.

I would rate the stability as a four out of five. 

The initial setup was easy. It was a two-month project plus one month setting up the best practices cost organization. In total, it was around a three month project.

Pricing is average. 

I would rate this solution a nine out of ten. 

• User behavior and problems on the network are visible, which we can then solve. 
• We can align policies with how people actually behave. 
• MSSP options are very good.

• Large scale installations work well.
• The new user interface is nice. 
• The real-time analysis adds value. 
• The default packages on the new HPE Marketplace are useful and give nice default dashboards and reports for most of the well-known products.

HPE ArcSight has a quite steep learning curve. If you get to know the product well, it is the most powerful product that I have worked with. It would be nice if new users could start using the product more easily.

I would prefer to roll out HPE ArcSight ESM on physical hardware. Without proper tuning, running ESM on VMware does not work well. Loggers and connectors work fine on virtual components.

10,000 events per second, including correlation, on pretty normal hardware work well.

We encountered no issues with scalability. If needed, ESM can be setup in tiered form. Loggers can be scaled horizontally very efficiently. One box can handle a lot of events.

Customer Service:

Seven out of 10. Basic questions get answered quickly. More in depth questions require more time, which can be a problem. It has improved over the last two years.

Technical Support:

Initially, the level of technical support was not so good. Once you get put through to the people in the US, you will get the better answers.

I have also used LogRhythm, which in my opinion has less features than ArcSight. 80% of use cases work well on both, for the most interesting 20%, I would use ArcSight.

Initial setup was straightforward. From the manuals, it is clear what components need to be installed where. Not having to install agents on servers is a big advantage of ArcSight over other solutions that I have worked with.

We did not use a vendor team to do the implementation. Our in-house teams could roll out ArcSight very well. Cooperation of a lot of teams is often needed to implement SIEM solutions: networking, OS, and compliancy. Depending on your company structure, cooperation between teams can cost the most time.

I have not been involved in the ROI calculations and considerations, thus I cannot give my thoughts on this point.

Do not scale out (horizontally) too quickly. A good box can handle a lot of EPS. You will not need to buy more licenses if you use one box in a good way. Also, aggregation can help a lot in pushing down licensing costs.

We also looked at Splunk and LogRhythm for every installation. All three have their own benefits. For large scale installations with multiple users and (sub) companies, ArcSight is the best option.

Get a training course and start working with it quickly after getting your course. It is easy to forget all the options ArcSight has.

• Event correlation across multiple device categories: It allows us to have a full picture of what is happening in the environment.
• Flexible event collection: Besides hundreds of standard devices, you can send custom CEF Syslog prepared with your own scripts.
• Customization of alerts: Velocity macros allows you to send very clear and user-friendly alerts.

This product gave us a clear picture of the network traffic, including the useless parts. It also allowed us to detect a large range of threats, starting from the malware infected workstations to misconfigured devices.

The web console should have all the features of the standard console.

In addition, the upgrade process should be simpler.

I have used this solution for 10 years and 8 months.

I did have some small issues at the beginning. It was mostly due to not reading the documentation or sending too many events in the HPE ESM solution.

Scalability was not an issue. The environment was relatively stable and we filtered out non-security events using custom scripts.

I have had mixed experiences over the years. Customer service was good, while the technical support was mostly great.

There were a few glitches, like assigning our trouble ticket to a support specialist in an impossible time zone.

I have not used any other solution. In 2005, we started directly with the HPE ArcSight solution because our company security consultant recommended it.

In 2006, when we first installed HPE ArcSight into production, we disabled most of the default rules and other object categories. Today, this may not apply. After which, we designed and implemented our own rules, filters, field sets, active lists, session lists, reports, alerts, etc.

The first year was hard. In the following years, we mainly did the fine tuning, added new event categories and also did a lot of updates/upgrades.

We carried out a pilot implementation based on the initial SOW, including several basic use cases. This allowed us to understand what is really happening in the environment and we learned that most of the default rules are not appropriate for us. After the pilot was successful, we bought the solution.

Calculating ROI is tricky and was never a concern for us. The simple fact that HPE ArcSight helped us several times to survive malware attacks (Conficker was one such attack) and it also helped a lot with different compliance audits, which was enough for us.

In order to avoid huge licensing costs, you should use pre-filtering of events, outside the ArcSight solution. We did this for Cisco ASA firewalls, Microsoft TMG proxies, etc. Of course, this approach may not work, if you have regulatory constraints and have to collect everything.

You must understand your environment and its dynamics.

Talk with IT people, write down the most important use cases, shortlist at least three SIEM solutions, do several pilots and then choose well.

Correlation capabilities: This product provides an advanced level of correlations, which is highly valued.

HPE ArcSight has helped us gain visibility of the solutions across the organization. We have been constantly identifying anomalous activities both internally as well as externally. These include malware proliferation, data loss, proxy bypass attempts, phishing and spear-phishing, port scans, etc

It can be more user-friendly. The product is too restrictive to suit the flexibility needs of the infrastructure. It is sometimes hard to implement the solution as recommended by HPE.

I have used this solution for around four and a half years. Currently, we are using HPE ArcSight Express 5, ESM 6.8, Connector Appliances and SmartConnectors 7.4.

In version 5, I used to experience some issues as it was using Oracle DB. Although, I do not have any problems in version 6+.

This product is not easily scalable. We particularly required skilled personnel to do this activity and it also took a significant amount of time.

The technical support is poor.

We were not using any other solution before. We started using HPE ArcSight straightaway.

Setting up of the ArcSight solution is always complex compared to other solutions out there. There are a lot of parameters and dependencies involved. Adding infrastructure complexity will add more complications. Distributed deployment is also difficult to implement.

It is very expensive for larger deployments.

We are now working with open-source systems and Splunk solutions. We are decommissioning HPE ArcSight as it is getting impractical to manage and maintain the solution.

There are better products in the market for medium to large-scale deployments. It is recommend to use this product for small-scale deployments, i.e., 200-800 EPS.

The ESM's interface is really comprehensive. While the ArcSight console is really heavy, and I tend to dislike Java-based Windows GUIs, it's feature-rich and provides a seamless way to move between analyzing events and creating content.

The ability to correlate such a diverse range of information into a single location is invaluable.

SmartConnectors should be resilient, since they ingest directly from sources (often sources that I have no control over). But they're not resilient. The slightest change in the format of an event can cause SmartConnectors to stop working completely, even for other properly formatted events.

I have been using ArcSight for two years.

I've had stability issues, particularly with SmartConnectors. They sometimes crash. Worse still, they often report that they're working fine but completely stop listening for events.

The ArcSight Logger is extremely limited when it comes to scalability. For a large deployment that could be handled by a single ESM, a dozen Loggers might be required. The cost of such an undertaking is prohibitive, and there are much more scalable solutions available (ES for instance).

I would rate this zero, if I could. I have had many incidents opened with HPE Support for ArcSight products, and there has not been a single issue where their support was more valuable than the time it took to deal with them. In most of my experiences with them, I provided a thorough description of the problem including logs, config files, and sometimes .pcap files.

I then heard back from them roughly once or twice a day for a week, during which time they would ask questions that I had already answered, and suggest actions that couldn't possibly relate to my issue. Of course, I tried their suggestions, but they did not work. By then, I had always devised a workaround to reduce impact to production and didn't receive another suggested resolution for weeks or months.

I have used many products that cover some of the territory claimed by ArcSight, including: Sourcefire 3D, ELSA, Sguil/Squert, RSA Security Analytics and Splunk. None of these were as comprehensive as ArcSight.

Most of the initial setup is very straightforward, but some event sources require significant effort to integrate.

ArcSight is exclusively an enterprise product and it is priced accordingly.

We evaluated QRadar and Splunk.

Evaluate your needs. If you're only looking to integrate logs or do simple correlations, there might be a better choice out there. If you're looking for a single product that will let you aggregate, correlate and analyze many different sources in a single place, then there are few competitors that can come close to ArcSight's features.

The best feature of ArcSight is its flexibility. Almost no other vendor provides such a good framework to collect, parse, and analyze data. Its flexibility is achieved by being easy to use, and at the same time having very sophisticated FlexConnectors. Also, I've found ArcSight's correlation engine to be the most advanced on the market.

My customers who use ArcSight report that it becomes very useful in incident detection and forensics. It's really sped up disclosure of inappropriate activity in information systems and on the network. Flexible event collection allows getting crucial events from almost every possible source. And correlation abilities are incredible if you know how to cook it.

Many competitors are going down the road of combining their products with other security products, such as vulnerability scanning, configuration control etc. HP's position doesn't change in that area as they offer to use their standalone solutions and integrate them in ArcSight. There are no embedded scanners or network forensics. Maybe it's time for HP to rethink that position.

I've been working with HP ArcSight since 2008. All that time, the product has been growing and evolving, trying to give us more profit and a better experience to old and new customers.

We have had no issues with the deployment.

If you encounter serious performance problems, you didn't size correctly prior to deployment.

The scalability options are pretty good although costly.

Customer Service:

Every product has its stability bugs, and ArcSight is not an exception, though I haven't found anything critical.

Technical Support:

I must say that tech support is getting worse and worse every year. Hard cases may "hang" for months. In simple cases, support often demonstrates a lack of deep knowledge. When ArcSight was not HP, its product support was much much better. Even first-line support could help with anything.

As a systems integrator, we constantly evaluate different solutions and deploy not one but many of them. My personal opinion is that a crucial feature for a SIEM system is flexibility. The more you can tune, adjust, and develop the system, you will get more profit from it. If we're talking about SIEM solutions, then no one can offer such flexibility as ArcSight. Splunk maybe, but Splunk is not SIEM, and to get SIEM-like features from it you spend more time and money.

As a system integrator, I always say that implementation must be done by an experienced team. SIEM solutions are not easy, so if time is important, do not rely on doing it haphazardly.

We would like it to be cheaper, but the licensing model is pretty simple.

You need to read the documentation - you can then get it fast and working. If you do not read the documentation, you get pain and tears. Look for an experienced team to deploy the solution, or get experience yourself as HP has some good learning courses.

Deep knowledge of the product will come later, but for the correct implementation you need to be prepared. ArcSight has wonderful community, and you can always ask a question or find an interesting use case there. It's a very useful resource indeed, do not hesitate to visit it.

Too many to name, but here are a few:

1. Its versatility when it comes to vendor support.
2. The ESM and logger are powerful tools. If used properly, we can achieve much more than we previously could. The Alert and Case Tracking mechanism contribute to the work of ESM and Logger.
3. Express, all-in-one component is best for small businesses.
4. NTP is efficient in blocking identified threats.
5. ArcSight Flex Connector Development module is an excellent feature if you want to get the logs from unsupported vendor products.

I am a service provider for this product, so I provide value to the customer based on their requirements. The requirements are generally based on the lines of compliance and better security vision of what is going on in the organization, and who is doing what etc. and to mitigate external threats like port scans, DOS, malware ingestion, phishing etc.

Better reporting with the nice look and feel available in the wider market; also more vendor log support. HP should improve their Tech Support status.

3+ years

A few, depending on the specific organization's structure and policies.

No

The solution itself is very scalable, but it is also a lot more expensive than other players.

Customer Service: PoorTechnical Support: Poor

No

Splunk, RSA Envision, McAfee Nitro and IBM QRadar

Consider the complexity of this solution and choose the right people to deploy it.