Senior ICT Security Officer at a financial services firm with 1,001-5,000 employees
It provides us with event correlations that are automated and prioritized according to level of security risk and compliance violation.
What is most valuable?
- Real-time rules for threat detection
- Event correlations that are automated and prioritized according to level of security risk and compliance violation
How has it helped my organization?
It allows us to be in better compliance with security protocols. It also gives us a better global vision of what is happening in the organization in terms of security threats and how best to analyze and mitigate them.
What needs improvement?
I would like to have a native cluster for connectors as a software version and not as an appliance. It also needs a better disaster recovery procedure.
For how long have I used the solution?
We've been using ArcSight since 2007.
Buyer's Guide
OpenText Enterprise Security Manager
April 2025

Learn what your peers think about OpenText Enterprise Security Manager. Get advice and tips from experienced pros sharing their opinions. Updated: April 2025.
857,688 professionals have used our research since 2012.
What was my experience with deployment of the solution?
We've deployed it without any issues.
What do I think about the stability of the solution?
We haven't had any issues with instability.
What do I think about the scalability of the solution?
It's scaled fine for our needs.
Which other solutions did I evaluate?
We chose ArcSight when they had no real competitor and we stayed with them.
What other advice do I have?
I'm pleased with the current capabilities.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

Information Security Architect at a tech services company with 51-200 employees
Its flexibility is achieved by being easy to use, and at the same time having very sophisticated FlexConnectors.
What is most valuable?
The best feature of ArcSight is its flexibility. Almost no other vendor provides such a good framework to collect, parse, and analyze data. Its flexibility is achieved by being easy to use, and at the same time having very sophisticated FlexConnectors. Also, I've found ArcSight's correlation engine to be the most advanced on the market.
How has it helped my organization?
My customers who use ArcSight report that it becomes very useful in incident detection and forensics. It's really sped up disclosure of inappropriate activity in information systems and on the network. Flexible event collection allows getting crucial events from almost every possible source. And correlation abilities are incredible if you know how to cook it.
What needs improvement?
Many competitors are going down the road of combining their products with other security products, such as vulnerability scanning, configuration control etc. HP's position doesn't change in that area as they offer to use their standalone solutions and integrate them in ArcSight. There are no embedded scanners or network forensics. Maybe it's time for HP to rethink that position.
For how long have I used the solution?
I've been working with HP ArcSight since 2008. All that time, the product has been growing and evolving, trying to give us more profit and a better experience to old and new customers.
What was my experience with deployment of the solution?
We have had no issues with the deployment.
What do I think about the stability of the solution?
If you encounter serious performance problems, you didn't size correctly prior to deployment.
What do I think about the scalability of the solution?
The scalability options are pretty good although costly.
How are customer service and technical support?
Customer Service:
Every product has its stability bugs, and ArcSight is not an exception, though I haven't found anything critical.
Technical Support:
I must say that tech support is getting worse and worse every year. Hard cases may "hang" for months. In simple cases, support often demonstrates a lack of deep knowledge. When ArcSight was not HP, its product support was much, much better. Even first-line support could help with anything.
Which solution did I use previously and why did I switch?
As a systems integrator, we constantly evaluate different solutions and deploy not one but many of them. My personal opinion is that a crucial feature for a SIEM system is flexibility. The more you can tune, adjust, and develop the system, the more profit you will get from it. If we're talking about SIEM solutions, then no one can offer such flexibility as ArcSight. Splunk maybe, but Splunk is not SIEM, and to get SIEM-like features from it you spend more time and money.
What about the implementation team?
As a system integrator, I always say that implementation must be done by an experienced team. SIEM solutions are not easy, so if time is important, do not rely on doing it haphazardly.
What's my experience with pricing, setup cost, and licensing?
We would like it to be cheaper, but the licensing model is pretty simple.
What other advice do I have?
You need to read the documentation - you can then get it fast and working. If you do not read the documentation, you get pain and tears. Look for an experienced team to deploy the solution, or get experience yourself as HP has some good learning courses.
Deep knowledge of the product will come later, but for the correct implementation you need to be prepared. ArcSight has a wonderful community, and you can always ask a question or find an interesting use case there. It's a very useful resource indeed, do not hesitate to visit it.
Disclosure: My company has a business relationship with this vendor other than being a customer: We integrate ArcSight for our customers.
Senior IT Security Consultant, Cybersecurity Technology Services at a consultancy with 1,001-5,000 employees
It has flexible and rich correlation capabilities. It has the capability to manipulate every parameter - sub-strings, indexes, and custom functions.
Valuable Features
- It has flexible and rich correlation capabilities. This is the most mature product in this area.
- It has the capability to manipulate every parameter - sub-strings, indexes, and custom functions.
- Active Lists - This is the most powerful feature which supports correlation. It also has multi-column active lists, parameters manipulation, and correlation capabilities that provide great flexibility.
- Full control of correlation flow - There are no black-box closed rules, unlike with McAfee Nitro, and no default aggregation which is hard to analyze, unlike Offenses in QRadar.
Improvements to My Organization
This is the best product to build and support SOC operations and SOC use cases.
Room for Improvement
The layout of the analyst's console needs improvement. It has had no significant changes in at least nine years. Also, the advanced statistics in visualizations simply don't work, and I've performed an analysis of these functions.
Use of Solution
We've been using it for nine years.
Deployment Issues
We have had no issues with the deployment.
Stability Issues
We have had no issues with the stability.
Scalability Issues
We have had no issues scaling it for our needs.
Customer Service and Technical Support
I have not had to use tech support for at least two years now. From what I recall, they were good.
Initial Setup
The initial setup was simple and the implementation was straightforward as the supporting documentation is pretty good. Help for setup, which is available from the analyst console, is really great and complex with diagrams and screens.
Implementation Team
ArcSight makes it easy to achieve ROI because of its great flexibility.
Other Solutions Considered
This is the best SIEM solution on the market compared to its competitors. I'm also familiar with IBM QRadar, RSA Security Analytics, McAfee Nitro, and Splunk.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
System Engineer at a tech services company with 51-200 employees
When I am facing a problem such as transaction fraud, we can investigate using ArcSight by tracing the log through its correlation. They need to fix some bugs and increase the search speed.
Valuable Features
The dashboard is the most valuable feature for us as it can show a lot of information about real-time incidents.
Improvements to My Organization
When I am facing a problem such as transaction fraud, we can investigate using ArcSight by tracing the log through its correlation.
Room for Improvement
They need to fix some bugs and increase the search performance speed. Sometimes there are issues when I perform log correlations.
Deployment Issues
We have had no issues with the deployment.
Stability Issues
There have been no stability issues.
Scalability Issues
We have had no issues scaling it for our needs.
Customer Service and Technical Support
Customer Service: 5/10
Technical Support: 5/10
Initial Setup
The initial setup was quite easy and straightforward.
Implementation Team
I work for a reseller, and we set up ArcSight for our customers, and I am learning a lot about its architecture.
Other Solutions Considered
For SIEM, I think HP ArcSight is a leading competitor alongside Splunk.
Other Advice
You need to learn about architecture and practice more before implementation since this product is not easy to learn and takes time to master.


Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Cyber Security Analyst at a tech services company with 10,001+ employees
It allows for easy log analysis as well as correlation and alerting.
What is most valuable?
- Logger
- Command Center
How has it helped my organization?
The ArcSight ESM allows for easy log analysis as well as correlation and alerting. Logger is an indexed database which allows for faster, historical searching. The versatility to use SQL queries is helpful.
What needs improvement?
There are some limitations on the functionality of Rules that I would like to see expanded. I would like to see some better support options in the ArcSight community for HP Protect. Unless someone in your organization is an ArcSight SME, you are going to have a difficult time getting answers.
For how long have I used the solution?
I've used it for two years.
What was my experience with deployment of the solution?
There were no issues with the deployment.
What do I think about the stability of the solution?
We've not had any issues with the stability.
What do I think about the scalability of the solution?
We've had no issues scaling it for our needs.
How are customer service and technical support?
I would give it 3/10. A lot of the support is community based. That strategy can work, but the answers are sometimes incomplete, incorrect, and can take a long time to get.
Which solution did I use previously and why did I switch?
I have used QRadar and Splunk. Both have great functionality that makes them easy to use, but ArcSight has a very consistent layout and their logic is easy to figure out.
How was the initial setup?
I was not involved in the setup.
What's my experience with pricing, setup cost, and licensing?
I'm not involved in pricing or licensing.
What other advice do I have?
It's a well rounded product especially with the addition of Logger and Command Center. I felt it was easy to understand and use right from the start. There are some companies that do not take advantage of everything ArcSight can offer. A problem I think ArcSight can fix with better support alternatives.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Cyber Security HP Arcsight Dev Ops Lead Developer with 10,001+ employees
The CORR engine and ability to build complex correlations from simple 'building blocks' are the most valuable features for us.
What is most valuable?
The real-time correlation (CORR) engine and ability to build complex correlations from simple 'building blocks', provided the base 'building blocks' are well thought out in the first place, are the most valuable features for us.
How has it helped my organization?
The ways in which it's improved our organization are too numerous to mention. But you have to have good, steady resources and well worked-out use cases. ArcSight can report on many things and save on repetitious daily monitoring.
What needs improvement?
There's a lot of improvements that need to be made, too many to mention all of them, but some improvements with the Con App would be a good start.
For how long have I used the solution?
We've used it for over eight years.
What was my experience with deployment of the solution?
We did have issues at the start, but this comes down to having good HP ArcSight architects to start with, which we didn't when the project started.
What do I think about the stability of the solution?
We did have issues at the start, but this comes down to having good HP ArcSight architects to start with, which we didn't when the project started.
What do I think about the scalability of the solution?
We did have issues at the start, but this comes down to having good HP ArcSight architects to start with, which we didn't when the project started.
How are customer service and technical support?
With HP themselves, they need a lot of pushing to get them to get seriously involved with issues, given that they are paid a lot of money to provide support and deliver top SLAs.
Which solution did I use previously and why did I switch?
We mainly use HP ArcSight, but also Splunk. I didn't have a say in making the choices.
How was the initial setup?
The initial setup was fairly straightforward, but the overall architecture planning needs seasoned professionals who understand what ArcSight is and how it needs to be deployed.
What about the implementation team?
The installation had already been implemented by an HP subsidiary who were fairly good when performing the installation. Despite that, they did a poor job of implementing the hardware.
What's my experience with pricing, setup cost, and licensing?
The HP products are expensive.
What other advice do I have?
It's a fantastic product and highly configurable, but it needs nothing less than a seasoned cyber security professional with serious engineering expertise and a real desire to provide meaningful use cases. Anyone that says ArcSight is 'fire and forget' should not be allowed to work in cyber security!
If you want ArcSight implemented correctly, start by sizing your organization, and looking at data flows and the available data streams. Be mindful of regulatory and compliance reporting, Risk and Legal as well, as you may need to factor in any and all of these when working with enterprise solutions.
Disclosure: My company has a business relationship with this vendor other than being a customer: We have a business relationship in place with HP.
Security Business Analyst at a tech services company with 10,001+ employees
It has good options for shaping data and using them in very complex rules. Performance is the product's Achilles' heel.
What is most valuable?
I think the ability to create rules more flexible than in other products (i.e. IBM QRadar) is its most valuable feature. It has good options for shaping data and using them in very complex rules.
How has it helped my organization?
It has increased our detective capabilities in the cybersecurity landscape. We're able to build SOC around it, and make it a central tool for detecting network compromises.
What needs improvement?
Performance is the product's Achilles' heel. The aggregation can't be done for a long period of time, i.e. one week. On top of that, in comparison to the competition, ArcSight works very slowly and the WebUI is not very user-friendly.
For how long have I used the solution?
We've been using it for 10 months and the program is still in the development phase.
What was my experience with deployment of the solution?
There were no issues with the deployment.
What do I think about the stability of the solution?
There have been no stability issues.
What do I think about the scalability of the solution?
We have had no issues scaling it to our needs.
How are customer service and technical support?
The level of technical support is low. I think HP should invest money to train support people. Furthermore, sometimes I feel they are overworked because they are used to sending notifications about cases without closing them.
Which solution did I use previously and why did I switch?
Previously, I worked with IBM QRadar.
How was the initial setup?
SIEM in general is not straightforward. I think the initial setup was simple, but to get value from this product, you have to do something more than the initial setup.
What about the implementation team?
We did it in-house with help from the vendor's professional services. My advice is to think first where you would like to put your collectors. Assess if your network will be able to lift extra loads, assess what logging level will be required, and if log sources are capable of delivering it.
Which other solutions did I evaluate?
ArcSight was chosen by my new company management without asking me for my opinion.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
IT Security Assistant Manager at an insurance company with 5,001-10,000 employees
It allows us to traceback security threats, to generate usage trends and discover anomalies.
Valuable Features:
For us, there are several valuable features.
- The ability to correctly parse the greatest number of products compared to its competitors;
- The ability to create very complex scenarios to detect security risks and anomalies;
- Very stable system components (connectors, logger and correlation engine) combined with satisfactory vendor support; and
- The ability to create parsers for all kinds of applications and systems is an important differentiator.
Improvements to My Organization:
It greatly changed our work habits in the organization allowing us to not only trace back security threats, but also to generate usage trends, discover anomalies and so many other usages. It quickly became an indispensable tool.
Room for Improvement:
They can definitely provide faster search response and offer larger on-the-box storage support. The predefined correlation ruleset can be improved to cover more security alerts and more products.
There is also still room for improvement in processing speed. Easily accessible documentation such as reference architectures does not exist; more guidance can be provided to customers for such a complex product.
Deployment Issues:
We've had no issues with deployment.
Stability Issues:
We've had no issues with stability.
Scalability Issues:
We've had no issues with scalability.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
