It is our SIEM of choice in our managed SIEM services offering. Its multi-tenant capability, virtually universal connector framework, and licensing model made it the clear choice to deliver a value-add as an MSSP.
Business Development Manager - Threat Management Services at Insight Enterprises, Inc.
Absolutely improved the efficiency of our security team
Pros and Cons
- "It has absolutely improved the efficiency of our security team. We use it internally as well. It is such a powerful tool that our internal security team became a customer of our ArcSight managed service."
- "The initial setup is very complex. We had to architect a deployment which allowed us to incorporate an ever growing number of customers into our hosted instance of ArcSight."
- "Customer service during the transition from HPE to Micro Focus was abysmal where it became disruptive to our service delivery."
What is our primary use case?
How has it helped my organization?
Without it, we would not have a managed SIEM offering to speak of. We spent over a year evaluating leading competitors and ArcSight was the clear winner. It opened up a completely new line of business for us.
What is most valuable?
- Smart Connectors and Flex Wizard
- Multi-tenant access
- Customization for dashboards and reporting
- Improvements made to the ADP platform
What needs improvement?
The marketplace is a bit of a joke; steps should be taken to improve participation.
Micro Focus desperately needs to improve their core offering rather than adding more "solutions" to the greater ArcSight portfolio. In other words, instead of selling a separate, slick, intuitive add-on (i.e., ArcSight Investigate), just make the console GUI better!
Customer engagement and support could be improved across the board.
Buyer's Guide
OpenText Enterprise Security Manager
April 2025

Learn what your peers think about OpenText Enterprise Security Manager. Get advice and tips from experienced pros sharing their opinions. Updated: April 2025.
857,688 professionals have used our research since 2012.
It has absolutely improved the efficiency of our security team. We use it internally as well. It is such a powerful tool that our internal security team became a customer of our ArcSight managed service.
Several thousand and growing.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
We had one issue and customer service was very slow to resolve it.
What do I think about the scalability of the solution?
No scalability issues.
How are customer service and support?
Unfortunately, this may be the single biggest complaint I have. We have had a bad experience in several different stages of engagement with ArcSight support.
Customer service during the transition from HPE to Micro Focus was abysmal where it became disruptive to our service delivery. Things have improved in the time since and gotten better lately, but there is still room for improvement.
Which solution did I use previously and why did I switch?
We have not used a previous solution past its initial evaluation period.
How was the initial setup?
The initial setup is very complex. We had to architect a deployment which allowed us to incorporate an ever growing number of customers into our hosted instance of ArcSight. At the time, ArcSight did not have much of an MSSP program, and we didn't get near the help that we needed.
What about the implementation team?
We implemented it in-house.
What was our ROI?
Thanks to Micro Focus's licensing model, as an MSSP, we are able to see a complete return on our investment almost immediately.
What's my experience with pricing, setup cost, and licensing?
Customers without a ton of resources to dedicate to deployment may be better served by a managed ArcSight service. A lot of the complex setup and administration duties are more effectively offloaded to a provider who can operate within an economy of scale to mitigate them.
Which other solutions did I evaluate?
What other advice do I have?
It has its quirks, but ultimately, it delivers capabilities that no other SIEM could provide.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

Ex Senior Security Analyst and Onsite consultant at Paladion Networks
Once the rules are defined, it becomes easy to detect changes and generate automated logs
Pros and Cons
- "The tool sends an automated mail to all the operators, which makes it easy to share the information and reporting."
- "Once the rules are defined, it is capable of detecting minute changes in the systems, which are effectively based on the entries in the log."
- "It is a vital tool for live monitoring and helps us to understand the traffic alerts of any major issue on the network, thereby reducing hacking attempts."
- "Once the rules are defined, it becomes easy to detect changes and generate automated logs."
- "The analytics feature is not reliable and needs improvement for more detailed analysis."
- "In certain cases, this product does have false positives, which the company should work on."
- "They should try to include business logic vulnerabilities in the SIEM tool."
What is our primary use case?
We use Micro Focus ArcSight SIEM version 6.3, 6.4, and 6.5 in multiple sites and customer ranges. The SIEM log monitoring tool is very efficient at providing us the details for any file system changes, logins, OSPF, and BGP as well as other router and server changes.
How has it helped my organization?
It is a vital tool for live monitoring and helps us to understand the traffic alerts of any major issue on the network, thereby reducing hacking attempts. Before, our staff had to review raw logs directly to understand if there had been any attempt on the system, but with ArcSight, once the rules are defined, it becomes easy to detect changes and generate automated logs.
Another benefit is this tool sends an automated mail to all the operators, which makes it easy to share the information and reporting.
What is most valuable?
Once the rules are defined, it is capable of detecting minute changes in the systems, which are effectively based on the entries in the log.
What needs improvement?
In certain cases, this product does have false positives, which the company should work on. They should also try to include business logic vulnerabilities in the SIEM tool. The analytics feature is not reliable and needs improvement for more detailed analysis.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
The product that we used in our office under different environments is highly stable. We have used certain specific versions unless required specifically by the client.
What do I think about the scalability of the solution?
This product is designed for easy scalability and can easily scale up without major challenges. However, we have a specific team which looks after the setup and maintenance of the tool.
How are customer service and technical support?
We have experienced quick customer support. They have a complete list of our previous issues along with our history, which makes it faster for them to solve our issues.
Which solution did I use previously and why did I switch?
Since I have been in the organisation, we have used Micro Focus ArcSight for 80% of the clients. We have also used Splunk for certain clients based on their requirements.
How was the initial setup?
We have a separate team for this functionality. I am not aware of the process. However, complete client cooperation is required in the setup or else there can be certain counterproductive alerts.
What's my experience with pricing, setup cost, and licensing?
It is best to be an institutional buyer and directly contact the sales team, as they can provide over-the-top discounts for bulk orders.
Which other solutions did I evaluate?
We have used Micro Focus ArcSight from the beginning.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
Security Consultant at a tech services company with 5,001-10,000 employees
It makes user behavior and problems on the network visible, which we can then solve
Pros and Cons
- "The real-time analysis adds value."
- "HPE ArcSight has a quite steep learning curve."
How has it helped my organization?
- User behavior and problems on the network are visible, which we can then solve.
- We can align policies with how people actually behave.
- MSSP options are very good.
What is most valuable?
- Large scale installations work well.
- The new user interface is nice.
- The real-time analysis adds value.
- The default packages on the new HPE Marketplace are useful and give nice default dashboards and reports for most of the well-known products.
What needs improvement?
HPE ArcSight has a quite steep learning curve. If you get to know the product well, it is the most powerful product that I have worked with. It would be nice if new users could start using the product more easily.
What do I think about the stability of the solution?
I would prefer to roll out HPE ArcSight ESM on physical hardware. Without proper tuning, running ESM on VMware does not work well. Loggers and connectors work fine on virtual components.
10,000 events per second, including correlation, on pretty normal hardware work well.
What do I think about the scalability of the solution?
We encountered no issues with scalability. If needed, ESM can be set up in tiered form. Loggers can be scaled horizontally very efficiently. One box can handle a lot of events.
How are customer service and technical support?
Customer Service:
Seven out of 10. Basic questions get answered quickly. More in-depth questions require more time, which can be a problem. It has improved over the last two years.
Technical Support:
Initially, the level of technical support was not so good. Once you get put through to the people in the US, you will get the better answers.
Which solution did I use previously and why did I switch?
I have also used LogRhythm, which in my opinion has fewer features than ArcSight. 80% of use cases work well on both; for the most interesting 20%, I would use ArcSight.
How was the initial setup?
Initial setup was straightforward. From the manuals, it is clear what components need to be installed where. Not having to install agents on servers is a big advantage of ArcSight over other solutions that I have worked with.
What about the implementation team?
We did not use a vendor team to do the implementation. Our in-house teams could roll out ArcSight very well. Cooperation of a lot of teams is often needed to implement SIEM solutions: networking, OS, and compliance. Depending on your company structure, cooperation between teams can cost the most time.
What was our ROI?
I have not been involved in the ROI calculations and considerations, thus I cannot give my thoughts on this point.
What's my experience with pricing, setup cost, and licensing?
Do not scale out (horizontally) too quickly. A good box can handle a lot of EPS. You will not need to buy more licenses if you use one box in a good way. Also, aggregation can help a lot in pushing down licensing costs.
Which other solutions did I evaluate?
We also looked at Splunk and LogRhythm for every installation. All three have their own benefits. For large scale installations with multiple users and (sub) companies, ArcSight is the best option.
What other advice do I have?
Get a training course and start working with it quickly after getting your course. It is easy to forget all the options ArcSight has.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Delivery Consultant - Security Solutions with 1,001-5,000 employees
By tweaking use case conditions one could identify potential security breaches, but admin is complex
Pros and Cons
- "Customization. ArcSight gives you a platform to on-board out-of-the-box devices with a more accurate way of collecting desired logs/events."
- "Administration of ArcSight is not an easy job. The admin needs to be well experienced in it to identify the root cause and fix it."
How has it helped my organization?
Recent attacks like Shamoon and WannaCry were under continuous monitoring by using this solution. It is understood that every SIEM is a detective technology and not a preventive one, but by tweaking the use case conditions one could identify potential security breaches.
What is most valuable?
Customization. ArcSight gives you a platform to on-board out-of-the-box devices with a more accurate way of collecting desired logs/events. Competitors offer something similar, but ArcSight does give you more detail.
What needs improvement?
Complexity, administration. Administration of ArcSight is not an easy job. The admin needs to be well experienced in it to identify the root cause and fix it.
What do I think about the stability of the solution?
Yes, quite a few times. But that depends on the admin, on how well the tool is maintained. Proper health checks are required on a regular basis.
What do I think about the scalability of the solution?
Yes. Storage is an issue. Before deploying the product in the organization, proper scaling has to be done or else you end up losing the oldest data, hence failing to meet the audit.
How are customer service and technical support?
Eight out of 10.
Which solution did I use previously and why did I switch?
No.
How was the initial setup?
It was complex a few years ago. Lately it is all GUI and things are quite straightforward.
What's my experience with pricing, setup cost, and licensing?
ArcSight is pretty expensive compared with its competitors. I believe that is fine as it provides value.
Which other solutions did I evaluate?
No.
What other advice do I have?
On-boarding is easy but administration is challenging and more fun.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Security Consultant, CISSP, HPE ArcSight Specialist at a retailer with 5,001-10,000 employees
Parses raw logs, converts them to common event format so you don't need expertise in all products
Pros and Cons
- "SmartConnector: Normalization parses raw logs and converts them into CEF (common event format). This is the core of the product."
- "They need to develop NetFlow appliances that can be installed in the customer network on span ports, collect NetFlow, and send it to ArcSight without relying on the devices' NetFlow capability and their position in the network."
How has it helped my organization?
This product is one of the best SIEM solutions, which helps SOC analysts to consolidate all security-relevant logs of many products into one place in a common format. It doesn’t require that you have expertise in each and every product. It facilitates pinpointing indicators of compromise and investigating security incidents more quickly than the legacy way of checking every product log separately. The old way required a huge effort (and the pain) of human correlation.
What is most valuable?
- SmartConnector: Normalization parses raw logs and converts them into CEF (common event format). This is the core of the product.
- Filtration, Aggregation: Both features provide a good way to save EPS (events per second).
- Logger: Long log retention, fast search, and reporting.
- ESM/Express: Correlation via standard rules and data monitors, active list, session list, active channels, reports, trends, queries, dashboards (query viewers and data monitors), and lightweight rules.
What needs improvement?
Developing more products/modules that make it more independent from relying on other vendors’ products to get all the necessary logs. For example, develop NetFlow appliances that can be installed in the customer network on span ports, collect NetFlow, and send it to ArcSight without relying on the devices' NetFlow capability and their position in the network.
What do I think about the stability of the solution?
Overall, the product stability is very good. But without continuous tuning of the developed content, and with improper usage of the product, you can encounter performance issues with ESM/Express, and sometimes hangs, which require a services restart.
What do I think about the scalability of the solution?
No.
How are customer service and technical support?
Sometimes very good and sometimes moderate.
Which solution did I use previously and why did I switch?
No.
How was the initial setup?
Straightforward for Logger and Express appliance; more considerations for ESM software version.
What's my experience with pricing, setup cost, and licensing?
HPE ArcSight pricing might be more expensive than other SIEM solutions, but in my opinion it has powerful features and great flexibility in developing complex use cases. So, in my opinion, it's worth trying first (via PoC, for example) before making any decision based on cost.
Which other solutions did I evaluate?
No.
What other advice do I have?
If you are implementing Express/ESM, I advise disabling all out-of-the-box content and building your own. Also, keep monitoring partial matches and your session/active list sizes as you develop your correlation rules, as it has a big performance hit on the system.
Disclosure: My company has a business relationship with this vendor other than being a customer: HPE implementation partner.
Dynamics Nav Expert at a tech services company with 51-200 employees
Allows integration and log collection with different devices.
What is most valuable?
The valuable features are:
- Integration and log collection with different devices.
- Collecting logs from many different sources. If you have your own app, you can do logging for it. In addition, you can customize log parsing.
- Correlations of logs from different device types.
- Built-in content such as reports, dashboard, compliance, and standard packages.
- Option to correlate logs with business data.
- Option to adjust the product to different roles: operations, decision makers, and administrators.
- You can adjust the web console interface to match the specific role.
- Integration with other products, such as databases and IPSs.
- Additional features are available with simple extensions. The solution enables you to monitor logs and to analyze data, but you can also use additional add-ins such as reputation services that can integrate ArcSight ESM with TippingPoint IPS.
- Ready-made content that can be used immediately.
- Customized business tables can be correlated. For example, the employee sick leave register can be correlated with Windows login logs.
What needs improvement?
I would like to see the following improvements:
- Less time to administer and track logs on separate devices.
- Ease of changing the product underneath. For example, instead of Juniper routers, we started to use Check Point routers.
- Reporting: I would like an easier way to find the root cause.
- Simplicity: I would like to see an easier way to figure out which column has the mapped data.
- Component accessibility: Components are managed in different places; console, web console, and administration web. It would be nice to have easier access.
- Better UX: I would like to see a better user experience with the web client. Sometimes, it is very slow and not very intuitive.
- Better documentation or "how-to" videos: Usually documentation for devices, whose logs are going to be collected, is poor. Those guides are split in two parts: 1. To-do content for device administrator. 2. To-do content on the ArcSight side. When a customer uses these guides, it is not clear what he has to do. Sometimes the customer asks specific questions that the ArcSight implementer cannot answer. Some of these questions are about specific roles, privileges needed for a domain, or database use when the specific source is added.
- Simplified licensing and license extension for console users: Console users are licensed separately. Those licenses are expensive. The web console is introduced with limited features.
What do I think about the stability of the solution?
There were some stability issues in the partner versions. The client versions were stable.
What do I think about the scalability of the solution?
There were no scalability issues.
How is customer service and technical support?
The technical support was not very good. They are slow and not very efficient. I rely on personal contacts to solve my issues.
How was the initial setup?
The installation was straightforward. It has some built-in connectors that are easy to set up.
What's my experience with pricing, setup cost, and licensing?
The product is not cheap. If you set it up and use it well, it is a worthwhile purchase.
Which other solutions did I evaluate?
We evaluated Splunk and McAfee Log Manager.
What other advice do I have?
Prior to implementation, do an internal assessment and analyze business, technical, and other requirements. Know your inventory and ask for a project methodology approach. Ask your partner for a referral visit to other customer sites.
Disclosure: My company has a business relationship with this vendor other than being a customer: We are a partner.
Security Manager at a tech services company with 10,001+ employees
Allows me to view events in real time. The FlexConnector configuration is complex.
What is most valuable?
The web logger allows me to view and inquire about various events in real time. It is the most useful feature for me for the following reasons:
- Allows me to look at the traffic in real time
- Allows me to add filters that remove the traffic that is not interesting
- Allows me to narrow down my research to only important traffic.
- Helps me in my troubleshooting work. I need to know a bit of SQL query syntax, but that is straightforward.
- Allows me to create reports, evaluate my findings, and send information to my customers.
How has it helped my organization?
I was able to provide intelligence reports to my customers. The organization relies on this information in order to sell services.
What needs improvement?
I would like to see the following:
- An improvement in the connector/agent configuration.
The connector configuration is CLI based. If the connectors are pre-defined and built by HPE, then the configuration/installation seems to be OK.
- Making the FlexConnector configuration less complex.
You need development skills in order to do your job in creating/configuring agents and connectors. I tried to learn the syntax in order to customize the software (connectors and agents) for a particular device, and it was a nightmare. The cost for this work, via HPE consultancy, is huge.
For how long have I used the solution?
I've been using this product for three and a half years. I am one of the supporters of the product.
What was my experience with deployment of the solution?
Some of the connectors need to be developed in-house. There were also issues with forwarding events. We noticed that some logs were lost between connectors and the central reporting unit.
How are customer service and technical support?
I would give technical support a rating of 4 or 5 out of 10.
Which solution did I use previously and why did I switch?
We also use Splunk to compare features. ArcSight is the favorite solution for my organization.
How was the initial setup?
The initial setup is straightforward, but the customization can become a nightmare very easily.
What about the implementation team?
We had an in-house implementation. I would recommend a dedicated team for implementation, support, and operation.
What other advice do I have?
This product requires a dedicated team to operate it from A to Z. HPE support needs to be clearly defined and considered.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Lead Splunk Architect at a financial services firm with 10,001+ employees
CEF log formatting helps with combining events from different sources. It can be quite complicated for the "non-IT" user.
What is most valuable?
Correlation and data normalization via CEF: The speed of ArcSight's correlation engine, together with data enrichment, makes it a great tool for exploring vast amounts of data. Other SIEM tools have a hard time giving the same results at the same speed. Also, thanks to CEF log formatting, combining events from different sources takes minimal effort. Whereas, setting up that normalisation on other SIEM competitors could take countless hours.
What needs improvement?
Ease of use, access and simplicity: HPE ArcSight makes it hard to capitalize on reports without the use of the console. Other SIEM tools have made it clear that event correlation results can be used not only to send out alerts, but also to provide easily accessible results to management.
ArcSight can be quite complicated to use for a "non-IT" user. In terms of "ease of use", access and simplicity, HPE could do a better job, since customers acquiring the product should be spending more time on implementing use cases than on understanding the product and the console organization.
Also, in terms of installation, we are no longer in an era where installing a product should be a laborious process. Instead, it should be simple and fast.
Also, when it comes to data onboarding, managing ArcSight connectors in a multi-technology environment, there is no simple way to guarantee that data parsing is happening properly.
Finally, having simple-to-set-up, multi-site high availability, in contrast to single-site HA, would be very welcome.
For how long have I used the solution?
I’ve been using ArcSight for three years.
What do I think about the stability of the solution?
We have had some issues on the SmartConnector layer, since not all parsers provide perfect results (especially in the case of proxy data). Also, there have been some issues on the HA modules, since HA works sort of like a local rsync (no remote HA).
What do I think about the scalability of the solution?
No scalability issues have been encountered so far. ArcSight's architecture is very scalable, especially when set up in a layered architecture.
How are customer service and technical support?
Support is slow and doesn't always have the required skill set to solve the issues.
Which solution did I use previously and why did I switch?
We did not have a previous solution.
How was the initial setup?
Initial setup was very complex. Any modification to the OS prior to ESM installation may cause errors in installation. Most errors aren't explicit and require a lot of time, effort and sometimes PS help to solve.
What's my experience with pricing, setup cost, and licensing?
Price is fair compared to other SIEMs (Splunk, QRadar, etc.). It's not the go-to product if you are looking for something cheap. Go for ArcSight, if it provides specific features that your IS requires.
Which other solutions did I evaluate?
Before ArcSight, we looked at QRadar and Splunk.
What other advice do I have?
My first advice is "be patient". It takes a lot of time to deploy an ArcSight infrastructure, but the result is worth it. Technically, it’s a very powerful tool. It would be worth it to take the time to learn some of the hidden features.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
