PeerSpot user
Network Security Engineer, Security Monitoring Center at a tech services company
Real User
FlexConnector collects logs from your own application.

What is most valuable?

The ArcSight solution supports your security team with many SIEM features:

  • Monitoring
  • Analysis
  • Alerts
  • Incident response

In my opinion, ArcSight is an open solution. It is easy to:

  • Customize components
  • Use FlexConnector to collect logs from your own application
  • Edit rules and the dashboard
  • Create workflows
  • Enrich information for events

How has it helped my organization?

I work at an ArcSight distributor in Vietnam. I have deployed the ArcSight solution for many customers. Some organizations are using it for SOC’s core and others for monitoring their information systems, critical assets, and regulatory and policy compliance.

For how long have I used the solution?

I have over two years of experience.

What do I think about the stability of the solution?

It can be overloaded when rules and data monitoring are not optimized and the system receives too many events.

Buyer's Guide
OpenText Enterprise Security Manager
September 2025
Learn what your peers think about OpenText Enterprise Security Manager. Get advice and tips from experienced pros sharing their opinions. Updated: September 2025.
868,787 professionals have used our research since 2012.

What do I think about the scalability of the solution?

ArcSight can be extended to meet the needs of the biggest customers (large enterprises).

How are customer service and support?

ArcSight technical support is enthusiastic. They have a lot of experience and many case studies.

How was the initial setup?

ArcSight configuration and deployment is complex, because it has many components.

Which other solutions did I evaluate?

I researched Splunk, QRadar and AlienVault, and I appreciate Splunk and ArcSight.

What other advice do I have?

ArcSight provides many documents and guides for configuration and operation. Also, you can refer to its community at https://www.protect724.hpe.com.

Disclosure: My company has a business relationship with this vendor other than being a customer. My company is a partner of HPE ArcSight.
PeerSpot user
Security Expert at a tech services company with 501-1,000 employees
Consultant
With multi-tier hierarchical deployment, we are able to integrate and standardize security incident detection and response.

What is most valuable?

  • High flexibility: There are many custom sources of information that we wouldn't be able to integrate with another SIEM solution, thus compromising our security.
  • High performance: The amount of data fed to the solution is huge (100s of millions of events per day).
  • Capacity for multi-tier hierarchical deployment: We are able to integrate and standardize security incident detection and response over many locations.

How has it helped my organization?

  • Losses from security incidents have significantly decreased.
  • Security incident discovery and mitigation is a matter of hours, rather than days or even months, like it was before.
  • Detailed reports allow for planning and informed decision making.

What needs improvement?

The overall complexity of the product can be overwhelming for some. It's not the type of solution where you just plug it in and it works. Reaping full benefit from it requires quite a lot of custom tuning, qualified IT security personnel, and proper and thorough planning.

Technical support from the vendor can sometimes be quite slow and not very helpful, but it is getting better.

The GUI is outdated. Improvements on this are on the way, according to the vendor.

For how long have I used the solution?

I’ve been using ArcSight for five years.

What do I think about the stability of the solution?

We had stability issues only in a virtual environment, which is not recommended by the vendor for a high-load setup. The main virtual server would crash every now and then. But once we had migrated the setup to a dedicated physical server, we had no major stability issues.

What do I think about the scalability of the solution?

Scalability was one of our main concerns while choosing a solution and, so far, it has satisfied our needs in this area without any issues.

How are customer service and technical support?

Right now, I would call technical support moderately good, since it has improved greatly over the past years. There are still some issues with timeliness every now and then, but the number of critical issues is quite low.

Which solution did I use previously and why did I switch?

We have evaluated several solutions and HPE ArcSight was the only one that satisfied our requirements in performance, scalability, and flexibility.

How was the initial setup?

Initial setup was quite complex and required a lot of planning. That is a downside of the solution being flexible and customizable.

What's my experience with pricing, setup cost, and licensing?

The pricing and licensing model has changed dramatically over the last years, so I can't really give much advice on its current state. You need to be ready for the solution to be quite expensive.

Which other solutions did I evaluate?

We evaluated McAfee ESM.

What other advice do I have?

The keys to success with this solution are:

  • Careful deployment planning
  • Readiness to invest time and resources into training your IT security personnel
  • Fine tuning the solution to your specific needs

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
ProductS9907 - PeerSpot reviewer
Product Specialist Security Solutions at a tech services company with 201-500 employees
Real User
The feature list allows us to input data dynamically to list it as a rule action.

How has it helped my organization?

Having a SIEM solution in general improves the way an organization functions, especially in the SOC part. With HPE ArcSight, we were able to deploy multiple dashboards, reports, and use case views that combine different views, data, and variables.

What is most valuable?

One of the most valuable features is the Active List/Session List capability.

Multiple use cases were only possible to be created due to this feature list. The feature list allows us to input data dynamically to list it as a rule action.

For example: If you need to take a Source IP from an IPS event and put it in an ActiveList suspicious IP, you can create another rule for AntiVirus events where it only matches IPs within that list.

What needs improvement?

The main area is the GUI interface. Although a lot of improvements were made on the GUI in the last version (6.9.1), there are still a lot of configurations that need to be done using the console.

The console is not a bad tool to use. I personally like to use it. However, compared to competitive solutions (Splunk, QRadar), it appears to be a weakness.

What do I think about the stability of the solution?

In general, it is a very stable product. We did multiple implementations, and we never had any major issues.

As with any other solution that handles a large number of logs/data, regular fine-tuning is required. This fine-tuning makes sure that the system is doing what it is supposed to do, with the capacity load that it was designed/sized to do.

What do I think about the scalability of the solution?

There were no scalability issues. A single Express/ESM Appliance is usually enough to support most of the enterprise’s needs. Only package upgrades need to be purchased. No hardware changes are necessary.

As for the loggers for long retention, you can add multiple loggers and cluster them as one virtual appliance. This provides for an easy scalability feature.

For the connectors part, you can implement as many connectors as you need so you can cover all your zones/branches. At a later time, a load-balanced connector for syslog can be introduced to make sure that logs for sensitive UDP packets are lost.

How are customer service and technical support?

We barely used the technical support assistance except for licensing. The times when we did use it, they were very good.

Which solution did I use previously and why did I switch?

We worked with RSA enVision/RSA SA as a partner:

  • RSA enVision was very basic and was very hard to fine-tune.
  • RSA SA (logs/packets) is more oriented towards packets/investigation and lacks multiple features when only using it for log management/SIEM.

How was the initial setup?

The initial setup was very easy. A fresh ESM/Express Installation with a connector can be up and running within a few hours.

With all of the best SIEM solutions, the biggest chunk of work comes later in creating customized rules, dashboards, use cases, and flex connectors for non-supported devices.

What's my experience with pricing, setup cost, and licensing?

In general, ArcSight solutions can cost a lot in big deployments. That comes as a result of having a big, scalable, stable, and feature-rich solution.

Which other solutions did I evaluate?

As a partner, we sell the product. We shifted from RSA to ArcSight based on our internal evaluations.

We tested McAfee Nitro, which was not mature enough at the time compared to ArcSight.

What other advice do I have?

Do a live PoC to test all needed features.

Think of use cases that you would like to deploy and make sure they are doable on the system, without additional licenses/appliances.

Choose a mature partner who is able to deliver the implementation even if it costs a bit more. The most common factor in failed SIEM experiences is bad implementations from non-experienced partners/engineers.

Disclosure: My company has a business relationship with this vendor other than being a customer. We are partners with HPE.
Dr Trust Tshepo Mapoka, Senior Cybersecurity Consultant at CIA Botswana
Top 20, Real User

Thanks, I agree.

PeerSpot user
Solutions Architect- SIEM and Solutions with 1,001-5,000 employees
Vendor
Most devices are covered out-of-the-box. I would like to see high-end, predictive analytics.

What is most valuable?

The most valuable features are flexible setup of the architecture and large coverage of devices. Most devices deployed in enterprise environments are covered out-of-the-box by ArcSight. Unlike a few other solutions, the last-mile connectivity with ArcSight agent servers is free and flexible across all location deployments.

How has it helped my organization?

I have implemented it for a few organizations and they have benefited by early attack detection and usage of the right incident response mechanisms.

What needs improvement?

I would like to see high-end, predictive analytics. ArcSight ESM has some features that help in advanced correlation rules creation. However, intelligence around predictive analytics, understanding the current security posture and ability to map it with possible threats in the future is not something that is present in ArcSight at the moment.

For how long have I used the solution?

We’ve been using ArcSight for 3 years.

What do I think about the stability of the solution?

I have not had any issues with stability.

What do I think about the scalability of the solution?

I have not had any issues with scalability.

How is customer service and technical support?

I have never used technical support much, but will give it 3/5.

How was the initial setup?

The connectors are straightforward. The baselining is where the issues start.

What's my experience with pricing, setup cost, and licensing?

Licensing is straightforward, but the solution is fairly pricey.

Which other solutions did I evaluate?

We looked at QRadar and LogRhythm.

What other advice do I have?

Ensure your scope is very clear and so are the components.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Information Security Specialist at a tech services company with 501-1,000 employees
MSP
Correlation and flexibility are valuable. It helped meet compliance requirements for log collection.

What is most valuable?

Correlation and flexibility are the most valuable features.

How has it helped my organization?

ArcSight saved time and effort responding to security incidents with one centralized console and helped to meet compliance requirements for log collection.

What needs improvement?

I would like to see improvement in the complexity involved to create a custom connector (flex). Other SIEM solutions, like QRadar, have addressed this.

For how long have I used the solution?

We have used ArcSight for 6 years.

What do I think about the stability of the solution?

Initial deployment of ArcSight is pretty challenging. It takes at least 3-4 months to install, integrate, define content and fine tune before starting the security operation.

How are customer service and technical support?

Customer service is fast in response, but very standard in their approach, which takes a lot of time for simple issues.

Which solution did I use previously and why did I switch?

I have used RSA enVision, QRadar and Splunk. ArcSight is better than them all when it comes to filtering, normalization, aggregation, dashboards, reporting and correlation, multi-tenancy and custom devices support.

How was the initial setup?

Initial setup was complex as the integration of a custom application takes a lot of time and effort. Then, fine tuning requires at least 6 weeks to analyze and tune each alert separately.

What about the implementation team?

We implemented through HPE itself and I would advise going through a vendor, as they would hand over the SIEM post-fine tuning, which is a mammoth task.

What was our ROI?

ROI can be measured in terms of detected security incidents and compliance positive tests, which in turn boost the business. Our security incident count increased from 3 per month to 46 and all were real security threats. Had those gone undetected and realized, there would have been possible data theft, information stealing, damage of brand reputation, etc.

What other advice do I have?

An organization that has enough budget for SIEM and really cares about security and not only about compliance must go with ArcSight. SMB organizations who want to start a SOC or have just a log management solution for compliance requirements can go for cheaper options such as QRadar, LogRhythm, AlienVault, etc. For MSSP, ArcSight is indeed the best SIEM available in the market, as segregation of logs, access restriction, different log retention, customized view for dashboard and reports to clients are present with ease.

Lastly, ArcSight is like Apple. If you have money, go for iPhone and you will certainly not regret it. But if your budget is the primary constraint, then another SIEM must be explored.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
it_user415854 - PeerSpot reviewer
Senior Information Security Engineer at a tech services company with 501-1,000 employees
Real User
The user has multiple levels of options to generate reports and get alerted based on conditions.

Valuable Features

  • Collection - Collects logs from a wide range of products, even those not supported by default and the users can develop a connector for log collection.
  • Detection - Caliber to detect subtle attacks with a powerful correlation engine.
  • Report/Alert - The user has multiple levels of options to generate reports and get alerted based on conditions.

Improvements to My Organization

By using ArcSight ESM and its correlation technology, it thwarts multiple attacks from external sources before exploitations such as SQL injection, UNIX password file attempt, brute force to published servers, and more.

In addition, internal frauds have been prevented through preventing unauthorized login attempts to the firewall, database, critical servers, etc.

Room for Improvement

ArcSight Connector appliance needs some improvement, as it has some bugs which trigger issues most of the time. I believe that the Connector is going to hit end-of-service.

Deployment Issues

We experienced no issues with the deployment.

Stability Issues

We had the bugs in Connector as detailed in the Areas for Improvement section.

Scalability Issues

We've had no issues with scalability.

Customer Service and Technical Support

Customer Service:

3.5*

Technical Support:

Technical support should be improved. Many times, I've raised a case but none of them solved it and it took the guys from the Protect724 forum to solve my issue. The support team simply collects the logs from end users and makes you wait, and you carry on passing the same information which is available in the Admin guide.

Initial Setup

All you need is proper planning and pre-requisites information, and it's straightforward. Some newbies say that this product is hard to handle, but basically practice makes perfect.

Other Advice

HP are doing their job perfectly by bringing new features in every version, such as RepSM, HA capability, etc. It has never failed me.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
it_user418164 - PeerSpot reviewer
Senior Security Consultant & Solution Architect at a financial services firm with 10,001+ employees
Real User
It's able to track down security incidents faster and make for a more efficient investigation of a user's network activity based on the log data available.

Valuable Features:

  • Alert correlation
  • Reporting
  • Retention

These are the features we find most valuable for us and which we use the most.

Improvements to My Organization:

It's able to track down security incidents faster and make for a more efficient investigation of a user's network activity based on the log data available.

Due simply to the user features available out-of-the-box, the convenience it can bring to any organization (when deployed and configured correctly) can greatly assist any enterprise in many facets, from an increased and enhanced security posture, to auditory regulations and even data retention.

Room for Improvement:

It needs additional and better user customization for SmartConnectors. It has additional device support for more obscure log sources.  

Also needed is a configuration wizard for organizations lacking the in-depth knowledge required to integrate the solution successfully.

Deployment Issues:

We've had no issues with deployment.

Stability Issues:

We've had no issues with instability. It's been stable for us.

Scalability Issues:

We've been able to scale it for our needs. We've had no issues with scalability.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Security Solutions Architect at a comms service provider with 10,001+ employees
Real User
Scalable though it is not "plug-and-play".

Valuable Features:

- Scalable though it is not "plug-and-play". 
- Various deployment configurations, based on requirements, budget and the EPS/GB per day
- Stable, performance predictable based on used capacity
- Integration with alerting/ticketing systems such as Tivoli

Improvements to My Organization:

- We use this product for managed SIEM services and its stability and maturity helps with standard deployments (hardly any surprises)

Room for Improvement:

- A bit on the slow side for reports requiring query of old data

- High availability achievable through complicated configurations (i.e. load balancers)

- The user interface is a bit dated

Disclosure: My company does not have a business relationship with this vendor other than being a customer.