ArcSight Enterprise Security Manager (ESM) Reviews

Flexibility, high ingestion rate, and complexity of use cases.

ArcSight gives us better visibility into threats that were unknown earlier. We now have an ability to assess end-to-end communications, as well as alerts from various security solutions along the path.

The most valuable features are lists, correlation, escalation matrix, and customers.

The following needs to be improved:

1. We would like the ability to easily identify either unused resources or those that are being used sub-optimally.
2. ESM should make usage of variables and other such deep customizations, highly intuitive.
3. User behavior analytics is too pricey but an essential tool.

We have been using ArcSight for eight years.

The ArcSight solution supports your security team with many SIEM features:

• Monitoring
• Analysis
• Alerts
• Incident response

In my opinion, ArcSight is an open solution. It is easy to:

• Customize components
• Use FlexConnector to collect logs from your own application
• Edit rules and the dashboard
• Create work flows
• Enrich information for events

I work at an ArcSight distributor in Vietnam. I have deployed the ArcSight solution for many customers. Some organizations are using it for SOC’s core and others for monitoring their information systems, critical assets, and regulatory and policy compliance.

I have over two years of experience.

It can be overloaded when rules and data monitoring are not optimized and the system receives too many events.

ArcSight can be extended to meet the biggest customers (large enterprise) needs.

ArcSight technical support is enthusiastic. They have a lot of experience and many case studies.

ArcSight configuration and deployment is complex, because it has many components.

I researched Splunk, QRadar and AlienVault, and I appreciate Splunk and ArcSight.

ArcSight provides many documents and guides for configuration and operation. Also, you can refer to its community at https://www.protect724.hpe.com.

We are using ArcSight Enterprise Security Manager (ESM) for data analytics. We monitor the reports on security event information.

I have been using this solution for approximately one year.

The solution could be more stable.

We have not had any issue with the scalability.

We have approximately 20 users using this solution in my organization.

We have been satisfied with the support.

The installation was easy.

We had assistance with the implementation of the solution. We have approximately five individuals that do the maintenance.

There is a license required for this solution.

I would recommend this solution to others.

I rate ArcSight Enterprise Security Manager (ESM) a seven out of ten.

Our primary use case is for security purposes. We are customers of ArcSight and I'm an information security analyst.

I think the correlation feature is one of the best features of ArcSight.

A lot of improvements could be made in the product. I think the roadmap is not clear, and there is no AI or machine learning solution. 

I've been using this solution for five years. 

We haven't had any issues with stability. 

I think there is good technical skill with the technical support but their attitude and response time is not good. 

I recall that the initial setup was quite complex. We took subscription services for two weeks which covered the period of deployment. 

We are actually moving to another solution because the roadmap is not clear. We are just a small team and we don't need to monitor 24/7. We're looking to replace it with another more intelligent solution like Splunk or Securonix.

Honestly, I won't recommend the ArcSight to another person. 

I would rate this solution a four out of 10. 

The best feature of ArcSight is its flexibility. Almost no other vendor provides such a good framework to collect, parse, and analyze data. Its flexibility is achieved by being easy to use, and at the same time having very sophisticated FlexConnectors. Also, I've found ArcSight's correlation engine to be the most advanced on the market.

My customers who use ArcSight report that it becomes very useful in incident detection and forensics. It's really sped up disclosure of inappropriate activity in information systems and on the network. Flexible event collection allows getting crucial events from almost every possible source. And correlation abilities are incredible if you know how to cook it.

Many competitors are going down the road of combining their products with other security products, such as vulnerability scanning, configuration control etc. HP's position doesn't change in that area as they offer to use their standalone solutions and integrate them in ArcSight. There are no embedded scanners or network forensics. Maybe it's time for HP to rethink that position.

I've been working with HP ArcSight since 2008. All that time, the product has been growing and evolving, trying to give us more profit and a better experience to old and new customers.

We have had no issues with the deployment.

If you encounter serious performance problems, you didn't size correctly prior to deployment.

The scalability options are pretty good although costly.

Every product has its stability bugs, and ArcSight is not an exception, though I haven't found anything critical.

I must say that tech support is getting worse and worse every year. Hard cases may "hang" for months. In simple cases, support often demonstrates a lack of deep knowledge. When ArcSight was not HP, its product support was much much better. Even first-line support could help with anything.

As a systems integrator, we constantly evaluate different solutions and deploy not one but many of them. My personal opinion is that a crucial feature for a SIEM system is flexibility. The more you can tune, adjust, and develop the system, you will get more profit from it. If we're talking about SIEM solutions, then no one can offer such flexibility as ArcSight. Splunk maybe, but Splunk is not SIEM, and to get SIEM-like features from it you spend more time and money.

As a system integrator, I always say that implementation must be done by an experienced team. SIEM solutions are not easy, so if time is important, do not rely on doing it haphazardly.

We would like it to be cheaper, but the licensing model is pretty simple.

You need to read the documentation - you can then get it fast and working. If you do not read the documentation, you get pain and tears. Look for an experienced team to deploy the solution, or get experience yourself as HP has some good learning courses.

Deep knowledge of the product will come later, but for the correct implementation you need to be prepared. ArcSight has wonderful community, and you can always ask a question or find an interesting use case there. It's a very useful resource indeed, do not hesitate to visit it.

The dashboard is the most valuable feature for us as it can show a lot of information about real-time incidents.

When I am facing a problem such as transaction fraud, we can investigate using ArcSight by tracing the log through its correlation.

They need to fix some bugs and increase the search performance speed. Sometimes there are issues when I perform log correlations.

We have had no issues with the deployment.

There have been no stability issues.

We have had no issues scaling it for our needs.

5/10

5/10

The initial setup was quite easy and straightforward.

I work for a reseller, and we set up ArcSight for our customers, and I am learning a lot about its architecture.

For SIEM, I think HP ArcSight is a leading competitor alongside Splunk.

You need to learn about architecture and practice more before implementation since this product is not easy to learn and takes time to master.

We use ArcSight Enterprise Security Manager for any type of cyber security attack.

It is in the cloud and on the customer's infrastructure. I am only deploying one agent and the agent is deploying all the information from the customers and then sending it to the cloud.

I am an integrator, but we sell our services. I'm not selling the software directly to customers. I'm selling my service with this product.

It is a very useful tool for intelligence building because it has many use cases and many rule sets.

It is quite complex and could use a better UI. So the improvement would be a simplification. It is pretty complicated to use. The architecture is not complex but the setup and use are. 

In the next release, it would be nice if the Logger model and the ESM model would be merged. Right now there are two big models, Logger and ESM, but from a Windows perspective, it is not good because they're sending Logger and ESM separately. So if you need ESM, you have to buy both Logger and ESM but if you only need Logger, you are buying just Logger. You can deploy them on one system, but you have two different systems and different databases. My suggestion would be to merge Logger and ESM together.

I have been using ArcSight Enterprise Security Manager for about a year.

It is stable.

Arc Sight Enterprise Security Manager is scalable.

The number of people running it should be based on the organization's size. If you have a  company with 500 assets, you should have at least one field engineer for the ESM product and two security analysts to operate this software. This is minimum. One engineer and two security analysts is minimum to start if the organization is midsize.

Their technical support is generally good. On a scale of five, I'd give them four out of five.

The initial setup is complex.

Installation is not complex, but Micro Focus also has different intelligence products. One runs on containers and it is quite complex to install and use, but it is a different product. So maybe if we can remove this wall then we should be all right.

I have two products from Micro Focus. I have this ESM and one for Web. It is for user IT behavior analytics. The second product is quite complex and it's linked to it. Then you have to connect these things together. So the complexity is in the Web product, not in ESM.

Our own site deployment took about one month to deploy and we can deploy services for our customers in about two weeks minimum. But that is a minimum. If the infrastructure is big, it may take up to two or three months. If the infrastructure is not logging or if there are many customer applications, it makes it complex to deploy. Every ESM product will be complex to implement if the organization is big and the logging is not enabled correctly.

My advice to anyone considering Arc Sight Enterprise Security Manager is to just read the manual. Just read the manual and documentation. 

On a scale of one to ten, I would rate it a nine.

It's the security analyst for incident response, forensic investigations, and security monitoring.

It has improved our organization because we had many investigations that it helped us with. 

The webpage algorithm is the most valuable feature because it was the fastest feature for searching the logs, events, and correlation.

The security area has room for improvement. 

I would rate this solution a seven out of ten. To make it a ten they should develop a design for the security operations. It's a SIEM solution and I can see that it has some segregation of the consoles and duties for the different parties when we want to monitor different components like the security operations center.