ArcSight Enterprise Security Manager (ESM) Reviews

• Real-time rules for threat detection
• Event correlations that are automated and prioritized according to level of security risk and compliance violation

It allows us to be in better compliance with security protocols. It also gives us a better global vision of what is happening in the organization in terms of security threats and how best to analyze and mitigate them.

I would like to have native cluster for connectors as a software version and not as an appliance. It also needs a better disaster recovery procedure.

We've been using ArcSight since 2007.

We've deployed it without any issues.

We haven't had any issues with instability.

It's scaled fine for our needs.

We chose ArcSight when they had no real competitor and we stayed with them.

I'm pleased with the current capabilities.

Too many to name, but here are a few:

1. Its versatility when it comes to vendor support.
2. The ESM and logger are powerful tools. If used properly, we can achieve much more than we previously could. The Alert and Case Tracking mechanism contribute to the work of ESM and Logger.
3. Express, all-in-one component is best for small businesses.
4. NTP is efficient in blocking identified threats.
5. ArcSight Flex Connector Development module is an excellent feature if you want to get the logs from unsupported vendor products.

I am a service provider for this product, so I provide value to the customer based on their requirements. The requirements are generally based on the lines of compliance and better security vision of what is going on in the organization, and who is doing what etc. and to mitigate external threats like port scans, DOS, malware ingestion, phishing etc.

Better reporting with the nice look and feel available in the wider market; also more vendor log support. HP should improve their Tech Support status.

3+ years

A few, depending on the specific organization's structure and policies.

No

The solution itself is very scalable, but it is also a lot more expensive than other players.

Customer Service: PoorTechnical Support: Poor

No

Splunk, RSA Envision, McAfee Nitro and IBM QRadar

Consider the complexity of this solution and choose the right people to deploy it.

It is easy to use when we created some dashboards for analytics. ArcSight allows you to create a dashboard and provides an on-the-fly filter.

It makes things easy when I create a new alert.

They need to improve the Web UI, similar to how it is done with Splunk.

ArcSight is still using a Java app to do analytics.

ArcSight Express is using HTML5, which is good. However, the capabilities of ArcSight Express are not good when the data grows.

I did not have any issues with stability.

I did not have any issues with scalability.

Technical support responds quickly.

We previously used RSA enVision. We had issues with the report generation.

The installation is very easy.

The licensing should come with EPS format, and not with EPD format.

You need to first know the SIEM concept. SIEM can grow significantly, so you need to understand how to use a collector properly.

Recent attacks like Shamoon and WannaCry were under continuous monitoring by using this solution. It is understood that every SIEM is a detective technology and not a preventive, but by tweaking the use case conditions one could identify potential security breaches.

Customization. ArcSight gives you a platform to on-board out-of-the-box devices with a more accurate way of collecting desired logs/events. Competitors offer the something similar but ArcSight does gives you more detail.

Complexity, administration. Administration of ArcSight is not an easy job. The admin needs to be well experienced in it to identify the root cause and fix it.

Yes, quite a few times. But that depends on the admin, on how well the tool is maintained. Proper health checks are required on regular basis.

Yes. Storage is an issue. Before deploying the product in the organization, proper scaling has to be done or else you end up losing the oldest data, hence failing to meet the audit.

Eight out of 10.

No.

It was complex a few years. Lately it is all GUI and things are quite straightforward.

ArcSight is pretty expensive compared with its competitors. I believe that is fine as it provides value.

No.

On-boarding is easy but administration is challenging and more fun.

• Collection - Collects logs from a wide range of products, even those not supported by default and the users can develop a connector for log collection.
• Detection - Caliber to detect subtle attacks with a powerful correlation engine.
• Report/Alert - The user has multiple levels of options to generate reports and get alerted based on conditions.

By using ArcSight ESM and its correlation technology, it thwarts multiple attacks from external sources before exploitations such as SQL injection, UNIX password file attempt, brute force to published servers, and more.

In addition, internal frauds have been prevented through preventing unauthorized login attempts to the firewall, database, critical servers, etc.

ArcSight Connector appliance needs some improvement, as it has some bugs which triggers issues most of the time. I believe that the Connector is going to hit end-of-service.

We experienced no issues with the deployment.

We had the bugs in Connector as detailed in the Areas for Improvement section.

We've had no issues with scalability.

Customer Service:

3.5*

Technical Support:

Technical support should be improved. Many times, I've raised a case but none of them solved it and it took the guys from the Protect724 forum so solve my issue. The support team simply collects the logs from end users and makes you wait, and you carry on passing the same information which is available in the Admin guide.

All you need is proper planning and pre-requisites information, and it's straightforward. Some newbies say that this product is hard to handle, but basically practice makes perfect.

HP are doing their job perfectly by bringing new features in every version, such as RepSM, HA capability, etc. It has never failed me.

We help our customers to implement the solution to detect known threats by state of the art variety of use cased offerings.

Arcsight ESM help customer in Automation for their complex security use case in order to detect the bad guys.

Corelation Engine by corelating the cross domain logs.

OOB content is limited Microfocus should release the smart connector update on quaterly basis.

I've been working with the Micro Focus ArcSight portfolio for nearly six years.

I am satisfied with the solution's stability.

I am satisfied with the solution's scalability. 

We are satisfied with technical support and most of our problems have been resolved.

Simple and pretty straight forward.

We provide the implementation and maintenance services of the solution for our customers.

According to the Gartner Reports and Gartner Reviews, the main competitors of the solution are IBM and Splunk. They provide their services world-wide and do much implementation in the region. 

the plus point for Arcsight ESM is having cross domain corelation feature.

I rate ArcSight Enterprise Security Manager (ESM) as a 8 out of ten.

On-premises

The most valuable features are flexible setup of the architecture and large coverage of devices. Most devices deployed in enterprise environments are covered out-of-the-box by ArcSight. Unlike a few other solutions, the last-mile connectivity with ArcSight agent servers is free and flexible across all location deployments.

I have implemented it for a few organizations and they have benefited by early attack detection and usage of the right incident response mechanisms.

I would like to see high-end, predictive analytics. ArcSight ESM has some features that help in advanced correlation rules creation. However, intelligence around predictive analytics, understanding the current security posture and ability to map it with possible threats in the future is not something that is present in ArcSight at the moment.

We’ve been using ArcSight for 3 years.

I have not had any issues with stability.

I have not had any issues with scalability.

I have never used technical support much, but will give it 3/5.

The connectors are straightforward. The baselining is where the issues start.

Licensing is straightforward, but the solution is fairly pricey.

We looked at QRadar and LogRhythm.

Ensure your scope is very clear and so are the components.

Scalability and Adaptability. By Scalability, I mean, the number of supported devices by ArcSight. You can make changes to the current deployment if required or add a new region in the scope by adding components of ArcSight. By Adaptability I mean, once the analysts see what can be achieved by utilizing the various resources of ArcSight, it motivates them to come up with new ideas and how to implement them. The interface is quite user friendly compared to other Vendors.

We could extract meaningful data of the billions of Security Events and relate it with the extra information we had for our assets.

Support from the vendor and pricing.

3 Years.

No

Yes, Oracle bugs mostly.

No.

Good.

I have worked on multiple SIEM products. I work as a Senior Security Analyst and have a minimal role in deciding the solution. I only work where it is explicitly an HP ArcSight environment or deployment.

Straightforward.

Through an in-house team.

Best SIEM product but it's high on pricing and licensing.