AbhishekMishra - PeerSpot reviewer
Technical Lead Project Individual Contributor at DXC
Real User
Used for cyber security by cyber security professionals for incident management and for analysis
Pros and Cons
  • "Usability is the most valuable feature. The accessibility is quite good."
  • "The visualization is not very good compared to Splunk."

What is our primary use case?

We use this solution as a SIEM monitoring tool in our enterprise and for customers who have been using it, like shared operations. It's mostly used for cyber security by cyber security professionals for incident management and analysis.

The solution can be deployed on-prem and on the cloud. It depends on the requirements. We mainly use AWS, but Azure is also used.

We have analysts and architects using this solution. There are more than 20 people who are specialists and are using it. The team can be as large as more than 100 people. It all depends upon infrastructure and the clients that the particular infrastructure is supporting.

What is most valuable?

Usability is the most valuable feature. The accessibility is quite good. If a new person wants to be trained in this product, it's easy for them to be trained, as opposed to other products like Splunk or Sentinel.

ArcSight is good, and it's also scaling up.

What needs improvement?

The visualization is not very good compared to Splunk.

The dashboard and the comparability with new devices could be better. For example, we have a lot of cloud infrastructure that's coming around. Nowadays, most of the appliances are cloud-based. So, the comparability of Splunk is more with cloud infrastructure. With ArcSight, we have to build FlexConnectors to integrate multiple data sources, and we need visualization in that with FlexConnectors. If you go to Splunk, they have their own apps developed, and they work more proactively compared to ArcSight.

The performance and speed could be better. Technical support could be improved.

For how long have I used the solution?

I have been using this solution for six years.

Buyer's Guide
ArcSight Enterprise Security Manager (ESM)
April 2025
Learn what your peers think about ArcSight Enterprise Security Manager (ESM). Get advice and tips from experienced pros sharing their opinions. Updated: April 2025.
851,604 professionals have used our research since 2012.

What do I think about the stability of the solution?

The solution is stable because we have been using this product for quite a number of clients. They use ArcSight as a primary tool for SIEM. We have been using it in the cyber security space for quite a long time. It is stable, but people are needed to manage this tool.

How are customer service and support?

ArcSight's technical support hasn't been as good as it was in the past. I don't find it to be very good. My queries are not being properly resolved.

Which solution did I use previously and why did I switch?

I also use Splunk and sometimes Sentinel.

This is the oldest SIM I have been working on. After that, Splunk came into the market. I worked for Accenture, and Splunk gave free training because of the partnership with Accenture. Their training framework was good compared to ArcSight. A lot of people started switching to Splunk. Nobody's support is perfect, but Splunk's support is almost perfect and better than ArcSight.

The primary factor is the cost. ArcSight is cost-effective, but Splunk is not because it charges for UBA, and ArcSight charges on EPS. Splunk is also in automation and machine-learning tools. So, if a customer is willing to spend big so they can switch to Splunk, that's what I've seen for most of the clients.

How was the initial setup?

Initial setup is complex, not straightforward, because there are some devices that are not supported by ArcSight. So, we have to build a development strategy for each of the devices.

For the implementation strategy, it can be software-based or it can be a multi-side-based also. It depends on the type of clients you have and the agents. They have a central server from which you can deploy the agents and install them, and then they can send to the ESM side on which you can correlate. From there, the incident reporting will be done based on multiple systems.

What about the implementation team?

A consultant is required for smooth setup.

What was our ROI?

We have seen ROI because this space keeps on changing very dynamically. It depends on your customer. There is definitely a return on investment, but it's not large because these types of solutions are for compliance purposes. We see many cyber attacks happen nowadays, but they definitely prevent some of the major incidents. It will give direct results to an organization, maybe in some intangible manner. But because this is a compliance thing, you definitely have to implement at least one SIEM in the infrastructure.

What's my experience with pricing, setup cost, and licensing?

The licensing cost is affordable if you get an enterprise license. The licensing is based on EPS, so you can probably provide a package of license for multiple ESMs with their correlational end fees. It is cost-effective.

Licensing depends on what type of customer you are. There will be licenses for each and every appliance. There will be three types of appliances like ESM, ArcMC, and Logger. For these three components, you need to buy a separate license.

What other advice do I have?

I would rate this solution 7 out of 10. 

My advice is to get proper training. It also depends on which component someone is working on. ArcSight support will not be able to help every time because ArcSight professional services are pretty costly. I haven't seen any organization taking ArcSight professional support. We only have normal support. It needs a bunch of experts to support these kinds of operations.

You will need a strategy for how deployment is going to be, how much the capacity planning will be, what the configuration of servers will be, how they will architect it, etc.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Anand-Dutta - PeerSpot reviewer
Head Global Alliances Director at Tech Mahindra Limited
Reseller
Has good integration with third-party products; its technical support team is very helpful
Pros and Cons
  • "What I found most valuable in ArcSight Enterprise Security Manager (ESM) is its good integration with third-party products. The solution also has good core capabilities."
  • "What could be improved in ArcSight Enterprise Security Manager (ESM) is its analytics feature. That feature should be more powerful and have more correlation in terms of AI/ML, though MicroFocus has done a good job in adding analytics to ArcSight Enterprise Security Manager (ESM) which has become a big draw to customers. What I'd like to see in the next release of the solution is the addition of AI/ML features."

What is our primary use case?

ArcSight Enterprise Security Manager (ESM) is used in the customer side, specifically where there is an investment because the solution, when implemented, helps with integration. ArcSight Enterprise Security Manager (ESM) is able to ingest logs and integrate with all the third-party products, so its utility becomes higher. Integration is very important because if the solution isn't able to integrate with others, then data doesn't come under SIEM and becomes incomplete.

How has it helped my organization?

ArcSight Enterprise Security Manager (ESM) helped my company in terms of correlating alerts. The solution also helped in both alert-giving and understanding alerts. It also dismisses repeat alerts and removes false positives. ArcSight Enterprise Security Manager (ESM) also gives you the main reason for the alert so it saves time in terms of investigating all alerts, including false alerts, so it improved my company.

What is most valuable?

What I found most valuable in ArcSight Enterprise Security Manager (ESM) is its good integration with third-party products. The solution also has good core capabilities.

What needs improvement?

What could be improved in ArcSight Enterprise Security Manager (ESM) is its analytics feature. That feature should be more powerful and have more correlation in terms of AI/ML, though MicroFocus has done a good job in adding analytics to ArcSight Enterprise Security Manager (ESM) which has become a big draw to customers.

What I'd like to see in the next release of the solution is the addition of AI/ML features.

For how long have I used the solution?

I've been using ArcSight Enterprise Security Manager (ESM) for almost five years, and I'm still using it.

What do I think about the stability of the solution?

ArcSight Enterprise Security Manager (ESM) has great stability.

What do I think about the scalability of the solution?

ArcSight Enterprise Security Manager (ESM) is a scalable solution.

How are customer service and support?

The technical support team of ArcSight Enterprise Security Manager (ESM) is very helpful. I would rate technical support for the solution five out of five.

How was the initial setup?

The initial setup for ArcSight Enterprise Security Manager (ESM) was straightforward and the process was very well-explained. How long the process takes would differ from environment to environment and from customer to customer, but it could take one to two days.

What about the implementation team?

We implemented ArcSight Enterprise Security Manager (ESM) ourselves.

What was our ROI?

I'm unsure on the exact ROI for ArcSight Enterprise Security Manager (ESM) because in cybersecurity you could never predict how much you saved, but my company got good value out of it.

What other advice do I have?

I'm not using the latest version of ArcSight Enterprise Security Manager (ESM).

ArcSight Enterprise Security Manager (ESM) is not being used by the entire organization, but at least a thousand users use it, though I'm not 100% sure. The solution is used daily, and it's integrated and customized and has become part of the internal monitoring and compliance check of my company.

My advice to others who want to implement ArcSight Enterprise Security Manager (ESM) is that it's a great product, especially because it increased its feature sets and it has good integration with third-party solutions, for example, with other OEMs, with CrowdStrike, etc. The value proposition of the solution is also getting better and better, and usage-wise, ArcSight Enterprise Security Manager (ESM) is also good.

I would rate ArcSight Enterprise Security Manager (ESM) nine out of ten because even if it's an old product, it's been working well for quite some time. It has a huge customer base. I've not seen any issues, so I'm rating it a nine, but not a ten because there's always room for improvement.

My company is a reseller of ArcSight Enterprise Security Manager (ESM).

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Sr. Group Manager at WNS Global Services
Real User
It provides us the flexibility to write our own passwords and customize the solution.
Pros and Cons
  • "ArcSight ESM provides us the flexibility to write our own passwords and customize the solution. It lets us search and log a variety of SmartConnectors. It has 480-plus SmartConnectors."
  • "Sometimes, it takes ages to get an issue resolved. I have ArcSight experience, so I normally try to fix things on my own or find a workaround, but it's tough to get support when I need it."

What is most valuable?

ArcSight ESM provides us the flexibility to write our own passwords and customize the solution. It lets us search and log a variety of SmartConnectors. It has 480-plus SmartConnectors. 

What needs improvement?

ArcSight's features are already ahead of many competitors, but maybe they could offer some more training about how to find tools, how to get them working, and how to optimize them. I'd also like to see a greater focus on cloud content and the ability to write rules from the browser.

For how long have I used the solution?

We've been using ArcSight ESM for around 10 years.

What do I think about the scalability of the solution?

ArcSight is scalable. I started out with three data centers, and now I have it deployed at more than 48 locations.

How are customer service and support?

I rate ArcSight support seven out of 10. Sometimes, it takes ages to get an issue resolved. I have ArcSight experience, so I normally try to fix things on my own or find a workaround, but it's tough to get support when I need it.

It goes on for days. If you call in the morning and explain it to the engineer, but the issue isn't fixed, you have to explain it to another person when the shift changes. It's usually okay, but it can be challenging if you're dealing with an urgent issue and you don't have the proper documentation.  

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I have used McAfee Nitro, IBM QRadar, and DNIF HyperCloud. Other solutions aren't as simple to set up or as stable. ArcSight is better in terms of coverage. The technology is more than 20 years old.

How was the initial setup?

The setup is quite simple, and the documentation is thorough. 

Which other solutions did I evaluate?

We looked at three other solutions. I was working for a government organization, and there was an Indian company developing its own team. ArcSight was head and shoulders above the rest in features like aggregation filtering, bandwidth, parsing, etc. It was there.

Hopefully, we're still way ahead, but the IT data architecture is getting a bit complex with the introduction of Kubernetes and everything. It will be complicated in terms of resources, deployment, etc., but I think ArcSight can still be what it used to be if we sort this out.

What other advice do I have?

I rate ArcSight ESM seven out of 10. I would recommend ArcSight depending on an organization's needs. I don't have much experience in terms of pricing, but ArcSight can provide a lot of functionality if a company requires it.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Sr. Group Manager at a tech vendor with 10,001+ employees
Real User
It's highly customizable, but the API integration could be better
Pros and Cons
  • "ArcSight is customizable. You can integrate just about anything. I also like the ease of use."
  • "The API integration could be better, and I'd like to see more machine-learning capabilities in the future."

What is our primary use case?

We use ESM for compliance, log retention, and general security operations. We don't use all the features. We have been late in terms of taking advantage of the cloud option. 

What is most valuable?

ArcSight is customizable. You can integrate just about anything. I also like the ease of use.

What needs improvement?

The API integration could be better, and I'd like to see more machine-learning capabilities in the future. 

For how long have I used the solution?

I have used ArcSight ESM for nearly 12 years.

What do I think about the stability of the solution?

ArcSight is more stable than other solutions I've used if you take care of the maintenance. I've seldom had significant issues. 

What do I think about the scalability of the solution?

Scaling up ArcSight isn't a challenge.

How are customer service and support?

I've had mixed experiences. Sometimes, it was fine, and it was not so good at other times. It isn't as good as it used to be. 

How was the initial setup?

The setup is simple to me because I've been doing it for a while, but I'm not sure a beginner would find it easy. It could be simpler. I haven't had the opportunity to deploy it on the cloud, but you should be able to do it without problems. 

What's my experience with pricing, setup cost, and licensing?

I rate ArcSight ESM six out of 10 for affordability. In my last company, I evaluated Sentinel. The annual license for ArcSight is equal to about two months of Sentinel. 

What other advice do I have?

I rate ArcSight ESM seven out of 10. I've worked with it my whole life and watched it evolve. ArcSight doesn't do much that other solutions can't. ArcSight has been around for 20-plus years. A lot of companies have moved on to other solutions. At the end of the day, you get out of a SIEM product what you put into it. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
BenNnatuanya - PeerSpot reviewer
Manager, Security Operations Centre at Deloitte
Real User
Eliminates many false positives, but has fallen behind in AI and ML capabilities
Pros and Cons
  • "I value the event correlation of this product."
  • "They also could improve the product by integrating user and identity behavior analytics."

What is our primary use case?

I supervise a team at our company that uses this solution. Our organization uses the solution with our customers. We run a SOC for our clients that are on ArcSight. We provide monitoring, SIM administration, and incident management to our customers.

We have many use cases including multiple route logins, multiple administrator login failures, multiple failures, and successful logins.

What is most valuable?

I value the event correlation of this product; it handles it well. We are able to eliminate many of the false positives, which eliminates a lot of the noise within the environment.

What needs improvement?

ArcSight could improve by using AI and ML. More people are leaning towards this type of solution. They also could improve the product by integrating user and identity behavior analytics.

The traits' environment is changing every day. The traditional approach of discovering traits within the environment is gradually changing. We need new approaches to intelligently discover traits within the environment. ArcSight needs to improve its product to move in this direction.

For how long have I used the solution?

I have been using ArcSight Enterprise Security Manager for one year.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

We have integrated a couple of technologies into ArcSight, both on-premise and on-cloud. We were able to integrate the DNS and the firewalls. We were not able to integrate the EDR.

How was the initial setup?

When comparing the initial setup of ArcSight ESM with Curator, the setup is easier with Curator. 

Which other solutions did I evaluate?

We evaluated Curator. Curator is easier to set up than ArcSight, and it has a UI that is simple to use.

What other advice do I have?

I would recommend ArcSight Enterprise Security Manager to a small degree. However, there are quite a few products on the market now that are easier to use. Other products are providing more insight and providing user entity behavior analytics. 

Overall, I would rate ArcSight ESM a six out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Chief Information Officer at Bassein Catholic Co-Op Bank
Real User
A fast, stable, and scalable solution with good reporting and log analysis functionalities
Pros and Cons
  • "The reports that we are getting from ArcSight are very valuable. The reporting in ArcSight is good. Our regulators ask us for the reports on a regular basis, and we have been able to provide the required data. Its overall functionality in terms of log analysis and the speed at which it does that is also valuable. It is very quick. Whatever alerts we had configured were extremely fast. We immediately get alerts when there is unauthorized access or unknown access, or even positive access. This is where we found the difference between ArcSight and other solutions."
  • "When I asked our networking juniors for a comparison between LogRhythm and ArcSight, they said that both platforms are almost the same. It is just that LogRhythm is more modern with a digital platform, which probably gives it some advantage over ArcSight. ArcSight is a very old and mature product that is running on an old platform. It is an old legacy platform. In terms of new features, it just requires platform upgrades so that it becomes lighter and easily adaptable, specifically in the cloud. It would be a good thing if they can also make reporting easier."

What is our primary use case?

We have outsourced our SOX management to an IT company because I cannot maintain and manage that in the bank. We had selected them because they were using ArcSight. They are a very professional security company. They came up with this suggestion of switching from ArcSight to LogRhythm. We are currently using ArcSight, but we would be switching to LogRhythm.

They are using the latest version of ArcSight ESM. It is all on-prem. Our production setup cannot be on a public cloud. In India, cloud deployment is not allowed for financial services. It has to be either a co-location or in-house.

What is most valuable?

The reports that we are getting from ArcSight are very valuable. The reporting in ArcSight is good. Our regulators ask us for the reports on a regular basis, and we have been able to provide the required data.

Its overall functionality in terms of log analysis and the speed at which it does that is also valuable. It is very quick. Whatever alerts we had configured were extremely fast. We immediately get alerts when there is unauthorized access or unknown access, or even positive access. This is where we found the difference between ArcSight and other solutions.

What needs improvement?

When I asked our networking juniors for a comparison between LogRhythm and ArcSight, they said that both platforms are almost the same. It is just that LogRhythm is more modern with a digital platform, which probably gives it some advantage over ArcSight. ArcSight is a very old and mature product that is running on an old platform. It is an old legacy platform. 

In terms of new features, it just requires platform upgrades so that it becomes lighter and easily adaptable, specifically in the cloud. It would be a good thing if they can also make reporting easier. 

For how long have I used the solution?

We have been using this solution for one year.

What do I think about the stability of the solution?

It is pretty stable.

What do I think about the scalability of the solution?

It is pretty scalable.

How are customer service and technical support?

I have not been in touch with ArcSight for technical support. I only talked to my vendor, who monitored my network. My vendor got in touch with ArcSight support.

How was the initial setup?

The setup ran into a couple of months because the configuration of the endpoint devices to collect the logs was really tedious. It took some time to bring the environment into a condition to get it monitored by ArcSight.

What other advice do I have?

It is a very good product. I would rate ArcSight ESM an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Manager of System Security with 501-1,000 employees
Vendor
4 stars, not 5 due to the sheer magnitude of work and understanding to have a highly functioning implementation.

What is most valuable?

Custom data parsers and custom event / asset categorization.

How has it helped my organization?

Allowing for non-conventional data feeds from HR into our overall security monitoring practice has allowed us to catch gaps in our exit checklist for employees, among other things.

What needs improvement?

The network modeling and asset categorization needs to be simplified to facilitate wider adaptation amongst customers.

For how long have I used the solution?

I have been working with ArcSight for over 8 years.

What was my experience with deployment of the solution?

I have never deployed an ArcSight installation without encountering several issues; I have over 40 deployments to my credit.

What do I think about the stability of the solution?

Absolutely, the new CORR engine is a vast improvement but was pushed out to customers too quickly. Several key components of our analysis workflow broke due to the new event processing scheme.

What do I think about the scalability of the solution?

Not so much on the ESM level, but it gets expensive to scale at the logger level.

How are customer service and technical support?

Customer Service: Support can use vast improvements, but your technical account managers are great. No complaints there.

Technical Support: Lacking.

Which solution did I use previously and why did I switch?

I am a Sr. Principal Architect and design and go with the best solution for the customer, currently deploying a solution around Logstash, Elasticsearch and Kibana.

How was the initial setup?

Lots of moving parts.

What was our ROI?

Hard to determine, ArcSight is a product that costs millions to implement and takes several months to years before the ROI is clear.

What's my experience with pricing, setup cost, and licensing?

For this particular project $2.4 million USD.

What other advice do I have?

Understanding of your environment and data sources is key before correlation can occur. You make sure your environment is at a point that augmentation of the existing analysis workflow is required and not using a SIEM to establish one.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user215616 - PeerSpot reviewer
IT Architect | ITSM; IT GRC Leader at a tech company with 51-200 employees
Real User

Thanks!! Review is useful and truly looks like given by someone who has actually worked with the product.

Riccardo Rosso - PeerSpot reviewer
Consultant at Libero
Consultant
Powerful and comprehensive program but complex and cumbersome for non-experts
Pros and Cons
  • "ArcSight ESM allows us to find if someone is doing an administrative operation at inappropriate times of day or trying to do something they're not allowed to."
  • "ArcSight ESM's UI is a little cumbersome and complex, especially for first-time and occasional users using the console manager."

What is our primary use case?

I primarily use ArcSight ESM for security and network monitoring. We are dealing with Active Directory, so we use ArcSight ESM to track the actions administrators take on accounts, like disabling and enabling accounts or accounts going expired and why.

How has it helped my organization?

ArcSight ESM allows us to track the logging of our customers or providers through VPN to a security middleware that tracks and allows them to access backend resources. In this way, we can find if someone is doing an administrative operation at inappropriate times of day or trying to do something they're not allowed to.

What needs improvement?

ArcSight ESM's UI is a little cumbersome and complex, especially for first-time and occasional users using the console manager. It's also a very complex product, and new users will require assistance from someone expert to avoid making errors. 

For how long have I used the solution?

I've been using ArcSight ESM for three years.

What do I think about the stability of the solution?

ArcSight ESM is stable, except when you're doing very complex correlations, but that's a problem common to all products in this area.

What do I think about the scalability of the solution?

We have not had any problems with ArcSight ESM's scalability.

How are customer service and support?

ArcSight's technical support is very good.

How was the initial setup?

The initial setup was not so easy as it's a very technical product, and anybody who doesn't have a lot of technical knowledge will probably find it difficult to set up. It's important to have a clear understanding of your goals when setting up all the infrastructure, as ESM is so complex. The deployment took around an hour or two.

What about the implementation team?

We used a provider team.

What other advice do I have?

ArcSight ESM is a very powerful platform, but you have to be careful in designing rules and defining an initial set of targets because otherwise, you could end up with high costs or a hugely demanding setup. I would rate ArcSight ESM seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.