ArcSight Enterprise Security Manager (ESM) Reviews

We are using ArcSight ESM in our company for security information and event management.

The most valuable feature of ArcSight ESM is its ease of use.

ArcSight ESM could improve by adding more features and documentation. There needs to be more documentation.

I am been using ArcSight Enterprise Security Manager (ESM) for approximately 10 years.

ArcSight ESM is stable.

The scalability of ArcSight ESM is good.

We have approximately 10 people using this solution. There are 1,000 devices using the solution. We are using the solution to its full capacity. 

The support is not very good.

I rate the support from ArcSight ESM a four out of five.

Positive

The initial setup of ArcSight ESM is easy. The deployment process took approximately one week.

I did the implementation of ArcSight ESM myself. We have two people for maintenance.

I rate ArcSight Enterprise Security Manager an eight out of ten

We use the product for everything. It serves as our company's management platform, handling our tech needs, block systems, alerts, custom rules, triggered events, analytics, investigations, incident closures, case creations, whitelists, and various other tasks.

We utilize ArcSight ESM for real-time threat detection in our organization. We have custom rules that we've developed on top of the WAN services, along with scheduled licensing activities.

It provides more granular data compared to solutions like Azure or Splunk. While ArcSight ESM may be considered less user-friendly, it offers a high level of customization, allowing for configuration and adaptation to specific use cases, especially regarding alerting and incident response.

Its integrations are working well. Though I haven't used the solution for an extended period, it seems highly customizable. This level of customization is not commonly found in many solutions. While solutions like Kubernetes offer a variety of apps through app extensions, it allows users to build their features to a considerable extent.

We have pricing issues. ArcSight ESM may not be the most user-friendly option, and its interface is quite traditional. However, despite these aspects, we find it a good cybersecurity solution. It needs to improve the dashboards, documentation, and support as well.

The documentation and community support for ArcSight ESM is not as strong as other solutions. Finding resources and analysts who have experience with ArcSight can be challenging. The solution is less user-friendly than alternatives like Splunk, QRadar, or Sentinel. The technical nature of ArcSight may make analysts hesitant to dive into it, contributing to a steeper learning curve.

I have been using the product for two months. 

During the pandemic, there were challenges related to stability, particularly with the discrepancy in events being pulled in. The issue was attributed to connectors, and there were problems with certificates that needed updating. As a result, events were regularly stopped by these connectors. I rate the tool's stability a seven out of ten. 

The solution is scalable. My company has 20 users. 

I haven't contacted the tool's technical support yet. 

I would recommend ArcSight ESM to others depending on the organization's size and specific requirements. For larger organizations, I might not recommend it, but for SMEs, it could be a suitable choice. If it meets your organization's specific use cases and requirements, and if you can ensure that you have resources trained to work with it, then it could be a suitable choice.

I rate the overall product a seven out of ten. 

The feature that I have found the most useful is that it can be deployed to the cloud.

The centralized dashboard for the hybrid cloud environment needs to be more focused. It needs to be redefined because it's missing most of the information.

ArcSight should also be a little bit easy to use. Currently, integration with various applications and connectors is not that easy. Deployment is easy, but integration is not that easy. 

ArcSight also has a very high bandwidth consumption to pull the local servers. It should have some kind of better process or ability to transfer files from on-premises to the cloud, from the cloud to on-premises, and from a cloud to another cloud.

I have been using ArcSight for six years. 

It is very stable.

It is not always scalable.

I didn't take any kind of support.

I have worked with IBM QRadar. IBM QRadar is very expensive, and it is not easy to deploy like ArcSight. It can't be deployed without an SME. ArcSight is better than IBM QRadar.

The initial setup was very straightforward. It hardly took four weeks. 

If you have data centers, an SME or in-house resource to train people, and no budget constraint, then go with IBM. If you have a limited budget, hybrid environment, and untrained manpower, then go for Darktrace, AlienVault, or some other solution.

I would rate ArcSight an eight out of ten. 

We primarily provide this solution to clients.

The simplicity of the solution is the most valuable aspect of the product.

The product is quite mature. It's been around for a long time.

The integration is easy for the most part.

Over the past two years, a lot of improvements have been happening.

The biggest requirement is that there is no cloud solution for this product yet. They need to create a cloud version. It's the biggest thing they can do to make the solution better.

The dashboard and user interface need some work. It's my understanding that they are developing better versions of those now.

I've been using the solution for eight years or so. I started working on Version Five and have continued to update it from there.

The stability of the solution is very good. It's pretty perfect, actually. We don't have crashes. It doesn't freeze. There aren't bugs or glitches. It's completely reliable.

The solution is easily scalable. If an organization needs to expand it, they most certainly can.

What we used to do traditionally, to scale, that each device throws up certain EPS and we size the solution accordingly. Once they have a cloud solution, it will be even easier to scale.

The solution works for any size of organization, from small companies to large enterprises.

The solution's technical support is excellent. I'm in India, however, their support is on a global scale.

HP as an organization had one toll-free number. You plug in your requirements. However, by the time it reached the team, it became difficult as everyone was routed centrally. However, once the site was taken over by Micro Focus, we are seeing some great improvements in the support.

The initial setup is not complex. It's very straightforward.

If you have a well-skilled technician, you probably only need a few people to handle the deployment and maintenance.

In terms of how long a deployment takes, a SIEM implementation depends on the number of devices, and which we are integrating with. The kind of dashboards and reports the customer is looking for also come into play in calculating the amount of time that will be needed. Therefore, the duration of the implementation would be purely dependent on the client's specific needs.

A standard deployment is typically four weeks. However, I've seen some deployments take as long as 12 weeks.

We deploy the solution for our clients. We also tend to handle the maintenance for our clients as well.

I have some experience with Splunk and Curator.

There are a few differences. Splunk, for example, is a native cloud product. That makes it excellent for scalability. Any on-premise challenges a company might face are answered by Splunk.

In both solutions, you are able to integrate and manage other devices as well, which isn't necessarily true on Arcsight.

We're an authorized partner. We provide this solution to our clients.

In terms of implementation, new users should make a list of the requirements they need in order to have a broad idea of what they want the solution to achieve. Once they understand their requirements, it will be easier to find a solution that will match them.

For Arcsight, users need to go in with the compliance packs. Arcsight has some additional modules called compliance packs, which can get you automatic reports. That needs to be configured pretty well. 

The biggest piece everyone needs to consider is the sizing part. It's an on-premise solution. If you are not buffering the sizing with at least about 25% additional computation and the storage space, then you're in for trouble down the line. Always go bigger than you need.

Overall, I'd rate the solution seven out of ten.

ArcSight, in the last one and a half years, have been delivering on time, in terms of a better dashboard, a better user interface, and now, with an add-on EDA. MailStore is also getting into it. We are seeing that they are catching up with what the market needs. We will have to wait and see what the new release brings. Version Eight is coming in now. They seem to be doing everything now and are committing for some great features in a future release.

Our primary use case is to prioritize internationally used references.

This process has helped to improve our organization because we have centralized the intra-group security equipment logs.

We've been working hard to implement Violation scenarios as a rule.

The features that we have found to be most valuable are:

1. Connectivity with the SOC system
2. Flexible connectivity with third-party solutions

There are several improvements that we would like to see, including:

1. Building a system based on a log collection (SOC)
   
2. A scenario for external encroachment
3. Operator training

Our primary use case if for analyzing cybersecurity. 

When WannaCry attacks I can minimize the damage. My company had no protection at the time. We get alerts in ArcSight and then whenever a user got a copy of WannaCry and the WannaCry malware wants to connect to the mother ship, it alerts me in the ArcSight dashboard, and that helps us a lot. We then just go to the user and erase the malware.

In other products, I have found that they use some kind of GUI that is drag and drop. While in ArcSight they still use scripting. They should keep scripting because some people prefer scripting but they should have the option for those who prefer using drag and drop.

They should do something similar to what Splunk is doing. They have Enterprise Security and ArcSight should include some use cases that concentrate on Enterprise Security.

It's quite stable. 

Our initial sizing is enough for our needs. 

The initial setup was straightforward. The correlation engine took us a lot of time. It took us three months to do the implementation. We required two staff for deployment. 

We used a partner for the implementation. 

The pricing is great compared to others.

At the time that we were looking into options, we did a PoC for Splunk. We found that ArcSight is more user-friendly than Splunk because Splunk uses more scripting in the configuration and initial setup.

I would rate it an eight out of ten. Not a ten because of the drag and drop feature I'd like for them to include and because I think they should include more enterprise security use cases. 

We use Micro Focus ArcSight SIEM version 6.3, 6.4, and 6.5 in multiple sites and customer ranges. The SIEM log monitoring tool is very efficient at providing us the details for any file system changes, logins, OSPF, and BGP as well as other router and server changes.

It is a vital tool for live monitoring and helps us to understand the traffic alerts of any major issue on the network, thereby reducing hacking attempts. Before our staff had to review raw logs directly to understand if there has been any attempt to the system, but with ArcSight, once the rules are defined, it becomes easy to detect changes and generate automated logs. 

Another benefit is this tool sends an automated mail to all the operators, which makes it easy to share the information and reporting.

Once the rules are defined, it is capable of detecting minute changes in the systems, which are effectively based on the entries in the log.

In certain cases, this product does have false positives, which the company should work on. They should also try to include business logic vulnerabilities in the SIEM tool. The analytics feature is not reliable and needs improvement for more detailed analysis.

The product that we used in our office under different environments is highly stable. We have used certain specific versions unless required specifically by the client.

This product is designed for easy scalability and can easily scale up without major challenges. However, we have a specific team which looks after the setup and maintenance of the tool.

We have experienced quick customer support. They have a complete list of our previous issues along with our history, which makes it faster for them to solve our issues. 

Since I have been in the organisation, we have used Micro Focus ArcSight for 80% of the clients. We have also used Splunk for certain clients based on their requirements.

We have a separate team for this functionality. I am not aware of the process. However, complete client cooperation is required in the setup or else there can be certain counterproductive alerts.

It is best to be an institutional buyer and directly contact the sales team, as they can provide over-the-top discounts for bulk orders.

We have used Micro Focus ArcSight from the beginning.

The web logger allows me to view and inquire about various events in real time. It is the most useful feature for me for the following reasons:

• Allows me to look at the traffic in real time
• Allows me to add filters that remove the traffic that is not interesting
• Allows me to narrow down my research to only important traffic.
• Helps me in my troubleshooting work. I need to know a bit of SQL query syntax, but that is straightforward.
• Allows me to create reports, evaluate my findings, and send information to my customers.

I was able to provide intelligence reports to my customers. The organization relies on this information in order to sell services.

I would like to see the following:

• An improvement in the connector/agent configuration.
  The connector configuration is CLI based. If the connectors are pre-defined and built by HPE, then the configuration/installation seems to be OK.

• Making the FlexConnector configuration less complex.
  You need development skills in order to do your job in creating/configuring agents and connectors. I tried to learn the syntax in order to customize the software (connectors and agents) for a particular device, and it was a nightmare. The cost for this work, via HPE consultancy, is huge.

I've been using this product for three and a half years. I am one of the supporters of the product.

Some of the connectors need to be developed in-house. There were also issues with forwarding events. We noticed that some logs were lost between connectors and the central reporting unit.

I would give technical support a rating of 4 or 5 out of 10.

We also use Splunk to compare features. ArcSight is the favorite solution for my organization.

The initial setup is straightforward, but the customization can become a nightmare very easily.

We had an in-house implementation. I would recommend a dedicated team for implementation, support, and operation.

This product requires a dedicate team to operate it from a to z. HPE support needs to be clearly defined and considered.