ArcSight Enterprise Security Manager (ESM) Reviews

We use this solution in our customers company and we deploy the solution on cloud and on-premises.

The out-of-the-box rules that help us configure functioning rules within the environment are valuable. For example, they have good resources to help detect and populate the dashboard if something malicious happens. Additionally, we value a good visual representation of a company and network infrastructure.

The solution can be improved regarding integration with other security products, ease of implementing some features, and feeling like we're not utilizing the solution as best as we could. In the next release, the solution should incorporate some threat intel features and integrate well with other network solutions, EDRs, palm solutions and the sorts. Additionally, the reporting can be improved to bring out very insightful reports showing senior management value for the solution.

We have been using the solution for approximately six months.

The solution is stable. I rate it an eight out of ten.

The solution is scalable and has approximately 500 users utilizing it for enterprise businesses.

Customer service and support are one of the biggest challenges we are having. Although it is provided, and once you log tickets, they follow up quickly, sometimes some of the challenges we face drag on for a while because of ironing out specific details about technical support and payments.

The initial setup was a bit complex. Getting things running and configured took a while. Furthermore, some integrations were unavailable, and some had to be custom scripted, so getting the solution up and running was a bit tedious.

We implement in-house, and it takes approximately two months to complete implementation.

The licensing costs are high and the solution is priced through events that come in so the cost tends to be heavy on the client. The price of the license could be lower.

I rate the solution a six out of ten. The solution is good, but its integration and reporting features can be improved. I advise users to have a mature security infrastructure and scale up their technical resources. However, for smaller organizations considering the solution, I advise them to think of other solutions before using ArcSight Enterprise Security Manager.

We use ArcSight primarily to provide logs for the incident response team and cyber security analysts to evaluate everything happening in the network. 

The most important feature is ArcSight's event correlation capabilities. It's powerful and easy. I also like the flex connector capability. It's easy to develop a new connector that isn't fully supported out of the box. For example, say you created a solution internally that's completely different, and it's not unsupported by the solution. You can write your own connector using the flex connector.

When we need to consume old events, we have to wait for a long time. ArcSight should improve the database capability to reply to queries faster. It would also be interesting if they implemented network visibility. For example, they could add a feature like NetWitness with a model just for looking through the packets.

I rate ArcSight Enterprise Security Manager nine out of 10. 

On-premises

We are resellers. We deal with many vendors to provide and implement solutions for our clients. We primarily use this product for logging data.

The most useful features are directories, price, and live reporting.

The customer experience could be improved.

I think they can improve the AI and monitoring. Also, they need an updated database.

I have been dealing with this solution for approximately three years.

We are working with the last updated version.

The stability can be improved. The competitors are more stable.

It's a scalable product and the scalability is good.

Our clients are usually enterprise companies.

The technical support is good. They have been able to resolve our issues.

We are using SIEM. It has a better dashboard and is more complete.

The initial setup can be simple and also complex. It depends on the client's infrastructure.

We implement the solution and maintain it for the clients.

It's a good price, it's one of the cheaper solutions.

There are no additional costs.

Depending on the size of the companies, I would recommend this solution. It's more suited for small to medium-sized companies.

I would rate this solution an eight out of ten.

On-premises

There are many features that are good for clients who are looking for a good SIEM solution. They like the ease of creating a business that is effective and impressive. 

The security is difficult. 

I would like to have a feature that gives us an entire report listing what devices are integrated.

I have been using ArcSight for the last five years. 

In the beginning, we got good support but it hasn't been what it used to be. On weekends we get the list of devices that are integrated but if we need to generate the lists of rights, it doesn't send the logs.

The initial setup was simple. The initial setup took five to six days.

I would rate it a seven out of ten. In the next release, I would like for them to include a list of integrated devices. 

Correlation capabilities: This product provides an advanced level of correlations, which is highly valued.

HPE ArcSight has helped us gain visibility of the solutions across the organization. We have been constantly identifying anomalous activities both internally as well as externally. These include malware proliferation, data loss, proxy bypass attempts, phishing and spear-phishing, port scans, etc

It can be more user-friendly. The product is too restrictive to suit the flexibility needs of the infrastructure. It is sometimes hard to implement the solution as recommended by HPE.

I have used this solution for around four and a half years. Currently, we are using HPE ArcSight Express 5, ESM 6.8, Connector Appliances and SmartConnectors 7.4.

In version 5, I used to experience some issues as it was using Oracle DB. Although, I do not have any problems in version 6+.

This product is not easily scalable. We particularly required skilled personnel to do this activity and it also took a significant amount of time.

The technical support is poor.

We were not using any other solution before. We started using HPE ArcSight straightaway.

Setting up of the ArcSight solution is always complex compared to other solutions out there. There are a lot of parameters and dependencies involved. Adding infrastructure complexity will add more complications. Distributed deployment is also difficult to implement.

It is very expensive for larger deployments.

We are now working with open-source systems and Splunk solutions. We are decommissioning HPE ArcSight as it is getting impractical to manage and maintain the solution.

There are better products in the market for medium to large-scale deployments. It is recommend to use this product for small-scale deployments, i.e., 200-800 EPS.

Intrusion Detection System (IDS)

Security Information and Event Management (SIEM)

To organizations like mine, security information and event management products being introduced in the industry, as an outcome of several vulnerability, are able to provide real-time monitoring reporting and defense against these attacks. It has helped us to gather, store, correlate and analyze security log data from many different information systems.

For this review, ArcSight sent me the Logger 4 7000-series appliance (2U) with six 1TB RADIUS drives, the maximum amount of internal storage available. I will like to see a threat analytics module. Also, the ability to produce reports.

For us, there are several valuable features.

• The ability to correctly parse the most number of products comparing to its competitors;
• The ability to create very complex scenarios to detect security risks and anomalies;
• Very stable system components (connectors, logger and correlation engine) combined with satisfactory vendor support; and
• The ability to create parsers for all kinds of applications and systems is an important differentiator.

It greatly changed our work habits in the organization allowing us to not only trace back security threats, but also to generate usage trends, discover anomalies and so many other usages. It quickly became an indispensable tool.

They can definitely provide faster search response and offer larger on-the-box storage support. The predefined correlation ruleset can be improved to cover more security alerts and more products.

There is also still room for improvement for processing speed. An easily accessible documentation such as reference architectures does not exist, more guidance can be provided to customer for such a complex product.

We've had no issues with deployment.

We've had no issues with stability.

We've had no issues with scalability.

Not really a feature, per se, but the ability to do multi-tenant SIEM.

We help our customers do more than 'check a box' for security and compliance and we are very proud of that. We tend to be more like partners to a lot of our customers, and they rely on us to deliver high-fidelity, relevant security alerts. 

There are SO MANY things you can do in AS, and there is a lack of really in-depth documentation on a lot of it. I am not sure why this is, but it is a little hard to be self-sufficient when this is the case. I am sure this is why real ArcSight experts are in demand! Being too feature-rich can be as bad as being oversimplified!

I have been working as an analyst using AS for 9 months now. This work involves monitoring the multi-tenant implementation of AS, sending reports to customers, doing investigations on alerts that come in, and implementing new Connectors and content. Connectors are how AS gets events from the devices.

Again, system complexity can be an issue, but not really.

None. ArcSight is very stable. Period.

Again, none. It is a system that is more than capable of multi-tenant implementations.

They try really, really hard.

No, the folks I work for were at ArcSight before HP acquired it and have always been users and proponents of it. It's a powerful product for sure.

Setup is fairly complex, and with so many features, it is difficult to just 'set it and forget it' with ArcSight. It requires a lot of care and feeding, as well as a pretty good amount of ongoing maintenance and configuration to really get good quality alerts out of it.

In-house experts.

I've been looking at Open Source SIEM recently, and paying a lot of attention to the others in the commercial market, like IBM and MacAfee, but I don't have any practical experience. I have heard mixed reviews about all of them (including AS from some folks I know).

Implementation advice: this is a big job, and unless you are able to hire and train a dedicated SIEM engineer, I would look at getting staff augmentation from HP or other consulting types. Be prepared to Read The Friendly Manual (RTFM), and do a lot of searches online. Take the entry-level certs that HP offers, and get classes if there is budget.