OpenText Enterprise Security Manager Reviews

- We use this product for managed SIEM services and its stability and maturity helps with standard deployments (hardly any surprises)

- A bit on the slow side for reports requiring query of old data

- High availability achievable through complicated configurations (i.e. load balancers)

- The user interface is a bit dated

• Security, understanding detection, intrusion, and how to do prevention and take action on an event that occurs from a security layer.
• Having a single solution that can actually manage the entire infrastructure, soup to nuts.
• Ability to detect and then take action on it.

Reducing my OPEX cost by reducing the overhead and training costs of employees and staff. Before we would have to have a large number of staff to be able to go in and do consulting opportunities, to mitigate and remediate security intrusions on given clients. Now using ArcSight, albeit there maybe a capital upfront cost to buy the software product, it enables us to speed our time to resolution.

ArcSight needs to go the same route that HPE's doing with the virtualization engine of the HP 380. Basically making it more of a single pane of glass to be able to deploy and take a tangible action on a security event. Today it takes still a lot of consulting dollars to go into trying to deploy ArcSight. You have to have a very powerful technologist or technologist team to deploy ArcSight at scale and be able to actually understand the events coming inbound and make the right tangible decisions from those points of ingress or points of notification. That today, albeit, not horribly hard, as long as you have a trained professional that knows the product. It would be nice to be able to basically make that a one pane of glass, much like HPE's done with the virtualization concept. It would make that pain point a little less. It's not going to make it perfect, but it would be nice to see improvement in that area.

My opinion from a stability's standpoint ... we don't have any issues. The product runs 24/7/365. Whenever HPE introduces a patch or an enhancement for security concerns, we've never had a problem being able to ingest that on the fly with little-to-no downtime outside of what's been expected from the release of the patch.

I've not had any problems with scaling into tens of thousands of nodes. I guess the biggest problem you're going to have with that would be actually the compute power to make the tangible decisions that's needed on large-scale environments where you have hundreds of firewalls coming in from different points of ingress. That would be a concern, but again that's not because of the ArcSight, it's just basically that's compute power.

It has improved substantially over the last two years. I'm going to rate them at 3/5 because when you call in the time to remediation is long right now. I'm not going to fault any one person on that. It's a complex security tool, so calling in and trying to get that omission, crystal ball appearance is difficult. I get that. Is there room for improvement? Of course there is.

Well we have different tools out there, but the most common ones everybody's going to know about is Splunk. Feature, function and price was why we switched When we're able to actually deliver the similar features and functions, add in additional intellectual property from HPE with respect to decision trees of ArcSight and being able to take tangible actions on the stuff that's coming inbound, that's great. Other tools can do that. Now you're just talking about price in the industry. We're able to deliver the same features and functionality at a lower cost to the client, typically we'll win with ArcSight.

Straightforward for the most part but there are limitations. For example in the virtualization engine of the J80, the Instant On, which is a OneView Instant On product line. It does work great, as long as you have your infrastructure. Our clients give us all the necessary requirements, such as the AD and IP address, the DNS, the subnets and stuff. As long as all that works seamlessly, then we can usually bind that HP 380, the Instant On into the infrastructure seamlessly. Does it always work smooth? No. But that's not necessarily HPE's fault, it's because the infrastructure doesn't always lend itself to easy integration.

I'm going to rate it at a 9. There's always room for improvement, of course, and maybe I'll be fair and give it an 8.5. The only reason I would do that is because, again, coming up with that single pane of glass, easier management style, and more about deployment. You don't have to have that powerhouse technologist that knows every trick of the trade to go in and deploy it and get all the bells and whistles. Is that a perfect model that will ever be achieved? Of course not. Can there be improvement? Sure there can. What I'm shooting for is have an ArcSight solution that can get me 90 percent there, and then the customization of ArcSight will be reduced substantially, so that the customers' adoption of a new security style tool will be easier to swallow, and it will lend itself to a larger footprint over time as the customer builds comfort with the product.

With respect to the software on ArcSight, concept's the same on that. When we actually ask for improvements on the product, they've made those enhancements and made those fixes. Now with respect to me asking for a single pane of glass? I know they're working on it, I'm sure they are. It's a pain point that not only we have, but a lot of our customers have. If we're having the same conversation next year, I'll be disappointed. I'm hoping that the single pane of glass comes out soon.

Intrusion Detection System (IDS)

Security Information and Event Management (SIEM)

To organizations like mine, security information and event management products being introduced in the industry, as an outcome of several vulnerability, are able to provide real-time monitoring reporting and defense against these attacks. It has helped us to gather, store, correlate and analyze security log data from many different information systems.

For this review, ArcSight sent me the Logger 4 7000-series appliance (2U) with six 1TB RADIUS drives, the maximum amount of internal storage available. I will like to see a threat analytics module. Also, the ability to produce reports.

• Real-time rules for threat detection
• Event correlations that are automated and prioritized according to level of security risk and compliance violation

It allows us to be in better compliance with security protocols. It also gives us a better global vision of what is happening in the organization in terms of security threats and how best to analyze and mitigate them.

I would like to have native cluster for connectors as a software version and not as an appliance. It also needs a better disaster recovery procedure.

We've been using ArcSight since 2007.

We've deployed it without any issues.

We haven't had any issues with instability.

It's scaled fine for our needs.

We chose ArcSight when they had no real competitor and we stayed with them.

I'm pleased with the current capabilities.

The best feature of ArcSight is its flexibility. Almost no other vendor provides such a good framework to collect, parse, and analyze data. Its flexibility is achieved by being easy to use, and at the same time having very sophisticated FlexConnectors. Also, I've found ArcSight's correlation engine to be the most advanced on the market.

My customers who use ArcSight report that it becomes very useful in incident detection and forensics. It's really sped up disclosure of inappropriate activity in information systems and on the network. Flexible event collection allows getting crucial events from almost every possible source. And correlation abilities are incredible if you know how to cook it.

Many competitors are going down the road of combining their products with other security products, such as vulnerability scanning, configuration control etc. HP's position doesn't change in that area as they offer to use their standalone solutions and integrate them in ArcSight. There are no embedded scanners or network forensics. Maybe it's time for HP to rethink that position.

I've been working with HP ArcSight since 2008. All that time, the product has been growing and evolving, trying to give us more profit and a better experience to old and new customers.

We have had no issues with the deployment.

If you encounter serious performance problems, you didn't size correctly prior to deployment.

The scalability options are pretty good although costly.

Every product has its stability bugs, and ArcSight is not an exception, though I haven't found anything critical.

I must say that tech support is getting worse and worse every year. Hard cases may "hang" for months. In simple cases, support often demonstrates a lack of deep knowledge. When ArcSight was not HP, its product support was much much better. Even first-line support could help with anything.

As a systems integrator, we constantly evaluate different solutions and deploy not one but many of them. My personal opinion is that a crucial feature for a SIEM system is flexibility. The more you can tune, adjust, and develop the system, you will get more profit from it. If we're talking about SIEM solutions, then no one can offer such flexibility as ArcSight. Splunk maybe, but Splunk is not SIEM, and to get SIEM-like features from it you spend more time and money.

As a system integrator, I always say that implementation must be done by an experienced team. SIEM solutions are not easy, so if time is important, do not rely on doing it haphazardly.

We would like it to be cheaper, but the licensing model is pretty simple.

You need to read the documentation - you can then get it fast and working. If you do not read the documentation, you get pain and tears. Look for an experienced team to deploy the solution, or get experience yourself as HP has some good learning courses.

Deep knowledge of the product will come later, but for the correct implementation you need to be prepared. ArcSight has wonderful community, and you can always ask a question or find an interesting use case there. It's a very useful resource indeed, do not hesitate to visit it.

• It has flexible and rich correlation capabilities. This is the most mature product in this area.
• It has the capability to manipulate every parameter - sub-strings, indexes, and custom functions.
• Active Lists - This is the most powerful feature which supports correlation. It also has multi-column active lists, parameters manipulation, and correlation capabilities that provide great flexibility.
• Full control of correlation flow - There are no black-box closed rules, unlike with McAfee Nitro, and no default aggregation which is hard to analyze, unlike Offenses in QRadar.

This is the best product to build and supports SOC operations and SOC use cases.

The layout of the analyst's console need improvement. It has had no significant changes in at least nine years. Also, the advanced statistics in visualizations simply don't work, and I've performed an analysis of these functions.

We've been using it for nine years.

We have had no issues with the deployment.

We have had no issues with the stability.

We have had no issues scaling it for our needs.

I have not had to use tech support for at least two years now. From what I recall, they were good.

The initial setup was simple and the implementation was straightforward as the supporting documentation is pretty good. Help for setup, which is available from the analyst console, is really great and complex with diagrams and screens.

ArcSight makes it easy to achieve ROI because of its great flexibility.

This is the best SIEM solution on the market comparing to its competitors. I'm also familiar with IBM QRadar, RSA Security Analytics, McAfee Nitro, and Splunk.

The dashboard is the most valuable feature for us as it can show a lot of information about real-time incidents.

When I am facing a problem such as transaction fraud, we can investigate using ArcSight by tracing the log through its correlation.

They need to fix some bugs and increase the search performance speed. Sometimes there are issues when I perform log correlations.

We have had no issues with the deployment.

There have been no stability issues.

We have had no issues scaling it for our needs.

5/10

5/10

The initial setup was quite easy and straightforward.

I work for a reseller, and we set up ArcSight for our customers, and I am learning a lot about its architecture.

For SIEM, I think HP ArcSight is a leading competitor alongside Splunk.

You need to learn about architecture and practice more before implementation since this product is not easy to learn and takes time to master.

• Logger
• Command Center

The ArcSight ESM allows for easy log analysis as well as correlation and alerting. Logger is an indexed database which allows for faster, historical searching. The versatility to use SQL queries is helpful.

There are some limitations on the functionality of Rules that I would like to see expanded. I would like to see some better support options in the ArcSight community for HP Protect. Unless someone in your organization is an ArcSight SME, you are going to have a difficult time getting answers.

I've used it for two years.

There were no issues with the deployment.

We've not had any issues with the stability.

We've had no issues scaling it for our needs.

I would give it 3/10. A lot of the support is community based. That strategy can work, but the answers are sometimes incomplete, incorrect, and can take a long time to get.

I have used QRadar and Splunk. Both have great functionality that make them easy to use, but ArcSight has a very consistent layout and their logic is easy to figure out.

I was not involved in the setup.

I'm not involved in pricing or licensing.

It's a well rounded product especially with the addition of Logger and Command Center. I felt it was easy to understand and use right from the start. There are some companies that do not take advantage of everything ArcSight can offer. A problem I think ArcSight can fix with better support alternatives.