What is our primary use case?
ArcSight monitors any down time with patch management. Whenever any project is on-boarded such as in our security core or asset and wealth management technology, the hardware goes through ArcSight. That is basically our use case whether we're doing the patch management, or the upgrades on that tool, or managing the centralized desktop. ArcSight monitors the failures in the cloud. We have the tech classifications in the CMDB which is integrated with ArcSight and ArcSight pulls out everything on the CMDB and I'm able to see it all - the CMDB database and the CVS scores which are also integrated in ArcSight. I can know that for a particular monitoring track or detected incident, this is the particular CVS score. I'm a VP and enterprise architect, and we're customers of ArcSight.
What is most valuable?
The user interfaces are quite good and speedy, and I like the consoles too. The typology and the setup are also good. It's very similar to QRadar, so it's user friendly although I believe QRadar rates better.
What needs improvement?
The deployment typology could be improved. If you want to scale across all the different lines of businesses, it should be easy to do that and it's not. If I'm doing DMX monitoring, I shouldn't need a different SIEM. For the traditional application servers which are RTTR architecture-based, the legacy applications, which might be Java or steam-based applications, require DMX monitoring, currently provided by Nagios. Instead, the monitoring could be different types of monitoring which we could get from ArcSight. It would save the cost of doing the DMX monitoring from Nagios. QRadar has a dashboard which includes most of the monitoring, data and everything. The features in ArcSight could be more like that.
For how long have I used the solution?
I've been using this solution for 10 years.
What do I think about the scalability of the solution?
Scalability is okay although if we had better typology, we could scale more and performance could be better. It's similar to QRadar. We are onboarded for security core processing or data disk core processing. If I wanted to add another 20 line of businesses under that, it should be okay. There's a trade off between the security and performance so the more secure your typology is, will result in degraded performance. We currently have around 2,000 users but hope to increase that number.
How are customer service and technical support?
Technical support is available 24/7, They are on a rota basis for the different regions. If I'm looking for support here in India, it's available 2 1/2 hours ahead of Singapore, 3 1/2 hours ahead for the Japanese team. In the UK region, we have support available from 11:00am. And if I'm looking for post 7:00pm in India, then I have the support teams available from the States. They're quite good and they offer other professional services too, including for incident management.
How was the initial setup?
The initial setup doesn't take too much time.
What other advice do I have?
I'm neutral on whether I would recommend this solution. It depends on what typology you are using, and your use cases. If you have a different endpoint, or security tool already doing what this product does and it's already integrated with CMDB, and there's a tool at the endpoint giving the CVS Score, then you don't need an SIEM platform.
On the pricing side, QRadar is much costlier compared to ArcSight. There's a trade off. Anyone aiming for something specific will go for ArcSight monitoring rather than going for Qradar because deployment of the SIEM is not so easy for the larger deployment typologies in the financial services sector. It's not easy to scale up for different lines of businesses unless you have proper planning, methodologies, processes, and your SOPs are in place. If you follow the proper SOPs, things are easier.
I would rate this solution a six out of 10.
Which deployment model are you using for this solution?