What is most valuable?
Custom data parsers and custom event / asset categorization.
How has it helped my organization?
Allowing non-conventional data feeds from HR into our overall security monitoring practice has allowed us to catch gaps in our exit checklist for employees, among other things.
What needs improvement?
The network modeling and asset categorization needs to be simplified to facilitate wider adaptation amongst customers.
For how long have I used the solution?
I have been working with ArcSight for over 8 years.
What was my experience with deployment of the solution?
I have never deployed an ArcSight installation without encountering several issues; I have over 40 deployments to my credit.
What do I think about the stability of the solution?
Absolutely, the new CORR engine is a vast improvement but was pushed out to customers too quickly. Several key components of our analysis workflow broke due to the new event processing scheme.
What do I think about the scalability of the solution?
Not so much on the ESM level, but it gets expensive to scale at the logger level.
How are customer service and technical support?
Customer Service: Support could use vast improvements, but your technical account managers are great. No complaints there.
Technical Support: Lacking.
Which solution did I use previously and why did I switch?
I am a Sr. Principal Architect and design and go with the best solution for the customer; I am currently deploying a solution around Logstash, Elasticsearch and Kibana.
How was the initial setup?
Lots of moving parts.
What was our ROI?
Hard to determine; ArcSight is a product that costs millions to implement and takes several months to years before the ROI is clear.
What's my experience with pricing, setup cost, and licensing?
For this particular project $2.4 million USD.
What other advice do I have?
Understanding your environment and data sources is key before correlation can occur. Make sure your environment is at a point where augmentation of the existing analysis workflow is required, rather than using a SIEM to establish one.
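As an added illustration of the HR-feed correlation the reviewer describes above (this is example code written for this page, not ArcSight content and not the reviewer's own parser or rule), the following Python ingests a constructed HR separation export and constructed authentication events, then flags accounts that still authenticate successfully after their termination date. The CSV layout, the key=value log format, the field names and the one-day grace window are all assumptions made for the example.

```python
"""Correlate an HR separation feed with authentication events to find
ex-employees whose accounts still log in after termination.

Added example: not code from the review or from ArcSight. The HR export
layout, the auth log layout and the grace window are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed HR export (assumed layout: employee_id, username, termination_date;
# an empty termination_date means the person is still employed).
HR_FEED = """employee_id,username,termination_date
1001,jdoe,2023-03-01
1002,asmith,2023-03-15
1003,bwong,
"""

# Constructed authentication events (assumed "timestamp key=value ..." layout).
AUTH_LOG = """2023-02-28T09:12:03Z host=vpn1 user=jdoe action=login result=success
2023-03-01T17:45:10Z host=vpn1 user=jdoe action=login result=success
2023-03-04T08:01:55Z host=mail1 user=jdoe action=login result=success
2023-03-20T10:30:00Z host=vpn1 user=asmith action=login result=failure
2023-03-21T10:31:00Z host=vpn1 user=asmith action=login result=success
2023-03-22T12:00:00Z host=git1 user=bwong action=login result=success
"""


def parse_hr_feed(text):
    """Return {username: termination datetime (UTC, start of day)} for leavers only."""
    terminated = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["termination_date"]:
            day = datetime.strptime(row["termination_date"], "%Y-%m-%d")
            terminated[row["username"]] = day.replace(tzinfo=timezone.utc)
    return terminated


def parse_auth_line(line):
    """Split one auth event into a dict; the timestamp becomes a tz-aware datetime."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["timestamp"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return fields


def find_post_termination_logins(hr_text, auth_text, grace=timedelta(days=1)):
    """Return (user, host, iso timestamp, days since termination) for each
    successful login by a terminated user at or after termination + grace.

    The grace window lets the termination day itself pass, since separation
    often happens late in the day; anything beyond it means the account was
    not disabled on schedule, i.e. a gap in the exit checklist.
    """
    terminated = parse_hr_feed(hr_text)
    findings = []
    for line in auth_text.splitlines():
        if not line.strip():
            continue
        ev = parse_auth_line(line)
        user = ev.get("user")
        if user not in terminated or ev.get("result") != "success":
            continue
        term_at = terminated[user]
        if ev["timestamp"] >= term_at + grace:
            findings.append(
                (user, ev["host"], ev["timestamp"].isoformat(),
                 (ev["timestamp"] - term_at).days)
            )
    return findings


if __name__ == "__main__":
    for user, host, when, days in find_post_termination_logins(HR_FEED, AUTH_LOG):
        print(f"{user} logged in to {host} at {when}, {days} day(s) after termination")
```

Failed logins by leavers are deliberately not flagged here; in practice they are still worth a lower-severity alert, since they show the credential is still being tried. The grace window is the knob that separates "offboarded late in the day" from "never offboarded", and should match how the HR feed records separation.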