ArcSight Enterprise Security Manager (ESM) Review

The feature list allows us to input data dynamically to list it as a rule action.

How has it helped my organization?

Having a SIEM solution in general improves the way an organization functions, especially in the SOC part. With HPE ArcSight, we were able to deploy multiple dashboards, reports, and use case views that combine different views, data, and variables.

What is most valuable?

One of the most valuable features is the Active List/Session List capability.

Multiple use cases were only possible to be created due to this feature list. The feature list allows us to input data dynamically to list it as a rule action.

For example: If you need to take a Source IP from an IPS event and put it in an ActiveList suspicious IP, you can create another rule for AntiVirus events where it only matches IPs within that list.

What needs improvement?

The main area is the GUI interface. Although a lot of improvements were made on the GUI in the last version (6.9.1), there are still a lot of configurations that need to be done using the console.

The console is not a bad tool to use. I personally like to use it. However, compared to competitive solutions (Splunk, QRadar), it appears to be a weakness.

What do I think about the stability of the solution?

In general, it is a very stable product. We did multiple implementations, and we never had any major issues.

As with any other solution that handles a large number of logs/data, regular fine-tuning is required. This fine-tuning makes sure that the system is doing what is supposed to do, with the capacity load that it was designed/sized to do

What do I think about the scalability of the solution?

There were no scalability issues. A single Express/ESM Appliance is usually enough to support most of the enterprise’s needs. Only package upgrades need to be purchased. No hardware changes are necessary.

As for the loggers for long retention, you can add multiple loggers and cluster them as one virtual appliance. This provides for an easy scalability feature.

For the connectors part, you can implement as many connectors as you need so you can cover all your zones/branches. At a later time, a load-balanced connector for syslog can be introduced to make sure that logs for sensitive UDP packets are lost.

How are customer service and technical support?

We barely used the technical support assistance except for licensing. The times when we did use it, they were very good.

Which solution did I use previously and why did I switch?

We worked with RSA enVision/RSA SA as a partner:

  • RSA enVision was very basic and was very hard to fine-tune.
  • RSA SA (logs/packets) is more oriented towards packets/investigation and lacks multiple features when only using it for log management/SIEM.

How was the initial setup?

The initial setup was very easy. A fresh ESM/Express Installation with a connector can be up and running within a few hours.

With all of the best SIEM solutions, the biggest chunk of work comes later in creating customized rules, dashboards, use cases, and flex connectors for non-supported devices.

What's my experience with pricing, setup cost, and licensing?

In general, ArcSight solutions can cost a lot in big deployments. That comes as a result of having a big, scalable, stable, and feature-rich solution.

Which other solutions did I evaluate?

As a partner, we sell the product. We shifted from RSA to ArcSight based on our internal evaluations.

We tested McAfee Nitro, which was not mature enough at the time compared to ArcSight.

What other advice do I have?

Do a live PoC to test all needed features.

Think of use cases that you would like to deploy and make sure they are doable on the system, without additional licenses/appliances.

Choose a mature partner who is able to deliver the implementation even if it costs a bit more. The most common factor of failed SIEM experiences are due to bad implementations from non-experienced partners/engineers.

**Disclosure: My company has a business relationship with this vendor other than being a customer: We are partners with HPE.
More ArcSight Enterprise Security Manager (ESM) reviews from users
...who work at a Financial Services Firm
...who compared it with Splunk
Learn what your peers think about ArcSight Enterprise Security Manager (ESM). Get advice and tips from experienced pros sharing their opinions. Updated: July 2021.
522,281 professionals have used our research since 2012.
Add a Comment
ITCS user

author avatarAlireza Ghahrood
Top 10Real User

thnaks 4 share it :D

author avatarDr Trust Tshepo Mapoka
Top 20Reseller

Thanks I agree.