ArcSight Logger Review

It has excellent query syntax and response.


What is most valuable?

It has excellent query syntax and response. Complex queries of large volumes of data generally take seconds if not minutes.

How has it helped my organization?

ArcSight has improved incident response from days to minutes. It also offered ancillary non-security troubleshooting features, which were surprise benefits to teams such as network and operations.

What needs improvement?

I'd like to see more pre-built smart connector supported applications, although the list today is voluminous.

For how long have I used the solution?

We've been using it for two years.

What was my experience with deployment of the solution?

We had no issues with the deployment.

What do I think about the stability of the solution?

We have had no stability issues.

What do I think about the scalability of the solution?

The original Connector Appliance peaked its events-per-second limit much sooner than anticipated and required us to purchase another, and significantly larger, appliance. The issue was self-inflicted as we discovered more use cases when adding new logs and log types.

How are customer service and technical support?

Technical support is excellent. In fact, that was one of the best "features" of the implementation. I never had to wait to reach specialist help, and all the engineers I spoke with were highly technical and pleasant.

Which solution did I use previously and why did I switch?

I previously used a significant RSA enVision installation that had extremely poor performance with complex queries. It was routine to wait an hour or more for a more complex query. HP ArcSight was introduced by a CISO who had prior experience with it at a previous employer, and the improvement was immediately obvious. It was a wise decision that I took with me to my next organization.

How was the initial setup?

It can be difficult to set up connectors to ingest and normalize different log types initially.

What about the implementation team?

I would recommend HP professional services for starting up. I used that approach and was able to glean enough through knowledge transfer to hit the ground running from day one in production.

What was our ROI?

Security makes it difficult to quantify ROI, but I can say that we were able to complete incident response in minutes where the same had taken hours or days.

What's my experience with pricing, setup cost, and licensing?

In terms of pricing, size appropriately and realistically up front. That said, the product architecture is scalable as needs grow.

What other advice do I have?

ArcSight has a Google-like query syntax with boolean-style operands. That said, there is also a GUI to craft queries. I'd recommend learning the GUI, as this is the same GUI used in HP's ESM product, the engine that can correlate disparate log events and turn incident response from reactive to proactive alerting. Getting a head start on learning that syntax would help ease into the highly recommended ESM or ESM Express products.

Disclosure: My company has a business relationship with this vendor other than being a customer. At the time, I formed a strategic partnership with HP Enterprise Security and co-presented their products at a technology conference relevant to our business vertical, served as a customer reference, and referenced HP ArcSight in a case study about my complementary HP (now Trend Micro) TippingPoint Intrusion Prevention System implementation.