What is most valuable?
The solution offers very good performance and is efficient.
The provider offered excellent training to help us successfully launch the project.
The interface is user-friendly.
The solution passed compliance thresholds and standard requirements which we hoped to satisfy at the time of launch. At our first audit, we presented the roadmap to our auditor and on the second audit, we presented plans to help us re-conduct our certification. They were able to verify the parameters and reporting. It was very successful.
What needs improvement?
The console in older versions is not user-friendly.
At one point, we experienced an RMA. However, they sent an expert to do an SDN check. Someone came to the company to verify the hardware and try to access the log just to verify what the root cause of the incident was. The hardware was replaced without incident for us.
The solution could benefit from adding in machine learning.
What do I think about the stability of the solution?
The solution is stable. We haven't faced any incidents after deployment.
What do I think about the scalability of the solution?
The solution is scalable, but it depends on the license you acquire. You can expand your license as needed if you need to integrate more infrastructure.
For us, our goal was to integrate all the infrastructure so we acquired a license with the expansion option so that we could integrate all the infrastructure that we wanted to.
In order to expand, users should expect to pay additional fees.
We are in the digital transformation space. This transformation means that very quickly we may need to be able to add more and more servers into our infrastructure. It was important that the solution we chose had a license that covered that capability.
How are customer service and technical support?
We've been in touch with technical support twice. Once was for the RMA when we needed some hardware replaced. I had to check the platform to verify it was done.
Technical support was helpful. For the RMA they sent an engineer on-site to verify the hardware and also to verify the root cause of that incident. It didn't take a lot of time to replace the hardware. At that time, we were only the second client to acquire ArcSight in Morocco.
How was the initial setup?
Deployment for the solution took a month, or four weeks, in total. The first week was spent installing the firmware and logging the hardware. We updated to the latest supported version as well. The following weeks were spent deploying the agent to the target systems.
The installation itself was easy, but you needed to be trained to use it because the administration console is a bit difficult. It's not like QRadar or Splunk, which both have easy-to-use consoles. ArcSight is efficient, but it wasn't until the last version that they started to use a simpler console.
We did all of the training in order to use the solution. The first training was technical - for example, how to install and deploy the system. The second training was admin related - for example, how to manage the solution. There was also training on how to manage the parameters, configure the solution, integrate the agent, and handle reporting.
What's my experience with pricing, setup cost, and licensing?
In our case, we bought a license for a three-year period. The technology itself is expensive.
Which other solutions did I evaluate?
At the time we were evaluating other solutions, we looked at Splunk and LogLogic. ArcSight was the first one that positioned itself as a market leader, which was a big reason we chose it.
What other advice do I have?
ArcSight was a technology we used for CM security information event management. We deployed it when I was an Information Security Senior Engineer in a company that provided electricity and water for Casablanca and neighboring cities. ArcSight was a requirement for the ISO 27001 standard. It was a requirement because the company was certified. For the first audit, we presented the roadmap that contained the deployment of that kind of solution. After that, we launched an offering to different information system providers. We chose ArcSight as the CM solution.
A requirement of our local regulator, due to the fact that we handle sensitive data, was that all data needed to be on-premises, which is why we use that deployment model and not a cloud or a hybrid deployment.
ArcSight is a good solution. I'd recommend it. However, I'd advise other companies to acquire a solution that responds to their needs.
I'd rate the solution nine out of ten.
Which deployment model are you using for this solution?