Custom data parsers and custom event / asset categorization.
Improvements to My Organization
Allowing for non-conventional data feeds from HR into our overall security monitoring practice has allowed us to catch gaps in our exit checklist for employees, among other things.
Room for Improvement
The network modeling and asset categorization needs to be simplified to facilitate wider adaptation amongst customers.
Use of Solution
I have been working with ArcSight for over 8 years.
I have never deployed an ArcSight installation without encountering several issues; I have over 40 deployments to my credit.
Absolutely, the new CORR engine is a vast improvement but was pushed out to customers too quickly. Several key components of our analysis workflow broke due to the new event processing scheme.
Not so much on the ESM level, but it gets expensive to scale at the logger level.
Customer Service and Technical Support
Customer Service: Support can use vast improvements, but your technical account managers are great. No complaints there.
Technical Support: Lacking.
I am a Sr. Principal Architect and design and go with the best solution for the customer, currently deploying a solution around Logstash, elasticsearch and kibana.
Lots of moving parts.
Hard to determine, ArcSight is a product that costs millions to implement and takes several months to years before the ROI is clear.
Pricing, Setup Cost and Licensing
For this particular project $2.4 million USD.
Understanding of your environment and data sources is key before correlation can occur. Make sure your environment is at a point where augmentation of the existing analysis workflow is required, rather than using a SIEM to establish one.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Jul 20 2014