What is most valuable?
Not really a feature, per se, but the ability to do multi-tenant SIEM.
How has it helped my organization?
We help our customers do more than 'check a box' for security and compliance and we are very proud of that. We tend to be more like partners to a lot of our customers, and they rely on us to deliver high-fidelity, relevant security alerts.
What needs improvement?
There are SO MANY things you can do in AS, and there is a lack of really in-depth documentation on a lot of it. I am not sure why this is, but it is a little hard to be self-sufficient when this is the case. I am sure this is why real ArcSight experts are in demand! Being too feature-rich can be as bad as being oversimplified!
For how long have I used the solution?
I have been working as an analyst using AS for 9 months now. This work involves monitoring the multi-tenant implementation of AS, sending reports to customers, doing investigations on alerts that come in, and implementing new Connectors and content. Connectors are how AS gets events from the devices.
What was my experience with deployment of the solution?
Again, system complexity can be an issue, but not really.
What do I think about the stability of the solution?
None. ArcSight is very stable. Period.
What do I think about the scalability of the solution?
Again, none. It is a system that is more than capable of multi-tenant implementations.
How are customer service and technical support?
They try really, really hard.
Which solution did I use previously and why did I switch?
No, the folks I work for were at ArcSight before HP acquired it and have always been users and proponents of it. It's a powerful product for sure.
How was the initial setup?
Setup is fairly complex, and with so many features, it is difficult to just 'set it and forget it' with ArcSight. It requires a lot of care and feeding, as well as a pretty good amount of ongoing maintenance and configuration to really get good quality alerts out of it.
What about the implementation team?
Which other solutions did I evaluate?
I've been looking at Open Source SIEM recently, and paying a lot of attention to the others in the commercial market, like IBM and MacAfee, but I don't have any practical experience. I have heard mixed reviews about all of them (including AS from some folks I know).
What other advice do I have?
Implementation advice: this is a big job, and unless you are able to hire and train a dedicated SIEM engineer, I would look at getting staff augmentation from HP or other consulting types. Be prepared to Read The Friendly Manual (RTFM), and do a lot of searches online. Take the entry-level certs that HP offers, and get classes if there is budget.
Disclosure: My company has a business relationship with this vendor other than being a customer: ArcSight partner
Aug 17 2014