ArcSight Review

It enables us to speed our time to resolution.


Valuable Features

  • Security, understanding detection, intrusion, and how to do prevention and take action on an event that occurs from a security layer.
  • Having a single solution that can actually manage the entire infrastructure, soup to nuts.
  • Ability to detect and then take action on it.

Improvements to My Organization

Reducing my OPEX cost by reducing the overhead and training costs of employees and staff. Before we would have to have a large number of staff to be able to go in and do consulting opportunities, to mitigate and remediate security intrusions on given clients. Now using ArcSight, albeit there maybe a capital upfront cost to buy the software product, it enables us to speed our time to resolution.

Room for Improvement

ArcSight needs to go the same route that HPE's doing with the virtualization engine of the HP 380. Basically making it more of a single pane of glass to be able to deploy and take a tangible action on a security event. Today it takes still a lot of consulting dollars to go into trying to deploy ArcSight. You have to have a very powerful technologist or technologist team to deploy ArcSight at scale and be able to actually understand the events coming inbound and make the right tangible decisions from those points of ingress or points of notification. That today, albeit, not horribly hard, as long as you have a trained professional that knows the product. It would be nice to be able to basically make that a one pane of glass, much like HPE's done with the virtualization concept. It would make that pain point a little less. It's not going to make it perfect, but it would be nice to see improvement in that area.

Stability Issues

My opinion from a stability's standpoint ... we don't have any issues. The product runs 24/7/365. Whenever HPE introduces a patch or an enhancement for security concerns, we've never had a problem being able to ingest that on the fly with little-to-no downtime outside of what's been expected from the release of the patch.

Scalability Issues

I've not had any problems with scaling into tens of thousands of nodes. I guess the biggest problem you're going to have with that would be actually the compute power to make the tangible decisions that's needed on large-scale environments where you have hundreds of firewalls coming in from different points of ingress. That would be a concern, but again that's not because of the ArcSight, it's just basically that's compute power.

Customer Service and Technical Support

It has improved substantially over the last two years. I'm going to rate them at 3/5 because when you call in the time to remediation is long right now. I'm not going to fault any one person on that. It's a complex security tool, so calling in and trying to get that omission, crystal ball appearance is difficult. I get that. Is there room for improvement? Of course there is.

Previous Solutions

Well we have different tools out there, but the most common ones everybody's going to know about is Splunk. Feature, function and price was why we switched When we're able to actually deliver the similar features and functions, add in additional intellectual property from HPE with respect to decision trees of ArcSight and being able to take tangible actions on the stuff that's coming inbound, that's great. Other tools can do that. Now you're just talking about price in the industry. We're able to deliver the same features and functionality at a lower cost to the client, typically we'll win with ArcSight.

Initial Setup

Straightforward for the most part but there are limitations. For example in the virtualization engine of the J80, the Instant On, which is a OneView Instant On product line. It does work great, as long as you have your infrastructure. Our clients give us all the necessary requirements, such as the AD and IP address, the DNS, the subnets and stuff. As long as all that works seamlessly, then we can usually bind that HP 380, the Instant On into the infrastructure seamlessly. Does it always work smooth? No. But that's not necessarily HPE's fault, it's because the infrastructure doesn't always lend itself to easy integration.

Other Advice

I'm going to rate it at a 9. There's always room for improvement, of course, and maybe I'll be fair and give it an 8.5. The only reason I would do that is because, again, coming up with that single pane of glass, easier management style, and more about deployment. You don't have to have that powerhouse technologist that knows every trick of the trade to go in and deploy it and get all the bells and whistles. Is that a perfect model that will ever be achieved? Of course not. Can there be improvement? Sure there can. What I'm shooting for is have an ArcSight solution that can get me 90 percent there, and then the customization of ArcSight will be reduced substantially, so that the customers' adoption of a new security style tool will be easier to swallow, and it will lend itself to a larger footprint over time as the customer builds comfort with the product.

With respect to the software on ArcSight, concept's the same on that. When we actually ask for improvements on the product, they've made those enhancements and made those fixes. Now with respect to me asking for a single pane of glass? I know they're working on it, I'm sure they are. It's a pain point that not only we have, but a lot of our customers have. If we're having the same conversation next year, I'll be disappointed. I'm hoping that the single pane of glass comes out soon.

Disclosure: My company has a business relationship with this vendor other than being a customer: We're a partner and reseller.
Add a Comment
Guest
Sign Up with Email