ArcSight Review

Correlation and flexibility are valuable. It helped meet compliance requirements for log collection.


What is most valuable?

Correlation and flexibility are the most valuable features.

How has it helped my organization?

ArcSight saved time and effort responding to security incidents with one centralized console and helped to meet compliance requirements for log collection.

What needs improvement?

I would like to see improvement in the complexity involved to create a custom connector (flex). Other SIEM solutions, like QRadar, have addressed this.

For how long have I used the solution?

We have used ArcSight for 6 years.

What do I think about the stability of the solution?

Initial deployment of ArcSight is pretty challenging. It takes at least 3-4 months to install, integrate, define content and fine tune before starting the security operation.

How is customer service and technical support?

Customer service is fast in response, but very standard in their approach, which takes lot of time for simple issues.

Which solutions did we use previously?

I have used RSA enVision, QRadar and Splunk. ArcSight is better than them all when it comes to filtering, normalization, aggregation, dashboards, reporting and correlation, multi-tenancy and custom devices support.

How was the initial setup?

Initial setup was complex as the integration of a custom application takes lot of time and effort. Then, fine tuning requires at least 6 weeks to analyze and tune each alert separately.

What about the implementation team?

We implemented through HPE itself and I would advise to go through a vendor as they would hand over the SIEM post-fine tuning which is a mammoth task.

What was our ROI?

ROI can be measured in terms of detected security incidents and compliance positive tests, which in turn boost the business. Our security incident count increased from 3 per month to 46 and all were real security threats. Had those gone undetected and realized, there would have been possible data theft, information stealing, damage of brand reputation, etc.

What other advice do I have?

An organization that has enough budget for SIEM and really cares about security and not only about compliance must go with ArcSight. SMB organizations who want to start a SOC or have just a log management solution for compliance requirements can go for cheaper options such as QRadar, LogRhythm, AlienVault, etc. For MSSP, ArcSight is indeed the best SIEM available in the market, as segregation of logs, access restriction, different log retention, customized view for dashboard and reports to clients are present with ease.

Lastly, ArcSight is like Apple. If you have money, go for iPhone and you will certainly not regret it. But if your budget is the primary constraint, then another SIEM must be explored.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Add a Comment
Guest
Sign Up with Email