What is most valuable?
- High flexibility: There are many custom sources of information that we wouldn't be able to integrate with another SIEM solution, thus compromising our security.
- High performance: The amount of data fed to the solution is huge (100s of millions of events per day).
- Capacity for multi-tier hierarchical deployment: We are able to integrate and standardize security incident detection and response over many locations.
How has it helped my organization?
- Losses from security incidents have significantly decreased.
- Security incident discovery and mitigation are a matter of hours, rather than days or even months, as it was before.
- Detailed reports allow for planning and informed decision making.
What needs improvement?
The overall complexity of the product can be overwhelming for some. It's not the type of solution where you just plug it in and it works. Reaping full benefit from it requires quite a lot of custom tuning, qualified IT security personnel, and proper and thorough planning.
Technical support from the vendor can sometimes be quite slow and not very helpful, but it is getting better.
The GUI is outdated. Improvements on this are on the way, according to the vendor.
For how long have I used the solution?
I’ve been using ArcSight for five years.
What do I think about the stability of the solution?
We had stability issues only in a virtual environment, which is not recommended by the vendor for a high-load setup. The main virtual server would crash every now and then. But once we had migrated the setup to a dedicated physical server, we had no major stability issues.
What do I think about the scalability of the solution?
Scalability was one of our main concerns while choosing a solution and, so far, it has satisfied our needs in this area without any issues.
How is customer service and technical support?
Right now, I would call technical support moderately good, since it has improved greatly over the past years. There are still some issues with timeliness every now and then, but the number of critical issues is quite low.
Which solutions did we use previously?
We have evaluated several solutions and HPE ArcSight was the only one that satisfied our requirements in performance, scalability, and flexibility.
How was the initial setup?
Initial setup was quite complex and required a lot of planning. That is a downside of the solution being flexible and customizable.
What's my experience with pricing, setup cost, and licensing?
The pricing and licensing model has changed dramatically over the last few years, so I can't really give much advice on its current state. You need to be ready for the solution to be quite expensive.
Which other solutions did I evaluate?
What other advice do I have?
The keys to success with this solution are:
- Careful deployment planning
- Readiness to invest time and resources into training your IT security personnel
- Fine-tuning the solution to your specific needs
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Jan 25 2017