What is most valuable?
Correlation and data normalization via CEF: The speed of ArcSight's correlation engine, together with data enrichment, makes it a great tool for exploring vast amounts of data. Other SIEM tools have a hard time giving the same results at the same speed. Also, thanks to CEF log formatting, combining events from different sources takes minimal effort. Whereas, setting up that normalisation on other SIEM competitors could take countless hours.
What needs improvement?
Ease of use, access and simplicity: HPW ArcSight makes it hard to capitalize on reports without the use of the console. Other SIEM tools have made it clear that event correlation results can be used not only to send out alerts, but also to provide easily accessible results to management.
ArcSight can be quite complicated to use for "non-IT" user. In terms of "ease of use", access and simplicity, HPE could do a better job, since customers acquiring the product should be spending more time on implementing use cases than on understanding the product and the console organization.
Also, in terms of installation, we are no longer in an era where installing a product should be a laborious process. Instead, it should be simple and fast.
Also, when it comes to data onboarding, managing ArcSight connectors in a multi-technology environment, there is no simple way to guarantee that data parsing is happening properly.
Finally, having simple-to-set-up, multi-site high availability, in contrast to single-site HA, would be very welcome.
For how long have I used the solution?
I’ve been using ArcSight for three years.
What do I think about the stability of the solution?
We have had some issues on the SmartConnector layer, since not all parsers provide perfect results (especially in the case of proxy data). Also, there have been some issues on the HA modules, since HA works sort of like a local r-sync (no remote HA).
What do I think about the scalability of the solution?
No scalability issues have been encountered so far. ArcSight's architecture is very scalable, especially when set up in a layered architecture.
How is customer service and technical support?
Support is slow and doesn't always have the required skill set to solve the issues.
Which solutions did we use previously?
We did not have a previous solution.
How was the initial setup?
Initial setup was very complex. Any modification to the OS prior to ESM installation may cause errors in installation. Most errors aren't explicit and require a lot of time, effort and sometimes PS help to solve.
What's my experience with pricing, setup cost, and licensing?
Price is fair compared to other SIEMs (Splunk, QRadar, etc.). It's not the go-to product if you are looking for something cheap. Go for ArcSight, if it provides specific features that your IS requires.
Which other solutions did I evaluate?
Before ArcSight, we looked at QRadar and Splunk.
What other advice do I have?
My first advice is "be patient". It takes a lot of time to deploy an ArcSight infrastructure, but the result is worth it. Technically, it’s a very powerful tool. It would be worth it to take the time to learn some of the hidden features.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Jan 31 2017