What is most valuable?
- Event correlation across multiple device categories: It allows us to have a full picture of what is happening in the environment.
- Flexible event collection: Besides hundreds of standard devices, you can send custom CEF Syslog prepared with your own scripts.
- Customization of alerts: Velocity macros allows you to send very clear and user-friendly alerts.
How has it helped my organization?
This product gave us a clear picture of the network traffic, including the useless parts. It also allowed us to detect a large range of threats, starting from the malware infected workstations to misconfigured devices.
What needs improvement?
The web console should have all the features of the standard console.
In addition, the upgrade process should be simpler.
For how long have I used the solution?
I have used this solution for 10 years and 8 months.
What was my experience with deployment of the solution?
I did have some small issues at the beginning. It was mostly due to not reading the documentation or sending too many events in the HPE ESM solution.
What do I think about the scalability of the solution?
Scalability was not an issue. The environment was relatively stable and we filtered out non-security events using custom scripts.
How is customer service and technical support?
I have had mixed experiences over the years. Customer service was good, while the technical support was mostly great.
There were a few glitches, like assigning our trouble ticket to a support specialist in an impossible time zone.
Which solutions did we use previously?
I have not used any other solution. In 2005, we started directly with the HPE ArcSight solution because our company security consultant recommended it.
How was the initial setup?
In 2006, when we first installed HPE ArcSight into production, we disabled most of the default rules and other object categories. Today, this may not apply. After which, we designed and implemented our own rules, filters, field sets, active lists, session lists, reports, alerts, etc.
The first year was hard. In the following years, we mainly did the fine tuning, added new event categories and also did a lot of updates/upgrades.
What about the implementation team?
We carried out a pilot implementation based on the initial SOW, including several basic use cases. This allowed us to understand what is really happening in the environment and we learned that most of the default rules are not appropriate for us. After the pilot was successful, we bought the solution.
What was our ROI?
Calculating ROI is tricky and was never a concern for us. The simple fact that HPE ArcSight helped us several times to survive malware attacks (Conficker was one such attack) and it also helped a lot with different compliance audits, which was enough for us.
What's my experience with pricing, setup cost, and licensing?
In order to avoid huge licensing costs, you should use pre-filtering of events, outside the ArcSight solution. We did this for Cisco ASA firewalls, Microsoft TMG proxies, etc. Of course, this approach may not work, if you have regulatory constraints and have to collect everything.
What other advice do I have?
You must understand your environment and its dynamics.
Talk with IT people, write down the most important use cases, shortlist at least three SIEM solutions, do several pilots and then choose well.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Jan 31 2017