ArcSight Review

It makes user behavior and problems on the network visible, which we can then solve
How has it helped my organization?

  • User behavior and problems on the network are visible, which we can then solve.
  • We can align policies with how people actually behave.
  • MSSP options are very good.

What is most valuable?

  • Large-scale installations work well.
  • The new user interface is nice.
  • The real-time analysis adds value.
  • The default packages on the new HPE Marketplace are useful and give nice default dashboards and reports for most of the well-known products.

What needs improvement?

HPE ArcSight has a quite steep learning curve. If you get to know the product well, it is the most powerful product that I have worked with. It would be nice if new users could start using the product more easily.

What do I think about the stability of the solution?

I would prefer to roll out HPE ArcSight ESM on physical hardware. Without proper tuning, running ESM on VMware does not work well. Loggers and connectors work fine on virtual components.

10,000 events per second, including correlation, on pretty normal hardware works well.

What do I think about the scalability of the solution?

We encountered no issues with scalability. If needed, ESM can be set up in tiered form. Loggers can be scaled horizontally very efficiently. One box can handle a lot of events.

How is customer service and technical support?

Customer Service:

Seven out of 10. Basic questions get answered quickly. More in-depth questions require more time, which can be a problem. It has improved over the last two years.

Technical Support:

Initially, the level of technical support was not so good. Once you get put through to the people in the US, you will get the better answers.

Which solutions did we use previously?

I have also used LogRhythm, which in my opinion has fewer features than ArcSight. 80% of use cases work well on both; for the most interesting 20%, I would use ArcSight.

How was the initial setup?

Initial setup was straightforward. From the manuals, it is clear what components need to be installed where. Not having to install agents on servers is a big advantage of ArcSight over other solutions that I have worked with.

What about the implementation team?

We did not use a vendor team to do the implementation. Our in-house teams could roll out ArcSight very well. Cooperation of a lot of teams is often needed to implement SIEM solutions: networking, OS, and compliance. Depending on your company structure, cooperation between teams can cost the most time.

What was our ROI?

I have not been involved in the ROI calculations and considerations, thus I cannot give my thoughts on this point.

What's my experience with pricing, setup cost, and licensing?

Do not scale out (horizontally) too quickly. A good box can handle a lot of EPS. You will not need to buy more licenses if you use one box in a good way. Also, aggregation can help a lot in pushing down licensing costs.

Which other solutions did I evaluate?

We also looked at Splunk and LogRhythm for every installation. All three have their own benefits. For large-scale installations with multiple users and (sub)companies, ArcSight is the best option.

What other advice do I have?

Get a training course and start working with it quickly after getting your course. It is easy to forget all the options ArcSight has.

Disclosure: I am a real user, and this review is based on my own experience and opinions.