HPE ArcSight Review
With the console, I can move between analyzing events and creating content. SmartConnectors are not resilient and sometimes crash.

Valuable Features:

The ESM's interface is really comprehensive. While the ArcSight console is really heavy, and I tend to dislike Java-based Windows GUIs, it's feature-rich and provides a seamless way to move between analyzing events and creating content.

Improvements to My Organization:

The ability to correlate such a diverse range of information into a single location is invaluable.

Room for Improvement:

SmartConnectors should be resilient, since they ingest directly from sources (often sources that I have no control over). But they're not resilient. The slightest change in the format of an event can cause SmartConnectors to stop working completely, even for other properly formatted events.

Use of Solution:

I have been using ArcSight for two years.

Stability Issues:

I've had stability issues, particularly with SmartConnectors. They sometimes crash. Worse still, they often report that they're working fine but completely stop listening for events.

Scalability Issues:

The ArcSight Logger is extremely limited when it comes to scalability. For a large deployment that could be handled by a single ESM, a dozen Loggers might be required. The cost of such an undertaking is prohibitive, and there are much more scalable solutions available (ES for instance).

Technical Support:

I would rate this zero, if I could. I have had many incidents opened with HPE Support for ArcSight products, and there has not been a single issue where their support was more valuable than the time it took to deal with them. In most of my experiences with them, I provided a thorough description of the problem including logs, config files, and sometimes .pcap files. 

I then heard back from them roughly once or twice a day for a week, during which time they would ask questions that I had already answered, and suggest actions that couldn't possibly relate to my issue. Of course, I tried their suggestions, but they did not work. By then, I had always devised a workaround to reduce impact to production and didn't receive another suggested resolution for weeks or months.

Previous Solutions:

I have used many products that cover some of the territory claimed by ArcSight, including: Sourcefire 3D, ELSA, Sguil/Squert, RSA Security Analytics and Splunk. None of these were as comprehensive as ArcSight.

Initial Setup:

Most of the initial setup is very straightforward, but some event sources require significant effort to integrate.

Cost and Licensing Advice:

ArcSight is exclusively an enterprise product and it is priced accordingly.

Other Solutions Considered:

We evaluated QRadar and Splunk.

Other Advice:

Evaluate your needs. If you're only looking to integrate logs or do simple correlations, there might be a better choice out there. If you're looking for a single product that will let you aggregate, correlate and analyze many different sources in a single place, then there are few competitors that can come close to ArcSight's features.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
