- Event correlation across multiple device categories: It allows us to have a full picture of what is happening in the environment.
- Flexible event collection: Besides hundreds of standard devices, you can send custom CEF Syslog prepared with your own scripts.
- Customization of alerts: Velocity macros allow you to send very clear and user-friendly alerts.
Improvements to My Organization:
This product gave us a clear picture of the network traffic, including the useless parts. It also allowed us to detect a large range of threats, starting from the malware infected workstations to misconfigured devices.
Room for Improvement:
The web console should have all the features of the standard console.
In addition, the upgrade process should be simpler.
Use of Solution:
I have used this solution for 10 years and 8 months.
I did have some small issues at the beginning. They were mostly due to not reading the documentation or sending too many events into the HPE ESM solution.
Scalability was not an issue. The environment was relatively stable and we filtered out non-security events using custom scripts.
I have had mixed experiences over the years. Customer service was good, while the technical support was mostly great.
There were a few glitches, like assigning our trouble ticket to a support specialist in an impossible time zone.
I have not used any other solution. In 2005, we started directly with the HPE ArcSight solution because our company security consultant recommended it.
In 2006, when we first installed HPE ArcSight into production, we disabled most of the default rules and other object categories. Today, this may not apply. After that, we designed and implemented our own rules, filters, field sets, active lists, session lists, reports, alerts, etc.
The first year was hard. In the following years, we mainly did the fine tuning, added new event categories and also did a lot of updates/upgrades.
We carried out a pilot implementation based on the initial SOW, including several basic use cases.
us to understand what is really happening in the environment and we learned that most of the default rules are not appropriate for us.
After the pilot was successful, we bought the solution.
Calculating ROI is tricky and was never a concern for us. The simple fact that HPE ArcSight helped us several times to survive malware attacks (Conficker was one such attack) and also helped a lot with different compliance audits was enough for us.
Cost and Licensing Advice:
In order to avoid huge licensing costs, you should use pre-filtering of events outside the ArcSight solution. We did this for Cisco ASA firewalls, Microsoft TMG proxies, etc. Of course, this approach may not work if you have regulatory constraints and have to collect everything.
You must understand your environment and its dynamics.
Talk with IT people, write down the most important use cases, shortlist at least three SIEM solutions, do several pilots and then choose well.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
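As an added example (not code from the review or from ArcSight), here is a small Python script in the spirit of the custom-script approach described above: it pre-filters constructed firewall events outside the SIEM, keeping only denied connections, and encodes the survivors as CEF over UDP syslog. The vendor/product strings, event class ID, severity mapping, raw line format and the localhost collector address are all assumptions.

```python
"""Pre-filter raw device events outside the SIEM and emit the survivors as CEF syslog."""
import socket

# Constructed raw events in a simple key=value format (not a real ASA or TMG format).
RAW_EVENTS = [
    "ts=1700000000 src=10.0.0.5 dst=8.8.8.8 action=allow proto=udp dport=53",
    "ts=1700000001 src=10.0.0.7 dst=198.51.100.9 action=deny proto=tcp dport=445",
    "ts=1700000002 src=10.0.0.5 dst=203.0.113.4 action=allow proto=tcp dport=443",
    "ts=1700000003 src=10.0.0.9 dst=192.0.2.1 action=deny proto=tcp dport=3389",
]

def cef_escape_header(value: str) -> str:
    """Escape a CEF header field: backslash and pipe are the special characters there."""
    return value.replace("\\", "\\\\").replace("|", "\\|")

def cef_escape_extension(value: str) -> str:
    """Escape a CEF extension value: backslash, '=' and line breaks are special."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))

def parse_raw(line: str) -> dict:
    """Turn one constructed key=value line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def is_security_relevant(event: dict) -> bool:
    """Pre-filter: only denied connections go to the SIEM; allowed DNS/HTTPS noise is dropped."""
    return event.get("action") == "deny"

def to_cef(event: dict) -> str:
    """Build a CEF:0 line; vendor, product, event ID and severity mapping are constructed."""
    severity = 7 if event["dport"] in ("445", "3389") else 4
    header = "|".join(cef_escape_header(v) for v in (
        "ExampleVendor", "ExampleFirewall", "1.0", "fw-deny",
        f"Connection denied to port {event['dport']}", str(severity)))
    ext = " ".join(f"{k}={cef_escape_extension(v)}" for k, v in (
        ("rt", str(int(event["ts"]) * 1000)),  # CEF receipt time is epoch milliseconds
        ("src", event["src"]), ("dst", event["dst"]), ("dpt", event["dport"]),
        ("proto", event["proto"]), ("act", event["action"])))
    return f"CEF:0|{header}|{ext}"

def prefilter_to_cef(lines) -> list:
    """Parse, filter and encode; returns the CEF lines that would be shipped."""
    return [to_cef(ev) for ev in map(parse_raw, lines) if is_security_relevant(ev)]

def send_syslog(messages, host="127.0.0.1", port=514):
    """Ship each CEF line as a UDP syslog message with PRI <14> (facility user, severity info)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for msg in messages:
            sock.sendto(f"<14>{msg}".encode(), (host, port))

if __name__ == "__main__":
    send_syslog(prefilter_to_cef(RAW_EVENTS))  # assumes a collector listening on localhost:514
```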