- High flexibility: There are many custom sources of information that we wouldn't be able to integrate with another SIEM solution, thus compromising our security.
- High performance: The amount of data fed to the solution is huge (100s of millions of events per day).
- Capacity for multi-tier hierarchical deployment: We are able to integrate and standardize security incident detection and response over many locations.
Improvements to My Organization:
- Losses from security incidents have significantly decreased.
- Security incident discovery and mitigation is a matter of hours, rather than days or even months, like it was before.
- Detailed reports allow for planning and informed decision making.
Room for Improvement:
The overall complexity of the product can be overwhelming for some. It's not the type of solution where you just plug it in and it works. Reaping full benefit from it requires quite a lot of custom tuning, qualified IT security personnel, and proper and thorough planning.
Technical support from the vendor can sometimes be quite slow and not very helpful, but it is getting better.
The GUI is outdated. Improvements on this are on the way, according to the vendor.
Use of Solution:
I’ve been using ArcSight for five years.
We had stability issues only in a virtual environment, which is not recommended by the vendor for a high-load setup. The main virtual server would crash every now and then. But once we had migrated the setup to a dedicated physical server, we had no major stability issues.
Scalability was one of our main concerns while choosing a solution and, so far, it has satisfied our needs in this area without any issues.
Right now, I would call technical support moderately good, since it has improved greatly over the past few years. There are still some issues with timeliness every now and then, but the number of critical issues is quite low.
We have evaluated several solutions and HPE ArcSight was the only one that satisfied our requirements in performance, scalability, and flexibility.
Initial setup was quite complex and required a lot of planning. That is a downside of the solution being flexible and customizable.
Cost and Licensing Advice:
The pricing and licensing model has changed dramatically over the last few years, so I can't really give much advice on its current state. You need to be ready for the solution to be quite expensive.
Other Solutions Considered:
The keys to success with this solution are:
- Careful deployment planning
- Readiness to invest time and resources into training your IT security personnel
- Fine tuning the solution to your specific needs
Disclosure: I am a real user, and this review is based on my own experience and opinions.