ArcSight Enterprise Security Manager (ESM) Overview

ArcSight Enterprise Security Manager (ESM) is the #8 ranked solution in our list of top Security Information and Event Management (SIEM) tools. It is most often compared to Splunk: ArcSight Enterprise Security Manager (ESM) vs Splunk

What is ArcSight Enterprise Security Manager (ESM)?

ArcSight is Micro Focus' leading Security Information and Event Management (SIEM) solution. ArcSight helps businesses protect their data through compliance solutions and security analytics.

There are a number of different products and solutions in the ArcSight family so you are able to pick and choose those that are best suited to your business requirements.

With ArcSight, IT can:

  • Monitor IT infrastructure.
  • Manage insider security with secure identity and access control.
  • Automate compliance.
  • Monitor applications.
  • Manage security risks.
  • Identify APTs.

ArcSight Enterprise Security Manager (ESM) is also known as Micro Focus ArcSight, HPE ArcSight, or simply ArcSight.

ArcSight Enterprise Security Manager (ESM) Buyer's Guide

Download the ArcSight Enterprise Security Manager (ESM) Buyer's Guide including reviews and more. Updated: October 2021

ArcSight Enterprise Security Manager (ESM) Customers

Lake Health, U.S. Department of Health and Human Services, Bank AlJazira, Banca Intesa, and Obrela.

Archived ArcSight Enterprise Security Manager (ESM) Reviews (more than two years old)

LH
User at NOOSC Global
Real User
Helpful for detecting malware and intrusions, but needs support for devices without log files

Pros and Cons

  • "For the typical malware or intrusion, this solution assists us by identifying the symptoms based on network traffic from the application servers."
  • "The weakness in this system comes about because, with so many different logs, it is possible that the security analyst will lose information."

What is our primary use case?

We have a customer who is using this solution for information security monitoring.

How has it helped my organization?

For the typical malware or intrusion, this solution assists us by identifying the symptoms based on network traffic from the application servers. We are then able to prevent others from accessing critical information.

What is most valuable?

I really like the dashboard.

What needs improvement?

One of the problems for the security center is that there are many logs that need to be retrieved from a variety of network devices. The weakness in this system comes about because, with so many different logs, it is possible that the security analyst will lose information. I would like to have better support for wide-area data analytics.

Ideally, I would like to see ArcSight have the ability to consume raw information, or raw data, without being dependent on a log file.

For how long have I used the solution?

Between five and six years.

What do I think about the scalability of the solution?

There are more than six thousand users. However, because it is a log-based system, the scalability is limited. As such, our customer is looking for a solution that can scale better as the number of users and the number of devices in the infrastructure increases.

How are customer service and technical support?

There is not much in terms of support that is available for this solution. There are not many people with the competency for visualization and creating use cases.

How was the initial setup?

The initial setup of this solution is pretty complex. Once this installation is complete, we need to set up the use cases.

Deployment for this solution took between three and six months and was performed with four to five people.

What about the implementation team?

A reseller assisted our customer with the deployment.

What's my experience with pricing, setup cost, and licensing?

The cost of the solution is not very high, although hiring a qualified analyst to work with the product is expensive.

What other advice do I have?

In summary, this solution requires a dedicated person that has specific competency in this product. It is not a plug and play product that allows you to simply focus on the analytics. It is not easy for an amateur.

The suitability of this solution depends on the complexity of the system. If the organization is very large, for example nationwide, then a log-based approach such as this one will be very difficult to implement. 

Obviously, if the device does not generate a log then it is not supported by this solution. Our client has successfully deployed it for use with several devices, including firewalls and IPS, but they have no support for some in-house applications.

I would rate this solution a five out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
RR
Senior Officer IT at a financial services firm with 10,001+ employees
Real User
Interactive dashboards provide lots of detail, but tough to operate for new users

Pros and Cons

  • "I think that the overall experience with this solution is good, but in particular, I think that the dashboards are quite interactive."
  • "It would be nice if the interface were more user-friendly, with, for example, a minimal number of tabs to navigate."

What is most valuable?

I think that the overall experience with this solution is good, but in particular, I think that the dashboards are quite interactive.

What needs improvement?

For somebody who is new and just starting with this product, they find it really tough. The software is quite big. It would be nice if the interface were more user-friendly, with, for example, a minimal number of tabs to navigate.

A walkthrough that shows everything a normal user might do would be very helpful.

I would like to see improvements on the Active Channel side of this solution.

For how long have I used the solution?

Between one and two years.

What do I think about the stability of the solution?

The software itself seems to be stable, as we have not actually experienced any bugs. The connection depends on the network side, but overall it seems to be working fine.

What do I think about the scalability of the solution?

This solution would be more scalable if the interface were more user-friendly. There are rules and alerts, and the user has to have the proper knowledge of all of these things. With a walk-through, I think that it would be quite easy to scale.

We have two people using this solution, and we perform monitoring on a daily basis. In our environment, adding users is quite rare. 

How are customer service and technical support?

We did have a couple of problems recently where one of the modules was not communicating well. In terms of support, I think that they are quite good.

Which solution did I use previously and why did I switch?

This is the first solution that we have used for monitoring.

How was the initial setup?

I was not involved in the initial setup of this solution.

What other advice do I have?

This is a really good solution and I would recommend it. If you know how to work it, and how to configure it properly, then it can give you lots and lots of information. On the other hand, it provides so much detail that people can miss things. If the interface and reports were minimized and consolidated then it would be better.

I would rate this solution a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
HJ
Security Manager at shinhan DS
Real User
Ease of connectivity with third-party products adds to the flexibility of this solution

Pros and Cons

  • "This process has helped to improve our organization because we have centralized the intra-group security equipment logs."
  • "There are several improvements that we would like to see, including: building a system based on a log collection (SOC), a scenario for external encroachment, and operator training."

What is our primary use case?

Our primary use case is to prioritize internationally used references.

How has it helped my organization?

This process has helped to improve our organization because we have centralized the intra-group security equipment logs.

We've been working hard to implement violation scenarios as rules.

What is most valuable?

The features that we have found to be most valuable are:

  1. Connectivity with the SOC system
  2. Flexible connectivity with third-party solutions

What needs improvement?

There are several improvements that we would like to see, including:

  1. Building a system based on a log collection (SOC)
  2. A scenario for external encroachment
  3. Operator training

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Teguh Budyantara
IT Manager at Royal Cemerlang
Real User
Enables us to minimize the damages of WannaCry attacks

Pros and Cons

  • "When WannaCry attacks, I can minimize the damage. My company had no protection at the time. We get alerts in ArcSight, and whenever a user got a copy of WannaCry and the WannaCry malware wanted to connect to the mothership, it alerted me in the ArcSight dashboard, and that helps us a lot. We then just go to the user and erase the malware."
  • "In other products, I have found that they use some kind of GUI that is drag and drop, while in ArcSight they still use scripting. They should keep scripting because some people prefer scripting, but they should have the option for those who prefer using drag and drop."

What is our primary use case?

Our primary use case is for analyzing cybersecurity.

How has it helped my organization?

When WannaCry attacks, I can minimize the damage. My company had no protection at the time. We get alerts in ArcSight, and whenever a user got a copy of WannaCry and the WannaCry malware wanted to connect to the mothership, it alerted me in the ArcSight dashboard, and that helps us a lot. We then just go to the user and erase the malware.

What needs improvement?

In other products, I have found that they use some kind of GUI that is drag and drop. While in ArcSight they still use scripting. They should keep scripting because some people prefer scripting but they should have the option for those who prefer using drag and drop.

They should do something similar to what Splunk is doing. They have Enterprise Security and ArcSight should include some use cases that concentrate on Enterprise Security.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

It's quite stable. 

What do I think about the scalability of the solution?

Our initial sizing is enough for our needs. 

How was the initial setup?

The initial setup was straightforward. The correlation engine took us a lot of time. It took us three months to do the implementation. We required two staff for deployment. 

What about the implementation team?

We used a partner for the implementation. 

What's my experience with pricing, setup cost, and licensing?

The pricing is great compared to others.

Which other solutions did I evaluate?

At the time that we were looking into options, we did a PoC for Splunk. We found that ArcSight is more user-friendly than Splunk because Splunk uses more scripting in the configuration and initial setup.

What other advice do I have?

I would rate it an eight out of ten. Not a ten because of the drag and drop feature I'd like for them to include and because I think they should include more enterprise security use cases. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
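The alert the reviewer describes is an ESM correlation rule, which is built in the console rather than written as code. As an added example that is not the reviewer's content and not ArcSight code, the block below shows the logic behind two rules of that kind, run over constructed, already-normalized events: a host reaching a destination on an indicator list (the "phone home" the reviewer caught), and a host touching many distinct internal hosts on TCP/445 in a short window, which is how WannaCry spread over SMB. The indicator addresses, internal hosts and timestamps are placeholders; the threshold and window values are assumptions to tune per environment.

```python
"""Added example (not ArcSight content): two correlation rules of the kind an
ESM analyst would build, run over constructed, already-normalized events.
Indicator addresses, hosts and timestamps are placeholders."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed "active list" of known command-and-control destinations (placeholders).
C2_INDICATORS = {"198.51.100.23", "203.0.113.77"}


def c2_callback_rule(events, indicators=C2_INDICATORS):
    """Fire once per internal host that tries to reach an indicator destination."""
    alerts, seen = [], set()
    for e in events:
        if e["dst"] in indicators and e["src"] not in seen:
            seen.add(e["src"])
            alerts.append({"rule": "c2_callback", "host": e["src"],
                           "dst": e["dst"], "at": e["ts"]})
    return alerts


def smb_fanout_rule(events, threshold=10, window=timedelta(seconds=60)):
    """Fire when one source touches >= threshold distinct hosts on TCP/445 inside
    the window (WannaCry-style SMB propagation); fires once per source."""
    recent = defaultdict(deque)            # src -> deque of (ts, dst), oldest first
    alerts, fired = [], set()
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e.get("proto") != "TCP" or e.get("dpt") != 445 or e["src"] in fired:
            continue
        q = recent[e["src"]]
        q.append((e["ts"], e["dst"]))
        while q and e["ts"] - q[0][0] > window:   # drop entries that fell out of the window
            q.popleft()
        targets = {dst for _, dst in q}
        if len(targets) >= threshold:
            fired.add(e["src"])
            alerts.append({"rule": "smb_fanout", "host": e["src"],
                           "targets": len(targets), "at": e["ts"]})
    return alerts


# Constructed sample traffic (placeholder addresses).
BASE = datetime(2017, 5, 12, 9, 0, 0)


def _ev(offset_s, src, dst, dpt=445, proto="TCP"):
    return {"ts": BASE + timedelta(seconds=offset_s), "src": src, "dst": dst,
            "dpt": dpt, "proto": proto}


SAMPLE_EVENTS = (
    # infected host sweeps the subnet for SMB, one new target every two seconds
    [_ev(2 * i, "10.0.0.5", f"10.0.0.{100 + i}") for i in range(12)]
    # ... then phones home to a listed C2 address
    + [_ev(30, "10.0.0.5", "198.51.100.23", dpt=443)]
    # a normal client hitting one file server repeatedly (one distinct target)
    + [_ev(5 * i, "10.0.0.9", "10.0.0.50") for i in range(20)]
    # a slow sweep, one target every two minutes, never fills a 60-second window
    + [_ev(120 * i, "10.0.0.21", f"10.0.0.{100 + i}") for i in range(12)]
)


def run_rules(events):
    """Evaluate both rules; returns the list of alerts in rule order."""
    return c2_callback_rule(events) + smb_fanout_rule(events)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

Both rules fire once per host, which is what an analyst needs on a dashboard; the raw per-event matches are still in the event store for the investigation. The slow sweep shows why the window matters: the same twelve targets spread over twenty minutes never co-exist in one 60-second window, so lowering the threshold alone would not catch it, and a second rule with a longer window (and a higher threshold to keep false positives down) would be the usual answer.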
AN
Analyst at a financial services firm with 10,001+ employees
Real User
Helps our clients with compliance and gives them real-time alerts and monitoring for their server data

What is our primary use case?

We use this solution for clients that want database consulting. They have a lot of general users' data in that demise so they want to have a robust SIEM solution that they trust. They have real-time alerts and monitoring for their data server.

How has it helped my organization?

We do consulting and I get feedback from our clients that the product really helped them with compliance, especially with GDPR. 

What needs improvement?

They should make a user manual for the technical people.

I would like for them to integrate mobile devices. Integration or any kind of functionality which will act as a substitute for IBM so that we can really track our mobile devices as well as look at SIEM.

What do I think about the stability of the solution?

I would rate the stability as a four out of five. 

How was the initial setup?

The initial setup was easy. It was a two-month project plus one month setting up the best practices cost organization. In total, it was around a three month project.

What's my experience with pricing, setup cost, and licensing?

Pricing is average. 

What other advice do I have?

I would rate this solution a nine out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Filip Simeonov
Information Security and Business Data Protection Specialist at a comms service provider with 1,001-5,000 employees
Real User
The webpage algorithm is the most valuable feature because it is the fastest feature for searching logs, events, and correlation

Pros and Cons

  • "The webpage algorithm is the most valuable feature because it was the fastest feature for searching the logs, events, and correlation."
  • "The security area has room for improvement."

What is our primary use case?

It's the security analyst for incident response, forensic investigations, and security monitoring.

How has it helped my organization?

It has improved our organization because we had many investigations that it helped us with. 

What is most valuable?

The webpage algorithm is the most valuable feature because it was the fastest feature for searching the logs, events, and correlation.

What needs improvement?

The security area has room for improvement. 

For how long have I used the solution?

More than five years.

What other advice do I have?

I would rate this solution a seven out of ten. To make it a ten they should develop a design for the security operations. It's a SIEM solution and I can see that it has some segregation of the consoles and duties for the different parties when we want to monitor different components like the security operations center. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Teguh Budyantara
IT Manager at Royal Cemerlang
Real User
Can pinpoint the story behind every virus or network attack to the environment

What is our primary use case?

Our primary use case is SIEM. It is a data lake for logs from all of our servers and devices (routers, switches, firewalls, wireless controllers, etc.).

How has it helped my organization?

It prevented my users from getting infected by ransomware. It can also pinpoint the story behind every virus or network attack to our environment.

What is most valuable?

ArcSight ESM: The module has user-defined rules capabilities. This feature lets us define almost any threat.

What needs improvement?

The product should include a lot more predefined scenarios so the adopted company will have knowledge and a broader skill set in security and network.

For how long have I used the solution?

Three to five years.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Business Development Manager- Threat Management Services at Insight Enterprises, Inc.
MSP
Absolutely improved the efficiency of our security team

Pros and Cons

  • "It has absolutely improved the efficiency of our security team. We use it internally as well. It is such a powerful tool that our internal security team became a customer of our ArcSight managed service."
  • "The initial setup is very complex. We had to architect a deployment which allowed us to incorporate an ever growing number of customers into our hosted instance of ArcSight."
  • "Customer service during the transition from HPE to Micro Focus was abysmal where it became disruptive to our service delivery."

What is our primary use case?

It is our SIEM of choice in our managed SIEM services offering. Its multi-tenant capability, virtually universal connector framework, and licensing model made it the clear choice to deliver a value-add as an MSSP.

How has it helped my organization?

Without it, we would not have a managed SIEM offering to speak of. We spent over a year evaluating leading competitors and ArcSight was the clear winner. It opened up a completely new line of business for us.

What is most valuable?

  • Smart Connectors and Flex Wizard
  • Multi-tenant access
  • Customization for dashboards and reporting
  • Improvements made to the ADP platform

What needs improvement?

The marketplace is a bit of a joke; steps should be taken to improve participation. 

Micro Focus desperately needs to improve their core offering rather than adding more "solutions" to the greater ArcSight portfolio. In other words, instead of selling a separate, slick, intuitive add-on (i.e., ArcSight Investigate), just make the console GUI better! 

Customer engagement and support could be improved across the board. 

Efficiency of Security Team

It has absolutely improved the efficiency of our security team. We use it internally as well. It is such a powerful tool that our internal security team became a customer of our ArcSight managed service. 

Events per Day

Several thousand and growing.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

We had one issue and customer service was very slow to resolve it.

What do I think about the scalability of the solution?

No scalability issues.

How are customer service and technical support?

Unfortunately, this may be the single biggest complaint I have. We have had a bad experience in several different stages of engagement with ArcSight support. 

Customer service during the transition from HPE to Micro Focus was abysmal where it became disruptive to our service delivery. Things have improved in the time since and gotten better lately, but there is still room for improvement.

Which solution did I use previously and why did I switch?

We have not used a previous solution past its initial evaluation period.

How was the initial setup?

The initial setup is very complex. We had to architect a deployment which allowed us to incorporate an ever growing number of customers into our hosted instance of ArcSight. At the time, ArcSight did not have much of an MSSP program, and we didn't get near the help that we needed. 

What about the implementation team?

We implemented it in-house.

What was our ROI?

Thanks to Micro Focus's licensing model, as an MSSP, we are able to see a complete return on our investment almost immediately.

What's my experience with pricing, setup cost, and licensing?

Customers without a ton of resources to dedicate to deployment may be better served by a managed ArcSight service. A lot of the complex setup and administration duties are more effectively offloaded to a provider who can operate within an economy of scale to mitigate them.

Which other solutions did I evaluate?

We evaluated Splunk, QRadar, and LogRhythm

What other advice do I have?

It has its quirks, but ultimately, it delivers capabilities that no other SIEM could provide. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Ex Senior Security Analyst and Onsite consultant at Paladion Networks
Consultant
Once the rules are defined, it becomes easy to detect changes and generate automated logs

Pros and Cons

  • "The tool sends an automated mail to all the operators, which makes it easy to share the information and reporting.​"
  • "Once the rules are defined, it is capable of detecting minute changes in the systems, which are effectively based on the entries in the log.​"
  • "​It is a vital tool for live monitoring and helps us to understand the traffic alerts of any major issue on the network, thereby reducing hacking attempts."
  • "Once the rules are defined, it becomes easy to detect changes and generate automated logs."
  • "The analytics feature is not reliable and needs improvement for more detailed analysis.​"
  • "​In certain cases, this product does have false positives, which the company should work on."
  • "They should try to include business logic vulnerabilities in the SIEM tool."

What is our primary use case?

We use Micro Focus ArcSight SIEM versions 6.3, 6.4, and 6.5 in multiple sites and customer ranges. The SIEM log monitoring tool is very efficient at providing us the details for any file system changes, logins, OSPF, and BGP as well as other router and server changes.

How has it helped my organization?

It is a vital tool for live monitoring and helps us to understand the traffic alerts of any major issue on the network, thereby reducing hacking attempts. Before our staff had to review raw logs directly to understand if there has been any attempt to the system, but with ArcSight, once the rules are defined, it becomes easy to detect changes and generate automated logs. 

Another benefit is this tool sends an automated mail to all the operators, which makes it easy to share the information and reporting.

What is most valuable?

Once the rules are defined, it is capable of detecting minute changes in the systems, which are effectively based on the entries in the log.

What needs improvement?

In certain cases, this product does have false positives, which the company should work on. They should also try to include business logic vulnerabilities in the SIEM tool. The analytics feature is not reliable and needs improvement for more detailed analysis.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

The product that we used in our office under different environments is highly stable. We have used certain specific versions unless required specifically by the client.

What do I think about the scalability of the solution?

This product is designed for easy scalability and can easily scale up without major challenges. However, we have a specific team which looks after the setup and maintenance of the tool.

How are customer service and technical support?

We have experienced quick customer support. They have a complete list of our previous issues along with our history, which makes it faster for them to solve our issues. 

Which solution did I use previously and why did I switch?

Since I have been in the organisation, we have used Micro Focus ArcSight for 80% of the clients. We have also used Splunk for certain clients based on their requirements.

How was the initial setup?

We have a separate team for this functionality. I am not aware of the process. However, complete client cooperation is required in the setup or else there can be certain counterproductive alerts.

What's my experience with pricing, setup cost, and licensing?

It is best to be an institutional buyer and directly contact the sales team, as they can provide over-the-top discounts for bulk orders.

Which other solutions did I evaluate?

We have used Micro Focus ArcSight from the beginning.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
ITCS user
Security Consultant at a tech services company with 5,001-10,000 employees
Consultant
It makes user behavior and problems on the network visible, which we can then solve

Pros and Cons

  • "The real-time analysis adds value."
  • "HPE ArcSight has a quite steep learning curve."

How has it helped my organization?

  • User behavior and problems on the network are visible, which we can then solve. 
  • We can align policies with how people actually behave. 
  • MSSP options are very good.

What is most valuable?

  • Large scale installations work well.
  • The new user interface is nice. 
  • The real-time analysis adds value. 
  • The default packages on the new HPE Marketplace are useful and give nice default dashboards and reports for most of the well-known products.

What needs improvement?

HPE ArcSight has a quite steep learning curve. If you get to know the product well, it is the most powerful product that I have worked with. It would be nice if new users could start using the product more easily.

What do I think about the stability of the solution?

I would prefer to roll out HPE ArcSight ESM on physical hardware. Without proper tuning, running ESM on VMware does not work well. Loggers and connectors work fine on virtual components.

10,000 events per second, including correlation, on pretty normal hardware work well.

What do I think about the scalability of the solution?

We encountered no issues with scalability. If needed, ESM can be setup in tiered form. Loggers can be scaled horizontally very efficiently. One box can handle a lot of events.

How are customer service and technical support?

Customer Service:

Seven out of 10. Basic questions get answered quickly. More in depth questions require more time, which can be a problem. It has improved over the last two years.

Technical Support:

Initially, the level of technical support was not so good. Once you get put through to the people in the US, you will get the better answers.

Which solution did I use previously and why did I switch?

I have also used LogRhythm, which in my opinion has fewer features than ArcSight. 80% of use cases work well on both; for the most interesting 20%, I would use ArcSight.

How was the initial setup?

Initial setup was straightforward. From the manuals, it is clear what components need to be installed where. Not having to install agents on servers is a big advantage of ArcSight over other solutions that I have worked with.

What about the implementation team?

We did not use a vendor team to do the implementation. Our in-house teams could roll out ArcSight very well. Cooperation of a lot of teams is often needed to implement SIEM solutions: networking, OS, and compliancy. Depending on your company structure, cooperation between teams can cost the most time.

What was our ROI?

I have not been involved in the ROI calculations and considerations, thus I cannot give my thoughts on this point.

What's my experience with pricing, setup cost, and licensing?

Do not scale out (horizontally) too quickly. A good box can handle a lot of EPS. You will not need to buy more licenses if you use one box in a good way. Also, aggregation can help a lot in pushing down licensing costs.

Which other solutions did I evaluate?

We also looked at Splunk and LogRhythm for every installation. All three have their own benefits. For large scale installations with multiple users and (sub) companies, ArcSight is the best option.

What other advice do I have?

Get a training course and start working with it quickly after getting your course. It is easy to forget all the options ArcSight has.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user730782
Delivery Consultant - Security Solutions with 1,001-5,000 employees
Vendor
By tweaking use case conditions one could identify potential security breaches, but admin is complex

Pros and Cons

  • "Customization. ArcSight gives you a platform to on-board out-of-the-box devices with a more accurate way of collecting desired logs/events."
  • "Administration of ArcSight is not an easy job. The admin needs to be well experienced in it to identify the root cause and fix it."

How has it helped my organization?

Recent attacks like Shamoon and WannaCry were under continuous monitoring by using this solution. It is understood that every SIEM is a detective technology and not a preventive, but by tweaking the use case conditions one could identify potential security breaches.

What is most valuable?

Customization. ArcSight gives you a platform to on-board out-of-the-box devices with a more accurate way of collecting desired logs/events. Competitors offer something similar, but ArcSight gives you more detail.

What needs improvement?

Complexity, administration. Administration of ArcSight is not an easy job. The admin needs to be well experienced in it to identify the root cause and fix it.

What do I think about the stability of the solution?

Yes, quite a few times. But that depends on the admin, on how well the tool is maintained. Proper health checks are required on regular basis.

What do I think about the scalability of the solution?

Yes. Storage is an issue. Before deploying the product in the organization, proper scaling has to be done or else you end up losing the oldest data, hence failing to meet the audit.

How are customer service and technical support?

Eight out of 10.

Which solution did I use previously and why did I switch?

No.

How was the initial setup?

It was complex a few years ago. Lately it is all GUI and things are quite straightforward.

What's my experience with pricing, setup cost, and licensing?

ArcSight is pretty expensive compared with its competitors. I believe that is fine as it provides value.

Which other solutions did I evaluate?

No.

What other advice do I have?

On-boarding is easy but administration is challenging and more fun.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Hatem Metwally
Senior Security Consultant, CISSP, HPE ArcSight Specialist at a retailer with 5,001-10,000 employees
Consultant
Parses raw logs, converts them to common event format so you don't need expertise in all products

Pros and Cons

  • "SmartConnector: Normalization parses raw logs and converts them into CEF (common event format). This is the core of the product."
  • "They need to develop NetFlow appliances that can be installed in the customer network on span ports, collect NetFlow, and send it to ArcSight without relying on the devices' NetFlow capability and their position in the network."

How has it helped my organization?

This product is one of the best SIEM solutions, which helps SOC analysts to consolidate all security-relevant logs of many products into one place in a common format. It doesn’t require that you have expertise in each and every product. It facilitates pinpointing indicators of compromise and investigating security incidents more quickly than the legacy way of checking every product log separately. The old way required a huge effort (and the pain) of human correlation.

What is most valuable?

  • SmartConnector: Normalization parses raw logs and converts them into CEF (common event format). This is the core of the product.
  • Filtration, Aggregation: Both features provide a good way to save EPS (events per second).
  • Logger: Long log retention, fast search, and reporting.
  • ESM/Express: Correlation via standard rules and data monitors, active list, session list, active channels, reports, trends, queries, dashboards (query viewers and data monitors), and lightweight rules.

What needs improvement?

Developing more products/modules that make it more independent from relying on other vendors’ products to get all the necessary logs. For example, develop NetFlow appliances that can be installed in the customer network on span ports, collect NetFlow, and send it to ArcSight without relying on the devices' NetFlow capability and their position in the network.

What do I think about the stability of the solution?

Overall, the product stability is very good. But without continuous tuning of the developed content, and with improper usage of the product, you can encounter performance issues with ESM/Express, and sometimes hangs, which require a services restart.

What do I think about the scalability of the solution?

No.

How are customer service and technical support?

Sometimes very good and sometimes moderate.

Which solution did I use previously and why did I switch?

No.

How was the initial setup?

Straightforward for Logger and Express appliance; more considerations for ESM software version.

What's my experience with pricing, setup cost, and licensing?

HPE ArcSight pricing might be more expensive than other SIEM solutions, but in my opinion it has powerful features and great flexibility in developing complex use cases. So, in my opinion, it's worth trying first (via PoC, for example) before making any decision based on cost.

Which other solutions did I evaluate?

No.

What other advice do I have?

If you are implementing Express/ESM, I advise disabling all out-of-the-box content and building your own. Also, keep monitoring partial matches and your session/active list sizes as you develop your correlation rules, as it has a big performance hit on the system.

Disclosure: My company has a business relationship with this vendor other than being a customer: HPE implementation partner.
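The normalization this reviewer calls the core of the product is the SmartConnector turning raw logs into CEF. The parser below is an added example (not ArcSight's code) that shows what a CEF line actually looks like on the wire and what a consumer has to handle: escaped pipes and backslashes in the seven header fields, escaped equals signs and newlines in the extension, a syslog prefix in front of `CEF:`, and malformed lines, which are rejected individually rather than halting the whole stream. The sample lines are constructed for this example.

```python
"""Parse CEF (Common Event Format) lines such as those an ArcSight
SmartConnector emits. Added example; not ArcSight's own code.
The sample lines below are constructed."""
import re
from typing import Optional

# Header layout: CEF:Version|Device Vendor|Device Product|Device Version|
#                Signature ID|Name|Severity|Extension
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# Extension keys are word characters immediately followed by '='; an escaped
# '\=' inside a value cannot match because the backslash breaks the key class.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _split_header(text: str):
    """Split the first seven '|'-delimited fields, honouring '\\|' and '\\\\'
    escapes, and return (fields, remaining_extension_text)."""
    fields, buf, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        c = text[i]
        if c == "\\" and i + 1 < len(text):      # escaped char: keep literally
            buf.append(text[i + 1])
            i += 2
            continue
        if c == "|":                              # unescaped delimiter
            fields.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    return fields, text[i:]


def _unescape_ext(raw: str) -> str:
    """Undo extension escaping: '\\=' -> '=', '\\\\' -> '\\', '\\n'/'\\r' -> newline."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), raw)


def _parse_extension(ext: str) -> dict:
    """Extension is 'key=value key=value'; values may contain spaces, so each
    value runs up to the whitespace that precedes the next key."""
    result = {}
    keys = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        start = m.end()
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        result[m.group(1)] = _unescape_ext(ext[start:end].rstrip("\r\n"))
    return result


def parse_cef(line: str) -> Optional[dict]:
    """Return the event as a dict, or None if the line is not well-formed CEF.
    Any syslog prefix before 'CEF:' is ignored."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    fields, ext = _split_header(line[idx + 4:])
    if len(fields) != 7 or not fields[0].isdigit():
        return None
    event = dict(zip(HEADER_FIELDS, fields))
    event["extension"] = _parse_extension(ext)
    return event


def parse_many(lines):
    """Parse a batch; bad lines are collected, not allowed to stop the batch."""
    parsed, rejected = [], []
    for line in lines:
        event = parse_cef(line)
        if event is None:
            rejected.append(line)
        else:
            parsed.append(event)
    return parsed, rejected


# Constructed sample input: two valid events (the second exercises every
# escape), one truncated header, one non-CEF syslog line.
SAMPLE_LINES = [
    "<134>Oct 12 10:15:01 fw01 CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232",
    "CEF:0|Vendor\\|Inc|Gateway|2.3|3201|Blocked request to http://x\\|y|5|msg=equals sign \\= here\\nline two src=192.0.2.7",
    "CEF:0|Broken|only five|fields|here",
    "Oct 12 10:15:02 host plain syslog line without CEF",
]

if __name__ == "__main__":
    good, bad = parse_many(SAMPLE_LINES)
    for ev in good:
        print(ev["device_vendor"], ev["name"], ev["extension"])
    print(f"rejected {len(bad)} line(s)")
```

Run it as a script to see the two parsed events and the two rejected lines. A connector that raised on the third line instead of isolating it would lose the fourth and every event after it, which is the failure mode to design against when you write your own collection path.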
it_user587595
Dynamics Nav Expert at a tech services company with 51-200 employees
Consultant
Allows integration and log collection with different devices.

What is most valuable?

The valuable features are:

  • Integration and log collection with different devices.
  • Collecting logs from many different sources. If you have your own app, you can do logging for it. In addition, you can customize log parsing.
  • Correlations of logs from different device types.
  • Built-in content such as reports, dashboard, compliance, and standard packages.
  • Option to correlate logs with business data.
  • Option to adjust the product to different roles: operations, decision makers, and administrators.
  • You can adjust the web console interface to match the specific role.
  • Integration with other products, such as databases and IPSs.
  • Additional features are available with simple extensions. The solution enables you to monitor logs and to analyze data, but you can also use additional add-ins such as reputation services that can integrate ArcSight ESM with TippingPoint IPS.
  • Ready-made content that can be used immediately.
  • Customized business tables can be correlated. For example, the employee sick leave register can be correlated with Windows login logs.

What needs improvement?

I would like to see the following improvements:

  • Less time to administer and track logs on separate devices.
  • Ease of changing the product underneath. For example, instead of Juniper routers, we started to use Check Point routers.
  • Reporting: I would like an easier way to find the root cause.
  • Simplicity: I would like to see an easier way to figure out which column has the mapped data.
  • Component accessibility: Components are managed in different places; console, web console, and administration web. It would be nice to have easier access.
  • Better UX: I would like to see a better user experience with the web client. Sometimes, it is very slow and not very intuitive.
  • Better documentation or "how-to" videos: Usually documentation for devices, whose logs are going to be collected, is poor. Those guides are split in two parts: 1. To-do content for device administrator. 2. To-do content on the ArcSight side. When a customer uses these guides, it is not clear what he has to do. Sometimes the customer asks specific questions that the ArcSight implementer cannot answer. Some of these questions are about specific roles, privileges needed for a domain, or database use when the specific source is added.
  • Simplified licensing and license extension for console users: Console users are licensed separately. Those licenses are expensive. The web console is introduced with limited features.

What do I think about the stability of the solution?

There were some stability issues in the partner versions. The client versions were stable.

What do I think about the scalability of the solution?

There were no scalability issues.

How are customer service and technical support?

The technical support was not very good. They are slow and not very efficient. I rely on personal contacts to solve my issues.

How was the initial setup?

The installation was straightforward. It has some built-in connectors that are easy to set up.

What's my experience with pricing, setup cost, and licensing?

The product is not cheap. If you set it up and use it well, it is a worthwhile purchase.

Which other solutions did I evaluate?

We evaluated Splunk and McAfee Log Manager.

What other advice do I have?

Prior to implementation, do an internal assessment and analyze business, technical, and other requirements. Know your inventory and ask for a project methodology approach. Ask your partner for a referral visit to other customer sites.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are a partner.
ITCS user
Security Manager at a tech services company with 10,001+ employees
Consultant
Allows me to view events in real time. The FlexConnector configuration is complex.

What is most valuable?

The web logger allows me to view and inquire about various events in real time. It is the most useful feature for me for the following reasons:

  • Allows me to look at the traffic in real time
  • Allows me to add filters that remove the traffic that is not interesting
  • Allows me to narrow down my research to only important traffic.
  • Helps me in my troubleshooting work. I need to know a bit of SQL query syntax, but that is straightforward.
  • Allows me to create reports, evaluate my findings, and send information to my customers.

How has it helped my organization?

I was able to provide intelligence reports to my customers. The organization relies on this information in order to sell services.

What needs improvement?

I would like to see the following:

  • An improvement in the connector/agent configuration.
    The connector configuration is CLI based. If the connectors are pre-defined and built by HPE, then the configuration/installation seems to be OK.
  • Making the FlexConnector configuration less complex.
    You need development skills in order to do your job in creating/configuring agents and connectors. I tried to learn the syntax in order to customize the software (connectors and agents) for a particular device, and it was a nightmare. The cost for this work, via HPE consultancy, is huge.

For how long have I used the solution?

I've been using this product for three and a half years. I am one of the supporters of the product.

What was my experience with deployment of the solution?

Some of the connectors need to be developed in-house. There were also issues with forwarding events. We noticed that some logs were lost between connectors and the central reporting unit.

How are customer service and technical support?

I would give technical support a rating of 4 or 5 out of 10.

Which solution did I use previously and why did I switch?

We also use Splunk to compare features. ArcSight is the favorite solution for my organization.

How was the initial setup?

The initial setup is straightforward, but the customization can become a nightmare very easily.

What about the implementation team?

We had an in-house implementation. I would recommend a dedicated team for implementation, support, and operation.

What other advice do I have?

This product requires a dedicated team to operate it from A to Z. HPE support needs to be clearly defined and considered.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Lead Splunk Architect at a financial services firm with 10,001+ employees
Real User
CEF log formatting helps with combining events from different sources. It can be quite complicated for the "non-IT" user.

What is most valuable?

Correlation and data normalization via CEF: The speed of ArcSight's correlation engine, together with data enrichment, makes it a great tool for exploring vast amounts of data. Other SIEM tools have a hard time giving the same results at the same speed. Also, thanks to CEF log formatting, combining events from different sources takes minimal effort, whereas setting up that normalisation on competing SIEMs could take countless hours.

What needs improvement?

Ease of use, access and simplicity: HPE ArcSight makes it hard to capitalize on reports without the use of the console. Other SIEM tools have made it clear that event correlation results can be used not only to send out alerts, but also to provide easily accessible results to management.

ArcSight can be quite complicated to use for a "non-IT" user. In terms of ease of use, access and simplicity, HPE could do a better job, since customers acquiring the product should be spending more time on implementing use cases than on understanding the product and the console organization.

Also, in terms of installation, we are no longer in an era where installing a product should be a laborious process. Instead, it should be simple and fast.

Also, when it comes to data onboarding and managing ArcSight connectors in a multi-technology environment, there is no simple way to guarantee that data parsing is happening properly.

Finally, having simple-to-set-up, multi-site high availability, in contrast to single-site HA, would be very welcome.

For how long have I used the solution?

I’ve been using ArcSight for three years.

What do I think about the stability of the solution?

We have had some issues on the SmartConnector layer, since not all parsers provide perfect results (especially in the case of proxy data). Also, there have been some issues on the HA modules, since HA works sort of like a local rsync (no remote HA).

What do I think about the scalability of the solution?

No scalability issues have been encountered so far. ArcSight's architecture is very scalable, especially when set up in a layered architecture.

How are customer service and technical support?

Support is slow and doesn't always have the required skill set to solve the issues.

Which solution did I use previously and why did I switch?

We did not have a previous solution.

How was the initial setup?

Initial setup was very complex. Any modification to the OS prior to ESM installation may cause errors in installation. Most errors aren't explicit and require a lot of time, effort and sometimes PS help to solve.

What's my experience with pricing, setup cost, and licensing?

Price is fair compared to other SIEMs (Splunk, QRadar, etc.). It's not the go-to product if you are looking for something cheap. Go for ArcSight, if it provides specific features that your IS requires.

Which other solutions did I evaluate?

Before ArcSight, we looked at QRadar and Splunk.

What other advice do I have?

My first advice is "be patient". It takes a lot of time to deploy an ArcSight infrastructure, but the result is worth it. Technically, it’s a very powerful tool. It would be worth it to take the time to learn some of the hidden features.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user597603
Manager at a financial services firm with 1,001-5,000 employees
Vendor
It provides event correlation across multiple device categories. The web console should have all the features of the standard console.

What is most valuable?

  • Event correlation across multiple device categories: It allows us to have a full picture of what is happening in the environment.
  • Flexible event collection: Besides hundreds of standard devices, you can send custom CEF Syslog prepared with your own scripts.
  • Customization of alerts: Velocity macros allow you to send very clear and user-friendly alerts.

How has it helped my organization?

This product gave us a clear picture of the network traffic, including the useless parts. It also allowed us to detect a large range of threats, starting from the malware infected workstations to misconfigured devices.

What needs improvement?

The web console should have all the features of the standard console.

In addition, the upgrade process should be simpler.

For how long have I used the solution?

I have used this solution for 10 years and 8 months.

What was my experience with deployment of the solution?

I did have some small issues at the beginning. It was mostly due to not reading the documentation or sending too many events into the HPE ESM solution.

What do I think about the scalability of the solution?

Scalability was not an issue. The environment was relatively stable and we filtered out non-security events using custom scripts.

How are customer service and technical support?

I have had mixed experiences over the years. Customer service was good, while the technical support was mostly great.

There were a few glitches, like assigning our trouble ticket to a support specialist in an impossible time zone.

Which solution did I use previously and why did I switch?

I have not used any other solution. In 2005, we started directly with the HPE ArcSight solution because our company security consultant recommended it.

How was the initial setup?

In 2006, when we first installed HPE ArcSight into production, we disabled most of the default rules and other object categories. Today, this may not apply. After that, we designed and implemented our own rules, filters, field sets, active lists, session lists, reports, alerts, etc.

The first year was hard. In the following years, we mainly did the fine tuning, added new event categories and also did a lot of updates/upgrades.

What about the implementation team?

We carried out a pilot implementation based on the initial SOW, including several basic use cases. This allowed us to understand what is really happening in the environment and we learned that most of the default rules are not appropriate for us. After the pilot was successful, we bought the solution.

What was our ROI?

Calculating ROI is tricky and was never a concern for us. The simple fact that HPE ArcSight helped us several times to survive malware attacks (Conficker was one such attack) and also helped a lot with different compliance audits was enough for us.

What's my experience with pricing, setup cost, and licensing?

In order to avoid huge licensing costs, you should use pre-filtering of events, outside the ArcSight solution. We did this for Cisco ASA firewalls, Microsoft TMG proxies, etc. Of course, this approach may not work, if you have regulatory constraints and have to collect everything.

What other advice do I have?

You must understand your environment and its dynamics.

Talk with IT people, write down the most important use cases, shortlist at least three SIEM solutions, do several pilots and then choose well.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
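Two things this reviewer describes, sending custom CEF syslog prepared with your own scripts and pre-filtering noisy firewall events before they reach ArcSight (and count against the EPS licence), fit naturally in one forwarding script. The example below is added here and is not ArcSight or Cisco code. It parses Cisco ASA syslog, applies an assumed drop policy (forward warning-and-above, plus a short always-keep list, while dropping the informational connection build/teardown messages), and rewrites the survivors as CEF syslog with correct header and extension escaping. The sample lines, the ASA-to-CEF severity mapping, the signature names and the keep list are all assumptions for illustration; the reviewer's own caveat applies, namely that a regulator may require you to collect everything.

```python
"""Pre-filter Cisco ASA syslog and forward survivors as CEF syslog.
Added example; not ArcSight or Cisco code. Sample lines are constructed;
the drop policy, severity mapping and names are assumptions."""
import re

# Syslog-wrapped ASA message: optional <PRI>, timestamp, host, %ASA-<sev>-<id>: text
ASA_RE = re.compile(
    r"^(?:<\d+>)?(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) %ASA-(\d)-(\d{6}): (.*)$")
# "Deny tcp src outside:203.0.113.9/4444 dst inside:10.0.0.5/22 ..." style fields
ADDR_RE = re.compile(r"\b(\w+) src \S+?:([\d.]+)/(\d+) dst \S+?:([\d.]+)/(\d+)")

MAX_SEVERITY_TO_FORWARD = 4          # assumed policy: emergency..warning only
ALWAYS_KEEP = {"113005"}             # assumed: AAA auth rejected is informational
                                     # on ASA but we still want it in the SIEM
CEF_SEVERITY = {0: 10, 1: 10, 2: 9, 3: 8, 4: 6, 5: 4, 6: 2, 7: 1}  # assumed map
NAMES = {"106023": "ACL deny", "113005": "AAA authentication rejected"}  # assumed
LOCAL4 = 20                          # ASA default syslog facility


def escape_header(value: str) -> str:
    """CEF header fields escape backslash and pipe."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def escape_ext(value: str) -> str:
    """CEF extension values escape backslash, '=', and line breaks."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\n", "\\n").replace("\r", "\\r"))


def should_forward(severity: int, msg_id: str) -> bool:
    """Drop policy applied *before* the event reaches ArcSight."""
    return severity <= MAX_SEVERITY_TO_FORWARD or msg_id in ALWAYS_KEEP


def parse_asa(line: str):
    """Return (timestamp, host, severity, msg_id, text) or None if not ASA."""
    m = ASA_RE.match(line)
    if not m:
        return None
    ts, host, sev, msg_id, text = m.groups()
    return ts, host, int(sev), msg_id, text


def to_cef_syslog(ts: str, host: str, sev: int, msg_id: str, text: str) -> str:
    """Build '<PRI>timestamp host CEF:0|Cisco|ASA|...|ext' for one event."""
    ext = {"externalId": msg_id, "msg": text, "dvchost": host}
    a = ADDR_RE.search(text)
    if a:                             # enrich with the 5-tuple when present
        proto, src, spt, dst, dpt = a.groups()
        ext.update(proto=proto.lower(), src=src, spt=spt, dst=dst, dpt=dpt)
    fields = ["0", "Cisco", "ASA", "unknown", msg_id,
              NAMES.get(msg_id, f"ASA message {msg_id}"), str(CEF_SEVERITY[sev])]
    header = "CEF:" + "|".join(escape_header(f) for f in fields) + "|"
    extension = " ".join(f"{k}={escape_ext(v)}" for k, v in ext.items())
    pri = LOCAL4 * 8 + sev
    return f"<{pri}>{ts} {host} {header}{extension}"


def prefilter(lines):
    """Split a batch into (forwarded CEF lines, dropped raw, unparsed raw)."""
    forwarded, dropped, unparsed = [], [], []
    for line in lines:
        parsed = parse_asa(line)
        if parsed is None:
            unparsed.append(line)          # route non-ASA lines elsewhere
            continue
        ts, host, sev, msg_id, text = parsed
        if should_forward(sev, msg_id):
            forwarded.append(to_cef_syslog(ts, host, sev, msg_id, text))
        else:
            dropped.append(line)
    return forwarded, dropped, unparsed


# Constructed sample input: two informational connection events (dropped),
# an ACL deny and an AAA rejection (forwarded), and one non-ASA line.
SAMPLE_LINES = [
    "<166>Oct 12 10:15:01 fw01 %ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.5/51234 (10.0.0.5/51234)",
    "<166>Oct 12 10:15:02 fw01 %ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.5/443 to inside:10.0.0.5/51234 duration 0:00:01 bytes 2048 TCP FINs",
    "<164>Oct 12 10:15:03 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 dst inside:10.0.0.5/22 by access-group \"OUTSIDE_IN\" [0x0, 0x0]",
    "<166>Oct 12 10:15:04 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.20 : user = admin : user IP = 203.0.113.9",
    "Oct 12 10:15:05 fw01 sshd[123]: Accepted publickey for ops from 10.0.0.9",
]

if __name__ == "__main__":
    fwd, drop, other = prefilter(SAMPLE_LINES)
    for line in fwd:
        print(line)
    print(f"forwarded={len(fwd)} dropped={len(drop)} unparsed={len(other)}")
```

The AAA line is the one to look at in the output: its text contains `=` signs, which become `\=` so that a CEF consumer does not mistake `reason` or `user` for extension keys. The policy constants at the top are where you encode what the licence and the auditor allow you to discard.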
it_user597606
Associate Manager at a tech services company with 10,001+ employees
Real User
Dashboards and channels provide real-time alerts. Correlation becomes slow if we have more than a certain number of rules.

What is most valuable?

Creating dashboards and real-time channels for real-time monitoring: This feature gives real-time alerts for the monitoring team to act upon. In certain cases, we can also create real-time email alerts for relevant teams for faster actions and resolutions.

How has it helped my organization?

This product has helped us and our customer in monitoring the security of different applications as well as different hardware devices. It helps in keeping an eye on each activity logged in our internal environment. This also helped us and our customer to meet the local regulatory requirement.

What needs improvement?

The correlation and storage have to be improved. The correlation works fine if fewer rules are written, but it becomes slow if we have more than 200 rules written for any correlation. This created buffer-buckets for all events flowing into the system. There are other ways in which this can be improved.

For how long have I used the solution?

For the last one year, I have been using the current version, i.e., HPE ArcSight ESM, Hardware Appliance L5600, Software Version 6.8.

Before that, I have used the earlier versions, i.e., v4.5 and v5.0 for nearly three years.

What do I think about the stability of the solution?

I have not encountered any stability issues with HPE ESM. It was stable all the time.

What do I think about the scalability of the solution?

We didn't encounter any scalability issues. We were able to scale it as and when required.

How are customer service and technical support?

The technical support needs improvement, as sometimes it takes time to get the actual response on the issue. It takes more than two days to reach a resolution as the support team needs a lot of basic information.

Which solution did I use previously and why did I switch?

I was not using any other solution previously.

How was the initial setup?

The setup was straightforward but it still needs involvement from the support team as sometimes credentials do not work.

What's my experience with pricing, setup cost, and licensing?

This is based on the requirement and budget. I would not like to comment on the pricing or licensing.

Which other solutions did I evaluate?

We looked at other solutions such as Splunk and IBM QRadar.

Disclosure: My company has a business relationship with this vendor other than being a customer: We have an alliance with HPE for their security products.
ITCS user
Sales Engineer at a tech services company with 1,001-5,000 employees
Consultant
Enables you to create a dashboard for analytics and set alerts.

What is most valuable?

It was easy to use when we created some dashboards for analytics. ArcSight allows you to create a dashboard and provides an on-the-fly filter.

How has it helped my organization?

It makes things easy when I create a new alert.

What needs improvement?

They need to improve the Web UI, similar to how it is done with Splunk.

ArcSight is still using a Java app to do analytics.

ArcSight Express is using HTML5, which is good. However, the capabilities of ArcSight Express are not good when the data grows.

What do I think about the stability of the solution?

I did not have any issues with stability.

What do I think about the scalability of the solution?

I did not have any issues with scalability.

How are customer service and technical support?

Technical support responds quickly.

Which solution did I use previously and why did I switch?

We previously used RSA enVision. We had issues with the report generation.

How was the initial setup?

The installation is very easy.

What's my experience with pricing, setup cost, and licensing?

The licensing should come with EPS format, and not with EPD format.

What other advice do I have?

You need to first know the SIEM concept. SIEM can grow significantly, so you need to understand how to use a collector properly.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Security Expert at a tech services company
Consultant
The correlation capabilities are valuable. It is too restrictive to suit the flexibility needs of the infrastructure.

What is most valuable?

Correlation capabilities: This product provides an advanced level of correlations, which is highly valued.

How has it helped my organization?

HPE ArcSight has helped us gain visibility of the solutions across the organization. We have been constantly identifying anomalous activities both internally as well as externally. These include malware proliferation, data loss, proxy bypass attempts, phishing and spear-phishing, port scans, etc.

What needs improvement?

It can be more user-friendly. The product is too restrictive to suit the flexibility needs of the infrastructure. It is sometimes hard to implement the solution as recommended by HPE.

For how long have I used the solution?

I have used this solution for around four and a half years. Currently, we are using HPE ArcSight Express 5, ESM 6.8, Connector Appliances and SmartConnectors 7.4.

What do I think about the stability of the solution?

In version 5, I used to experience some issues as it was using Oracle DB. However, I do not have any problems in version 6+.

What do I think about the scalability of the solution?

This product is not easily scalable. We particularly required skilled personnel to do this activity and it also took a significant amount of time.

How are customer service and technical support?

The technical support is poor.

Which solution did I use previously and why did I switch?

We were not using any other solution before. We started using HPE ArcSight straightaway.

How was the initial setup?

Setting up of the ArcSight solution is always complex compared to other solutions out there. There are a lot of parameters and dependencies involved. Adding infrastructure complexity will add more complications. Distributed deployment is also difficult to implement.

What's my experience with pricing, setup cost, and licensing?

It is very expensive for larger deployments.

Which other solutions did I evaluate?

We are now working with open-source systems and Splunk solutions. We are decommissioning HPE ArcSight as it is getting impractical to manage and maintain the solution.

What other advice do I have?

There are better products in the market for medium to large-scale deployments. It is recommended to use this product for small-scale deployments, i.e., 200-800 EPS.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Network Security Administrator at a government with 1,001-5,000 employees
Vendor
With the console, I can move between analyzing events and creating content. SmartConnectors are not resilient and sometimes crash.

What is most valuable?

The ESM's interface is really comprehensive. While the ArcSight console is really heavy, and I tend to dislike Java-based Windows GUIs, it's feature-rich and provides a seamless way to move between analyzing events and creating content.

How has it helped my organization?

The ability to correlate such a diverse range of information into a single location is invaluable.

What needs improvement?

SmartConnectors should be resilient, since they ingest directly from sources (often sources that I have no control over). But they're not resilient. The slightest change in the format of an event can cause SmartConnectors to stop working completely, even for other properly formatted events.

For how long have I used the solution?

I have been using ArcSight for two years.

What do I think about the stability of the solution?

I've had stability issues, particularly with SmartConnectors. They sometimes crash. Worse still, they often report that they're working fine but completely stop listening for events.

What do I think about the scalability of the solution?

The ArcSight Logger is extremely limited when it comes to scalability. For a large deployment that could be handled by a single ESM, a dozen Loggers might be required. The cost of such an undertaking is prohibitive, and there are much more scalable solutions available (ES for instance).

How are customer service and technical support?

I would rate this zero, if I could. I have had many incidents opened with HPE Support for ArcSight products, and there has not been a single issue where their support was more valuable than the time it took to deal with them. In most of my experiences with them, I provided a thorough description of the problem including logs, config files, and sometimes .pcap files.

I then heard back from them roughly once or twice a day for a week, during which time they would ask questions that I had already answered, and suggest actions that couldn't possibly relate to my issue. Of course, I tried their suggestions, but they did not work. By then, I had always devised a workaround to reduce impact to production and didn't receive another suggested resolution for weeks or months.

Which solution did I use previously and why did I switch?

I have used many products that cover some of the territory claimed by ArcSight, including: Sourcefire 3D, ELSA, Sguil/Squert, RSA Security Analytics and Splunk. None of these were as comprehensive as ArcSight.

How was the initial setup?

Most of the initial setup is very straightforward, but some event sources require significant effort to integrate.

What's my experience with pricing, setup cost, and licensing?

ArcSight is exclusively an enterprise product and it is priced accordingly.

Which other solutions did I evaluate?

We evaluated QRadar and Splunk.

What other advice do I have?

Evaluate your needs. If you're only looking to integrate logs or do simple correlations, there might be a better choice out there. If you're looking for a single product that will let you aggregate, correlate and analyze many different sources in a single place, then there are few competitors that can come close to ArcSight's features.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user571005
System Support Engineer at a tech services company with 501-1,000 employees
MSP
Parsers are easy to create and test.

What is most valuable?

It’s a highly customizable solution. Rules can be customized to a great extent. Session lists, active lists, and global and local variables are pretty unique to the solution.

How has it helped my organization?

It can collect logs from many unsupported log sources. Parsers are easy to create and test.

What needs improvement?

The solution needs quite a bit of initial customization.

It needs more product integration, like NBAD and VM solutions, etc. Although the solution currently supports log collection from NBAD and VM solutions, it would be good to add features for HPE to have their own NBAD and VM solution.

There is room to improve the storage requirement.

Most SIEM solutions now have their own Vulnerability Management, NBAD, File Integrity Monitoring, etc. solutions that can be bought as an add-on module. HP does not seem to have any of those capabilities. The most important advantage of having such capabilities is that it allows users to view and analyse all the data on a single pane of glass. Regarding the initial customization, the solution needs some effort in terms of fine tuning to get the dashboards and reports to work. Once it is set up, I think the way the data can be used within the solution is the best, as it allows high customization.

For how long have I used the solution?

I have been using ArcSight for over five years.

What do I think about the stability of the solution?

The hardware requirements are very high and the solution has poor stability when they are not met.

What do I think about the scalability of the solution?

HPE ArcSight scales very well at the connector level, Logger level and the ESM level.

How are customer service and technical support?

Technical support is poor. This is one area that needs improvement.

How was the initial setup?

The initial setup is not complex, but is a little time consuming. Since the solution is highly customizable, the number of configurable options are high. HPE ArcSight allows distributed architecture.

What's my experience with pricing, setup cost, and licensing?

Pricing is high. There are multiple licensing options available. Hardware/software or hybrid licensing options are available. Some of the license upgrades are paper license upgrades.

Which other solutions did I evaluate?

We evaluated IBM QRadar, McAfee ESM, and AlienVault.

What other advice do I have?

Planning is very important. You need to know the security threats to your organisation to create the relevant rules. Look at other less-discussed modules of HPE ArcSight, like ArcSight Interactive Discovery and ArcSight ThreatDetector, for better results.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Ly Binh Lap
Network Security Engineer, Security Monitoring Center at a tech services company
Real User
FlexConnector collects logs from your own application.

What is most valuable?

The ArcSight solution supports your security team with many SIEM features:

  • Monitoring
  • Analysis
  • Alerts
  • Incident response

In my opinion, ArcSight is an open solution. It is easy to:

  • Customize components
  • Use FlexConnector to collect logs from your own application
  • Edit rules and the dashboard
  • Create work flows
  • Enrich information for events

How has it helped my organization?

I work at an ArcSight distributor in Vietnam. I have deployed the ArcSight solution for many customers. Some organizations are using it for SOC’s core and others for monitoring their information systems, critical assets, and regulatory and policy compliance.

For how long have I used the solution?

I have over two years of experience.

What do I think about the stability of the solution?

It can be overloaded when rules and data monitoring are not optimized and the system receives too many events.

What do I think about the scalability of the solution?

ArcSight can be extended to meet the biggest customers (large enterprise) needs.

How are customer service and technical support?

ArcSight technical support is enthusiastic. They have a lot of experience and many case studies.

How was the initial setup?

ArcSight configuration and deployment is complex, because it has many components.

Which other solutions did I evaluate?

I researched Splunk, QRadar and AlienVault, and I appreciate Splunk and ArcSight.

What other advice do I have?

ArcSight provides many documents and guides for configuration and operation. Also, you can refer to its community at https://www.protect724.hpe.com.

Disclosure: My company has a business relationship with this vendor other than being a customer: My company is a partner of HPE ArcSight.
ITCS user
Security Expert at a tech services company with 501-1,000 employees
Consultant
With multi-tier hierarchical deployment, we are able to integrate and standardize security incident detection and response.

What is most valuable?

  • High flexibility: There are many custom sources of information that we wouldn't be able to integrate with another SIEM solution, thus compromising our security.
  • High performance: The amount of data fed to the solution is huge (100s of millions of events per day).
  • Capacity for multi-tier hierarchical deployment: We are able to integrate and standardize security incident detection and response over many locations.

How has it helped my organization?

  • Losses from security incidents have significantly decreased.
  • Security incident discovery and mitigation is a matter of hours, rather than days or even months, like it was before.
  • Detailed reports allow for planning and informed decision making.

What needs improvement?

The overall complexity of the product can be overwhelming for some. It's not the type of solution where you just plug it in and it works. Reaping full benefit from it requires quite a lot of custom tuning, qualified IT security personnel, and proper and thorough planning.

Technical support from the vendor can sometimes be quite slow and not very helpful, but it is getting better.

The GUI is outdated. Improvements on this are on the way, according to the vendor.

For how long have I used the solution?

I’ve been using ArcSight for five years.

What do I think about the stability of the solution?

We had stability issues only in a virtual environment, which is not recommended by the vendor for a high-load setup. The main virtual server would crash every now and then. But once we had migrated the setup to a dedicated physical server, we had no major stability issues.

What do I think about the scalability of the solution?

Scalability was one of our main concerns while choosing a solution and, so far, it has satisfied our needs in this area without any issues.

How are customer service and technical support?

Right now, I would call technical support moderately good, since it has improved greatly over the past years. There are still some issues with timeliness every now and then, but the number of critical issues is quite low.

Which solution did I use previously and why did I switch?

We have evaluated several solutions and HPE ArcSight was the only one that satisfied our requirements in performance, scalability, and flexibility.

How was the initial setup?

Initial setup was quite complex and required a lot of planning. That is a downside of the solution being flexible and customizable.

What's my experience with pricing, setup cost, and licensing?

The pricing and licensing model has changed dramatically over the last years, so I can't really give much advice on its current state. You need to be ready for the solution to be quite expensive.

Which other solutions did I evaluate?

We evaluated McAfee ESM.

What other advice do I have?

The keys to success with this solution are:

  • Careful deployment planning
  • Readiness to invest time and resources into training your IT security personnel
  • Fine tuning the solution to your specific needs
Disclosure: I am a real user, and this review is based on my own experience and opinions.
GS
Product Specialist Security Solutions at a tech services company with 201-500 employees
Real User
The list feature allows us to add data to a list dynamically as a rule action.

How has it helped my organization?

Having a SIEM solution in general improves the way an organization functions, especially in the SOC part. With HPE ArcSight, we were able to deploy multiple dashboards, reports, and use case views that combine different views, data, and variables.

What is most valuable?

One of the most valuable features is the Active List/Session List capability.

Multiple use cases were only possible to create because of this list feature. It allows us to add data to a list dynamically as a rule action.

For example: if you need to take a source IP from an IPS event and put it in an Active List of suspicious IPs, you can create another rule for AntiVirus events that only matches IPs within that list.

What needs improvement?

The main area is the GUI interface. Although a lot of improvements were made on the GUI in the last version (6.9.1), there are still a lot of configurations that need to be done using the console.

The console is not a bad tool to use. I personally like to use it. However, compared to competitive solutions (Splunk, QRadar), it appears to be a weakness.

What do I think about the stability of the solution?

In general, it is a very stable product. We did multiple implementations, and we never had any major issues.

As with any other solution that handles a large number of logs/data, regular fine-tuning is required. This fine-tuning makes sure that the system is doing what it is supposed to do, with the capacity load that it was designed/sized for.

What do I think about the scalability of the solution?

There were no scalability issues. A single Express/ESM Appliance is usually enough to support most of the enterprise’s needs. Only package upgrades need to be purchased. No hardware changes are necessary.

As for the loggers for long retention, you can add multiple loggers and cluster them as one virtual appliance. This provides for an easy scalability feature.

For the connectors part, you can implement as many connectors as you need so you can cover all your zones/branches. At a later time, a load-balanced connector for syslog can be introduced to make sure that logs for sensitive UDP packets are lost.

How are customer service and technical support?

We barely used the technical support assistance except for licensing. The times when we did use it, they were very good.

Which solution did I use previously and why did I switch?

We worked with RSA enVision/RSA SA as a partner:

  • RSA enVision was very basic and was very hard to fine-tune.
  • RSA SA (logs/packets) is more oriented towards packets/investigation and lacks multiple features when only using it for log management/SIEM.

How was the initial setup?

The initial setup was very easy. A fresh ESM/Express Installation with a connector can be up and running within a few hours.

With all of the best SIEM solutions, the biggest chunk of work comes later in creating customized rules, dashboards, use cases, and flex connectors for non-supported devices.

What's my experience with pricing, setup cost, and licensing?

In general, ArcSight solutions can cost a lot in big deployments. That comes as a result of having a big, scalable, stable, and feature-rich solution.

Which other solutions did I evaluate?

As a partner, we sell the product. We shifted from RSA to ArcSight based on our internal evaluations.

We tested McAfee Nitro, which was not mature enough at the time compared to ArcSight.

What other advice do I have?

Do a live PoC to test all needed features.

Think of use cases that you would like to deploy and make sure they are doable on the system, without additional licenses/appliances.

Choose a mature partner who is able to deliver the implementation, even if it costs a bit more. The most common cause of failed SIEM experiences is bad implementation by inexperienced partners/engineers.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are partners with HPE.
ITCS user
Solutions Architect- SIEM and Solutions with 1,001-5,000 employees
Vendor
Most devices are covered out-of-the-box. I would like to see high-end, predictive analytics.

What is most valuable?

The most valuable features are flexible setup of the architecture and large coverage of devices. Most devices deployed in enterprise environments are covered out-of-the-box by ArcSight. Unlike a few other solutions, the last-mile connectivity with ArcSight agent servers is free and flexible across all location deployments.

How has it helped my organization?

I have implemented it for a few organizations and they have benefited by early attack detection and usage of the right incident response mechanisms.

What needs improvement?

I would like to see high-end, predictive analytics. ArcSight ESM has some features that help in advanced correlation rules creation. However, intelligence around predictive analytics, understanding the current security posture and ability to map it with possible threats in the future is not something that is present in ArcSight at the moment.

For how long have I used the solution?

We’ve been using ArcSight for 3 years.

What do I think about the stability of the solution?

I have not had any issues with stability.

What do I think about the scalability of the solution?

I have not had any issues with scalability.

How are customer service and technical support?

I have never used technical support much, but will give it 3/5.

How was the initial setup?

The connectors are straightforward. The baselining is where the issues start.

What's my experience with pricing, setup cost, and licensing?

Licensing is straightforward, but the solution is fairly pricey.

Which other solutions did I evaluate?

We looked at QRadar and LogRhythm.

What other advice do I have?

Ensure your scope is very clear and so are the components.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Information Security Specialist at a tech services company with 501-1,000 employees
MSP
Correlation and flexibility are valuable. It helped meet compliance requirements for log collection.

What is most valuable?

Correlation and flexibility are the most valuable features.

How has it helped my organization?

ArcSight saved time and effort responding to security incidents with one centralized console and helped to meet compliance requirements for log collection.

What needs improvement?

I would like to see improvement in the complexity involved to create a custom connector (flex). Other SIEM solutions, like QRadar, have addressed this.

For how long have I used the solution?

We have used ArcSight for 6 years.

What do I think about the stability of the solution?

Initial deployment of ArcSight is pretty challenging. It takes at least 3-4 months to install, integrate, define content and fine tune before starting the security operation.

How are customer service and technical support?

Customer service is fast in response, but very standard in their approach, which takes a lot of time for simple issues.

Which solution did I use previously and why did I switch?

I have used RSA enVision, QRadar and Splunk. ArcSight is better than them all when it comes to filtering, normalization, aggregation, dashboards, reporting and correlation, multi-tenancy and custom devices support.

How was the initial setup?

Initial setup was complex, as the integration of a custom application takes a lot of time and effort. Then, fine-tuning requires at least 6 weeks to analyze and tune each alert separately.

What about the implementation team?

We implemented through HPE itself, and I would advise going through a vendor, as they hand over the SIEM after fine-tuning, which is a mammoth task.

What was our ROI?

ROI can be measured in terms of detected security incidents and positive compliance tests, which in turn boost the business. Our security incident count increased from 3 per month to 46, and all were real security threats. Had those gone undetected and been realized, there could have been data theft, information stealing, damage to brand reputation, etc.

What other advice do I have?

An organization that has enough budget for SIEM and really cares about security, and not only about compliance, must go with ArcSight. SMB organizations that want to start a SOC, or that only need a log management solution for compliance requirements, can go for cheaper options such as QRadar, LogRhythm, AlienVault, etc. For an MSSP, ArcSight is indeed the best SIEM available in the market, as segregation of logs, access restriction, different log retention periods, and customized dashboard views and reports for clients are all available with ease.

Lastly, ArcSight is like Apple. If you have money, go for iPhone and you will certainly not regret it. But if your budget is the primary constraint, then another SIEM must be explored.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user415854
Senior Information Security Engineer at a tech services company with 501-1,000 employees
Consultant
The user has multiple levels of options to generate reports and get alerted based on conditions.

Valuable Features

  • Collection - Collects logs from a wide range of products, even those not supported by default; users can develop a connector for log collection.
  • Detection - The ability to detect subtle attacks with a powerful correlation engine.
  • Report/Alert - The user has multiple levels of options to generate reports and get alerted based on conditions.

Improvements to My Organization

By using ArcSight ESM and its correlation technology, we thwart multiple attacks from external sources before exploitation, such as SQL injection, UNIX password file access attempts, brute force against published servers, and more.

In addition, internal fraud has been prevented by blocking unauthorized login attempts to the firewall, database, critical servers, etc.

Room for Improvement

The ArcSight Connector appliance needs some improvement, as it has some bugs that trigger issues most of the time. I believe that the Connector appliance is going to hit end-of-service.

Deployment Issues

We experienced no issues with the deployment.

Stability Issues

We had the bugs in the Connector appliance detailed in the Room for Improvement section.

Scalability Issues

We've had no issues with scalability.

Customer Service and Technical Support

Customer Service:

3.5*

Technical Support:

Technical support should be improved. Many times I've raised a case but none of them solved it, and it took the guys from the Protect724 forum to solve my issue. The support team simply collects the logs from end users and makes you wait, and you carry on passing the same information which is available in the Admin guide.

Initial Setup

All you need is proper planning and pre-requisites information, and it's straightforward. Some newbies say that this product is hard to handle, but basically practice makes perfect.

Other Advice

HP is doing its job perfectly by bringing new features in every version, such as RepSM, HA capability, etc. It has never failed me.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user418164
Senior Security Consultant & Solution Architect at a financial services firm with 10,001+ employees
Vendor
It's able to track down security incidents faster and make for a more efficient investigation of a user's network activity based on the log data available.

Valuable Features:

  • Alert correlation
  • Reporting
  • Retention

These are the features we find most valuable for us and which we use the most.

Improvements to My Organization:

It's able to track down security incidents faster and make for a more efficient investigation of a user's network activity based on the log data available.

Due simply to the user features available out-of-the-box, the convenience it can bring to any organization (when deployed and configured correctly) can greatly assist any enterprise in many facets, from an increased and enhanced security posture, to audit regulations and even data retention.

Room for Improvement:

It needs additional and better user customization for SmartConnectors, and additional device support for more obscure log sources.

Also needed is a configuration wizard for organizations lacking the in-depth knowledge required to integrate the solution successfully.

Deployment Issues:

We've had no issues with deployment.

Stability Issues:

We've had no issues with instability. It's been stable for us.

Scalability Issues:

We've been able to scale it for our needs. We've had no issues with scalability.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Security Solutions Architect at a comms service provider with 10,001+ employees
Real User
Scalable though it is not "plug-and-play".

Valuable Features:

- Scalable though it is not "plug-and-play". 
- Various deployment configurations, based on requirements, budget and the EPS/GB per day
- Stable, performance predictable based on used capacity
- Integration with alerting/ticketing systems such as Tivoli

Improvements to My Organization:

- We use this product for managed SIEM services and its stability and maturity helps with standard deployments (hardly any surprises)

Room for Improvement:

- A bit on the slow side for reports requiring query of old data

- High availability achievable through complicated configurations (i.e. load balancers)

- The user interface is a bit dated

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user468321
Chief Technology Officer (CTO) at a tech company with 501-1,000 employees
Vendor
It enables us to speed our time to resolution.

What is most valuable?

  • Security, understanding detection, intrusion, and how to do prevention and take action on an event that occurs from a security layer.
  • Having a single solution that can actually manage the entire infrastructure, soup to nuts.
  • Ability to detect and then take action on it.

How has it helped my organization?

Reducing my OPEX cost by reducing the overhead and training costs of employees and staff. Before, we would have to have a large number of staff to be able to go in and do consulting engagements to mitigate and remediate security intrusions for given clients. Now, using ArcSight, albeit there may be an upfront capital cost to buy the software product, it enables us to speed our time to resolution.

What needs improvement?

ArcSight needs to go the same route that HPE is taking with the virtualization engine of the HP 380, basically making it more of a single pane of glass to be able to deploy and take a tangible action on a security event. Today it still takes a lot of consulting dollars to deploy ArcSight. You have to have a very powerful technologist or technologist team to deploy ArcSight at scale and be able to actually understand the events coming inbound and make the right tangible decisions from those points of ingress or points of notification. That today is, albeit, not horribly hard, as long as you have a trained professional who knows the product. It would be nice to be able to make that a single pane of glass, much like HPE has done with the virtualization concept. It would make that pain point a little less. It's not going to make it perfect, but it would be nice to see improvement in that area.

What do I think about the stability of the solution?

My opinion from a stability standpoint: we don't have any issues. The product runs 24/7/365. Whenever HPE introduces a patch or an enhancement for security concerns, we've never had a problem ingesting it on the fly with little-to-no downtime outside of what's expected from the release of the patch.

What do I think about the scalability of the solution?

I've not had any problems with scaling into tens of thousands of nodes. I guess the biggest problem you're going to have with that would actually be the compute power needed to make the tangible decisions on large-scale environments where you have hundreds of firewalls coming in from different points of ingress. That would be a concern, but again, that's not because of ArcSight; it's basically just compute power.

How are customer service and technical support?

It has improved substantially over the last two years. I'm going to rate them at 3/5 because when you call in the time to remediation is long right now. I'm not going to fault any one person on that. It's a complex security tool, so calling in and trying to get that omission, crystal ball appearance is difficult. I get that. Is there room for improvement? Of course there is.

Which solution did I use previously and why did I switch?

Well, we have different tools out there, but the most common one everybody's going to know about is Splunk. Feature, function and price were why we switched. When we're able to deliver similar features and functions, and add in additional intellectual property from HPE with respect to the decision trees of ArcSight and being able to take tangible actions on the stuff that's coming inbound, that's great. Other tools can do that. Now you're just talking about price in the industry. When we're able to deliver the same features and functionality at a lower cost to the client, typically we'll win with ArcSight.

How was the initial setup?

Straightforward for the most part, but there are limitations. For example, in the virtualization engine of the J80, the Instant On, which is a OneView Instant On product line: it does work great, as long as you have your infrastructure. Our clients give us all the necessary requirements, such as the AD and IP addresses, the DNS, the subnets and so on. As long as all that works seamlessly, then we can usually bind that HP 380, the Instant On, into the infrastructure seamlessly. Does it always work smoothly? No. But that's not necessarily HPE's fault; it's because the infrastructure doesn't always lend itself to easy integration.

What other advice do I have?

I'm going to rate it at a 9. There's always room for improvement, of course, and maybe I'll be fair and give it an 8.5. The only reason I would do that is because, again, coming up with that single pane of glass, easier management style, and more about deployment. You don't have to have that powerhouse technologist that knows every trick of the trade to go in and deploy it and get all the bells and whistles. Is that a perfect model that will ever be achieved? Of course not. Can there be improvement? Sure there can. What I'm shooting for is have an ArcSight solution that can get me 90 percent there, and then the customization of ArcSight will be reduced substantially, so that the customers' adoption of a new security style tool will be easier to swallow, and it will lend itself to a larger footprint over time as the customer builds comfort with the product.

With respect to the software on ArcSight, concept's the same on that. When we actually ask for improvements on the product, they've made those enhancements and made those fixes. Now with respect to me asking for a single pane of glass? I know they're working on it, I'm sure they are. It's a pain point that not only we have, but a lot of our customers have. If we're having the same conversation next year, I'll be disappointed. I'm hoping that the single pane of glass comes out soon.

Disclosure: My company has a business relationship with this vendor other than being a customer: We're a partner and reseller.
Omar Sánchez (Mr.Tech)
Information Security Advisor, CISO & CIO, Docutek Services at Docutek Services
Consultant
Has helped us to gather, store, correlate and analyze security log data from many different information systems.

Valuable Features:

Intrusion Detection System (IDS)

Security Information and Event Management (SIEM)

Improvements to My Organization:

To organizations like mine, the security information and event management products being introduced in the industry, as an outcome of several vulnerabilities, are able to provide real-time monitoring, reporting and defense against these attacks. It has helped us to gather, store, correlate and analyze security log data from many different information systems.

Room for Improvement:

For this review, ArcSight sent me the Logger 4 7000-series appliance (2U) with six 1TB RADIUS drives, the maximum amount of internal storage available. I would like to see a threat analytics module. Also, the ability to produce reports.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partners
it_user427377
Senior ICT Security Officer at a financial services firm with 1,001-5,000 employees
Vendor
It provides us with event correlations that are automated and prioritized according to level of security risk and compliance violation.

Valuable Features:

  • Real-time rules for threat detection
  • Event correlations that are automated and prioritized according to level of security risk and compliance violation

Improvements to My Organization:

It allows us to be in better compliance with security protocols. It also gives us a better global vision of what is happening in the organization in terms of security threats and how best to analyze and mitigate them.

Room for Improvement:

I would like to have native cluster for connectors as a software version and not as an appliance. It also needs a better disaster recovery procedure.

Use of Solution:

We've been using ArcSight since 2007.

Deployment Issues:

We've deployed it without any issues.

Stability Issues:

We haven't had any issues with instability.

Scalability Issues:

It's scaled fine for our needs.

Other Solutions Considered:

We chose ArcSight when they had no real competitor and we stayed with them.

Other Advice:

I'm pleased with the current capabilities.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user417585
Information Security Architect at a tech services company with 51-200 employees
Consultant
Its flexibility is achieved by being easy to use, and at the same time having very sophisticated FlexConnectors.

What is most valuable?

The best feature of ArcSight is its flexibility. Almost no other vendor provides such a good framework to collect, parse, and analyze data. Its flexibility is achieved by being easy to use, and at the same time having very sophisticated FlexConnectors. Also, I've found ArcSight's correlation engine to be the most advanced on the market.

How has it helped my organization?

My customers who use ArcSight report that it becomes very useful in incident detection and forensics. It's really sped up disclosure of inappropriate activity in information systems and on the network. Flexible event collection allows getting crucial events from almost every possible source. And correlation abilities are incredible if you know how to cook it.

What needs improvement?

Many competitors are going down the road of combining their products with other security products, such as vulnerability scanning, configuration control etc. HP's position doesn't change in that area as they offer to use their standalone solutions and integrate them in ArcSight. There are no embedded scanners or network forensics. Maybe it's time for HP to rethink that position.

For how long have I used the solution?

I've been working with HP ArcSight since 2008. All that time, the product has been growing and evolving, trying to give us more profit and a better experience to old and new customers.

What was my experience with deployment of the solution?

We have had no issues with the deployment.

What do I think about the stability of the solution?

If you encounter serious performance problems, you didn't size correctly prior to deployment.

What do I think about the scalability of the solution?

The scalability options are pretty good although costly.

How are customer service and technical support?

Customer Service:

Every product has its stability bugs, and ArcSight is not an exception, though I haven't found anything critical.

Technical Support:

I must say that tech support is getting worse and worse every year. Hard cases may "hang" for months. In simple cases, support often demonstrates a lack of deep knowledge. When ArcSight was not HP, its product support was much much better. Even first-line support could help with anything.

Which solution did I use previously and why did I switch?

As a systems integrator, we constantly evaluate different solutions and deploy not one but many of them. My personal opinion is that the crucial feature of a SIEM system is flexibility. The more you can tune, adjust, and develop the system, the more profit you will get from it. If we're talking about SIEM solutions, then no one can offer such flexibility as ArcSight. Splunk maybe, but Splunk is not a SIEM, and to get SIEM-like features from it you spend more time and money.

What about the implementation team?

As a system integrator, I always say that implementation must be done by an experienced team. SIEM solutions are not easy, so if time is important, do not rely on doing it haphazardly.

What's my experience with pricing, setup cost, and licensing?

We would like it to be cheaper, but the licensing model is pretty simple.

What other advice do I have?

You need to read the documentation - you can then get it fast and working. If you do not read the documentation, you get pain and tears. Look for an experienced team to deploy the solution, or get experience yourself as HP has some good learning courses.

Deep knowledge of the product will come later, but for the correct implementation you need to be prepared. ArcSight has wonderful community, and you can always ask a question or find an interesting use case there. It's a very useful resource indeed, do not hesitate to visit it.

Disclosure: My company has a business relationship with this vendor other than being a customer: We integrate ArcSight for our customers.
it_user417483
Senior IT Security Consultant, Cybersecurity Technology Services at a consultancy with 1,001-5,000 employees
Consultant
It has flexible and rich correlation capabilities. It has the capability to manipulate every parameter - sub-strings, indexes, and custom functions.

Valuable Features

  • It has flexible and rich correlation capabilities. This is the most mature product in this area.
  • It has the capability to manipulate every parameter - sub-strings, indexes, and custom functions.
  • Active Lists - This is the most powerful feature which supports correlation. It also has multi-column active lists, parameters manipulation, and correlation capabilities that provide great flexibility.
  • Full control of correlation flow - There are no black-box closed rules, unlike with McAfee Nitro, and no default aggregation which is hard to analyze, unlike Offenses in QRadar.

Improvements to My Organization

This is the best product to build and support SOC operations and SOC use cases.

Room for Improvement

The layout of the analyst's console needs improvement. It has had no significant changes in at least nine years. Also, the advanced statistics in visualizations simply don't work, and I've performed an analysis of these functions.

Use of Solution

We've been using it for nine years.

Deployment Issues

We have had no issues with the deployment.

Stability Issues

We have had no issues with the stability.

Scalability Issues

We have had no issues scaling it for our needs.

Customer Service and Technical Support

I have not had to use tech support for at least two years now. From what I recall, they were good.

Initial Setup

The initial setup was simple and the implementation was straightforward, as the supporting documentation is pretty good. The setup help available from the analyst console is really great and comprehensive, with diagrams and screens.

Implementation Team

ArcSight makes it easy to achieve ROI because of its great flexibility.

Other Solutions Considered

This is the best SIEM solution on the market compared to its competitors. I'm also familiar with IBM QRadar, RSA Security Analytics, McAfee Nitro, and Splunk.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user428250
System Engineer at a tech services company with 51-200 employees
Consultant
When I am facing a problem such as transaction fraud, we can investigate using ArcSight by tracing the log through its correlation. They need to fix some bugs and increase the search speed.

Valuable Features

The dashboard is the most valuable feature for us as it can show a lot of information about real-time incidents.

Improvements to My Organization

When I am facing a problem such as transaction fraud, we can investigate using ArcSight by tracing the log through its correlation.

Room for Improvement

They need to fix some bugs and increase the search performance speed. Sometimes there are issues when I perform log correlations.

Deployment Issues

We have had no issues with the deployment.

Stability Issues

There have been no stability issues.

Scalability Issues

We have had no issues scaling it for our needs.

Customer Service and Technical Support

Customer Service:

5/10

Technical Support:

5/10

Initial Setup

The initial setup was quite easy and straightforward.

Implementation Team

I work for a reseller, and we set up ArcSight for our customers, and I am learning a lot about its architecture.

Other Solutions Considered

For SIEM, I think HP ArcSight is a leading competitor alongside Splunk.

Other Advice

You need to learn about architecture and practice more before implementation since this product is not easy to learn and takes time to master.


Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user410400
Senior Cyber Security Analyst at a tech services company with 10,001+ employees
Consultant
It allows for easy log analysis as well as correlation and alerting.

What is most valuable?

  • Logger
  • Command Center

How has it helped my organization?

The ArcSight ESM allows for easy log analysis as well as correlation and alerting. Logger is an indexed database which allows for faster, historical searching. The versatility to use SQL queries is helpful.

What needs improvement?

There are some limitations on the functionality of Rules that I would like to see expanded. I would like to see some better support options in the ArcSight community for HP Protect. Unless someone in your organization is an ArcSight SME, you are going to have a difficult time getting answers.

For how long have I used the solution?

I've used it for two years.

What was my experience with deployment of the solution?

There were no issues with the deployment.

What do I think about the stability of the solution?

We've not had any issues with the stability.

What do I think about the scalability of the solution?

We've had no issues scaling it for our needs.

How are customer service and technical support?

I would give it 3/10. A lot of the support is community based. That strategy can work, but the answers are sometimes incomplete, incorrect, and can take a long time to get.

Which solution did I use previously and why did I switch?

I have used QRadar and Splunk. Both have great functionality that make them easy to use, but ArcSight has a very consistent layout and their logic is easy to figure out.

How was the initial setup?

I was not involved in the setup.

What's my experience with pricing, setup cost, and licensing?

I'm not involved in pricing or licensing.

What other advice do I have?

It's a well-rounded product, especially with the addition of Logger and Command Center. I felt it was easy to understand and use right from the start. There are some companies that do not take advantage of everything ArcSight can offer, a problem I think ArcSight can fix with better support alternatives.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user409212
Cyber Security HP Arcsight Dev Ops Lead Developer with 10,001+ employees
MSP
The CORR engine and ability to build complex correlations from simple 'building blocks' are the most valuable features for us.

What is most valuable?

The real-time correlation (CORR) engine and ability to build complex correlations from simple 'building blocks', provided the base 'building blocks' are well thought out in the first place, are the most valuable features for us.

How has it helped my organization?

The ways in which it's improved our organization are too numerous to mention. But you have to have good, steady resources and well worked-out use cases. ArcSight can report on many things and save on repetitious daily monitoring.

What needs improvement?

There are a lot of improvements that need to be made, too many to mention all of them, but some improvements with the Con App would be a good start.

For how long have I used the solution?

We've used it for over eight years.

What was my experience with deployment of the solution?

We did have issues at the start, but this comes down to having good HP ArcSight architects to start with, which we didn't when the project started.

What do I think about the stability of the solution?

We did have issues at the start, but this comes down to having good HP ArcSight architects to start with, which we didn't when the project started.

What do I think about the scalability of the solution?

We did have issues at the start, but this comes down to having good HP ArcSight architects to start with, which we didn't when the project started.

How are customer service and technical support?

With HP themselves, they need a lot of pushing to get them to get seriously involved with issues, given that they are paid a lot of money to provide support and deliver top SLAs.

Which solution did I use previously and why did I switch?

We mainly use HP ArcSight, but also Splunk. I didn't have a say in making the choices.

How was the initial setup?

The initial setup was fairly straightforward, but the overall architecture planning needs seasoned professionals who understand what ArcSight is and how it needs to be deployed.

What about the implementation team?

The installation had already been implemented by an HP subsidiary who were fairly good when performing the installation. Despite that, they did a poor job of implementing the hardware.

What's my experience with pricing, setup cost, and licensing?

The HP products are expensive.

What other advice do I have?

It's a fantastic product and highly configurable, but it needs nothing less than a seasoned cyber security professional with serious engineering expertise and a real desire to provide meaningful use cases. Anyone that says ArcSight is 'fire and forget' should not be allowed to work in cyber security!

If you want Arcsight implemented correctly, start by sizing your organization, and looking at data flows and the available data streams. Be mindful of regulatory and compliance reporting, Risk and Legal as well, as you may need to factor in any and all of these when working with enterprise solutions.

Disclosure: My company has a business relationship with this vendor other than being a customer: We have a business relationship in place with HP.
it_user409203
Security Business Analyst at a tech services company with 10,001+ employees
Consultant
It has good options for shaping data and using them in very complex rules. Performance is the product's Achilles' heel.

What is most valuable?

I think the ability to create rules more flexible than in other products (i.e. IBM QRadar) is its most valuable feature. It has good options for shaping data and using them in very complex rules.

How has it helped my organization?

It has increased our detective capabilities in the cybersecurity landscape. We're able to build SOC around it, and make it a central tool for detecting network compromises.

What needs improvement?

Performance is the product's Achilles' heel. The aggregation can't be done for a long period of time, i.e. one week. On top of that, in comparison to the competition, ArcSight works very slowly and the WebUI is not very user-friendly.

For how long have I used the solution?

We've been using it for 10 months and the program is still in the development phase.

What was my experience with deployment of the solution?

There were no issues with the deployment.

What do I think about the stability of the solution?

There have been no stability issues.

What do I think about the scalability of the solution?

We have had no issues scaling it to our needs.

How are customer service and technical support?

The level of technical support is low. I think HP should invest money to train support people. Furthermore, sometimes I feel they are overworked because they used to sending notifications about cases without closing them.

Which solution did I use previously and why did I switch?

Previously, I worked with IBM QRadar.

How was the initial setup?

SIEM in general is not straightforward. I think the initial setup was simple, but to get value from this product, you have to do something more than the initial setup.

What about the implementation team?

We did it in-house with help from the vendor's professional services. My advice is to think first where you would like to put your collectors. Assess if your network will be able to lift extra loads, assess what logging level will be required, and if log sources are capable of delivering it.

Which other solutions did I evaluate?

ArcSight was chosen by my new company management without asking me for my opinion.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
IT Security Assistant Manager at an insurance company with 5,001-10,000 employees
Vendor
It allows us to traceback security threats, to generate usage trends and discover anomalies.

Valuable Features:

For us, there are several valuable features.

  • The ability to correctly parse the largest number of products compared to its competitors;
  • The ability to create very complex scenarios to detect security risks and anomalies;
  • Very stable system components (connectors, logger and correlation engine) combined with satisfactory vendor support; and
  • The ability to create parsers for all kinds of applications and systems is an important differentiator.

Improvements to My Organization:

It greatly changed our work habits in the organization allowing us to not only trace back security threats, but also to generate usage trends, discover anomalies and so many other usages. It quickly became an indispensable tool.

Room for Improvement:

They can definitely provide faster search response and offer larger on-the-box storage support. The predefined correlation ruleset can be improved to cover more security alerts and more products.

There is also still room for improvement in processing speed. Easily accessible documentation, such as reference architectures, does not exist; more guidance could be provided to customers for such a complex product.

Deployment Issues:

We've had no issues with deployment.

Stability Issues:

We've had no issues with stability.

Scalability Issues:

We've had no issues with scalability.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user406278
EVP & Global Head - Services at a tech company with 1,001-5,000 employees
Vendor
The live threat feed keeps us abreast of the latest threats. The initial setup required a lot of customization.

Valuable Features

From the time that we purchased it, the multi-tenancy feature has been the most valuable for us. At the time, HP was the only vendor with this feature, but it seems that every vendor today does. Another feature we like is the live threat feed that's quite advanced. HP is the industry leader with this from an SIEM perspective.

Improvements to My Organization

From a daily perspective, ArcSight prevents attacks while it actively monitors our systems. It provides us analytics for these attacks and helps keep us abreast of the latest threats because of live threat feeds.

Room for Improvement

It's complicated to deploy. I need a logger at each site, which also gets quite expensive. There are no shared loggers.

Deployment Issues

We've had no issues with deployment, although it's complicated.

Stability Issues

It's a pretty stable solution. We've had no issues with instability.

Scalability Issues

It's very scalable.

Customer Service and Technical Support

They're pretty good and responsive.

Initial Setup

The initial setup was complex and required a lot of customization and tinkering. There are other products on the market that are very light, and this is not one of them. To get all the functionalities and to exploit them, it takes a long time to deploy. It takes 3-4 months.

Pricing, Setup Cost and Licensing

It's very expensive in its licensing model.

Other Advice

Definitely consider it as a top-3 choice, but know what you're trying to achieve with an SIEM tool.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user406062
Sr. Director, Corporate Information Security at a comms service provider with 1,001-5,000 employees
Vendor
It correlates security events and then allows us to take action to address those events.

What is most valuable?

The most valuable feature for us is its ability to correlate security events and then allow us to take action to address those events.

How has it helped my organization?

We're able to customize it so that it suits our business needs.

What needs improvement?

Although we're able to customize it, it requires some level of subject-matter expertise for all the special adapters for collection.

We also had initial stability issues that were probably caused by our architecture and not the solution itself.

For how long have I used the solution?

We've been on the on-site platform for four years.

What was my experience with deployment of the solution?

We've had no issues with deployment.

What do I think about the stability of the solution?

We had some initial issues with stability, but we worked through it. I think our architecture and design were initially flawed, so that was more of our problem and not HP's.

What do I think about the scalability of the solution?

We've had no issues scaling it in the last three years.

How are customer service and technical support?

We've used technical support several times and found them to be good.

Which solution did I use previously and why did I switch?

We moved from a managed outsource service, provided by a competitor. He wanted to in-source it, or in-house it, so we had the ability to be a little bit more effective and nimble.

How was the initial setup?

The initial setup was complex, but HP's professional services helped us out.

What other advice do I have?

Make sure you staff up internally, and have the right subject-matter expertise to take advantage of the platform. Otherwise, it's not going to help.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user402840
Senior Manager Fraud Services at a financial services firm with 1,001-5,000 employees
Vendor
It's a reliable service and provides our team members with a lot of knowledge.

Valuable Features:

It's a reliable service and provides our team members with a lot of knowledge. In turn, it provides solutions for the needs of the IT department.

Room for Improvement:

There are improvements that could be made to help us ensure that we're in compliance with our monitoring requirements.

Use of Solution:

I've been in my group for over eight years and we've used it for the entire time. I'm not sure when the initial implementation was.

Deployment Issues:

We've had no issues with deployment.

Stability Issues:

It's consistently stable. I've not heard any complaints about instability.

Scalability Issues:

HP has delivered for our company and its size.

Initial Setup:

The initial setup was done more than eight years ago before I started with the company.

Implementation Team:

We bring in an HP consultant for development and implementation.

Other Advice:

It's a solid product supported by a solid company.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
FS
Senior Manager - Cyber Security at a comms service provider with 1,001-5,000 employees
Real User
Top 20 Leaderboard
The two most valuable features for us are the deployment strategy and its operational ease.

What is most valuable?

The two most valuable features for us are the deployment strategy and its operational ease.

How has it helped my organization?

As it's an SIEM solution, it won't prove anything overnight. We're still in the implementation stage and filtering out all the noise. It's operationalized, but we're fine tuning it.

What needs improvement?

I'd like to see some threat intelligence out of the box rather than adding it in subscriptions. It also needs more straightforward and simplified correlation rules so that a SOC analyst can dive right in rather than undergo a separate induction program. Right now, the attrition rate is high.

For how long have I used the solution?

We've had it for about eight months now.

What was my experience with deployment of the solution?

We haven't had any issues with deployment.

What do I think about the stability of the solution?

It is a stable product. We've had no issues with instability.

What do I think about the scalability of the solution?

We haven't had a need to scale yet, and maybe not for another two or three years.

How are customer service and technical support?

System integrated support is there, but we haven't had any need to contact HP support. We will soon, though, because we don't really know how to fine tune the product.

Which solution did I use previously and why did I switch?

The threat landscape was the trigger for needing a SIEM product to correlate everything that is going on within the environment.

How was the initial setup?

We're still in the implementation stage because it's complex. So the basic things are done, but not the full-scale deployment. It's a process.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user400656
Security Practice Director at Rolta AdvizeX
Consultant
Capable product that integrates with many different platforms.

Valuable Features

They've been the leader of the SIEM market for fifteen years or so. ArcSight is a very capable product that integrates with many different platforms. It's huge with a lot of moving parts, but nothing can compete with it in terms of capability.

Room for Improvement

I'm a little concerned that the market is moving around ArcSight. It's a fantastic SIEM, but the recent metrics show that relying too heavily on a SIEM solution isn't protecting us. ArcSight addresses that by integrating with other solutions, but I'd like to see that be a more central element of it.

Deployment Issues

We've had no issues with deployment.

Stability Issues

It is incredibly stable and road-tested, reasons why it's a market leader.

Scalability Issues

It's highly scalable. It works in small scenarios as well as the biggest that I can imagine.

Customer Service and Technical Support

Technical support from the vendor has been good. There's a particular challenge with ArcSight not in the technical support, but in the fact that it supports the platform and the integration.

Initial Setup

The initial setup is relatively complex because it's not a small solution. It's not only complex to set up, but the interface with business operations is even more complex around scoping, implementing, and running an implementation.

Other Advice

Make sure you tune it to your business and infrastructure, which isn't necessarily part of technical support. It requires some consulting, which is a market challenge of the product.

It's not a one-size-fits-all solution and it isn't sold with the appropriate professional services. So the number one thing with ArcSight is that you have to make sure that you get professional services to help size it for your particular use case, including integrations with your tools, operational model, and security operations.

Disclosure: My company has a business relationship with this vendor other than being a customer: We're partners.
it_user399357
Security Response Engineer at a media company with 10,001+ employees
Real User
It reduces the amount of time required to perform an investigation because of the correlation and aggregation of all the events.

Valuable Features

It reduces the amount of time required to perform an investigation because of the correlation and aggregation of all the events. From what I've seen for our network, it's the best at ingestion of events.

Improvements to My Organization

We're a large organization, and the tool scales very well for us.

Room for Improvement

The technical support needs to be improved.

Deployment Issues

We've had no issues with deployment.

Stability Issues

Whether we've had issues with stability is a hard thing to say because we're on the cutting edge of virtualization. When we were on older hardware with physical servers, it was relatively stable. But we ran into issues with support, and we decided to virtualize a lot of it: everything from the loggers to the ESM. We see a lot of performance gains, but our biggest hangup is support. The tool itself is great, but when we run into a hiccup, it seems they don't have the expertise on the support side to get us quickly back to where we need to be.

Scalability Issues

We have well over 100,000 employees and we've virtualized a lot. Again, the problem is with getting support as we scale.

Customer Service and Technical Support

They don't listen when we report an event or issue. We tend to be on the bleeding edge, so we have to do our own troubleshooting and perform our own resolution of events. When we send information, they've often asked for logs. And sometimes we don't get responses at all. I often have to ask for a status update on our tickets, which oftentimes get sent to non-US support teams. They're then re-assigned back to the US and there's a lot of confusion.

Technical support has been so frustrating that we've brought in an intermediary, LiveQuest, to deal with HP support for us.

Initial Setup

I've set it up so many times now, it's really hard for me to describe it. It's pretty straightforward and has become second nature for me.

Other Advice

You have to really know your environment. Have a good SE, and be prepared to do a lot of your own homework.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Vinod Shankar
Manager, Enterprise Risk Consulting at a tech company with 1,001-5,000 employees
Consultant
Network investigation is poor but it's highly customizable

Valuable Features:

  • Powerful Correlation
  • Customization
  • Integration capabilities

Room for Improvement:

  • Very complex install and management
  • Steep learning curve
  • Poor Network Investigation
  • Poor analytics

Use of Solution:

Six years.

Stability Issues:

Yes. The Logger, ESM and Connector ecosystem, if not set up properly, leads to stability issues both in point operations as well as integrations.

Scalability Issues:

No. ArcSight is very scalable.

Customer Service:

3 out of 5.

Implementation Team:

We implemented it in-house.

ROI:

Poor as the product takes more effort to generate value. Its CAPEX cost is high too.

Other Advice:

If you really want the power and flexibility of customizing your Security monitoring and correlation, go with ArcSight, but beware of the effort involved in set up and maintenance.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user147210
Sr Security Engineer at a tech services company with 51-200 employees
Consultant
There are SO MANY things you can do in AS, and there is a lack of really in-depth documentation on a lot of it.

What is most valuable?

Not really a feature, per se, but the ability to do multi-tenant SIEM.

How has it helped my organization?

We help our customers do more than 'check a box' for security and compliance and we are very proud of that. We tend to be more like partners to a lot of our customers, and they rely on us to deliver high-fidelity, relevant security alerts.

What needs improvement?

There are SO MANY things you can do in AS, and there is a lack of really in-depth documentation on a lot of it. I am not sure why this is, but it is a little hard to be self-sufficient when this is the case. I am sure this is why real ArcSight experts are in demand! Being too feature-rich can be as bad as being oversimplified!

For how long have I used the solution?

I have been working as an analyst using AS for 9 months now. This work involves monitoring the multi-tenant implementation of AS, sending reports to customers, doing investigations on alerts that come in, and implementing new Connectors and content. Connectors are how AS gets events from the devices.

What was my experience with deployment of the solution?

Again, system complexity can be an issue, but not really.

What do I think about the stability of the solution?

None. ArcSight is very stable. Period.

What do I think about the scalability of the solution?

Again, none. It is a system that is more than capable of multi-tenant implementations.

How are customer service and technical support?

They try really, really hard.

Which solution did I use previously and why did I switch?

No, the folks I work for were at ArcSight before HP acquired it and have always been users and proponents of it. It's a powerful product for sure.

How was the initial setup?

Setup is fairly complex, and with so many features, it is difficult to just 'set it and forget it' with ArcSight. It requires a lot of care and feeding, as well as a pretty good amount of ongoing maintenance and configuration to really get good quality alerts out of it.

What about the implementation team?

In-house experts.

Which other solutions did I evaluate?

I've been looking at Open Source SIEM recently, and paying a lot of attention to the others in the commercial market, like IBM and McAfee, but I don't have any practical experience. I have heard mixed reviews about all of them (including AS from some folks I know).

What other advice do I have?

Implementation advice: this is a big job, and unless you are able to hire and train a dedicated SIEM engineer, I would look at getting staff augmentation from HP or other consulting types. Be prepared to Read The Friendly Manual (RTFM), and do a lot of searches online. Take the entry-level certs that HP offers, and get classes if there is budget.

Disclosure: My company has a business relationship with this vendor other than being a customer: ArcSight partner
it_user142611
Information Security Professional at a financial services firm with 1,001-5,000 employees
Real User
The response is good for Read/Write functions but I've encountered other minor issues. Better than its competitors.

Valuable Features

Correlation Rules, Dashboards, Active Channels, Active Lists and many more. All these features make this product better than its competitors.

Improvements to My Organization

ArcSight functions to integrate all network & security logs. It's very easy to use and thus real time monitoring has become easy by implementing active channel with all correlated alerts. SOC can monitor these correlated alerts and take action on them.

Room for Improvement

ArcSight uses Oracle DB, which is a bit slow for read/write functions and the main downside to this product. Recently, HP came up with a custom DB for ArcSight 6.0 which they are calling CORR engine. With these Read/Write functions, response is good but unfortunately I've encountered many other minor issues which have room for improvement.

Use of Solution

I've been using it for the last 6 years.

Deployment Issues

Yes, minor issues were encountered and resolved in a timely manner by HP support.

Stability Issues

Yes, read/write functions to the DB are the main concern and this slows down event processing.

Scalability Issues

I don't think there are any issues with Scalability.

Customer Service and Technical Support

Customer Service:

Good

Technical Support:

Pretty good and timely.

Initial Setup

Slightly complex, but manageable.

Implementation Team

With the help of a vendor team. They are really helpful and cooperative.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Senior Manager of System Security with 501-1,000 employees
Vendor
4 stars, not 5 due to the sheer magnitude of work and understanding to have a highly functioning implementation.

What is most valuable?

Custom data parsers and custom event / asset categorization.

How has it helped my organization?

Allowing for non-conventional data feeds from HR into our overall security monitoring practice has allowed us to catch gaps in our exit checklist for employees, among other things.

What needs improvement?

The network modeling and asset categorization needs to be simplified to facilitate wider adaptation amongst customers.

For how long have I used the solution?

I have been working with ArcSight for over 8 years.

What was my experience with deployment of the solution?

I have never deployed an ArcSight installation without encountering several issues; I have over 40 deployments to my credit.

What do I think about the stability of the solution?

Absolutely, the new CORR engine is a vast improvement but was pushed out to customers too quickly. Several key components of our analysis workflow broke due to the new event processing scheme.

What do I think about the scalability of the solution?

Not so much on the ESM level, but it gets expensive to scale at the logger level.

How are customer service and technical support?

Customer Service: Support can use vast improvements, but your technical account managers are great. No complaints there.

Technical Support: Lacking.

Which solution did I use previously and why did I switch?

I am a Sr. Principal Architect and design and go with the best solution for the customer; I am currently deploying a solution around Logstash, Elasticsearch and Kibana.

How was the initial setup?

Lots of moving parts.

What was our ROI?

Hard to determine; ArcSight is a product that costs millions to implement and takes several months to years before the ROI is clear.

What's my experience with pricing, setup cost, and licensing?

For this particular project $2.4 million USD.

What other advice do I have?

Understanding of your environment and data sources is key before correlation can occur. Make sure your environment is at a point where augmentation of the existing analysis workflow is required, and you are not using a SIEM to establish one.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user126918
Information Security Consultant with 1,001-5,000 employees
Vendor
ArcSight helps a lot in auditing system and network admins; Needs to improve in High Availability

What is most valuable?

The ArcSight log collection mechanism is simple and it supports a large number of devices. Rules, reports and dashboards can be customized based on the user requirements, and hence it helped a lot to impress our customers. Additionally, ArcSight has tight integration with incident response tools such as HP Threat Response Manager, CIRT and EnCase. ArcSight provides a platform to integrate third-party dashboard tools such as idashboard and Tableau. Also, HP ArcSight's inbuilt case management is very simple and cases can be exported to external HP Service Manager.

How has it helped my organization?

ArcSight helps to track all configuration changes and correlates them with corresponding service tickets. Hence, it helps a lot in auditing system and network admins with minimal time and cost. ArcSight use cases help us to detect insider threats as well as external attacks. Before implementing SIEM, these were not detected by the manual monitoring process. Lastly, ArcSight helps the human resource team and fraud management team in incident analysis and provides forensic data as needed. This was always a challenge to the team previously.

What needs improvement?

As of now, HP doesn't have healthy integration of flows; this could use significant improvement. High Availability is a major concern for all of our customers, and HP needs to significantly improve in HA.

For how long have I used the solution?

I have been using this solution for the last 6 years.

What was my experience with deployment of the solution?

No. ArcSight implementation is simple and robust.

What do I think about the stability of the solution?

Yes. ArcSight Logger and Connector appliance RAID failed sometimes.

What do I think about the scalability of the solution?

No.

How are customer service and technical support?

Customer Service: Good.

Technical Support: HP support needs to improve a lot. For solving one ticket HP support takes a lot of time, and there is no proper problem management process.

Which solution did I use previously and why did I switch?

I have been working with ArcSight since I started my career.

How was the initial setup?

Straightforward. All the components are clubbed into a single installable, so installation is very simple and straightforward.

What about the implementation team?

Vendor. They had a good amount of ArcSight implementation experience.

Which other solutions did I evaluate?

We evaluated Alien Vault.

What other advice do I have?

I would recommend buying ArcSight.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user126648
Senior Security Analyst at a tech services company with 10,001+ employees
Real User
Great Scalability and Adaptability but it's Expensive

What is most valuable?

Scalability and adaptability. By scalability, I mean the number of devices supported by ArcSight. You can make changes to the current deployment if required, or add a new region to the scope by adding components of ArcSight. By adaptability, I mean that once the analysts see what can be achieved by utilizing the various resources of ArcSight, it motivates them to come up with new ideas and how to implement them. The interface is quite user-friendly compared to other vendors.

How has it helped my organization?

We could extract meaningful data out of the billions of security events and relate it with the extra information we had for our assets.

What needs improvement?

Support from the vendor and pricing.

For how long have I used the solution?

3 Years.

What was my experience with deployment of the solution?

No

What do I think about the stability of the solution?

Yes, Oracle bugs mostly.

What do I think about the scalability of the solution?

No.

How are customer service and technical support?

Good.

Which solution did I use previously and why did I switch?

I have worked on multiple SIEM products. I work as a Senior Security Analyst and have a minimal role in deciding the solution. I only work where it is explicitly an HP ArcSight environment or deployment.

How was the initial setup?

Straightforward.

What about the implementation team?

Through an in-house team.

What other advice do I have?

Best SIEM product but it's high on pricing and licensing.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user126642
IT Security Consultant at a tech services company with 51-200 employees
Consultant
The ESM and logger are powerful tools but log support needs improvement

What is most valuable?

Too many to name, but here are a few:
  1. Its versatility when it comes to vendor support.
  2. The ESM and Logger are powerful tools. If used properly, we can achieve much more than we previously could. The Alert and Case Tracking mechanisms contribute to the work of ESM and Logger.
  3. Express, all-in-one component is best for small businesses.
  4. NTP is efficient in blocking identified threats.
  5. ArcSight Flex Connector Development module is an excellent feature if you want to get the logs from unsupported vendor products.

How has it helped my organization?

I am a service provider for this product, so I provide value to the customer based on their requirements. The requirements are generally along the lines of compliance and better security visibility into what is going on in the organization, who is doing what, etc., and mitigating external threats like port scans, DoS, malware ingestion, phishing, etc.

What needs improvement?

Better reporting with the nice look and feel available in the wider market; also more vendor log support. HP should improve their Tech Support status.

For how long have I used the solution?

3+ years

What was my experience with deployment of the solution?

A few, depending on the specific organization's structure and policies.

What do I think about the stability of the solution?

No

What do I think about the scalability of the solution?

The solution itself is very scalable, but it is also a lot more expensive than other players.

How are customer service and technical support?

Customer Service: Poor.

Technical Support: Poor.

Which solution did I use previously and why did I switch?

No

Which other solutions did I evaluate?

Splunk, RSA Envision, McAfee Nitro and IBM QRadar

What other advice do I have?

Consider the complexity of this solution and choose the right people to deploy it.
Disclosure: I am a real user, and this review is based on my own experience and opinions.