This enterprise security management software combines event correlation and security analytics to identify and prioritize threats in real time and remediate incidents early.
HPE ArcSight ESM (license) is rated 3.8 out of 5 by 12 reviewers.
Rated 4 out of 5 by Hatem Metwally from Parses raw logs, converts them to common event format so you don't need expertise in all products

Improvements to My Organization: This product is one of the best SIEM solutions, which helps SOC analysts to consolidate all security-relevant logs of many products into one place in a common format. It doesn't require that you have expertise in each and every product. It facilitates pinpointing indicators of compromise and investigating security incidents more quickly than the legacy way of checking every product log separately. The old way required a huge effort (and the pain) of human correlation.

Valuable Features:
* SmartConnector: Normalization parses raw logs and converts them into CEF (common event format). This is the core of the product.
* Filtration, Aggregation: Both features provide a good way to save EPS (events per second).
* Logger: Long log retention, fast search, and reporting.
* ESM/Express: Correlation via standard rules and data monitors, active list, session list, active channels, reports, trends, queries, dashboards (query viewers and data monitors), and lightweight rules.

Room for Improvement: Developing more products/modules that make it more independent from relying on other vendors' products to get all the necessary logs. For example, develop NetFlow appliances that can be installed in the customer network on span ports, collect NetFlow, and send it to ArcSight without relying on the devices' NetFlow capability and their position in the network.

Stability Issues: Overall, the product stability is very good. But without continuous tuning of the developed content, and with improper usage of the product, you can encounter performance issues with ESM/Express, and sometimes hangs, which require a services restart.

Scalability Issues: No.

Customer Service and Technical Support: Sometimes very good and sometimes moderate.

Previous Solutions: No.

Initial Setup: Straightforward for Logger and Express appliance; more considerations for ESM software version.

Pricing, Setup Cost and Licensing: HPE ArcSight pricing might be more expensive than other SIEM solutions, but in my opinion it has powerful features and great flexibility in developing complex use cases. So, in my opinion, it's worth trying first (via PoC, for example) before making any decision based on cost.

Other Solutions Considered: No.

Other Advice: If you are implementing Express/ESM, I advise disabling all out-of-the-box content and building your own. Also, keep monitoring partial matches and your session/active list sizes as you develop your correlation rules, as they have a big performance hit on the system.

Disclaimer: My company has a business relationship with this vendor other than being a customer: HPE implementation partner.
Date published: 2018-09-24
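The review above names CEF normalization as the core of the SmartConnector, and a later review on this page notes that a small change in an event's format can stop a connector entirely. The following is an added example, not code from the page or from ArcSight, of what that normalization step has to do: parse the seven pipe-delimited CEF header fields and the key=value extension while honouring CEF's backslash escapes (\| in the header, \= in extension values, \\ everywhere), and reject a malformed line without losing the rest of the batch. The sample events, vendor and product names are constructed for the example.

```python
import re

# Constructed sample events (not taken from the page or from any real product).
# The second one has an escaped pipe in a header field and an escaped '=' in an
# extension value, which are the two places naive split()-based parsers break.
SAMPLE_EVENTS = [
    "CEF:0|ExampleVendor|ExampleFW|1.0|100|Connection denied|6|"
    "src=10.0.0.5 dst=192.0.2.10 dpt=22 act=blocked",
    "CEF:0|ExampleVendor|Web\\|Proxy|2.1|200|URL blocked|4|"
    "src=10.0.0.7 request=http://example.test/?a\\=1 msg=policy hit",
    "Jan 1 00:00:00 host sshd[42]: Failed password for root",  # not CEF at all
    "CEF:0|ExampleVendor|Truncated",                            # header cut short
]

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")


def _unescape(text):
    r"""Undo CEF backslash escapes (\| \= \\) plus the \n and \r newline forms."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  text)


def _split_header(body):
    """Split the seven pipe-delimited header fields, honouring backslash escapes.
    Returns (fields, remainder); the remainder is the unparsed extension text."""
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            buf.append(body[i + 1])      # escaped char: keep it, drop the backslash
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    return fields, body[i:]


def _parse_extension(ext):
    """Parse 'key=value key2=value two' pairs. Keys contain no spaces, values may;
    a value ends at the space that precedes the next key's unescaped '='."""
    if not ext.strip():
        return {}
    starts = []                          # (index where key begins, index of '=')
    i = 0
    while i < len(ext):
        if ext[i] == "\\":
            i += 2                       # skip the escaped character
            continue
        if ext[i] == "=":
            starts.append((ext.rfind(" ", 0, i) + 1, i))
        i += 1
    if not starts:
        raise ValueError("extension has no key=value pairs")
    parsed = {}
    for n, (key_start, eq) in enumerate(starts):
        key = ext[key_start:eq]
        if not key:
            raise ValueError("empty extension key")
        end = starts[n + 1][0] if n + 1 < len(starts) else len(ext)
        parsed[key] = _unescape(ext[eq + 1:end].rstrip(" "))
    return parsed


def parse_cef(line):
    """Parse one CEF line into {'header': {...}, 'extension': {...}}.
    Raises ValueError for anything that is not well-formed CEF."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF event (missing 'CEF:' prefix)")
    fields, ext = _split_header(line[len("CEF:"):])
    header = dict(zip(HEADER_FIELDS, fields))
    if header["severity"].isdigit():     # CEF allows 0-10 or Low/Medium/High/Very-High
        header["severity"] = int(header["severity"])
    return {"header": header, "extension": _parse_extension(ext)}


def parse_many(lines):
    """Normalize a batch: a malformed line is reported, not allowed to stop the rest."""
    parsed, rejected = [], []
    for line in lines:
        try:
            parsed.append(parse_cef(line))
        except ValueError as err:
            rejected.append((line, str(err)))
    return parsed, rejected


if __name__ == "__main__":
    good, bad = parse_many(SAMPLE_EVENTS)
    for event in good:
        print(event["header"]["name"], event["extension"])
    for line, reason in bad:
        print("REJECTED:", reason, "->", line[:40])
```

The design point is the separation in parse_many: a parser that raises on the first bad line, as the later review describes, stalls every well-formed event behind it; collecting rejects separately keeps the pipeline moving and gives the operator a count of malformed input to alert on.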
Rated 4 out of 5 by Ly Binh Lap from FlexConnector collects logs from your own application.

Valuable Features: The ArcSight solution supports your security team with many SIEM features:
* Monitoring
* Analysis
* Alerts
* Incident response

In my opinion, ArcSight is an open solution. It is easy to:
* Customize components
* Use FlexConnector to collect logs from your own application
* Edit rules and the dashboard
* Create workflows
* Enrich information for events

Improvements to My Organization: I work at an ArcSight distributor in Vietnam. I have deployed the ArcSight solution for many customers. Some organizations are using it for the SOC's core and others for monitoring their information systems, critical assets, and regulatory and policy compliance.

Use of Solution: I have over two years of experience.

Stability Issues: It can be overloaded when rules and data monitoring are not optimized and the system receives too many events.

Scalability Issues: ArcSight can be extended to meet the biggest customers' (large enterprise) needs.

Technical Support: ArcSight technical support is enthusiastic. They have a lot of experience and many case studies.

Initial Setup: ArcSight configuration and deployment is complex, because it has many components.

Other Solutions Considered: I researched Splunk, QRadar and AlienVault, and I appreciate Splunk and ArcSight.

Other Advice: ArcSight provides many documents and guides for configuration and operation. Also, you can refer to its community at https://www.protect724.hpe.com ( https://www.protect724.hpe.com/community/arcsight ).

Disclaimer: My company has a business relationship with this vendor other than being a customer: My company is a partner of HPE ArcSight.
Date published: 2017-04-05
Rated 4 out of 5 by Alexander Kuzmin from With multi-tier hierarchical deployment, we are able to integrate and standardize security incident detection and response.

Valuable Features:
* High flexibility: There are many custom sources of information that we wouldn't be able to integrate with another SIEM solution, thus compromising our security.
* High performance: The amount of data fed to the solution is huge (100s of millions of events per day).
* Capacity for multi-tier hierarchical deployment: We are able to integrate and standardize security incident detection and response over many locations.

Improvements to My Organization:
* Losses from security incidents have significantly decreased.
* Security incident discovery and mitigation is a matter of hours, rather than days or even months, like it was before.
* Detailed reports allow for planning and informed decision making.

Room for Improvement: The overall complexity of the product can be overwhelming for some. It's not the type of solution where you just plug it in and it works. Reaping full benefit from it requires quite a lot of custom tuning, qualified IT security personnel, and proper and thorough planning. Technical support from the vendor can sometimes be quite slow and not very helpful, but it is getting better. The GUI is outdated. Improvements on this are on the way, according to the vendor.

Use of Solution: I've been using ArcSight for five years.

Stability Issues: We had stability issues only in a virtual environment, which is not recommended by the vendor for a high-load setup. The main virtual server would crash every now and then. But once we had migrated the setup to a dedicated physical server, we had no major stability issues.

Scalability Issues: Scalability was one of our main concerns while choosing a solution and, so far, it has satisfied our needs in this area without any issues.

Technical Support: Right now, I would call technical support moderately good, since it has improved greatly over the past years. There are still some issues with timeliness every now and then, but the number of critical issues is quite low.

Previous Solutions: We have evaluated several solutions and HPE ArcSight was the only one that satisfied our requirements in performance, scalability, and flexibility.

Initial Setup: Initial setup was quite complex and required a lot of planning. That is a downside of the solution being flexible and customizable.

Cost and Licensing Advice: The pricing and licensing model has changed dramatically over the last years, so I can't really give much advice on its current state. You need to be ready for the solution to be quite expensive.

Other Solutions Considered: We evaluated McAfee ESM.

Other Advice: The keys to success with this solution are:
* Careful deployment planning
* Readiness to invest time and resources into training your IT security personnel
* Fine tuning the solution to your specific needs

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2017-02-01
Rated 3 out of 5 by Shane Lawrence from With the console, I can move between analyzing events and creating content. SmartConnectors are not resilient and sometimes crash.

Valuable Features: The ESM's interface is really comprehensive. While the ArcSight console is really heavy, and I tend to dislike Java-based Windows GUIs, it's feature-rich and provides a seamless way to move between analyzing events and creating content.

Improvements to My Organization: The ability to correlate such a diverse range of information into a single location is invaluable.

Room for Improvement: SmartConnectors should be resilient, since they ingest directly from sources (often sources that I have no control over). But they're not resilient. The slightest change in the format of an event can cause SmartConnectors to stop working completely, even for other properly formatted events.

Use of Solution: I have been using ArcSight for two years.

Stability Issues: I've had stability issues, particularly with SmartConnectors. They sometimes crash. Worse still, they often report that they're working fine but completely stop listening for events.

Scalability Issues: The ArcSight Logger is extremely limited when it comes to scalability. For a large deployment that could be handled by a single ESM, a dozen Loggers might be required. The cost of such an undertaking is prohibitive, and there are much more scalable solutions available (ES for instance).

Technical Support: I would rate this zero, if I could. I have had many incidents opened with HPE Support for ArcSight products, and there has not been a single issue where their support was more valuable than the time it took to deal with them. In most of my experiences with them, I provided a thorough description of the problem including logs, config files, and sometimes .pcap files. I then heard back from them roughly once or twice a day for a week, during which time they would ask questions that I had already answered, and suggest actions that couldn't possibly relate to my issue. Of course, I tried their suggestions, but they did not work. By then, I had always devised a workaround to reduce impact to production and didn't receive another suggested resolution for weeks or months.

Previous Solutions: I have used many products that cover some of the territory claimed by ArcSight, including: Sourcefire 3D, ELSA, Sguil/Squert, RSA Security Analytics and Splunk. None of these were as comprehensive as ArcSight.

Initial Setup: Most of the initial setup is very straightforward, but some event sources require significant effort to integrate.

Cost and Licensing Advice: ArcSight is exclusively an enterprise product and it is priced accordingly.

Other Solutions Considered: We evaluated QRadar and Splunk.

Other Advice: Evaluate your needs. If you're only looking to integrate logs or do simple correlations, there might be a better choice out there. If you're looking for a single product that will let you aggregate, correlate and analyze many different sources in a single place, then there are few competitors that can come close to ArcSight's features.

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2017-02-01
Rated 4 out of 5 by Omar Sánchez (Mr.Tech) from Has helped us to gather, store, correlate and analyze security log data from many different information systems.

Valuable Features:
* Intrusion Detection System (IDS)
* Security Information and Event Management (SIEM)

Improvements to My Organization: To organizations like mine, security information and event management products being introduced in the industry, as an outcome of several vulnerabilities, are able to provide real-time monitoring, reporting and defense against these attacks. It has helped us to gather, store, correlate and analyze security log data from many different information systems.

Room for Improvement: For this review, ArcSight sent me the Logger 4 7000-series appliance (2U) with six 1TB RADIUS drives, the maximum amount of internal storage available. I would like to see a threat analytics module. Also, the ability to produce reports.

Disclaimer: My company has a business relationship with this vendor other than being a customer: Partners
Date published: 2017-01-20
Rated 3 out of 5 by Adrian Grigorof from Scalable though it is not "plug-and-play".

Valuable Features:
- Scalable though it is not "plug-and-play".
- Various deployment configurations, based on requirements, budget and the EPS/GB per day
- Stable, performance predictable based on used capacity
- Integration with alerting/ticketing systems such as Tivoli

Improvements to My Organization:
- We use it for managed SIEM services and its stability and maturity helps with standard deployments (hardly any surprises)

Room for Improvement:
- A bit on the slow side for reports requiring query of old data
- High availability achievable through complicated configurations (i.e. load balancers)
- The user interface is a bit dated

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2016-08-02
Rated 4 out of 5 by Omar Sánchez (Mr.Tech) from Has helped us to gather, store, correlate and analyze security log data from many different information systems.

Valuable Features:
* Intrusion Detection System (IDS)
* Security Information and Event Management (SIEM)

Improvements to My Organization: To organizations like mine, security information and event management products being introduced in the industry, as an outcome of several vulnerabilities, are able to provide real-time monitoring, reporting and defense against these attacks. It has helped us to gather, store, correlate and analyze security log data from many different information systems.

Room for Improvement: For this review, ArcSight sent me the Logger 4 7000-series appliance (2U) with six 1TB RADIUS drives, the maximum amount of internal storage available. I would like to see a threat analytics module. Also, the ability to produce reports.

Disclaimer: My company has a business relationship with this vendor other than being a customer: Partners
Date published: 2016-06-09
Rated 5 out of 5 by SrInfoSecEng854 from The user has multiple levels of options to generate reports and get alerted based on conditions.

Valuable Features:
* Collection - Collects logs from a wide range of products, even those not supported by default, and the users can develop a connector for log collection.
* Detection - Caliber to detect subtle attacks with a powerful correlation engine.
* Report/Alert - The user has multiple levels of options to generate reports and get alerted based on conditions.

Improvements to My Organization: By using ArcSight ESM and its correlation technology, it thwarts multiple attacks from external sources before exploitations such as SQL injection, UNIX password file attempt, brute force to published servers, and more. In addition, internal frauds have been prevented through preventing unauthorized login attempts to the firewall, database, critical servers, etc.

Room for Improvement: ArcSight Connector appliance needs some improvement, as it has some bugs which trigger issues most of the time. I believe that the Connector is going to hit end-of-service.

Deployment Issues: We experienced no issues with the deployment.

Stability Issues: We had the bugs in Connector as detailed in the Room for Improvement section.

Scalability Issues: We've had no issues with scalability.

Technical Support: Technical support should be improved. Many times, I've raised a case but none of them solved it, and it took the guys from the Protect724 forum to solve my issue. The support team simply collects the logs from end users and makes you wait, and you carry on passing the same information which is available in the Admin guide.

Initial Setup: All you need is proper planning and pre-requisites information, and it's straightforward. Some newbies say that this product is hard to handle, but basically practice makes perfect.

Other Advice: HP are doing their job perfectly by bringing new features in every version, such as RepSM, HA capability, etc. It has never failed me.

Disclaimer: I am a real user, and this review is based on my own experience and opinions.