ArcSight ESM SIEM Platform Review


A Brief History of ArcSight

ArcSight was founded in 2000 and filed for its IPO in 2008. HP acquired it in 2012 for $1.5 billion, and in September 2017, Hewlett Packard Enterprise (HPE) spun out its software business, including ArcSight, which merged with 40-year-old Micro Focus to become a $4.4 billion software company.

ArcSight’s Product Description

ArcSight Enterprise Security Manager (ESM) includes ingestion and interpretation of logs, connection to threat intelligence feeds, real-time correlation and analytics, security alerting, data presentation through user interface dashboards and reporting, compliance reporting and support. ESM can also perform baselining and outlier notification; this is achieved through its integration with other analytics products, such as ArcSight User Behavior Analytics (UBA). In addition, data enrichment features include asset and network modeling, prioritization, geo-location, vulnerability modeling, and user modeling.

Recent enhancements to ESM include:

  • Support of Hadoop as optional backend storage for collected events and for running analysis on those events
  • Use of machine learning to assist in the event escalation process
  • Full support of NetFlow, including the ability to use NetFlow in correlation rules to detect security alerts
  • Easy integration with third-party and external user threat risk score services such as Webroot
  • GDPR support

See our complete list of The Top SIEM Tools.

ArcSight ESM SIEM Features Rated

Threats blocked: Good. ArcSight blocks a wide range of threats. It includes access to the ArcSight Activate threat framework and ArcSight Marketplace content for the most current security correlation rules, dashboards, reports and use cases.

Sources ingested: Very good. ESM can analyze data from more than 500 device types and can incorporate cyber threat intelligence via STIX or CIF standard feeds. ArcSight’s ADP SmartConnectors support every common event format, including native Windows events, APIs, firewall logs, syslog, flat files, NetFlow, XML/JSON and direct database connectivity.

Performance: Very good. Up to 100,000 events per second (EPS).

Value: Good. Some customers converting from legacy licensing models to new licenses and the ADP architecture have reported issues with license conversion complexity and costs. To address these concerns, Micro Focus has implemented changes to its licensing model that include a pricing option that is free of data restrictions.

Implementation: Very good. Users generally report easy implementation. Gartner said ArcSight can be extensively customized to support threat management and compliance-focused use cases. ArcSight’s API also enables extensive integrations in SOC environments.

Management: Best in class. Modular packages allow custom rules, dashboards and other content to be exported and shared across systems or customers. It includes centralized management, analysis, and reporting of all enterprise security events.

Support: Good. Users generally note solid support, but a few say it can be pricey.

Scalability: Very good. Scalable up to 100,000 EPS with distributed correlation.


Other ArcSight ESM Details

Security Qualifications

Federal Information Processing Standard (FIPS) 140-2 compliant, including Suite B. Common Criteria for Information Technology Security Evaluation (CC) certified.

Intelligence

ArcSight ESM provides integration capabilities with several machine learning and intelligence platforms.

Delivery

ArcSight ESM is available via appliance, software, Amazon Web Services (AWS) and Microsoft Azure.

Agents

ArcSight ESM utilizes agents, otherwise known as ArcSight Connectors. Connectors are either software applications, or an appliance, that collect data from a source and feed this into ArcSight ESM. ArcSight ESM currently supports more than 300 connectors for various types of sources and data models.
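As an added illustration of the pipeline the review describes (connectors collecting events of different formats and normalizing them, then correlation rules turning the normalized stream into alerts), here is a small Python example. It is not ArcSight code: the sshd syslog lines, the JSON web-application events, the common field names and the rule thresholds are all constructed for the example, and the syslog year is assumed because classic syslog timestamps carry none.

```python
"""Toy SIEM pipeline: connector-style normalization plus one correlation rule.
Added example, not ArcSight code; all sample events below are constructed."""
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: raw events as a connector would receive them.
# Two formats are mixed on purpose: classic syslog lines from sshd and
# JSON events (one per line) from an assumed web application.
RAW_EVENTS = [
    "Mar 10 12:00:01 bastion sshd[2211]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "Mar 10 12:00:07 bastion sshd[2211]: Failed password for root from 203.0.113.5 port 51236 ssh2",
    '{"ts": "2024-03-10T12:00:09", "host": "webapp1", "event": "login", "user": "alice", '
    '"src_ip": "198.51.100.7", "result": "success"}',
    "Mar 10 12:00:12 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2",
    "Mar 10 12:00:40 bastion sshd[2211]: Accepted password for root from 203.0.113.5 port 51250 ssh2",
    '{"ts": "2024-03-10T12:01:00", "host": "webapp1", "event": "login", "user": "bob", '
    '"src_ip": "198.51.100.9", "result": "failure"}',
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?P<host>\S+)\s"
    r"(?P<app>[\w.-]+)(?:\[\d+\])?:\s(?P<msg>.*)$"
)
SSHD_AUTH_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)
SYSLOG_YEAR = 2024  # assumption: classic syslog timestamps have no year


def normalize(raw):
    """Connector step: map one raw line onto the common event schema, or None."""
    if raw.startswith("{"):
        ev = json.loads(raw)
        return {
            "ts": datetime.fromisoformat(ev["ts"]),
            "host": ev["host"],
            "user": ev["user"],
            "src_ip": ev["src_ip"],
            "outcome": ev["result"],
            "source_type": "webapp",
        }
    m = SYSLOG_RE.match(raw)
    if not m:
        return None
    auth = SSHD_AUTH_RE.match(m["msg"])
    if m["app"] != "sshd" or not auth:
        return None  # not an authentication event; a real connector maps many more types
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "host": m["host"],
        "user": auth["user"],
        "src_ip": auth["src"],
        "outcome": "failure" if auth["outcome"] == "Failed" else "success",
        "source_type": "sshd",
    }


def correlate(events, threshold=3, window_seconds=60):
    """Correlation step: flag a source IP with >= threshold failed logins inside a
    sliding window, and escalate if a successful login from that IP follows."""
    alerts = []
    failures = defaultdict(list)  # src_ip -> timestamps of failures still inside the window
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src_ip"]
        if ev["outcome"] == "failure":
            failures[src].append(ev["ts"])
            failures[src] = [t for t in failures[src]
                             if (ev["ts"] - t).total_seconds() <= window_seconds]
            if len(failures[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"rule": "auth-bruteforce", "src_ip": src,
                               "count": len(failures[src]), "severity": "medium"})
        elif ev["outcome"] == "success" and src in flagged:
            alerts.append({"rule": "bruteforce-then-success", "src_ip": src,
                           "user": ev["user"], "host": ev["host"], "severity": "high"})
    return alerts


def run_pipeline(raw_lines=RAW_EVENTS):
    """Run both stages; returns (normalized events, alerts)."""
    events = [e for e in map(normalize, raw_lines) if e]
    return events, correlate(events)


if __name__ == "__main__":
    events, alerts = run_pipeline()
    print(f"normalized {len(events)} events")
    for alert in alerts:
        print(alert)
```

The point of the two-stage split is the one the review's feature list implies: once every source is in one schema, the correlation rule does not care whether a failed login came from sshd or from a web application, so adding a new source type means adding a mapping in the connector, not rewriting the rules.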

How Much Does ArcSight Cost?

Pricing is based on the amount of data ingested and the number of security events correlated per second. An evaluation by an ArcSight sales executive must be completed before a pricing quote is issued. While pricing specifics are hard to come by, users note that it tends to be pretty pricey: you’re paying for enterprise-class features and scalability.

For more analysis of ArcSight, see our SIEM product comparisons, ArcSight vs Splunk and ArcSight vs IBM QRadar.

Drew Robb