Table of Contents
A Brief History of ArcSight
ArcSight was founded in 2000 and filed for its IPO in 2008. HP acquired it in 2012 for $1.5 billion, and in September 2017, Hewlett Packard Enterprise (HPE) spun out its software business, including ArcSight, which merged with 40-year-old Micro Focus to become a $4.4 billion software company.
ArcSight’s Product Description
ArcSight Enterprise Security Manager (ESM) includes ingestion and interpretation of logs, connection to threat intelligence feeds, real-time correlation and analytics, security alerting, data presentation through user interface dashboards and reporting, compliance reporting and support. ESM can also perform baselining and outlier mechanism notification. This is achieved through its integration with other analytics products, such as ArcSight User Behavior Analytics (UBA). In addition, data enrichment features include asset and network modelling, prioritization, geo-location, vulnerability modeling, and user modeling.
Recent enhancements to ESM include:
- Support of Hadoop as optional backend storage for collected events and performing analysis on events
- Use of machine learning to assist in the event escalation process
- Full support of NetFlow, including the ability to use NetFlow in correlation rules to detect security alerts
- Easy integration with third-party and external user threat risk score services such as Webroot
- GDPR support
See our complete list of The Top SIEM Tools.
Arcsight ESM SIEM Features Rated
Threats blocked: Good. ArcSight blocks a wide range of threats. It includes access to the ArcSight Activate threat framework and ArcSight Marketplace content for the most current security correlation rules, dashboards, reports and use cases.
Sources ingested: Very good. ESM can analyze data from more than 500 device types and can incorporate cyber threat intelligence via STIX or CIF standard feeds. ArcSight’s ADP SmartConnectors support every common event format, from native Windows events, APIs, firewall logs, syslog, flat file, Netflow, XML/JSON and direct database connectivity.
Performance: Very good. Up to 100,000 events per second (EPS).
Value: Good. Some customers converting from legacy licensing models to new licenses and the ADP architecture have reported issues with license conversion complexity and costs. To address these concerns, Micro Focus has implemented changes to its licensing model that include a pricing option that is free of data restrictions.
Implementation: Very good. Users generally report easy implementation. Gartner said ArcSight can be extensively customized to support threat management and compliance-focused use cases. ArcSight’s API also enables extensive integrations in SOC environments.
Management: Best in class. Modular packages allow custom rules, dashboards and other content to be exported and shared across systems or customers. It includes centralized management, analysis, and reporting of all enterprise security events.
Support: Good. Users generally note solid support, but a few say it can be pricey.
Scalability: Very good. Scalable up to 100,000 EPS with distributed correlation.
Other ArcSight ESM Details
Security Qualifications
Federal Information Processing Standard (FIPS) 140-2 compliant, including suite B authorized. Common Criteria for Information Technology Security Evaluation (CC) certified.
Intelligence
ArcSight ESM provides integration capabilities with several machine learning and intelligence platforms.
Delivery
ArcSight ESM is available via appliance, software, Amazon Web Services (AWS) and Microsoft Azure.
Agents
How Much Does Arcsight Cost?
Based on amount of data ingested and security events correlated per second. An evaluation by an ArcSight sales executive must be completed prior to pricing quote. While pricing specific are hard to come by, users note that it tends to be pretty pricey – you’re paying for enterprise-class features and scalability.
For more analysis of ArcSight, see our SIEM product comparisons, ArcSight vs Splunk and ArcSight vs IBM QRadar.
