based on nearly 300 real user experiences.
Micro Focus ArcSight fell from the Leaders to the Challengers section of the most recent Gartner Magic Quadrant (MQ) for SIEM, based on Gartner’s concerns about how Micro Focus is integrating the former HPE product with its existing products, and licensing complexity. That said, the company has a large installed base of customers using the SIEM product for large, complex SOC environments and for more basic log collection use cases. It is also used by many managed security service providers (MSSPs).
ArcSight was founded in 2000 and filed for its IPO in 2008. HP acquired it in 2012 for $1.5 billion, and in September 2017, Hewlett Packard Enterprise (HPE) spun out its software business, including ArcSight, which merged with 40-year-old Micro Focus to become a $4.4 billion software company.
ArcSight Enterprise Security Manager (ESM) includes ingestion and interpretation of logs, connection to threat intelligence feeds, real-time correlation and analytics, security alerting, data presentation through user interface dashboards and reporting, compliance reporting and support. ESM can also perform baselining and outlier mechanism notification. This is achieved through its integration with other analytics products, such as ArcSight User Behavior Analytics (UBA). In addition, data enrichment features include asset and network modelling, prioritization, geo-location, vulnerability modeling, and user modeling.
Recent enhancements to ESM include:
- Support of Hadoop as optional backend storage for collected events and performing analysis on events
- Use of machine learning to assist in the event escalation process
- Full support of NetFlow, including the ability to use NetFlow in correlation rules to detect security alerts
- Easy integration with third-party and external user threat risk score services such as Webroot
- GDPR support
See our complete list of Top 10 SIEM Products.
SIEM Features Rated
Threats blocked: Good. ArcSight blocks a wide range of threats. It includes access to the ArcSight Activate threat framework and ArcSight Marketplace content for the most current security correlation rules, dashboards, reports and use cases.
Sources ingested: Very good. ESM can analyze data from more than 500 device types and can incorporate cyber threat intelligence via STIX or CIF standard feeds. ArcSight’s ADP SmartConnectors support every common event format, from native Windows events, APIs, firewall logs, syslog, flat file, Netflow, XML/JSON and direct database connectivity.
Performance: Very good. Up to 100,000 events per second (EPS).
Value: Good. Some customers converting from legacy licensing models to new licenses and the ADP architecture have reported issues with license conversion complexity and costs. To address these concerns, Micro Focus has implemented changes to its licensing model that include a pricing option that is free of data restrictions.
Implementation: Very good. Users generally report easy implementation. Gartner said ArcSight can be extensively customized to support threat management and compliance-focused use cases. ArcSight’s API also enables extensive integrations in SOC environments.
Management: Best in class. Modular packages allow custom rules, dashboards and other content to be exported and shared across systems or customers. It includes centralized management, analysis, and reporting of all enterprise security events.
Support: Good. Users generally note solid support, but a few say it can be pricey.
Scalability: Very good. Scalable up to 100,000 EPS with distributed correlation.
Federal Information Processing Standard (FIPS) 140-2 compliant, including suite B authorized. Common Criteria for Information Technology Security Evaluation (CC) certified.
ArcSight ESM provides integration capabilities with several machine learning and intelligence platforms.
ArcSight ESM is available via appliance, software, Amazon Web Services (AWS) and Microsoft Azure.
ArcSight ESM utilizes agents, otherwise known as ArcSight Connectors. Connectors are either software applications, or an appliance, that collect data from a source and feed this into ArcSight ESM. ArcSight ESM currently supports more than 300 connectors for various types of sources and data models.
Based on amount of data ingested and security events correlated per second. An evaluation by an ArcSight sales executive must be completed prior to pricing quote. While pricing specific are hard to come by, users note that it tends to be pretty pricey – you’re paying for enterprise-class features and scalability.