Micro Focus ArcSight fell from the Leaders to the Challengers section of the most recent Gartner Magic Quadrant (MQ) for SIEM, based on Gartner’s concerns about how Micro Focus is integrating the former HPE product with its existing products, and licensing complexity. That said, the company has a large installed base of customers using the SIEM product for large, complex SOC environments and for more basic log collection use cases. It is also used by many managed security service providers (MSSPs).
ArcSight: Company Description
ArcSight was founded in 2000 and filed for its IPO in 2008. HP acquired it in 2012 for $1.5 billion, and in September 2017, Hewlett Packard Enterprise (HPE) spun out its software business, including ArcSight, which merged with 40-year-old Micro Focus to become a $4.4 billion software company.
ArcSight: Product Description
ArcSight Enterprise Security Manager (ESM) includes ingestion and interpretation of logs, connection to threat intelligence feeds, real-time correlation and analytics, security alerting, data presentation through user interface dashboards and reporting, compliance reporting and support. ESM can also perform baselining and outlier notification, achieved through its integration with other analytics products such as ArcSight User Behavior Analytics (UBA). In addition, data enrichment features include asset and network modeling, prioritization, geo-location, vulnerability modeling, and user modeling.
Recent enhancements to ESM include:
- Support for Hadoop as an optional backend for storing and analyzing collected events
- Use of machine learning to assist in the event escalation process
- Full support for NetFlow, including the ability to use NetFlow data in correlation rules to generate security alerts
- Easy integration with third-party and external user threat risk scoring services such as Webroot
- GDPR support
SIEM Features Rated
Threats blocked: Good. ArcSight blocks a wide range of threats. It includes access to the ArcSight Activate threat framework and ArcSight Marketplace content for the most current security correlation rules, dashboards, reports and use cases.
Sources ingested: Very good. ESM can analyze data from more than 500 device types and can incorporate cyber threat intelligence via STIX or CIF standard feeds. ArcSight’s ADP SmartConnectors support all common event sources and formats, including native Windows events, APIs, firewall logs, syslog, flat files, NetFlow, XML/JSON and direct database connectivity.
Performance: Very good. Up to 100,000 events per second (EPS).
Value: Good. Some customers converting from legacy licensing models to new licenses and the ADP architecture have reported issues with license conversion complexity and costs. To address these concerns, Micro Focus has implemented changes to its licensing model that include a pricing option that is free of data restrictions.
Implementation: Very good. Users generally report easy implementation. Gartner said ArcSight can be extensively customized to support threat management and compliance-focused use cases. ArcSight’s API also enables extensive integrations in SOC environments.
Management: Best in class. Modular packages allow custom rules, dashboards and other content to be exported and shared across systems or customers. It includes centralized management, analysis, and reporting of all enterprise security events.
Support: Good. Users generally note solid support, but a few say it can be pricey.
Scalability: Very good. Scalable up to 100,000 EPS with distributed correlation.
Federal Information Processing Standard (FIPS) 140-2 compliant, including Suite B authorization. Common Criteria for Information Technology Security Evaluation (CC) certified.
ArcSight ESM provides integration capabilities with several machine learning and intelligence platforms.
ArcSight ESM is available via appliance, software, Amazon Web Services (AWS) and Microsoft Azure.
ArcSight ESM uses agents, known as ArcSight Connectors. Connectors are software applications or appliances that collect data from a source and feed it into ArcSight ESM. ArcSight ESM currently supports more than 300 connectors for various types of sources and data models.
Pricing is based on the amount of data ingested and the number of security events correlated per second. An evaluation by an ArcSight sales executive must be completed before a pricing quote is issued. While pricing specifics are hard to come by, users note that it tends to be pricey, as you’re paying for enterprise-class features and scalability.
Top ArcSight SIEM Alternatives
Wazuh is a free and open-source security platform that provides unified XDR and SIEM protection for endpoints and cloud workloads. Our platform has one of the fastest-growing open source communities, and it offers high-quality support at no cost to its users. It protects workloads across on-premises, virtualized, containerized, and cloud-based environments. In addition, Wazuh offers Wazuh Cloud, a flexible infrastructure that allows high scalability.
Graylog is a log management and SIEM platform that is easier, faster and more affordable than most solutions. It is a scalable, flexible cybersecurity platform that combines SIEM, security analytics and industry-leading anomaly detection capabilities with machine learning that adapts to your environment and grows with your business. Built by practitioners for practitioners, Graylog Security flips the traditional SIEM application on its head by stripping out the complexity, alert noise, and high costs.
ThreatInsight: This security monitoring assessment tool collects logs and gives you insight into your organization’s threats. MSPs use it as a sales tool to demonstrate the value of SIEM and SOC services and to help clients decide which security monitoring solution is right for them. With ThreatInsight, MSPs can onboard all their clients and their devices onto Vijilan’s SIEM for $99/month. Spots available while seats last.