HP ArcSight Express
Strengths: Highly configurable with many reporting functions
Weaknesses: Very expensive
Verdict: HP ArcSight is one of the heavy hitters in this market, but its products come with a heavy cost. Still, it's a good fit for large enterprises.
HP ArcSight Express features a full set of SIEM capabilities, including security event correlation, log management, IT search, NetFlow monitoring and compliance reporting. Using this tool, security professionals and system administrators can identify and investigate many security events and rule violations all from a single interface.
Along with the usual monitoring and reporting functions of a SIEM, this offering also features user activity and role monitoring, which provides a more complete picture of certain security events and how they occurred.
Overall, we had a fairly easy time configuring and managing this appliance. Getting it deployed in the network takes just a few minutes, but getting it set up and configured is a slightly different story. It is designed to be quite flexible and to provide a multitude of deployment and monitoring configurations, so setting everything up can be quite a process. However, we found that once it is up and running, it features many powerful analysis and reporting functions that more than balance out the initial deployment difficulty.
This solution has a connector or receiver for almost any type of log or device. It can take all log data, pass it through its powerful correlation engine and, in one interface, provide dozens of reports and alerts. The management console can be a little overwhelming at first due to the many panes of information, but once we became familiar with how to navigate the console we found it to be quite manageable and not as complicated as it looked initially. We found this appliance to have a slight learning curve when it came to management and configuration, but it also provides a lot of options and flexibility. For compliance reporting, it features reporting packs that can be loaded into the management console for specific compliance report types.
Documentation consisted of a number of PDF manuals, including administrator, configuration and user guides. There was also a short getting-started guide, but it basically detailed a couple of steps to turn on the appliance for the first time and then referenced the configuration manual for further instructions. Also included was an ESM 101 guide, which offered excellent detail on how to use the product and its various features and functions.
HP ArcSight offers standard and premium support plans to customers as part of an annual cost. These programs include various levels of phone and email-based technical aid, along with other help features. Customers can access a large support area on the website that features a user community, knowledgebase and a download centre.
At c£29,536, this product carries a heavy price tag. HP ArcSight Express is definitely a better fit for large-scale enterprises than for smaller environments. While the price may be high, it does offer a lot of configurability and functionality for more complex environments. Overall, we find it to be average value for the money, but it does have some great features and functionality.