HP's ArcSight ESM is a mature product that collects events from virtually any source. It collects raw data and then searches, stores and reports on the converted data. ArcSight converts the data into structured event schema optimized for security correlation. For raw data, the tool collects syslog or file-based feeds directly. When addressing structured data, it uses either its proprietary SmartConnectors or its FlexConnector toolkit. ArcSight takes a unique two-step approach when converting data into correlated information. First, the event data is parsed into approximately 500 fields. For perspective, most other products only parse data into 10 percent of what ArcSight is doing. This translates into tremendous flexibility when it comes to analyzing information. Next, with the ArcSight FlexConnectors, customers are empowered to create their own connectors. This significantly increases data elements that can be monitored and stored in their environment. The ArcSight SmartConnectors brings flexibility into the product. The HP ArcSight library of more than 350 HP-certified, out-of-the-box SmartConnectors provides an impressive pool of commercial products integrated into ArcSight. These include hardware, software, systems and services. Other features, like case notes for the Case Management System, are used to document the activity during a case and includes attachable reports.
HP provided a USB adapter for the setup that included 17 documents, software executables, licenses and a virtual appliance. The documents provided were easy to follow and covered everything from concepts to installation, administration, user instructions and use cases. The documents included diagrams and simple how-to instructions.
The product was a Red Hat Enterprise Linux v6.4, 64-bit and included 4G memory, one virtual disk, CD/DVD, network adapter, USB controller and floppy drive. The system was set up in default mode as opposed to selecting FIPS mode. Foundation packages were selected, including the required packages - ArcSight Core, ArcSight Groups, ArcSight Administration, ArcSightcore, ArcSightSecurity, Conditional Variable Filters, Global Variables and Network Filters).
The ArcSight Command Center dashboard was cleanly designed with a great graphic dashboard. Navigation was mainly done through a Tree Navigator. Everything expected in an enterprise-class SIEM was there. There was no clutter or hard-to-read pages. Case management allowed classification levels of events that included a Reputation Security Monitor. Simulated attack data was provided to see the effects of events. Also impressive were the feeds to current global threats. Data from a large number of threat watchdog communities are integrated into the product in near real time.
HP offers basic no-cost support that includes a community-supported website, as well as a FAQ list. The company website offers a 24/7 knowledge base (requires login), and there also is a premium support option. Fee-based options are available at 15 or 18 percent of product cost. The services include phone and email aid, with access provided based on fee level with eight-hours-a-day/five-days-a-week or 24/7 options, respectively. The value for the money spent for this product is good.