Hewlett Packard Enterprise's ArcSight ESM: SIEM product overview
Expert Karen Scarfone analyzes HPE's ArcSight Enterprise Security Management (ESM), a security information and event management (SIEM) tool used for collecting security log data.
Hewlett Packard Enterprise's ArcSight ESM is a product designed for security information and event management (SIEM). HPE's ArcSight ESM collects security log data from an enterprise's security technologies, operating systems, applications and other log sources, and analyzes that data for signs of compromise, attacks or other malicious activity. If something malicious is detected, the product responds either by generating alerts to security administrators or by initiating an automated response to stop the malicious activity.
The HPE ArcSight ESM suite is available in five server-based software models that are named after the total gigabytes per day (GB/d) of security log data they can process:
- ESM 20 GB/d, 1000 events per second on average, up to 100 network devices
- ESM 50 GB/d, 2500 events per second on average, up to 250 network devices
- ESM 100 GB/d, 5000 events per second on average, up to 500 network devices
- ESM 150 GB/d, 7500 events per second on average, up to 500 network devices
- ESM 250 GB/d, 12,500 events per second on average, up to 500 network devices
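The five tiers pair a daily volume with an average event rate and a device ceiling, which is the information a buyer needs for capacity planning. The following Python helper is an added example, not HPE or ArcSight code and not part of the original article: it derives the average event size the published GB/d and events-per-second figures imply (the same for every tier, roughly 231 bytes), estimates the daily volume a measured event rate would produce, and picks the smallest tier whose event-rate and device ceilings both hold. It assumes decimal gigabytes (1 GB = 10^9 bytes) and an 86,400-second day, and the `peak_factor` argument is a hypothetical input for scaling a quiet-day average up toward expected peaks; neither assumption comes from the article.

```python
"""Capacity-planning helper for the ArcSight ESM tiers listed above.

Added example, not HPE/ArcSight code. Assumptions (not from the article):
  * "GB" is decimal (1 GB = 1e9 bytes) and a day is 86,400 seconds;
  * the per-tier event rate is a sustained average, so a peak factor is
    applied to the measured average before matching a tier.
"""
from dataclasses import dataclass
from typing import Optional

SECONDS_PER_DAY = 86_400
BYTES_PER_GB = 1_000_000_000  # assumption: decimal gigabytes


@dataclass(frozen=True)
class Tier:
    name: str
    gb_per_day: int      # licensed daily log volume
    avg_eps: int         # average events per second
    max_devices: int     # network device ceiling


# Figures as listed in the article, smallest tier first.
TIERS = (
    Tier("ESM 20 GB/d", 20, 1_000, 100),
    Tier("ESM 50 GB/d", 50, 2_500, 250),
    Tier("ESM 100 GB/d", 100, 5_000, 500),
    Tier("ESM 150 GB/d", 150, 7_500, 500),
    Tier("ESM 250 GB/d", 250, 12_500, 500),
)


def implied_bytes_per_event(tier: Tier) -> float:
    """Average event size that a tier's GB/d and EPS figures imply."""
    return tier.gb_per_day * BYTES_PER_GB / (SECONDS_PER_DAY * tier.avg_eps)


def estimated_gb_per_day(avg_eps: float, bytes_per_event: float) -> float:
    """Daily volume a source population generates at a measured average rate."""
    return avg_eps * bytes_per_event * SECONDS_PER_DAY / BYTES_PER_GB


def recommend_tier(avg_eps: float, devices: int,
                   peak_factor: float = 1.0) -> Optional[Tier]:
    """Smallest tier whose EPS ceiling and device ceiling both hold.

    peak_factor (hypothetical input) scales the measured average upward so a
    tier is not chosen on a quiet-day average alone. Returns None when no
    listed tier fits, meaning the deployment must be split across instances
    or a different product considered.
    """
    required_eps = avg_eps * peak_factor
    for tier in TIERS:
        if required_eps <= tier.avg_eps and devices <= tier.max_devices:
            return tier
    return None


if __name__ == "__main__":
    for t in TIERS:
        print(f"{t.name}: ~{implied_bytes_per_event(t):.0f} bytes/event implied")
    # Constructed scenario: 3,000 EPS measured, 300-byte events, 200 devices.
    print(f"estimated volume: {estimated_gb_per_day(3000, 300):.1f} GB/d")
    choice = recommend_tier(3000, 200, peak_factor=1.5)
    print("recommended:", choice.name if choice else "no listed tier fits")
```

Note that the device ceiling, not the event rate, can be the binding constraint: 800 EPS fits the smallest tier on rate alone, but 150 devices pushes the choice up to the ESM 50 GB/d model.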
Additional security capabilities
HPE's ArcSight ESM offers all the basic SIEM security capabilities. In addition, it supports the use of third-party threat intelligence feeds from vendors such as Norse to improve the accuracy of threat detection. Other additional security capabilities, such as network forensics features and the supplementation of existing host logging features, are not available through HPE's ArcSight ESM.
Most SIEM products offer robust reporting capabilities, and HPE's ArcSight ESM is no exception. It offers built-in support for many security compliance initiatives, including the following:
- Federal Information Security Management Act of 2014
- Health Insurance Portability and Accountability Act
- International Organization for Standardization/International Electrotechnical Commission 27001/27002, Information Security Management
- North American Electric Reliability Corporation Critical Infrastructure Protection
- Payment Card Industry Data Security Standard
- Sarbanes-Oxley Act
Although HPE provides a link to a 30-day free trial of HPE's ArcSight ESM, following the link actually leads to free trials of HPE's ArcSight Logger and ArcSight Application View, also known as AppView. A free trial of the HPE ArcSight ESM product itself could not be located, and additional licensing information was also unavailable.
HPE's ArcSight ESM overview
HPE's ArcSight ESM offers solid server-based SIEM capabilities for a variety of organizations. The lowest-end model, the ESM 20 GB/d, should be suitable for small organizations, and the other models would work well for medium and large organizations, although perhaps not for the largest enterprises when compared to more modular and scalable competing products. HPE's ArcSight ESM offers typical security capabilities, including threat intelligence feed support and strong compliance reporting support, but it lacks other advanced security capabilities, such as network forensics and host logging supplementation. Still, HPE's ArcSight ESM is a mature product that should be evaluated by most organizations seeking a SIEM product.