This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

LEM versus ArcSight

I have been doing some research on SIEM and and SOC, specifically managed SOC's or MSSP's.  I see that many of them use ArcSight as their SIEM/Log Management solution.

I personally don't have any experience with ArcSight and am curious how LEM compares against it on a capabilities/features side-by-side.  I did read the thread HERE but am looking for less of a description of LEM but more of a direct comparison matrix.  I know that back in the day HP OpenView reigned king in the monitoring world, is ArcSight in that same boat?  I haven't been able to see many screenshots or videos of it but what I have seen makes it look like somewhat of a legacy product; at least from a UI perspective.

I a asking about this because we are looking at developing even more security services with LEM as our SIEM/Log Management solution of choice and I need to know how to answer questions when we go up against solutions such as ArcSight.

I am interested in any feedback that anybody may have on this, thanks in advance!

  • ArcSight provides three different log management products, so part of this question is dependent upon which ArcSight product is being compared. Those three products are Express, Logger, and ESM. Logger is a log-management tool only, and does not include the full suite of functionality one would expect in a SIEM product. Express is a price-scaled version of ESM. Presumably the product of interest is ESM.


    As such, one of the first challenges out-of-the-box with both ESM and Express is the UI. The UI is designed for experienced security analysts, whereas LEM is built with an easy-to-use interface suitable for the IT generalist.

    The second challenge is the pricing itself. ArcSight products are priced based on Events per Second (EPS) activity. The problem here is determining an appropriate licensing target. Do you overlicense for the days when you get slammed by extra activity, or do you license based on a normal activity. Furthermore, licensing based on EPS may or may not result in linear licensing costs as more nodes are added into the network, and adding a single node may actually result in an increase in EPS-based licensing costs.

    Now, extend that into the MSSP environment. Here are some questions to further consider:

    • What if the customer wants some form of console access to monitor their own network's events? (Even though it's a "managed service" does not necessarily mean the customer wants to remain oblivious to ongoing activity.)
    • What resources would be required to train the customer to use the console?
    • What are the implications of managing a collection of deployed appliances in the customers' environments and the licensing models appropriate for each customer. Is it easier to sell the service by event load (which may be volatile even in a small organization), or by the number of managed nodes (which will remain fairly static in almost any customer of a managed provider).
    • How complicated will it be to account for and bill for EPS to a customer's network, if that's the chosen licensing model? And even if you don't bill the customer by EPS, or service volume of some type, how difficult will it be to reconcile the licensing costs against the service fees, and determine whether a customer is profitable, or not?

    I, also, look forward to the thoughts of any others who have hands-on experience with both and how they view the actual user experience.

  • Thanks Lawrence, that is great information to have in my back pocket as we move forward with LEM as our platform!

    Hopefully others chime in with more details as the more information myself and the rest of the SolarWinds community has the easier it will make it when needing to make a good case for LEM.

  • FormerMember
    0 FormerMember

    You're pretty close in the analogy of ESM to OpenView. ArcSight has become to many people the de-facto choice for SIEM in the enterprise. Express is the attempt to push that down-market, but that doesn't make it appropriate. Logger is more focused on the log management use cases, less on the SIEM side.

  • Thanks Nicole!  Your take on it is consistent with what I had suspected from what I have been able to read and see with a bit of web surfing.

    Thus far I am very happy we have made the choice to go with LEM as our service platform for log management and SIEM.  I just found out today we are beginning work on a new PCI environment which will be another LEM appliance that I get to deploy.  That will make 6 in production so far!