IT Security Analyst at Ingenium Group
Real User
A good central viewpoint for issues, but it requires Flash
Pros and Cons
  • "It is a good central viewpoint for issues. These can then be investigated in more detail on the subnet server(s)/endpoints."
  • "Product currently requires Flash."
  • "Update to user interface from version 9 is cosmetic in some aspects, and after a few clicks you are back on the old interface."
  • "We would welcome integrations with some of the new McAfee acquisitions, e.g., behavioural analytics."

What is our primary use case?

  • To gain transparency into potential vulnerabilities within the network. 
  • To monitor problems, e.g., failure to update packages within the back-end security environment.

How has it helped my organization?

It is a good central viewpoint for issues. These can then be investigated in more detail on the subnet server(s)/endpoints.

What is most valuable?

Ability to create own views. Statistical (normalised) views help to highlight inconsistencies, which may need further investigation.

What needs improvement?

  • Product currently requires Flash. 
  • Update to user interface from version 9 is cosmetic in some aspects, and after a few clicks you are back on the old interface.
  • Some filters are still very low level "magic numbers", which do not make sense on the high level user interface. 
  • We would welcome integrations with some of the new McAfee acquisitions, e.g., behavioral analytics.
Buyer's Guide
Trellix ESM
June 2025
Learn what your peers think about Trellix ESM. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
860,592 professionals have used our research since 2012.

For how long have I used the solution?

Less than one year.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
IT Security Lead at a tech services company with 10,001+ employees
Real User
Adaptive protection learns for itself, but it seems McAfee does not test its product before releasing
Pros and Cons
  • "It blocks the things which are not to be allowed. It has an adaptive mode where it learns for itself."
  • "There are always multiple bugs in the product. For example, the console page was hanging multiple times. Afterwards, they released multiple upgrades for the same, multiple patches from McAfee."
  • "It seems McAfee does not test its product before releasing. When we - not only us, other companies also - deploy McAfee, we face multiple issues from the customer side, after which, McAfee reacts and fixes the bugs."
  • "There's no software support from McAfee."

How has it helped my organization?

By having access protection in the policies on the machine, it helps in real-time behavior scenarios, where the policy captures stuff, quite a lot.

What is most valuable?

VirusScan Enterprise provides protection against real-time malware attacks. 

We use it for logging the network traffic, when required.

It blocks the things which are not to be allowed. It has an adaptive mode where it learns for itself.

What needs improvement?

There are always multiple bugs in the product. For example, the console page was hanging multiple times. Afterwards, they released multiple upgrades for the same, multiple patches from McAfee.

Also, there's no software support from McAfee.

It seems McAfee does not test its product before releasing. When we - not only us, other companies also - deploy McAfee, we face multiple issues from the customer side, after which, McAfee reacts and fixes the bugs.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

After the upgrade, it is stable now. 

What do I think about the scalability of the solution?

It has good scalability.

How are customer service and technical support?

Tech support is not good. They don't respond to issues in a timely manner. We need to call up the account managers, and then the engineers will work on it.

We have to wait fairly long. Until we escalate the issue, the call will be still in the pending state, or the hold state.

Which solution did I use previously and why did I switch?

We switched to them because of the pricing.

How was the initial setup?

It is complex, not straightforward. 

For example, concerning an upgrade, the pre-installer check provided to us before the upgrade was showing the result was "all requirements met." But when we ran the actual installation, it was different.

What other advice do I have?

I would advise others, before upgrading, to make sure they know the product that they're upgrading to.

I would rate this product at six out of 10. To bring it to a 10, the most important thing is - given there are a lot of bugs, and I understand that - there should be proper support from the vendor site.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
it_user732735 - PeerSpot reviewer
Threat Intelligence Engineer (Security Engineering Team) at a government with 10,001+ employees
Vendor
Biggest benefit is its easy scalability. It doesn't restrict you to a particular hardware or storage solution.

What is most valuable?

It's SIEM. Obviously, normalization of data is the biggest factor.

How has it helped my organization?

We perform security event monitoring for over 700 individual servers, firewalls, and applications. It's not possible to monitor over 500 million events per day with SIEM.

What needs improvement?

McAfee is working on a newer ELS product for a faster search which will change everything about how a SIEM can perform.

For how long have I used the solution?

I have been using this product for the past eight years.

What do I think about the stability of the solution?

Just like any other software/hardware platform, once in a while we have issues with software bugs, but McAfee's support is good in helping to fix these issues in a timely manner.

What do I think about the scalability of the solution?

Biggest benefit of McAfee SIEM is its easy scalability. It doesn't restrict you to a particular hardware or storage solution.

How are customer service and technical support?

McAfee's SIEM support team is very good.

Which solution did I use previously and why did I switch?

I used ArcSight at a different job, but when we bought SIEM at my current job, it was NitroView. Later, McAfee acquired them.

How was the initial setup?

It had a few hurdles initially, but in its current versions and offerings McAfee SIEM is sort of plug and play. It has so many offerings out-of-the-box.

What's my experience with pricing, setup cost, and licensing?

McAfee's pricing is competitive in the industry and their licensing model is for hardware only.

Which other solutions did I evaluate?

We checked ArcSight, but their pricing was expensive.

What other advice do I have?

McAfee ESM is the perfect SIEM tool, and it provides best results based on data intake and rule based configuration.

I would suggest users identify the data sources they want to interject into SIEM for monitoring, correlation, and work with the sales team to understand the total EPS and choose the right set of hardware, especially the ESM which will perform the majority of work for your organization. With the right specs for hardware, it will help you achieve your goal.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
it_user380976 - PeerSpot reviewer
Information Security Analyst at a tech services company with 501-1,000 employees
Consultant
Through correlation rules, it finds malware that anti-virus and other security solutions do not find.

What is most valuable?

The easy interface is the most valuable feature.

How has it helped my organization?

Through correlation rules, it finds malware that compromised the computer that anti-virus and other security solutions do not find.

What needs improvement?

I had a couple of problems collecting Windows events. The local plugin should be easier to use, because when ESM is collecting through the manager, many performance issues occur.

For how long have I used the solution?

I have been using McAfee for over three years.

What do I think about the stability of the solution?

We did have stability issues, but they were resolved by McAfee support.

What do I think about the scalability of the solution?

We have not had scalability issues.

How are customer service and technical support?

I would give technical support a rating of 8/10.

Which solution did I use previously and why did I switch?

I used different solutions, but for different clients.

How was the initial setup?

This was the easiest initial setup that I have made.

What's my experience with pricing, setup cost, and licensing?

The product is worth the price. There are other cheaper tools in the market, but it is harder to work with them.

Which other solutions did I evaluate?

We looked at HPE ArcSight, Splunk, RSA Analytics, and IBM QRadar.

What other advice do I have?

Stay focused, read the documentation, plan it well, and the project will be a success.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
it_user380976 - PeerSpot reviewer
Information Security Analyst at a tech services company with 501-1,000 employees
Consultant
The most valuable feature for us is that it comes with many correlations, reports, and dashboards already available.
Pros and Cons
  • "The most valuable feature for us is that it comes with many correlations, reports, and dashboards already available. It's also very easy to use."
  • "The disk space needed for events is not clear. In all clients, we had at least more than 100GB free that we could not use."

What is most valuable?

The most valuable feature for us is that it comes with many correlations, reports, and dashboards already available. It's also very easy to use.

How has it helped my organization?

It's easy to create reports for compliance and for detecting different kinds of attacks and breaches through correlations. This makes the client devices more secure.

What needs improvement?

The disk space needed for events is not clear. In all clients, we had at least more than 100GB free that we could not use.

For how long have I used the solution?

I've used it for two-and-a-half years.

What was my experience with deployment of the solution?

The disk space sizing is very hard and when the version was updated to 9.4 the space needed to store events was cut by half, making it harder to explain to clients who now needed twice as much disk space, with no explanation from the vendor what happened. This was not even in the release notes.

I suggest that you configure the data archive prior to deployment because once the partition is detached, it will be deleted and you can lose a week's worth of events. You don't know when it will be deleted because even with a lot of disk space the partition is detached.

What do I think about the stability of the solution?

There have been no issues with the stability.

What do I think about the scalability of the solution?

There have been no issues scaling.

How are customer service and technical support?

Customer Service:

I give customer service a 7 out of 10.

Technical Support:

I give technical support a 7 out of 10.

Which solution did I use previously and why did I switch?

We used HP ArcSight, IBM Q1 Labs, Splunk, and we chose McAfee Enterprise Security Manager because it’s very easy to deploy.

How was the initial setup?

The initial setup is simple and descriptive. It was very straightforward.

What about the implementation team?

We implemented it with our in-house team.

What was our ROI?

The in-house sales team said McAfee has the best ROI on the market.

What's my experience with pricing, setup cost, and licensing?

You should buy the distributed option instead of the all-in-one for environments with more than 1000 end points.

What other advice do I have?

  • Multiple dashboards already created.
  • More than 200 correlation rules created and available to use on the Correlation Engine.
  • Multiple reports already created, ready to use or you can edit them.
Disclosure: My company has a business relationship with this vendor other than being a customer. We're partners.
it_user182445 - PeerSpot reviewer
ICT Security Officer at a healthcare company with 1,001-5,000 employees
Vendor
We now have a better view of our security posture from an external and internal point of view. The reporting could use some improvement.

What is most valuable?

Dashboards, which can be customized to display alerts and queries, and rules, which trigger alerts, are the most valuable features for us.

How has it helped my organization?

We now have a better view of our security posture from an external and internal point of view. We are able to do forensic investigations and stop attacks before they occur.

What needs improvement?

The reporting could use some improvement. Also, while the dashboard can be customized to an extent, I'd like to have the ability to do even more customization.

For how long have I used the solution?

We've used it for two years.

What was my experience with deployment of the solution?

We've had no deployment issues.

What do I think about the stability of the solution?

There have been no issues with the stability.

What do I think about the scalability of the solution?

Scaling it has been fine. We've had no issues with an inability to scale.

How are customer service and technical support?

In our experience, technical support has been good.

Which solution did I use previously and why did I switch?

  • QRadar
  • RSA enVision

How was the initial setup?

Deployment of any of these products is easy. What becomes a daunting task is the creation of use cases and also ensuring that alerts are accurate.

What about the implementation team?

We used an in-house team with a vendor in-office assistant.

What was our ROI?

Executives don’t see ROI on this solution as the reports are not meant for C-levels.

What other advice do I have?

Make sure you know exactly why you are implementing it and what you are going to monitor. Also, ensure that you have all your use cases way before venturing into buying a solution of this nature.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Manager of System Security at a tech services company with 10,001+ employees
Consultant
The visualization clearly articulates the current and past state of network traffic and correlation rule hits. The API still needs to develop some maturity.

What is most valuable?

The Dashboard Views are the most valuable feature since it visualizes network and security-related use cases we develop. This visualization clearly articulates the current and past state of network traffic and correlation rule hits.

I also value the ability to integrate with third-party threat feeds, including McAfee’s feed, in order to sift through the data to find any anomalies. Through this process, we have further hardened the network security and perimeter security of our clients.

How has it helped my organization?

The best way to describe the improvement is within the following areas:

  1. Network Operations. Without visibility of network related issues, we have discovered many routing issues and network noise that could have otherwise been left to consume capacity on our clients' networks. We have complete visibility of what has changed and who made changes to network related infrastructure.
  2. Security Operations. We have almost real-time visibility, and with the manner in which we configure alarms, including the processes that we have implemented, we can easily initiate the security incident handling procedures. The threat feeds add a load of value in terms of investigations and through that procedure, we can quite easily remedy web filtering, endpoints, and perimeter firewalls.

A specific note on Botnets and Beaconing -- using watchlist for malicious IP addresses, it doesn’t take us long to block communication and clean endpoints.

What needs improvement?

The API the product provides still needs to develop some maturity. There is not a lot of documentation available on it. My recommendation for improvement is that the API is developed in such a way to make it more useable for different implementations. I would also recommend looking at advanced views to quickly make visible lateral movements, data staging, and data exfiltration.

For how long have I used the solution?

I've been using it for three years as a managed security services provider.

What was my experience with deployment of the solution?

We have had no issues with the deployment.

What do I think about the stability of the solution?

There have been no issues with the stability.

What do I think about the scalability of the solution?

We once processed so many logs that we almost ran out of hard drive space. However, all our clients' implementations are running smoothly and their health status remains green. My view is that the technology is mature in terms of its design and the manner in which it processes logs. It is easy to configure and easy to use.

How are customer service and technical support?

Very good. We are a Global Intel Security Partner and we seldom have any support issues. The technical engineers from Intel Security are very helpful. There is so much technical documentation available in the community pages that when I started out, it really didn’t take me long to configure my first few dashboards.

Which solution did I use previously and why did I switch?

I have used other products before. Having been an endpoint engineer before, there was this feeling of familiarity when I started out using Enterprise Security Manager. The flow for me was the same as with ePO.

How was the initial setup?

I remember the first client I on-boarded and it was pretty straightforward adding data sources. In less than a minute, I could see the events populating on the screen. We developed a custom taxonomy of attacks and related the signature IDs to our own custom taxonomy. We were logging incidents to our helpdesk within the first month to remediate.

The lesson learned from other implementations is that you need to have a plan before you just add data sources. There must be an intent and purpose with each data source that you want to add to ESM. Otherwise, you are just collecting events for the purpose of collection.

What about the implementation team?

We implemented it ourselves. The technology is really easy to install, but you need to be cognizant of the events-per-second and be really critical around the type of events that you forward to the ESM appliance, ensure they are useful. From the second implementation, we followed advice by SANS, and now use a “use case” (events of interest) driven approach.

What was our ROI?

You will definitely get a return on your investment if you develop the correct security management metrics and have decent operational procedures in place to take action on events in ESM. MSSP clients normally get bang for their buck.

What other advice do I have?

There is an API available on ESM, which you can use to automate certain tasks to a point. Use the API to pump data into your data warehouse, which you can then start utilizing for data analysis purposes. You can develop your own baselines for user and asset behavior, and start looking at threat-hunting exercises. For the configuration of variables and custom rules, you need to know what you are doing because otherwise you can end up generating more events and useless events.

Disclosure: My company has a business relationship with this vendor other than being a customer. We are a preferred global partner of Intel Security.
PeerSpot user
Systems-Engineer at a tech services company with 10,001+ employees
Real User
I like the vendor support from McAfee and the overall architecture looks simple. The version I worked on had a bug in the alarm system.

Valuable Features

This is the first SIEM product that I have used. My impressions so far are that I like the vendor support from McAfee and the overall architecture looks simple.

Improvements to My Organization

I helped a client of ours implement and deploy it.

Room for Improvement

The product documentation is good, but could be better. Also a bug-free version would be nice as the version I worked on had a bug in the alarm system.

Use of Solution

I've used it for five months.

Deployment Issues

We had bug alarm issues during deployment. The bug, I think, was part of the product.

Stability Issues

We had no issues with the stability.

Scalability Issues

We have had no issues scaling it for our needs.

Customer Service and Technical Support

Customer Service:

Customer service is very good.

Technical Support:

Technical support is very good.

Initial Setup

The initial setup was straightforward.

Implementation Team

You will have a better implementation if you get support from the vendor.

Pricing, Setup Cost and Licensing

Overall, it was expensive, as it has split components.

Other Solutions Considered

We have now started using ArcSight as well. I don't have much experience with it, but the overall architecture looks similar to McAfee.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.