Trellix ESM Reviews

Trellix ESM is very user-friendly.

Trellix's resource consumption is too high, and it could be lower. It would be nice if Trellix could reduce the requirements for RAM and storage.

Product-wise, adding accounts on a single data source by batch would be a really great help. Then for the support, it would be a lot better if customer support from Trellix would reach out to us as partners.

I have been testing Trellix ESM for a few months.

Trellix ESM is easy to implement. In addition, it would be better if I had enough hardware resources to run or implement it.

I am working with the free trial version of Trellix ESM. I am very satisfied with Trellix ESM. There are minor additional features that we need to add to it, but for now, I'm very satisfied with it.

I would advise users to learn NQL so that they can understand how the data goes from raw data to normalized data and how to create their custom rules.

Overall, I rate Trellix ESM an eight out of ten.

We are using this solution primarily for SIEM logs.

The ease of use is the most valuable feature. Over the years I have always been using this solution and have become comfortable with it.

I have been using this solution for approximately six years.

The stability of this solution has been good.

We have never had an issue with the scalability of this solution.

The technical support could improve from McAfee.

The initial setup is difficult and could improve. 

We have four engineers that do the maintenance for this solution.

My advice to those wanting to implement this solution is to do a lot of training. I think every solution is complex until you are trained in it. It is best to have some sort of previous training before you start using it.

I rate McAfee ESM a five out of ten.

We implement it in our hospital applications.

It has been very helpful to our company. It enables us to detect malicious threats, issues, or vulnerabilities in our network.

We acquired the IBM product because McAfee is slightly confusing to use, and it's broader.

I have used McAfee ESM for three years.

We are using Version 11.

It's scalable, and we can implement our network use cases.

We have five users in our organization.

The technical support is fast and they have been helpful in resolving our issues.

Previously, I did not use another solution. McAfee ESM is the only solution I know.

I was not a part of the installation. It was installed before I joined the company.

We had help from the McAfee teams in Singapore and India. We also had some help from Trend Micro and one colleague from our company.

We renew our license annually.

We have just acquired IBM QRadar. It is still in the implementation process. We have not used it.

Last January, our Adobe has come to its end of life, and we can not use it anymore.

I can recommend this solution. 

I would rate McAfee ESM a seven out of ten.

We are a service provider and we implement it for our customers, as well as use it internally.

This is a SIEM product that makes up part of our overall security solution.

Compared to other solutions, the user interface is good.

The correlations that it discovers are helpful.

The reporting is good.

The only drawback is that they don't have any packet capturing or network behavior analysis. Including network behavior analysis in the future would be a good addition.

The speed of technical support can be improved.

We have been using McAfee ESM for between five and six years.

We have had no issues with stability.

If we want to increase or expand then we just have to add devices, so it should not be a problem.

I would say that the technical support is not very prompt, but the end result is good. 

We also work with Splunk and we have experience with similar solutions such as IBM QRadar.

The initial setup is pretty much straightforward. We haven't had any problem.

The pricing is good, and they are competitive compared to providers such as RSA and IBM QRadar.

The suitability of McAfee ESM is based on the requirements. If a customer is specifically looking for log and event analysis, with the correlations, then this solution is a good choice. If instead, they are looking for network behavior analytics then they should consider IBM QRader or something else.

I would rate this solution an eight out of ten.

We use this solution to monitor everything in our hybrid-cloud environment. This includes IoT devices and a couple of data centers.

We are now able to completely monitor our environment so we can review what is there, which is a big win for us. This solution helps with the maturity of our environment.

Using the out-of-the-box rules has made our work more relaxing.

There are more than two hundred out-of-the-box rules.

We have been using the advanced correlation agent.

Technical support for this product could be improved.

I would like to see improvements to the user interface.

It would be helpful to have a diagram in the interface that shows the actions.

This is a very stable solution, although there are some bugs in the GUI.

This solution is very scalable from my perspective. We have around twenty-five users. We have level one users, which are operation analysts. We also have level two users, who take care of daily operations. Level two includes, for example, handling the rules on the creation of users. Everything is segregated. We also have a second engineer.  

We have had issues where we had to contact technical support. While they answered ok, the timing may have been a little slow.

We used another solution prior to this one.

The initial setup of this solution was very clear. We followed the instructions on the web page, and there were no problems. The deployment was really quick and completed within a couple of hours.

We performed the implementation ourselves.

We pay for our licensing fees on a yearly basis, and there are no costs in addition to the standard licensing fees.

We evaluated several other options before choosing this one, including Elasticsearch.

I recommend trying this product. This is a quality solution at a fair price.

I would rate this solution an eight out of ten.

I work with an integration company and implement tools such as McAfee ESM.

We are an MSSP for a lot of clients. We gather their logs, correlate them, create rules, and assume the role of their SOC. We have skilled operators 24/7 who take care of these clients.

The most valuable feature is the correlation rules.

This product is easy to use.

There should be support for multitenancy in the product. Because they don't have it, I think it is the biggest improvement that the vendor could make.

I have been working with McAfee ESM for approximately eight years.

This is a very scalable product.

In the on-premises deployment, we have large enterprise clients. For cloud-based deployment, our clients are small to medium-sized companies.

Although I am satisified with the technical support, there is room for improvement. The support is not as good as it could be because McAfee has moved so many times.

The initial setup is straightforward and easy to do. The deployment is very fast.

In summary, this is a good product. We have all of the functionality but it needs support for multitenancy and better support.

I would rate this solution an eight out of ten.

The Dashboard Views are the most valuable feature since it visualizes network and security-related use cases we develop. This visualization clearly articulates the current and past state of network traffic and correlation rule hits.

I also value the ability to integrate with third-party threat feeds, including McAfee’s feed, in order to sift through the data to find any anomalies. Through this process, we have further hardened the network security and perimeter security of our clients.

The best way to describe the improvement is within the following areas:

1. Network Operations. Without visibility of network related issues, we have discovered many routing issues and network noise that could have otherwise been left to consume capacity on our clients networks. We have complete visibility of what has changed and who made changes to network related infrastructure.
2. Security Operations. We have almost real-time visibility, and with the manner in which we configure alarms, including the processes that we have implemented, we can easily initiate the security incident handling procedures. The threat feeds add a load of value in terms of investigations and through that procedure, we can quite easily remedy web filtering, endpoints, and perimeter firewalls.

A specific note on Botnets and Beaconing -- using watchlist for malicious IP addresses, it doesn’t take us long to block communication and clean endpoints.

The API the product provides still needs to develop some maturity. There is not a lot of documentation available on it. My recommendation for improvement is that the API is developed in such a way to make it more useable for different implementations. I would also recommend looking at advanced views to quickly make visible lateral movements, data staging, and data exfiltration.

I've been using it for three years as a managed security services provider.

We have had no issues with the deployment.

There have been no issues with the stability.

We once processed so many logs that we almost ran out of hard drive space. However, all our clients implementations are running smoothly and their health status remain green. My view is that the technology is mature in terms of its design and the manner in which it processes logs. It is easy to configure and easy to use.

Very good. We are a Global Intel Security Partner and we seldom have any support issues. The technical engineers from Intel Security are very helpful. There is so much technical documentation available in the community pages that when I started out, it really didn’t take me long to configure my first few dashboards.

I have used other products before. Having been an endpoint engineer before, there was this feeling of familiarity when I started out using Enterprise Security Manager. The flow for me was the same as with ePO.

I remember the first client I on-boarded and it was pretty straightforward adding data sources. In less than a minute, I could see the events populating on the screen. We developed a custom taxonomy of attacks and related the signature IDs to our own custom taxonomy. We were logging incidents to our helpdesk within the first month to remediate.

The lessons learned from other implementations is that you need to have a plan before you just add data sources. There must be an intent and purpose with each data source that you want to add to ESM. Otherwise, you are just collecting events for the purpose of collection.

We implemented it ourselves. The technology is really easy to install, but you need to be cognizant of the events-per-second and be really critical around the type of events that you forward to the ESM appliance, ensure they are useful. From the second implementation, we followed advise by SANS, and now use a “use case” (events of interest) driven approach.

You will definitely get a return on your investment if you develop the correct security management metrics and have decent operational procedures in place to take action on events in ESM. MSSP clients normally get bang for their buck.

There is an API available on ESM, which you can use to automate certain tasks to a point. Use the API to pump data into your data warehouse, which you can then start utilizing for data analysis purposes. You can develop your own baselines for user and asset behavior, and start looking at threat-hunting exercises. For the configuration of variables and custom rules, you need to know what you are doing because otherwise you can end up generating more events and useless events.

Dashboards, which can be customized to display alerts and queries, and rules, which trigger alerts, are the most valuable features for us.

We now have a better view of our security posture from an external and internal point of view. We are able to do forensic investigations and stop attacks before they occur.

The reporting could use some improvement. Also, while the dashboard can be customized to an extent, I'd like to have the ability to do even more customization.

We've used it for two years.

We've had no deployment issues.

There have been no issues with the stability.

Scaling it has been fine. We've had no issues with an inability to scale.

In our experience, technical support has been good.

• QRadar
• RSA enVision

Deployment of any of these products is easy. What becomes a daunting task is the creation of use cases and also ensuring that alerts are accurate.

We used an in-house team with a vendor in-office assistant.

Executives don’t see ROI on this solution as the reports are not meant for C-levels.

Make sure you know exactly why you are implementing it and what you are going to monitor. Also, ensure that you have all your use cases way before venturing into buying a solution of this nature.