We are using this solution primarily for SIEM logs.
Technical Support Engineer at a comms service provider with 10,001+ employees
Poor technical support, difficult to install, but easy to use
Pros and Cons
- "The ease of use is the most valuable feature. Over the years I have always been using this solution and have become comfortable with it."
- "The initial setup is difficult and could improve."
What is our primary use case?
What is most valuable?
The ease of use is the most valuable feature. Over the years I have always been using this solution and have become comfortable with it.
For how long have I used the solution?
I have been using this solution for approximately six years.
What do I think about the stability of the solution?
The stability of this solution has been good.
Buyer's Guide
Trellix ESM
November 2024
Learn what your peers think about Trellix ESM. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
824,067 professionals have used our research since 2012.
What do I think about the scalability of the solution?
We have never had an issue with the scalability of this solution.
How are customer service and support?
The technical support could improve from McAfee.
How was the initial setup?
The initial setup is difficult and could improve.
We have four engineers that do the maintenance for this solution.
What other advice do I have?
My advice to those wanting to implement this solution is to do a lot of training. I think every solution is complex until you are trained in it. It is best to have some sort of previous training before you start using it.
I rate McAfee ESM a five out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information Security Officer at a healthcare company with 1,001-5,000 employees
Good threat protection and fast support, but it's complex to use
Pros and Cons
- "It enables us to detect malicious threats, issues, or vulnerabilities in our network."
- "We acquired the IBM product because McAfee is slightly confusing to use, and it's broader."
What is our primary use case?
We implement it in our hospital applications.
How has it helped my organization?
It has been very helpful to our company. It enables us to detect malicious threats, issues, or vulnerabilities in our network.
What needs improvement?
We acquired the IBM product because McAfee is slightly confusing to use, and it's broader.
For how long have I used the solution?
I have used McAfee ESM for three years.
We are using Version 11.
What do I think about the scalability of the solution?
It's scalable, and we can implement our network use cases.
We have five users in our organization.
How are customer service and technical support?
The technical support is fast and they have been helpful in resolving our issues.
Which solution did I use previously and why did I switch?
Previously, I did not use another solution. McAfee ESM is the only solution I know.
How was the initial setup?
I was not a part of the installation. It was installed before I joined the company.
What about the implementation team?
We had help from the McAfee teams in Singapore and India. We also had some help from Trend Micro and one colleague from our company.
What's my experience with pricing, setup cost, and licensing?
We renew our license annually.
What other advice do I have?
We have just acquired IBM QRadar. It is still in the implementation process. We have not used it.
Last January, our Adobe has come to its end of life, and we can not use it anymore.
I can recommend this solution.
I would rate McAfee ESM a seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Trellix ESM
November 2024
Learn what your peers think about Trellix ESM. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
824,067 professionals have used our research since 2012.
Information Security Engineer at a financial services firm with 51-200 employees
Good reporting, correlation capability, and user interface
Pros and Cons
- "Compared to other solutions, the user interface is good."
- "The only drawback is that they don't have any packet capturing or network behavior analysis."
What is our primary use case?
We are a service provider and we implement it for our customers, as well as use it internally.
This is a SIEM product that makes up part of our overall security solution.
What is most valuable?
Compared to other solutions, the user interface is good.
The correlations that it discovers are helpful.
The reporting is good.
What needs improvement?
The only drawback is that they don't have any packet capturing or network behavior analysis. Including network behavior analysis in the future would be a good addition.
The speed of technical support can be improved.
For how long have I used the solution?
We have been using McAfee ESM for between five and six years.
What do I think about the stability of the solution?
We have had no issues with stability.
What do I think about the scalability of the solution?
If we want to increase or expand then we just have to add devices, so it should not be a problem.
How are customer service and technical support?
I would say that the technical support is not very prompt, but the end result is good.
Which solution did I use previously and why did I switch?
We also work with Splunk and we have experience with similar solutions such as IBM QRadar.
How was the initial setup?
The initial setup is pretty much straightforward. We haven't had any problem.
What's my experience with pricing, setup cost, and licensing?
The pricing is good, and they are competitive compared to providers such as RSA and IBM QRadar.
What other advice do I have?
The suitability of McAfee ESM is based on the requirements. If a customer is specifically looking for log and event analysis, with the correlations, then this solution is a good choice. If instead, they are looking for network behavior analytics then they should consider IBM QRader or something else.
I would rate this solution an eight out of ten.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: partner
IT Consultant and Project Manager at a government with 1-10 employees
Out-of-the-box rules are helpful in monitoring our hybrid-cloud environment
Pros and Cons
- "We are now able to completely monitor our environment so we can review what is there, which is a big win for us."
- "I would like to see improvements to the user interface."
What is our primary use case?
We use this solution to monitor everything in our hybrid-cloud environment. This includes IoT devices and a couple of data centers.
How has it helped my organization?
We are now able to completely monitor our environment so we can review what is there, which is a big win for us. This solution helps with the maturity of our environment.
Using the out-of-the-box rules has made our work more relaxing.
What is most valuable?
There are more than two hundred out-of-the-box rules.
We have been using the advanced correlation agent.
What needs improvement?
Technical support for this product could be improved.
I would like to see improvements to the user interface.
It would be helpful to have a diagram in the interface that shows the actions.
For how long have I used the solution?
We have been using this solution for two years.
What do I think about the stability of the solution?
This is a very stable solution, although there are some bugs in the GUI.
What do I think about the scalability of the solution?
This solution is very scalable from my perspective. We have around twenty-five users. We have level one users, which are operation analysts. We also have level two users, who take care of daily operations. Level two includes, for example, handling the rules on the creation of users. Everything is segregated. We also have a second engineer.
How are customer service and technical support?
We have had issues where we had to contact technical support. While they answered ok, the timing may have been a little slow.
Which solution did I use previously and why did I switch?
We used another solution prior to this one.
How was the initial setup?
The initial setup of this solution was very clear. We followed the instructions on the web page, and there were no problems. The deployment was really quick and completed within a couple of hours.
What about the implementation team?
We performed the implementation ourselves.
What's my experience with pricing, setup cost, and licensing?
We pay for our licensing fees on a yearly basis, and there are no costs in addition to the standard licensing fees.
Which other solutions did I evaluate?
We evaluated several other options before choosing this one, including Elasticsearch.
What other advice do I have?
I recommend trying this product. This is a quality solution at a fair price.
I would rate this solution an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
VP Cyber Security & IT at a computer software company with 1,001-5,000 employees
Easy and fast to deploy, good correlation rules, and scales well
Pros and Cons
- "The most valuable feature is the correlation rules."
- "There should be support for multitenancy in the product."
What is our primary use case?
I work with an integration company and implement tools such as McAfee ESM.
We are an MSSP for a lot of clients. We gather their logs, correlate them, create rules, and assume the role of their SOC. We have skilled operators 24/7 who take care of these clients.
What is most valuable?
The most valuable feature is the correlation rules.
This product is easy to use.
What needs improvement?
There should be support for multitenancy in the product. Because they don't have it, I think it is the biggest improvement that the vendor could make.
For how long have I used the solution?
I have been working with McAfee ESM for approximately eight years.
What do I think about the scalability of the solution?
This is a very scalable product.
In the on-premises deployment, we have large enterprise clients. For cloud-based deployment, our clients are small to medium-sized companies.
How are customer service and technical support?
Although I am satisified with the technical support, there is room for improvement. The support is not as good as it could be because McAfee has moved so many times.
What's my experience with pricing, setup cost, and licensing?
The initial setup is straightforward and easy to do. The deployment is very fast.
What other advice do I have?
In summary, this is a good product. We have all of the functionality but it needs support for multitenancy and better support.
I would rate this solution an eight out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Integrator
Manager of System Security at a tech services company with 10,001+ employees
The visualization clearly articulates the current and past state of network traffic and correlation rule hits. The API still needs to develop some maturity.
What is most valuable?
The Dashboard Views are the most valuable feature since it visualizes network and security-related use cases we develop. This visualization clearly articulates the current and past state of network traffic and correlation rule hits.
I also value the ability to integrate with third-party threat feeds, including McAfee’s feed, in order to sift through the data to find any anomalies. Through this process, we have further hardened the network security and perimeter security of our clients.
How has it helped my organization?
The best way to describe the improvement is within the following areas:
- Network Operations. Without visibility of network related issues, we have discovered many routing issues and network noise that could have otherwise been left to consume capacity on our clients networks. We have complete visibility of what has changed and who made changes to network related infrastructure.
- Security Operations. We have almost real-time visibility, and with the manner in which we configure alarms, including the processes that we have implemented, we can easily initiate the security incident handling procedures. The threat feeds add a load of value in terms of investigations and through that procedure, we can quite easily remedy web filtering, endpoints, and perimeter firewalls.
A specific note on Botnets and Beaconing -- using watchlist for malicious IP addresses, it doesn’t take us long to block communication and clean endpoints.
What needs improvement?
The API the product provides still needs to develop some maturity. There is not a lot of documentation available on it. My recommendation for improvement is that the API is developed in such a way to make it more useable for different implementations. I would also recommend looking at advanced views to quickly make visible lateral movements, data staging, and data exfiltration.
For how long have I used the solution?
I've been using it for three years as a managed security services provider.
What was my experience with deployment of the solution?
We have had no issues with the deployment.
What do I think about the stability of the solution?
There have been no issues with the stability.
What do I think about the scalability of the solution?
We once processed so many logs that we almost ran out of hard drive space. However, all our clients implementations are running smoothly and their health status remain green. My view is that the technology is mature in terms of its design and the manner in which it processes logs. It is easy to configure and easy to use.
How are customer service and technical support?
Very good. We are a Global Intel Security Partner and we seldom have any support issues. The technical engineers from Intel Security are very helpful. There is so much technical documentation available in the community pages that when I started out, it really didn’t take me long to configure my first few dashboards.
Which solution did I use previously and why did I switch?
I have used other products before. Having been an endpoint engineer before, there was this feeling of familiarity when I started out using Enterprise Security Manager. The flow for me was the same as with ePO.
How was the initial setup?
I remember the first client I on-boarded and it was pretty straightforward adding data sources. In less than a minute, I could see the events populating on the screen. We developed a custom taxonomy of attacks and related the signature IDs to our own custom taxonomy. We were logging incidents to our helpdesk within the first month to remediate.
The lessons learned from other implementations is that you need to have a plan before you just add data sources. There must be an intent and purpose with each data source that you want to add to ESM. Otherwise, you are just collecting events for the purpose of collection.
What about the implementation team?
We implemented it ourselves. The technology is really easy to install, but you need to be cognizant of the events-per-second and be really critical around the type of events that you forward to the ESM appliance, ensure they are useful. From the second implementation, we followed advise by SANS, and now use a “use case” (events of interest) driven approach.
What was our ROI?
You will definitely get a return on your investment if you develop the correct security management metrics and have decent operational procedures in place to take action on events in ESM. MSSP clients normally get bang for their buck.
What other advice do I have?
There is an API available on ESM, which you can use to automate certain tasks to a point. Use the API to pump data into your data warehouse, which you can then start utilizing for data analysis purposes. You can develop your own baselines for user and asset behavior, and start looking at threat-hunting exercises. For the configuration of variables and custom rules, you need to know what you are doing because otherwise you can end up generating more events and useless events.
Disclosure: My company has a business relationship with this vendor other than being a customer: We are a preferred global partner of Intel Security.
ICT Security Officer at a healthcare company with 1,001-5,000 employees
We now have a better view of our security posture from an external and internal point of view. The reporting could use some improvement.
What is most valuable?
Dashboards, which can be customized to display alerts and queries, and rules, which trigger alerts, are the most valuable features for us.
How has it helped my organization?
We now have a better view of our security posture from an external and internal point of view. We are able to do forensic investigations and stop attacks before they occur.
What needs improvement?
The reporting could use some improvement. Also, while the dashboard can be customized to an extent, I'd like to have the ability to do even more customization.
For how long have I used the solution?
We've used it for two years.
What was my experience with deployment of the solution?
We've had no deployment issues.
What do I think about the stability of the solution?
There have been no issues with the stability.
What do I think about the scalability of the solution?
Scaling it has been fine. We've had no issues with an inability to scale.
How are customer service and technical support?
In our experience, technical support has been good.
Which solution did I use previously and why did I switch?
- QRadar
- RSA enVision
How was the initial setup?
Deployment of any of these products is easy. What becomes a daunting task is the creation of use cases and also ensuring that alerts are accurate.
What about the implementation team?
We used an in-house team with a vendor in-office assistant.
What was our ROI?
Executives don’t see ROI on this solution as the reports are not meant for C-levels.
What other advice do I have?
Make sure you know exactly why you are implementing it and what you are going to monitor. Also, ensure that you have all your use cases way before venturing into buying a solution of this nature.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Systems-Engineer at a tech services company with 10,001+ employees
I like the vendor support from McAfee and the overall architecture looks simple. The version I worked on had a bug in the alarm system.
Valuable Features
This is the first SIEM product that I have used. My impressions so far are that I like the vendor support from McAfee and the overall architecture looks simple.
Improvements to My Organization
I helped a client of ours implement and deploy it.
Room for Improvement
The product documentation is good, but could be better. Also a bug-free version would be nice as the version I worked on had a bug in the alarm system.
Use of Solution
I've used it for five months.
Deployment Issues
We had bug alarm issues during deployment. The bug, I think, was part of the product.
Stability Issues
We had no issues with the stability.
Scalability Issues
We have had no issues scaling it for our needs.
Customer Service and Technical Support
Customer Service:
Customer service is very good.
Technical Support:Technical support is very good.
Initial Setup
The initial setup was straightforward.
Implementation Team
You will have a better implementation if you get support from the vendor.
Pricing, Setup Cost and Licensing
Overall, it was expensive, as it has split components.
Other Solutions Considered
We have now started using ArcSigh as well. I don't have much experienced with it, but the overall architecture looks similar to McAfee.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free Trellix ESM Report and get advice and tips from experienced pros
sharing their opinions.
Updated: November 2024
Product Categories
Security Information and Event Management (SIEM)Popular Comparisons
Splunk Enterprise Security
Microsoft Sentinel
IBM Security QRadar
Elastic Security
LogRhythm SIEM
Rapid7 InsightIDR
Fortinet FortiSIEM
Securonix Next-Gen SIEM
Exabeam
USM Anywhere
ManageEngine EventLog Analyzer
ArcSight Enterprise Security Manager (ESM)
SolarWinds Security Event Manager
Trellix Helix
RSA enVision
Buyer's Guide
Download our free Trellix ESM Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- Has anyone got experience in deployment of a SIEM solution?
- IBM QRadar is rated above competitors (McAfee, Splunk, LogRhythm) in Gartner's 2020 Magic Quandrant. Agree/Disagree?
- What Solution for SIEM is Best To Be NIST 800-171 Compliant?
- When evaluating Security Information and Event Management (SIEM), what aspect do you think is the most important feature to look for?
- What are the main differences between Nessus and Arcsight?
- Which is the best SIEM solution for a government organization?
- What is the difference between IT event correlation and aggregation?
- What Is SIEM Used For?
- What Questions Should I Ask Before Buying SIEM?
- RSA-EMC vs. other SIEM products?