Technical Support Engineer at a comms service provider with 10,001+ employees
Poor technical support, difficult to install, but easy to use
Pros and Cons
- "The ease of use is the most valuable feature. Over the years I have always been using this solution and have become comfortable with it."
- "The initial setup is difficult and could improve."
What is our primary use case?
We are using this solution primarily for SIEM logs.
What is most valuable?
The ease of use is the most valuable feature. Over the years I have always been using this solution and have become comfortable with it.
For how long have I used the solution?
I have been using this solution for approximately six years.
What do I think about the stability of the solution?
The stability of this solution has been good.
Buyer's Guide
Trellix ESM
December 2024
Learn what your peers think about Trellix ESM. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
831,265 professionals have used our research since 2012.
What do I think about the scalability of the solution?
We have never had an issue with the scalability of this solution.
How are customer service and support?
McAfee's technical support could improve.
How was the initial setup?
The initial setup is difficult and could improve.
We have four engineers that do the maintenance for this solution.
What other advice do I have?
My advice to those wanting to implement this solution is to do a lot of training. I think every solution is complex until you are trained in it. It is best to have some sort of previous training before you start using it.
I rate McAfee ESM a five out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information Security Officer at a healthcare company with 1,001-5,000 employees
Good threat protection and fast support, but it's complex to use
Pros and Cons
- "It enables us to detect malicious threats, issues, or vulnerabilities in our network."
- "We acquired the IBM product because McAfee is slightly confusing to use, and it's broader."
What is our primary use case?
We implement it in our hospital applications.
How has it helped my organization?
It has been very helpful to our company. It enables us to detect malicious threats, issues, or vulnerabilities in our network.
What needs improvement?
We acquired the IBM product because McAfee is slightly confusing to use, and it's broader.
For how long have I used the solution?
I have used McAfee ESM for three years.
We are using Version 11.
What do I think about the scalability of the solution?
It's scalable, and we can implement our network use cases.
We have five users in our organization.
How are customer service and technical support?
The technical support is fast and they have been helpful in resolving our issues.
Which solution did I use previously and why did I switch?
Previously, I did not use another solution. McAfee ESM is the only solution I know.
How was the initial setup?
I was not a part of the installation. It was installed before I joined the company.
What about the implementation team?
We had help from the McAfee teams in Singapore and India. We also had some help from Trend Micro and one colleague from our company.
What's my experience with pricing, setup cost, and licensing?
We renew our license annually.
What other advice do I have?
We have just acquired IBM QRadar. It is still in the implementation process. We have not used it.
Last January, our Adobe reached its end of life, and we cannot use it anymore.
I can recommend this solution.
I would rate McAfee ESM a seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Manager, Enterprise Risk Consulting at a tech company with 1,001-5,000 employees
One of the biggest strengths of Nitro is the underlying database but stability has been a problem.
At Infosecnirvana, we have quite a number of posts dedicated to SIEM. We have done a detailed comparison of SIEM products in a post titled SIEM Comparison, along with providing a detailed checklist for SIEM evaluation. We have also posted about SIEM products from time to time, as reflected by our posts on IBM QRadar and ArcSight. Following up on those posts, this blog is our take on McAfee Nitro SIEM. So let's get started.
Introduction:
McAfee in 2011 purchased Nitro Security to enter the SIEM space and was subsequently taken up by Intel. This period of 2011 actually saw a few things happen in the SIEM market space, including HP buying ArcSight, IBM buying QRadar and McAfee buying Nitro, etc. Each of those SIEM products has taken a different route over the last 3 years. Nitro Security was one of those niche players in the market which had an IPS portfolio as well as a SIEM portfolio, remnants of which still linger in the overall McAfee ESM product suite. The McAfee ESM product suite is basically a combination of a few components like:
- ESM - Enterprise Security Management, which serves as the Management Interface for all SIEM components, Reporting engine capable of generating compliance and policy reports.
- ACE - Advanced Correlation Engine, which is, interestingly, a dedicated engine to perform Risk Based (rules based) Correlation, Historical Correlation, Asset Based Risk Scoring and Custom risk scoring based on combinations of fields.
- DBM - Database Monitor. One of the products McAfee has as a standalone for Database Log Generation, Session Auditing etc. is called the DBM. This is a Database IPS kinda product that monitors network traffic via SPAN, port mirror or taps and does not create any impact on the database. So for all the legacy databases that don't have an Audit trail enabled or where the auditing is not detailed enough, DBM is the perfect fit. Apart from monitoring the audit trail of all transactions from login to log-off, including all session queries and commands, it also provides Auto discovery of database instances, including unauthorized or rogue databases. The DBM comes in both a network sensor as well as a host agent footprint.
- ADM - Application Data Monitor. This is again an Application IPS kinda product capable of performing Layer 7 Protocol detection, Full meta-data collection and traffic monitoring via SPAN, port mirror or taps. Full session data capture and visibility into all application traffic is also provided by this sensor, along with Advanced Threat detection capabilities. Again, it can be deployed as a sensor or a host agent.
- ELM - Enterprise Log Manager. This is akin to any log management solution in SIEM and provides Log storage both Local and Network based.
- Receivers - These are nothing but Parsers, Netflow Collectors, VMWare Collectors and anything that is able to parse and normalize logs.
Strong points for Nitro SIEM:
After careful evaluation of Nitro SIEM, we would like to highlight these few points as the core Strength of Nitro SIEM:
- Architecture: One of the reasons for Nitro SIEM's popularity is the Architectural flexibility. As a Security administrator, you can pick and choose how you want to architect your solution. If you want to be as modular as possible, then all the above mentioned components can be deployed standalone and integrated using the ESM (Remember the EPO architecture for McAfee Endpoint solutions!!!). Say you prefer a smaller footprint, then you can build something called "Combo Boxes" which, as the name suggests, combines several components in a single box. This helps administrators starved of resources or budget to effectively deploy Nitro SIEM.
- Powerful Data Management: One of the biggest strengths of Nitro is the underlying Database – The SAGE DB aka NitroEDB (Nitro Embedded Database) developed by Idaho National labs (the founder of Nitro was a researcher there). NitroEDB is a relational database that supports huge volume, VLDB applications as well as extremely fast in-memory processing. This is the core reason why Nitro SIEM is able to have a High Ingest Rates and extremely fast query speed. This is a killer benefit compared to the other products like ArcSight with its below par implementation of MySQL and PostgreSQL and IBM QRadar with its proprietary EDB (updated based on comments from JC). Splunk is the closest in competition to Nitro with its GFS like implementation.
- High Ingest Rates: As mentioned above, NitroEDB enables the SIEM to have high event ingestion rates @ 300K EPS. We don't think any SIEM in the market today scales up to this number. ArcSight SIEM is the closest with a 100K maximum with its Logger platform, and a pure play Syslog-NG server can do 300K EPS.
- Network Based Threat Detection: As with QRadar Intelligence Platform, the Nitro platform also uses Network Packet Analysis for DBM and ADM (as mentioned in the components) to perform Database monitoring and Application monitoring. Both QRadar and Nitro are comparable in the Application monitoring space but when it comes to Database Monitoring, Nitro wins it hands down. ArcSight and the others are poor in this space, something they will have to start looking at.
- Database Monitoring: As mentioned above, the DBM is the stand out as it provides excellent auditing capabilities for DB auditing and log collection. This is irrespective of DB version, OS, Auditing capability etc. The monitoring can be done off-box using a sensor in the network or using an agent. Again, this is one of the differentiators compared to ArcSight or QRadar, as both of them rely only on JDBC connectivity to pull audit logs (provided Auditing is enabled on the DB).
- Historical Correlation: Nitro has the ability to perform historical correlation better than the others in the market. One of the reasons for that is the capability to run complex queries and computations (for risk score correlation) against a large data set. This is primarily attributed to the NitroEDB as mentioned above which is really powerful in terms of query performance. QRadar and ArcSight are not as good at historical correlation and pale in comparison with NitroEDB performance for historical queries. Splunk is better at historical queries, but correlation is not as mature in Splunk as the others.
- SCADA Device Support: Apart from ArcSight, arguably the only other product in today’s market that has extensive support for SCADA is Nitro SIEM. This is definitely useful in penetrating the Utilities industry, Manufacturing industry etc. and is one of the key differentiators compared to the others.
Weak points for Nitro SIEM:
- Stability: In our testing and real-life deployments, one of the recurring problems we have faced with Nitro SIEM is stability. It is rare to have all the components working without issues at any given point in time. One of the reasons for this we think is the integration tier that has to interact with the various components to perform Security monitoring. There are just too many points of failure and troubleshooting is a nightmare. This is essential in organizations where in-house monitoring is performed. In case of outsourcing, even though this is still an issue, the risk is transferred to the outsourced vendor. Hopefully, McAfee realizes this and fixes these teething issues of stability in future releases.
- Correlation: Even though Risk based correlation is a great value add in Nitro, the overall capabilities fall short when compared with the others in the market. We might be a bit biased with this piece as we always compare Correlation capabilities of any SIEM tools we evaluate against HP ArcSight. In our opinion, ArcSight Correlation is by far the best in the industry and no product can match it in terms of flexibility, power of customization and advanced computing. That said, Nitro does compete hard and we would definitely be keen to see them take the Risk/Rules based correlation to the next level.
- Event Parsing & Custom Event Support: Even though the support for Events generated by Third Party vendors is excellent, we feel that more devices and vendors can be supported, as ArcSight does. However, custom parsers or receivers are not as intuitive to create in Nitro SIEM as with QRadar. Nitro is not as good as the Super-Easy QRadar Custom Mapping feature or Splunk with its Field Extraction, where it's a breeze to develop any custom connector. Nitro thus has some room for improvement in this area.
- User Interface: Although the UI reminds you of all things McAfee (EPO, NSM etc), we feel that a flash driven UI is not the best for SIEM. This is not to take away anything from the capabilities of the product in terms of data presentation, but Flash driven UI proves to be a dampener on the overall experience. As a general opinion, we are keen to see anything other than a Java or Flash UI because we feel that both of them are the most vulnerable software out there and both are clunky when it comes to event analysis, visualization etc. This is where we feel QRadar has a refreshing interface. It does use Java for some parts of the console, but otherwise, the Browser console is so light and so simple that working with QRadar is a delight. Even Splunk has a wonderful UI and is really easy to use compared to ArcSight and Nitro which feel clunky and heavy.
Conclusion:
Overall, McAfee Nitro SIEM is a very good product that scales up against the Industry leaders, ArcSight and QRadar, toe to toe. However, as with all acquisitions, they have a few chinks to work out before they are truly ready to lead the pack. Gartner ratings, if they are anything to go by, consistently rate McAfee in the leaders quadrant, but they have been in the 3rd position for quite some time now. With HP ArcSight not doing anything new in the last two releases, QRadar is the only competitor to look to and emulate. Hope McAfee rises above the competition with a more stable and mature SIEM product, thereby shaking the Industry up.
So that’s it folks. Feel free to comment on what you feel about McAfee Nitro SIEM and what its benefits and weakness are.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information Security Engineer at a financial services firm with 51-200 employees
Good reporting, correlation capability, and user interface
Pros and Cons
- "Compared to other solutions, the user interface is good."
- "The only drawback is that they don't have any packet capturing or network behavior analysis."
What is our primary use case?
We are a service provider and we implement it for our customers, as well as use it internally.
This is a SIEM product that makes up part of our overall security solution.
What is most valuable?
Compared to other solutions, the user interface is good.
The correlations that it discovers are helpful.
The reporting is good.
What needs improvement?
The only drawback is that they don't have any packet capturing or network behavior analysis. Including network behavior analysis in the future would be a good addition.
The speed of technical support can be improved.
For how long have I used the solution?
We have been using McAfee ESM for between five and six years.
What do I think about the stability of the solution?
We have had no issues with stability.
What do I think about the scalability of the solution?
If we want to increase or expand then we just have to add devices, so it should not be a problem.
How are customer service and technical support?
I would say that the technical support is not very prompt, but the end result is good.
Which solution did I use previously and why did I switch?
We also work with Splunk and we have experience with similar solutions such as IBM QRadar.
How was the initial setup?
The initial setup is pretty much straightforward. We haven't had any problem.
What's my experience with pricing, setup cost, and licensing?
The pricing is good, and they are competitive compared to providers such as RSA and IBM QRadar.
What other advice do I have?
The suitability of McAfee ESM is based on the requirements. If a customer is specifically looking for log and event analysis, with the correlations, then this solution is a good choice. If instead they are looking for network behavior analytics, then they should consider IBM QRadar or something else.
I would rate this solution an eight out of ten.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: partner
IT Consultant and Project Manager at a government with 1-10 employees
Out-of-the-box rules are helpful in monitoring our hybrid-cloud environment
Pros and Cons
- "We are now able to completely monitor our environment so we can review what is there, which is a big win for us."
- "I would like to see improvements to the user interface."
What is our primary use case?
We use this solution to monitor everything in our hybrid-cloud environment. This includes IoT devices and a couple of data centers.
How has it helped my organization?
We are now able to completely monitor our environment so we can review what is there, which is a big win for us. This solution helps with the maturity of our environment.
Using the out-of-the-box rules has made our work more relaxing.
What is most valuable?
There are more than two hundred out-of-the-box rules.
We have been using the advanced correlation agent.
What needs improvement?
Technical support for this product could be improved.
I would like to see improvements to the user interface.
It would be helpful to have a diagram in the interface that shows the actions.
For how long have I used the solution?
We have been using this solution for two years.
What do I think about the stability of the solution?
This is a very stable solution, although there are some bugs in the GUI.
What do I think about the scalability of the solution?
This solution is very scalable from my perspective. We have around twenty-five users. We have level one users, which are operation analysts. We also have level two users, who take care of daily operations. Level two includes, for example, handling the rules on the creation of users. Everything is segregated. We also have a second engineer.
How are customer service and technical support?
We have had issues where we had to contact technical support. While they answered ok, the timing may have been a little slow.
Which solution did I use previously and why did I switch?
We used another solution prior to this one.
How was the initial setup?
The initial setup of this solution was very clear. We followed the instructions on the web page, and there were no problems. The deployment was really quick and completed within a couple of hours.
What about the implementation team?
We performed the implementation ourselves.
What's my experience with pricing, setup cost, and licensing?
We pay for our licensing fees on a yearly basis, and there are no costs in addition to the standard licensing fees.
Which other solutions did I evaluate?
We evaluated several other options before choosing this one, including Elasticsearch.
What other advice do I have?
I recommend trying this product. This is a quality solution at a fair price.
I would rate this solution an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information Technology Security Engineer at a tech consulting company with 1-10 employees
Comes with a confusing UI and pricing is expensive
Pros and Cons
- "I rate the tool's deployment an eight out of ten. The deployment is completed in two days."
- "The solution needs to improve case management. The UI is confusing."
What needs improvement?
The solution needs to improve case management. The UI is confusing.
What do I think about the stability of the solution?
I rate the product's stability a five out of ten. It gets worse each year.
What do I think about the scalability of the solution?
I rate Trellix ESM's scalability a seven out of ten.
How was the initial setup?
I rate the tool's deployment an eight out of ten. The deployment is completed in two days.
What's my experience with pricing, setup cost, and licensing?
Trellix ESM's price is high.
What other advice do I have?
I rate the product a seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer:
VP Cyber Security & IT at a computer software company with 1,001-5,000 employees
Easy and fast to deploy, good correlation rules, and scales well
Pros and Cons
- "The most valuable feature is the correlation rules."
- "There should be support for multitenancy in the product."
What is our primary use case?
I work with an integration company and implement tools such as McAfee ESM.
We are an MSSP for a lot of clients. We gather their logs, correlate them, create rules, and assume the role of their SOC. We have skilled operators 24/7 who take care of these clients.
What is most valuable?
The most valuable feature is the correlation rules.
This product is easy to use.
What needs improvement?
There should be support for multitenancy in the product. Because they don't have it, I think it is the biggest improvement that the vendor could make.
For how long have I used the solution?
I have been working with McAfee ESM for approximately eight years.
What do I think about the scalability of the solution?
This is a very scalable product.
In the on-premises deployment, we have large enterprise clients. For cloud-based deployment, our clients are small to medium-sized companies.
How are customer service and technical support?
Although I am satisfied with the technical support, there is room for improvement. The support is not as good as it could be because McAfee has moved so many times.
What's my experience with pricing, setup cost, and licensing?
The initial setup is straightforward and easy to do. The deployment is very fast.
What other advice do I have?
In summary, this is a good product. We have all of the functionality but it needs support for multitenancy and better support.
I would rate this solution an eight out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Integrator
Manager of System Security at a tech services company with 10,001+ employees
The visualization clearly articulates the current and past state of network traffic and correlation rule hits. The API still needs to develop some maturity.
What is most valuable?
The Dashboard Views are the most valuable feature since it visualizes network and security-related use cases we develop. This visualization clearly articulates the current and past state of network traffic and correlation rule hits.
I also value the ability to integrate with third-party threat feeds, including McAfee’s feed, in order to sift through the data to find any anomalies. Through this process, we have further hardened the network security and perimeter security of our clients.
How has it helped my organization?
The best way to describe the improvement is within the following areas:
- Network Operations. With visibility of network related issues, we have discovered many routing issues and network noise that could otherwise have been left to consume capacity on our clients' networks. We have complete visibility of what has changed and who made changes to network related infrastructure.
- Security Operations. We have almost real-time visibility, and with the manner in which we configure alarms, including the processes that we have implemented, we can easily initiate the security incident handling procedures. The threat feeds add a load of value in terms of investigations and through that procedure, we can quite easily remedy web filtering, endpoints, and perimeter firewalls.
A specific note on Botnets and Beaconing -- using watchlist for malicious IP addresses, it doesn’t take us long to block communication and clean endpoints.
What needs improvement?
The API the product provides still needs to develop some maturity. There is not a lot of documentation available on it. My recommendation for improvement is that the API is developed in such a way to make it more useable for different implementations. I would also recommend looking at advanced views to quickly make visible lateral movements, data staging, and data exfiltration.
For how long have I used the solution?
I've been using it for three years as a managed security services provider.
What was my experience with deployment of the solution?
We have had no issues with the deployment.
What do I think about the stability of the solution?
There have been no issues with the stability.
What do I think about the scalability of the solution?
We once processed so many logs that we almost ran out of hard drive space. However, all our clients' implementations are running smoothly and their health status remains green. My view is that the technology is mature in terms of its design and the manner in which it processes logs. It is easy to configure and easy to use.
How are customer service and technical support?
Very good. We are a Global Intel Security Partner and we seldom have any support issues. The technical engineers from Intel Security are very helpful. There is so much technical documentation available in the community pages that when I started out, it really didn’t take me long to configure my first few dashboards.
Which solution did I use previously and why did I switch?
I have used other products before. Having been an endpoint engineer before, there was this feeling of familiarity when I started out using Enterprise Security Manager. The flow for me was the same as with ePO.
How was the initial setup?
I remember the first client I on-boarded and it was pretty straightforward adding data sources. In less than a minute, I could see the events populating on the screen. We developed a custom taxonomy of attacks and related the signature IDs to our own custom taxonomy. We were logging incidents to our helpdesk within the first month to remediate.
The lesson learned from other implementations is that you need to have a plan before you just add data sources. There must be an intent and purpose with each data source that you want to add to ESM. Otherwise, you are just collecting events for the purpose of collection.
What about the implementation team?
We implemented it ourselves. The technology is really easy to install, but you need to be cognizant of the events-per-second and be really critical about the type of events that you forward to the ESM appliance, and ensure they are useful. From the second implementation, we followed advice by SANS, and now use a "use case" (events of interest) driven approach.
What was our ROI?
You will definitely get a return on your investment if you develop the correct security management metrics and have decent operational procedures in place to take action on events in ESM. MSSP clients normally get bang for their buck.
What other advice do I have?
There is an API available on ESM, which you can use to automate certain tasks to a point. Use the API to pump data into your data warehouse, which you can then start utilizing for data analysis purposes. You can develop your own baselines for user and asset behavior, and start looking at threat-hunting exercises. For the configuration of variables and custom rules, you need to know what you are doing because otherwise you can end up generating more events and useless events.
Disclosure: My company has a business relationship with this vendor other than being a customer: We are a preferred global partner of Intel Security.
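The review above describes two analyses its author runs on exported ESM data: matching traffic against a watchlist of malicious IP addresses to catch botnet beaconing, and building per-user baselines in a data warehouse for threat hunting. The following is an added example of both checks written by the editor; it is not code from the reviewer, from Trellix/McAfee, or from the ESM API. It assumes the events have already been exported (the export call itself is not shown) into plain dictionaries with `src_ip`, `dst_ip`, `user` and `ts` keys; the watchlist addresses, the event records and the daily-count history are all constructed sample data drawn from documentation (TEST-NET) ranges.

```python
"""Watchlist hits, beaconing candidates and per-user baselines over exported SIEM events.

Added example; the event layout, watchlist entries and history are constructed
assumptions, not the ESM export format or any real indicator feed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed watchlist: documentation-range addresses standing in for a threat feed.
WATCHLIST = {"203.0.113.7", "198.51.100.23"}

_BASE = datetime(2024, 12, 1, 8, 0, 0)


def _ev(src, dst, user, offset_s):
    """Build one constructed event record `offset_s` seconds after _BASE."""
    return {"src_ip": src, "dst_ip": dst, "user": user, "ts": _BASE + timedelta(seconds=offset_s)}


# Constructed sample events: a regular 60 s beacon to a watchlisted host, an
# irregular benign pattern, and a single watchlist hit that is not beaconing.
SAMPLE_EVENTS = (
    [_ev("10.0.0.5", "203.0.113.7", "svc_backup", 60 * i) for i in range(5)]
    + [_ev("10.0.0.8", "192.0.2.10", "alice", t) for t in (0, 17, 400, 403, 900)]
    + [_ev("10.0.0.9", "198.51.100.23", "bob", 120)]
)

# Constructed history: daily event counts per user over the prior 14 days.
HISTORY = {
    "alice": [40, 42, 38, 45, 41, 39, 44, 40, 43, 41, 38, 42, 40, 44],
    "bob": [5, 6, 4, 5, 7, 5, 6, 4, 5, 6, 5, 4, 6, 5],
}
TODAY = {"alice": 45, "bob": 60, "carol": 3}


def watchlist_hits(events, watchlist=WATCHLIST):
    """Return every event whose destination is on the watchlist."""
    return [e for e in events if e["dst_ip"] in watchlist]


def beaconing_candidates(events, min_count=4, max_cv=0.2):
    """Flag (src, dst) pairs with at least min_count connections at regular intervals.

    Regularity is measured as the coefficient of variation of the inter-arrival
    gaps; a low value means the host is calling out on a fixed timer.
    Returns (src, dst, count, mean_gap_seconds) tuples.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src_ip"], e["dst_ip"])].append(e["ts"])
    found = []
    for (src, dst), stamps in sorted(by_pair.items()):
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_cv:
            found.append((src, dst, len(stamps), avg))
    return found


def user_baseline(history):
    """Mean and population standard deviation of daily counts per user."""
    return {user: (mean(counts), pstdev(counts)) for user, counts in history.items()}


def anomalous_users(baseline, today, z_threshold=3.0, min_sd=1.0):
    """Return users whose count today is z_threshold deviations above baseline.

    min_sd floors the deviation so a nearly constant history does not make a
    one-event change look extreme. Users with no history map to None so they
    are surfaced for review rather than silently skipped.
    """
    flagged = {}
    for user, count in today.items():
        if user not in baseline:
            flagged[user] = None
            continue
        mu, sd = baseline[user]
        z = (count - mu) / max(sd, min_sd)
        if z >= z_threshold:
            flagged[user] = round(z, 2)
    return flagged


if __name__ == "__main__":
    for hit in watchlist_hits(SAMPLE_EVENTS):
        print("watchlist:", hit["src_ip"], "->", hit["dst_ip"])
    print("beaconing:", beaconing_candidates(SAMPLE_EVENTS))
    print("anomalous users:", anomalous_users(user_baseline(HISTORY), TODAY))
```

On the constructed input, the beacon from 10.0.0.5 is reported with a 60 s mean gap, the single hit from 10.0.0.9 is a watchlist match only, and bob's jump from about five events a day to sixty is flagged while alice's small increase is not.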