Cyber Security Consultant at a computer software company with 51-200 employees
Consultant
Helpful dashboards for log monitoring, and integrates well with other technologies
Pros and Cons
  • "This solution integrates easily and very well with other technologies."
  • "We cannot add new data sources to the most recent version."

What is our primary use case?

We use this solution to provide managed security services. We use loggers at the client site to generate logs for monitoring their devices. We handle the monitoring, administration, and troubleshooting of their endpoints.

For some customers, we manage everything, while for other customers we only monitor their critical devices.

We are using an on-premises deployment model.

How has it helped my organization?

This solution helps us to provide services for our clients and integrates well with their other technologies.

What is most valuable?

The most valuable features of this solution are the logging and the dashboards.

This solution integrates easily and very well with other technologies. We are creating custom connectors for some of the technologies that our customers are using.

What needs improvement?

We are having trouble migrating our data sources from version 10 to version 11.2. We cannot add new data sources to the most recent version.

I would like to see the Active Response function enhanced.

Buyer's Guide
Trellix ESM
April 2024
Learn what your peers think about Trellix ESM. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
770,141 professionals have used our research since 2012.

For how long have I used the solution?

I have been using this solution for about eighteen months.

What do I think about the stability of the solution?

The stability of this solution is good. So far, we have not faced much downtime. The issues that we are currently experiencing, moving versions, did not happen the last time we upgraded. This is really the first trouble that we have had.

What do I think about the scalability of the solution?

This solution is very scalable.

We have four or five customers that we are performing monitoring for. Their user-base varies, with some having fifty users and some having more than one thousand users.

We do plan to increase our usage and have had meetings with McAfee as a partner. We would be offering this solution exclusively to our clients. 

How are customer service and support?

Technical support, as well as their online knowledge base, has helped us a lot. However, our current issue with respect to not being able to add new data sources was reported two weeks ago and it has not yet been resolved.

I think that technical support can be improved in terms of providing quicker resolutions to problems.

Which solution did I use previously and why did I switch?

We did not previously offer a different solution to our customers. We are currently onboarding Splunk to work concurrently with this solution, but it depends on the customer. Splunk is a little bit expensive.

How was the initial setup?

The initial setup of this solution is easy. There is no problem with it.

Our deployment took about one week. It involved upgrading to the new version and adding the data sources. Integration of the new devices was not complex.

Two people are required for the deployment, with one being from our side and one from the client's side.

What about the implementation team?

We hired consultants to assist with our deployment. We have had a good experience with them and they are still supporting us to deal with any issues or errors.

What's my experience with pricing, setup cost, and licensing?

The cost is dependent on the customer's environment and requirements.

Which other solutions did I evaluate?

We have experience using ArcSight, but it is very difficult when it comes to creating the connector to integrate with different technologies.

We spend time evaluating each customer's business model and offer them the appropriate solution.

What other advice do I have?

From my perspective, for anyone with a small or medium-sized business, this is the best solution. It is easy to deploy and it is less, from a cost point of view, than others.

I would rate this solution a nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
Systems Engineer at First Datacorp
Real User
A user-friendly solution that is easy to implement
Pros and Cons
  • "Trellix ESM is very user-friendly."
  • "Product-wise, adding accounts on a single data source by batch would be a really great help."

What is most valuable?

Trellix ESM is very user-friendly.

What needs improvement?

Trellix's resource consumption is too high, and it could be lower. It would be nice if Trellix could reduce the requirements for RAM and storage.

Product-wise, adding accounts on a single data source by batch would be a really great help. Then for the support, it would be a lot better if customer support from Trellix would reach out to us as partners.

For how long have I used the solution?

I have been testing Trellix ESM for a few months.

How was the initial setup?

Trellix ESM is easy to implement. In addition, it would be better if I had enough hardware resources to run or implement it.

What other advice do I have?

I am working with the free trial version of Trellix ESM. I am very satisfied with Trellix ESM. There are minor additional features that we need to add to it, but for now, I'm very satisfied with it.

I would advise users to learn NQL so that they can understand how the data goes from raw data to normalized data and how to create their custom rules.

Overall, I rate Trellix ESM an eight out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
it_user1369827 - PeerSpot reviewer
Information Security Engineer at a financial services firm with 51-200 employees
Real User
Good reporting, correlation capability, and user interface
Pros and Cons
  • "Compared to other solutions, the user interface is good."
  • "The only drawback is that they don't have any packet capturing or network behavior analysis."

What is our primary use case?

We are a service provider and we implement it for our customers, as well as use it internally.

This is a SIEM product that makes up part of our overall security solution.

What is most valuable?

Compared to other solutions, the user interface is good.

The correlations that it discovers are helpful.

The reporting is good.

What needs improvement?

The only drawback is that they don't have any packet capturing or network behavior analysis. Including network behavior analysis in the future would be a good addition.

The speed of technical support can be improved.

For how long have I used the solution?

We have been using McAfee ESM for between five and six years.

What do I think about the stability of the solution?

We have had no issues with stability.

What do I think about the scalability of the solution?

If we want to increase or expand then we just have to add devices, so it should not be a problem.

How are customer service and technical support?

I would say that the technical support is not very prompt, but the end result is good. 

Which solution did I use previously and why did I switch?

We also work with Splunk and we have experience with similar solutions such as IBM QRadar.

How was the initial setup?

The initial setup is pretty much straightforward. We haven't had any problem.

What's my experience with pricing, setup cost, and licensing?

The pricing is good, and they are competitive compared to providers such as RSA and IBM QRadar.

What other advice do I have?

The suitability of McAfee ESM is based on the requirements. If a customer is specifically looking for log and event analysis, with the correlations, then this solution is a good choice. If, instead, they are looking for network behavior analytics, then they should consider IBM QRadar or something else.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: partner
IT Consultant and Project Manager at a government with 1-10 employees
Consultant
Out-of-the-box rules are helpful in monitoring our hybrid-cloud environment
Pros and Cons
  • "We are now able to completely monitor our environment so we can review what is there, which is a big win for us."
  • "I would like to see improvements to the user interface."

What is our primary use case?

We use this solution to monitor everything in our hybrid-cloud environment. This includes IoT devices and a couple of data centers.

How has it helped my organization?

We are now able to completely monitor our environment so we can review what is there, which is a big win for us. This solution helps with the maturity of our environment.

Using the out-of-the-box rules has made our work more relaxing.

What is most valuable?

There are more than two hundred out-of-the-box rules.

We have been using the advanced correlation agent.

What needs improvement?

Technical support for this product could be improved.

I would like to see improvements to the user interface.

It would be helpful to have a diagram in the interface that shows the actions.

For how long have I used the solution?

We have been using this solution for two years.

What do I think about the stability of the solution?

This is a very stable solution, although there are some bugs in the GUI.

What do I think about the scalability of the solution?

This solution is very scalable from my perspective. We have around twenty-five users. We have level one users, which are operation analysts. We also have level two users, who take care of daily operations. Level two includes, for example, handling the rules on the creation of users. Everything is segregated. We also have a second engineer.  

How are customer service and technical support?

We have had issues where we had to contact technical support. While they answered OK, the timing may have been a little slow.

Which solution did I use previously and why did I switch?

We used another solution prior to this one.

How was the initial setup?

The initial setup of this solution was very clear. We followed the instructions on the web page, and there were no problems. The deployment was really quick and completed within a couple of hours.

What about the implementation team?

We performed the implementation ourselves.

What's my experience with pricing, setup cost, and licensing?

We pay for our licensing fees on a yearly basis, and there are no costs in addition to the standard licensing fees.

Which other solutions did I evaluate?

We evaluated several other options before choosing this one, including Elasticsearch.

What other advice do I have?

I recommend trying this product. This is a quality solution at a fair price.

I would rate this solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Manager of System Security at a tech services company with 10,001+ employees
Consultant
The visualization clearly articulates the current and past state of network traffic and correlation rule hits. The API still needs to develop some maturity.

What is most valuable?

The Dashboard Views are the most valuable feature since it visualizes network and security-related use cases we develop. This visualization clearly articulates the current and past state of network traffic and correlation rule hits.

I also value the ability to integrate with third-party threat feeds, including McAfee’s feed, in order to sift through the data to find any anomalies. Through this process, we have further hardened the network security and perimeter security of our clients.

How has it helped my organization?

The best way to describe the improvement is within the following areas:

  1. Network Operations. Without visibility of network-related issues, we have discovered many routing issues and network noise that could have otherwise been left to consume capacity on our clients' networks. We have complete visibility of what has changed and who made changes to network-related infrastructure.
  2. Security Operations. We have almost real-time visibility, and with the manner in which we configure alarms, including the processes that we have implemented, we can easily initiate the security incident handling procedures. The threat feeds add a load of value in terms of investigations and through that procedure, we can quite easily remedy web filtering, endpoints, and perimeter firewalls.

A specific note on Botnets and Beaconing -- using a watchlist for malicious IP addresses, it doesn’t take us long to block communication and clean endpoints.

What needs improvement?

The API the product provides still needs to develop some maturity. There is not a lot of documentation available on it. My recommendation for improvement is that the API is developed in such a way to make it more useable for different implementations. I would also recommend looking at advanced views to quickly make visible lateral movements, data staging, and data exfiltration.

For how long have I used the solution?

I've been using it for three years as a managed security services provider.

What was my experience with deployment of the solution?

We have had no issues with the deployment.

What do I think about the stability of the solution?

There have been no issues with the stability.

What do I think about the scalability of the solution?

We once processed so many logs that we almost ran out of hard drive space. However, all our clients' implementations are running smoothly and their health status remains green. My view is that the technology is mature in terms of its design and the manner in which it processes logs. It is easy to configure and easy to use.

How are customer service and technical support?

Very good. We are a Global Intel Security Partner and we seldom have any support issues. The technical engineers from Intel Security are very helpful. There is so much technical documentation available in the community pages that when I started out, it really didn’t take me long to configure my first few dashboards.

Which solution did I use previously and why did I switch?

I have used other products before. Having been an endpoint engineer before, there was this feeling of familiarity when I started out using Enterprise Security Manager. The flow for me was the same as with ePO.

How was the initial setup?

I remember the first client I on-boarded and it was pretty straightforward adding data sources. In less than a minute, I could see the events populating on the screen. We developed a custom taxonomy of attacks and related the signature IDs to our own custom taxonomy. We were logging incidents to our helpdesk within the first month to remediate.

The lessons learned from other implementations is that you need to have a plan before you just add data sources. There must be an intent and purpose with each data source that you want to add to ESM. Otherwise, you are just collecting events for the purpose of collection.

What about the implementation team?

We implemented it ourselves. The technology is really easy to install, but you need to be cognizant of the events-per-second and be really critical about the type of events that you forward to the ESM appliance, ensuring they are useful. From the second implementation, we followed advice from SANS, and now use a “use case” (events of interest) driven approach.

What was our ROI?

You will definitely get a return on your investment if you develop the correct security management metrics and have decent operational procedures in place to take action on events in ESM. MSSP clients normally get bang for their buck.

What other advice do I have?

There is an API available on ESM, which you can use to automate certain tasks to a point. Use the API to pump data into your data warehouse, which you can then start utilizing for data analysis purposes. You can develop your own baselines for user and asset behavior, and start looking at threat-hunting exercises. For the configuration of variables and custom rules, you need to know what you are doing because otherwise you can end up generating more events and useless events.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are a preferred global partner of Intel Security.
it_user182445 - PeerSpot reviewer
ICT Security Officer at a healthcare company with 1,001-5,000 employees
Vendor
We now have a better view of our security posture from an external and internal point of view. The reporting could use some improvement.

What is most valuable?

Dashboards, which can be customized to display alerts and queries, and rules, which trigger alerts, are the most valuable features for us.

How has it helped my organization?

We now have a better view of our security posture from an external and internal point of view. We are able to do forensic investigations and stop attacks before they occur.

What needs improvement?

The reporting could use some improvement. Also, while the dashboard can be customized to an extent, I'd like to have the ability to do even more customization.

For how long have I used the solution?

We've used it for two years.

What was my experience with deployment of the solution?

We've had no deployment issues.

What do I think about the stability of the solution?

There have been no issues with the stability.

What do I think about the scalability of the solution?

Scaling it has been fine. We've had no issues with an inability to scale.

How are customer service and technical support?

In our experience, technical support has been good.

Which solution did I use previously and why did I switch?

  • QRadar
  • RSA enVision

How was the initial setup?

Deployment of any of these products is easy. What becomes a daunting task is the creation of use cases and also ensuring that alerts are accurate.

What about the implementation team?

We used an in-house team with a vendor in-office assistant.

What was our ROI?

Executives don’t see ROI on this solution as the reports are not meant for C-levels.

What other advice do I have?

Make sure you know exactly why you are implementing it and what you are going to monitor. Also, ensure that you have all your use cases way before venturing into buying a solution of this nature.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information Technology Security Engineer at a tech consulting company with 1-10 employees
Reseller
Comes with a confusing UI and pricing is expensive
Pros and Cons
  • "I rate the tool's deployment an eight out of ten. The deployment is completed in two days."
  • "The solution needs to improve case management. The UI is confusing."

What needs improvement?

The solution needs to improve case management. The UI is confusing. 

What do I think about the stability of the solution?

I rate the product's stability a five out of ten. It gets worse each year. 

What do I think about the scalability of the solution?

I rate Trellix ESM's scalability a seven out of ten. 

How was the initial setup?

I rate the tool's deployment an eight out of ten. The deployment is completed in two days. 

What's my experience with pricing, setup cost, and licensing?

Trellix ESM's price is high. 

What other advice do I have?

I rate the product a seven out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer:
it_user732735 - PeerSpot reviewer
Threat Intelligence Engineer (Security Engineering Team) at a government with 10,001+ employees
Vendor
Biggest benefit is its easy scalability. It doesn't restrict you to a particular hardware or storage solution.

What is most valuable?

It's SIEM. Obviously, normalization of data is the biggest factor.

How has it helped my organization?

We perform security event monitoring for over 700 individual servers, firewalls, and applications. It's not possible to monitor over 500 million events per day with SIEM.

What needs improvement?

McAfee is working on a newer ELS product for a faster search which will change everything about how a SIEM can perform.

For how long have I used the solution?

I have been using this product for the past eight years.

What do I think about the stability of the solution?

Just like any other software/hardware platform, once in a while we have issues with software bugs, but McAfee's support is good in helping to fix these issues in a timely manner.

What do I think about the scalability of the solution?

The biggest benefit of McAfee SIEM is its easy scalability. It doesn't restrict you to a particular hardware or storage solution.

How are customer service and technical support?

McAfee's SIEM support team is very good.

Which solution did I use previously and why did I switch?

I used ArcSight at a different job, but when we bought SIEM at my current job, it was NitroView. Later, McAfee acquired them.

How was the initial setup?

It had a few hurdles initially, but in its current versions and offerings McAfee SIEM is sort of plug and play. It has so many offerings out-of-the-box.

What's my experience with pricing, setup cost, and licensing?

McAfee's pricing is competitive in the industry and their licensing model is for hardware only.

Which other solutions did I evaluate?

We checked ArcSight, but their pricing was expensive.

What other advice do I have?

McAfee ESM is the perfect SIEM tool, and it provides best results based on data intake and rule based configuration.

I would suggest that users identify the data sources they want to feed into the SIEM for monitoring and correlation, and work with the sales team to understand the total EPS and choose the right set of hardware, especially the ESM, which will perform the majority of the work for your organization. With the right hardware specs, it will help you achieve your goal.

Disclosure: I am a real user, and this review is based on my own experience and opinions.