We changed our name from IT Central Station: Here's why

McAfee ESM OverviewUNIXBusinessApplication

McAfee ESM is #14 ranked solution in top Security Information and Event Management (SIEM) tools. PeerSpot users give McAfee ESM an average rating of 6 out of 10. McAfee ESM is most commonly compared to IBM QRadar: McAfee ESM vs IBM QRadar. The top industry researching this solution are professionals from a computer software company, accounting for 31% of all views.
What is McAfee ESM?

McAfee Enterprise Security Manager - the foundation of the security information and event management (SIEM) solution family from McAfee delivers the performance, actionable intelligence, and real-time situational awareness at the speed and scale required for security organizations to identify, understand, and respond to stealthy threats, while the embedded compliance framework simplifies compliance.

McAfee ESM was previously known as NitroSecurity, McAfee Enterprise Security Manager.

Buyer's Guide

Download the Security Information and Event Management (SIEM) Buyer's Guide including reviews and more. Updated: January 2022

McAfee ESM Customers

San Francisco Police Credit Union, Wªstenrot Gruppe, Volusion, California Department of Corrections & Rehabilitation, Government of New Brunswick, State of Colorado, Macquarie Telecom, Texas Tech University Health Sciences Center, Cologne Bonn Airport

McAfee ESM Video

Archived McAfee ESM Reviews (more than two years old)

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
Cyber Security Consultant at a tech services company with 51-200 employees
Consultant
Helpful dashboards for log monitoring, and integrates well with other technologies
Pros and Cons
  • "This solution integrates easily and very well with other technologies."
  • "We cannot add new data sources to the most recent version."

What is our primary use case?

We use this solution to provide managed security services. We use loggers at the client site to generate logs for monitoring their devices. We handle the monitoring, administration, and troubleshooting of their endpoints.

For some customers, we manage everything, while for other customers we only monitor their critical devices.

We are using an on-premises deployment model.

How has it helped my organization?

This solution helps us to provide services for our clients and integrates well with their other technologies.

What is most valuable?

The most valuable features of this solution are the logging and the dashboards.

This solution integrates easily and very well with other technologies. We are creating custom connectors for some of the technologies that our customers are using.

What needs improvement?

We are having trouble migrating our data sources from version 10 to version 11.2. We cannot add new data sources to the most recent version.

I would like to see the Active Response function enhanced.

For how long have I used the solution?

I have been using this solution for about eighteen months.

What do I think about the stability of the solution?

The stability of this solution is good. So far, we have not faced much downtime. The issues that we are currently experiencing, moving versions, did not happen the last time we upgraded. This is really the first trouble that we have had.

What do I think about the scalability of the solution?

This solution is very scalable.

We have four or five customers that we are performing monitoring for. Their user-base varies, with some having fifty users and some having more than one thousand users.

We do plan to increase our usage and have had meetings with McAfee as a partner. We would be offering this solution exclusively to our clients. 

How are customer service and technical support?

Technical support, as well as their online knowledge base, has helped us a lot. However, our current issue with respect to not being able to add new data sources was reported two weeks ago and it has not yet been resolved.

I think that technical support can be improved in terms of providing quicker resolutions to problems.

Which solution did I use previously and why did I switch?

We did not previously offer a different solution to our customers. We are currently onboarding Splunk to work concurrently with this solution, but it depends on the customer. Splunk is a little bit expensive.

How was the initial setup?

The initial setup of this solution is easy. There is no problem with it.

Our deployment took about one week. It involved upgrading to the new version and adding the data sources. Integration of the new devices was not complex.

Two people are required for the deployment, with one being from our side and one from the client's side.

What about the implementation team?

We hired consultants to assist with our deployment. We have had a good experience with them and they are still supporting us to deal with any issues or errors.

What's my experience with pricing, setup cost, and licensing?

The cost is dependent on the customer's environment and requirements.

Which other solutions did I evaluate?

We have experience using ArcSight, but it is very difficult when it comes to creating the connector to integrate with different technologies.

We spend time evaluating each customer's business model and offer them the appropriate solution.

What other advice do I have?

From my perspective, for anyone with a small or medium-sized business, this is the best solution. It is easy to deploy and it is less, from a cost point of view, than others.

I would rate this solution a nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
Victor Alexandrescu
IT Consultant and Project Manager at a government with 1-10 employees
Consultant
Out-of-the-box rules are helpful in monitoring our hybrid-cloud environment
Pros and Cons
  • "We are now able to completely monitor our environment so we can review what is there, which is a big win for us."
  • "I would like to see improvements to the user interface."

What is our primary use case?

We use this solution to monitor everything in our hybrid-cloud environment. This includes IoT devices and a couple of data centers.

How has it helped my organization?

We are now able to completely monitor our environment so we can review what is there, which is a big win for us. This solution helps with the maturity of our environment.

Using the out-of-the-box rules has made our work more relaxing.

What is most valuable?

There are more than two hundred out-of-the-box rules.

We have been using the advanced correlation agent.

What needs improvement?

Technical support for this product could be improved.

I would like to see improvements to the user interface.

It would be helpful to have a diagram in the interface that shows the actions.

For how long have I used the solution?

We have been using this solution for two years.

What do I think about the stability of the solution?

This is a very stable solution, although there are some bugs in the GUI.

What do I think about the scalability of the solution?

This solution is very scalable from my perspective. We have around twenty-five users. We have level one users, which are operation analysts. We also have level two users, who take care of daily operations. Level two includes, for example, handling the rules on the creation of users. Everything is segregated. We also have a second engineer.  

How are customer service and technical support?

We have had issues where we had to contact technical support. While they answered ok, the timing may have been a little slow.

Which solution did I use previously and why did I switch?

We used another solution prior to this one.

How was the initial setup?

The initial setup of this solution was very clear. We followed the instructions on the web page, and there were no problems. The deployment was really quick and completed within a couple of hours.

What about the implementation team?

We performed the implementation ourselves.

What's my experience with pricing, setup cost, and licensing?

We pay for our licensing fees on a yearly basis, and there are no costs in addition to the standard licensing fees.

Which other solutions did I evaluate?

We evaluated several other options before choosing this one, including Elasticsearch.

What other advice do I have?

I recommend trying this product. This is a quality solution at a fair price.

I would rate this solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Find out what your peers are saying about McAfee, Splunk, IBM and others in Security Information and Event Management (SIEM). Updated: January 2022.
564,143 professionals have used our research since 2012.
Business System Analyst at a consultancy with 5,001-10,000 employees
Real User
An easy way to protect my privacy if I lose my computer
Pros and Cons
  • "It is easy to use."
  • "I would like to see fingerprint recognition included in the next release of this solution."

What is our primary use case?

My primary use case for this solution is to secure the data on my laptop.

How has it helped my organization?

If I lost my computer somewhere then hopefully the software will protect my data from anyone.

What is most valuable?

The ability to secure my data is the most important feature.

It is easy to use. I just need to enter the username and the password and it protects my data.

What needs improvement?

I would like to see fingerprint recognition included in the next release of this solution.

How are customer service and technical support?

I have not used technical support for the product.

Which solution did I use previously and why did I switch?

My company did use another product previous to this one but I do not know why they switched.

How was the initial setup?

The installation and setup of this solution is straightforward.

What about the implementation team?

I handled the deployment myself.

What other advice do I have?

This is a product that I would recommend to a colleague at another company.

I would rate this solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Carmen Marsh
CEO at Inteligencia
Real User
Quarantines suspect files without stopping everything else
Pros and Cons
  • "The most valuable feature is that if the scanning does find something, it quarantines it. Then you can decide what you are going to do with it."
  • "The only issue I have with McAfee is the amount of computer resources that it takes... it's definitely impacting some of the other applications that are running on a computer at the same time."

What is most valuable?

The most valuable feature is that if the scanning does find something, it quarantines it. Then you can decide what you are going to do with it. It doesn't just stop everything but actually tells you there's a quarantine, that these files are in quarantine. You have to deal with them. That's good.

If you don't keep up with updates, they pop up until you actually do something. That's a good thing because we want protection.

What needs improvement?

There are a lot of things that could be part of future editions. One would be to speed up the scanning of email. As emails come in, it takes a lot of time to scan through them, whether you're on your computer or on your phone. If it were a little quicker doing that, that would be helpful. That's not a new feature but speed always counts.

The only issue I have with McAfee is the amount of computer resources that it takes. When you're running the program it really is heavy on the computer resources. It only impacts staff productivity when it's running the updates. However, it's definitely impacting some of the other applications that are running on a computer at the same time.

What do I think about the stability of the solution?

McAfee has been around for so long. It's a stable product. They've worked out a lot of glitches, a lot of bugs. There are always new bugs introduced with any product, but it's a stable product.

What do I think about the scalability of the solution?

They do pretty well with scalability because McAfee has so many different solutions. There's a personal edition, then you have a small business edition, and there's an enterprise edition. It can be scaled, and I think they've done a good job.

How was the initial setup?

The setup is pretty good. The only problem is when you're trying to remove a certain version It takes a long time because McAfee keeps a lot of files in the source, on the computer, so you really have to make sure that you delete everything when you're removing the software. When you install a different version of McAfee you need to make sure that you grab all the files and clean the computer out.

What other advice do I have?

Using it, I haven't noticed any difference in the mean time it takes us to detect and respond to threats.

We've been happy with it so far. McAfee is a company whose products we've used quite a bit in the last 20 years so I'm familiar with them. McAfee is a very strong company; it's used around the world.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
it_user1033191
Security Product Manager at a financial services firm with 5,001-10,000 employees
Real User
Correlates events from various platforms and reduces our response time in case of attack
Pros and Cons
  • "The most valuable feature is the capability to correlate different events from different platforms that we feed into it."
  • "There are some banking and transactional cases that are local, South America transactions. I would like to see them add features that can be used locally, to make those transactions more reliable."

What is our primary use case?

As a bank, we have different cases use cases that are typical for the industry.

How has it helped my organization?

On the security side, it reduces the time needed to make changes in case of an attack. We have to work on it in real time. If we didn't have the tool, the amount of time would be double or triple. The main reason we have it is that it makes it easier for the engineer who works on the site to realize what is happening. It helps with productivity.

McAfee has always been there for us and it helps with the maturity of our security program.

What is most valuable?

The most valuable feature is the capability to correlate different events from different platforms that we feed into it. It makes it easier to engineer the box on our side so that we can realize what is happening and do something about it. It gives us the tools to know what's happening and make a change in one of the downstream platforms to reject a connection or the like.

What needs improvement?

Although we're a South American bank, our products are pretty much the same as North American banks. The types of things they would install in North America are what we have here.

But there are some banking and transactional cases that are local, South American transactions. I would like to see them add features that can be used locally, to make those transactions more reliable.

What do I think about the stability of the solution?

The stability is really good.

What do I think about the scalability of the solution?

The scalability depends on how much you want to pay for it. If I need a bigger solution, the vendor is going to be able to add more features to the machine, or even change it. It all depends on how much are you willing to spend.

How are customer service and technical support?

For technical support, we work in two ways. We have a partner that is looking after the platform, and we have the vendor as well. If we have a problem with the partner, we can call McAfee. So overall, support is good.

They should double check what they are doing with customers. I have had some trouble trying improve the use case. I was hoping that they help me with that, show me the way.

What about the implementation team?

The vendor, McAfee, works with a partner and the partner sells to us. We use a partner.

Which other solutions did I evaluate?

Our company looked at Splunk three years ago. Every couple of years we look around at what's in the market. For us, it's quite difficult to try other ones, because of the time and costs involved. That's why I'm not sure if McAfee is the best solution, but it's good enough for me.

We're always looking to make improvements and if the products we have are not good enough, or we see that another brand is making something better, we will migrate.

What other advice do I have?

To make a decision you have to really know what your budget is, how much money you have to buy a solution, and what the main reason is that you are looking for a tool like this. You can always find something cheaper for a small company. Everyone has pretty much the same tools. But if you're going to play with the big ones, like McAfee, you have to be willing to spend a lot of money and, obviously, you'll get the service you need. You have to know your company, what your needs are, and then go shopping. Look around. It's important to look at the tools, how they are deployed in your architecture.

I would rate the solution at eight out of ten. It's good enough to do the things that we need done, but I'm not sure if it's the best in the market.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
IT Manager at a tech services company with 10,001+ employees
Real User
It has good technical support, but I can't scale it

What is our primary use case?

It has performed well and delivered the results that I have been looking for.

How has it helped my organization?

It does a good job for us.

What is most valuable?

Ease of use. Quick training period.

What needs improvement?

I can't scale it. I would like to see AI play a major role going forward.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

It is a stable product.

What do I think about the scalability of the solution?

I have to purchase a new box now. Its existing box is not scalable and I can't use it anymore.

How is customer service and technical support?

It has good technical support, which is available around the clock. You can call up anytime and get whatever…

What is our primary use case?

It has performed well and delivered the results that I have been looking for.

How has it helped my organization?

It does a good job for us.

What is most valuable?

  • Ease of use.
  • Quick training period.

What needs improvement?

I can't scale it.

I would like to see AI play a major role going forward.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

It is a stable product.

What do I think about the scalability of the solution?

I have to purchase a new box now. Its existing box is not scalable and I can't use it anymore.

How is customer service and technical support?

It has good technical support, which is available around the clock. You can call up anytime and get whatever you want. My queues are resolved.

How was the initial setup?

I was not involved in the initial setup, but it was straightforward.

Which other solutions did I evaluate?

We are currently evaluating ArcSight and LogRhythm.

At the time we previously purchased McAfee, I had fewer requirements and it catered to my needs.

What other advice do I have?

Most important criteria when selecting a vendor: support.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
IT Security Analyst at Ingenium Group
Real User
A good central viewpoint for issues, but it requires Flash
Pros and Cons
  • "It is a good central viewpoint for issues. These can then be investigated in more detail on the subnet server(s)/endpoints."
  • "Product currently requires Flash."
  • "Update to user interface from version 9 is cosmetic in some aspects, and after a few clicks you are back on the old interface."
  • "We would welcome integrations with some of the new McAfee acquisitions, e.g., behavioural analytics."

What is our primary use case?

  • To gain transparency into potential vulnerabilities within the network. 
  • To monitor problems, e.g., failure to update packages within the back-end security environment.

How has it helped my organization?

It is a good central viewpoint for issues. These can then be investigated in more detail on the subnet server(s)/endpoints.

What is most valuable?

Ability to create own views. Statistical (normalised) views help to highlight inconsistencies, which may need further investigation

What needs improvement?

  • Product currently requires Flash. 
  • Update to user interface from version 9 is cosmetic in some aspects, and after a few clicks you are back on the old interface.
  • Some filters are still very low level "magic numbers", which do not make sense on the high level user interface. 
  • We would welcome integrations with some of the new McAfee acquisitions, e.g., behavioral analytics.

For how long have I used the solution?

Less than one year.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Laeeq Ahmed
IT Security Lead at a tech services company with 10,001+ employees
Consultant
Leaderboard
Adaptive protection learns for itself, but it seems McAfee does not test its product before releasing
Pros and Cons
  • "It blocks the things which are not to be allowed. It has an adaptive mode where it learns for itself."
  • "There are always multiple bugs in the product. For example, the console page was hanging multiple times. Afterwards, they released multiple upgrades for the same, multiple patches from McAfee."
  • "It seems McAfee does test its product before releasing. When we - not only us, other companies also - deploy McAfee, we face multiple issues from the customer side, after which, McAfee reacts and fixes the bugs."
  • "There's no software support from McAfee."

How has it helped my organization?

By having access protection in the policies on the machine, it helps in real-time behavior scenarios, where the policy captures stuff, quite a lot.

What is most valuable?

VirusScan Enterprise provides protection against real-time malware attacks. 

We use it for logging the network traffic, when required.

It blocks the things which are not to be allowed. It has an adaptive mode where it learns for itself.

What needs improvement?

There are always multiple bugs in the product. For example, the console page was hanging multiple times. Afterwards, they released multiple upgrades for the same, multiple patches from McAfee.

Also, there's no software support from McAfee.

It seems McAfee does not test its product before releasing. When we - not only us, other companies also - deploy McAfee, we face multiple issues from the customer side, after which, McAfee reacts and fixes the bugs.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

After the upgrade, it is stable now. 

What do I think about the scalability of the solution?

It has good scalability.

How are customer service and technical support?

Tech support is not good. They don't respond to issues in a timely manner. We need to call up the account managers, and then the engineers will work on it.

We have to wait fairly long. Until we escalate the issue, the call will be still in the pending state, or the hold state.

Which solution did I use previously and why did I switch?

We switched to them because of the pricing.

How was the initial setup?

It is complex, not straightforward. 

For examples, concerning an upgrade, the pre-installer check provided to us before the upgrade was showing the result was "all requirements met." But when we ran the actual installation, it was different.

What other advice do I have?

I would advise others, before upgrading, to make sure they know the product that they're upgrading to.

I would rate this product at six out of 10. To bring it to a 10, the most important thing is - given there are lot of bugs, and I understand that - there should be proper support from the vendor site.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user732735
Threat Intelligence Engineer (Security Engineering Team) at a government with 10,001+ employees
Vendor
Biggest benefit is its easy scalability. It doesn't restrict you to a particular hardware or storage solution​.

What is most valuable?

It's SIEM. Obviously, normalization of data is the biggest factor.

How has it helped my organization?

We perform security event monitoring for over 700 individual servers, firewalls, and applications. It's not possible to monitor over 500 million events per day with SIEM.

What needs improvement?

McAfee is working on a newer ELS product for a faster search which will change everything about how a SIEM can perform.

For how long have I used the solution?

I have been using this product for the past eight years.

What do I think about the stability of the solution?

Just like any other software/hardware platform, once in awhile we have issues with software bugs, but McAfee's support is good in helping to fix these issues in a timely manner.

What do I think about the scalability of the solution?

Biggest benefit of McAfee SIEM is its easy scalability. It doesn't restrict you to a particular hardware or storage solution.

How are customer service and technical support?

Mcafee's SIEM support team is very good.

Which solution did I use previously and why did I switch?

I used ArcSight at a different job, but when we bought SIEM at my current job, it was NitroView. Later, McAfee acquired them.

How was the initial setup?

It had a few hurdles initially, but in its current versions and offerings McAfee SIEM is sort of plug and play. It has so many offerings out-of-the-box.

What's my experience with pricing, setup cost, and licensing?

McAfee's pricing is competitive in the industry and their licensing model is for hardware only.

Which other solutions did I evaluate?

We checked ArcSight, but their pricing was expensive.

What other advice do I have?

McAfee ESM is the perfect SIEM tool, and it provides best results based on data intake and rule based configuration.

I would suggest users identify the data sources they want to interject into SIEM for monitoring, correlation, and work with the sales team to understand the total EPS and choose the right set of hardware, especially the ESM which will perform majority of work for your organization. With the right specs for hardware, it will help you achieve your goal.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user380976
Information Security Analyst at a tech services company with 501-1,000 employees
Consultant
Through correlation rules, it finds malware that anti-virus and other security solutions do not find.

What is most valuable?

The easy interface is the most valuable feature.

How has it helped my organization?

Through correlation rules, it finds malware that compromised the computer that anti-virus and other security solutions do not find.

What needs improvement?

I had a couple of problems collecting Windows events. The local plugin should be easier to use, because when ESM is collecting through the manager, many performance issues occur.

For how long have I used the solution?

I have been using McAfee for over three years.

What do I think about the stability of the solution?

We did have stability issues, but they were resolved by McAfee support.

What do I think about the scalability of the solution?

We have not had scalability issues.

How are customer service and technical support?

I would give technical support a rating of 8/10.

Which solution did I use previously and why did I switch?

I used different solutions, but for different clients.

How was the initial setup?

This was the easiest initial setup that I have made.

What's my experience with pricing, setup cost, and licensing?

The product is worth the price. There are other cheaper tools in the market, but it is harder to work with them.

Which other solutions did I evaluate?

We looked at HPE ArcSight, Splunk, RSA Analytics, and IBM QRadar.

What other advice do I have?

Stay focused, read the documentation, plan it well, and the project will be a success.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user380976
Information Security Analyst at a tech services company with 501-1,000 employees
Consultant
The most valuable feature for us is that it comes with many correlations, reports, and dashboards already available.
Pros and Cons
  • "The most valuable feature for us is that it comes with many correlations, reports, and dashboards already available. It's also very easy to use."
  • "The disk space needed for events is not clear. In all clients, we had at least more than 100GB free that we could not use."

What is most valuable?

The most valuable feature for us is that it comes with many correlations, reports, and dashboards already available. It's also very easy to use.

How has it helped my organization?

It's easy to create reports for compliance and for detecting different kinds of attacks and breaches through correlations. This makes the client devices to be more secure.

What needs improvement?

The disk space needed for events is not clear. In all clients, we had at least more than 100GB free that we could not use.

For how long have I used the solution?

I've used it for two-and-a-half years.

What was my experience with deployment of the solution?

The disk space sizing is very hard and when the version was updated to 9.4 the space needed to store events was cut by half, making it harder to explain to clients who now needed twice as much disk space, with no explanation from the vendor what happened. This was not even in the release notes.

I suggest that you configure the data archive prior to deployment because once the partition is detached, it will be deleted and you can lose a weeks-worth of events. You don't know when it will be deleted because even with a lot of space disk the partition is detached.

What do I think about the stability of the solution?

There have been no issues with the stability.

What do I think about the scalability of the solution?

There have been no issues scaling.

How are customer service and technical support?

Customer Service:

I give customer service a 7 out of 10.

Technical Support:

I give technical support a 7 out of 10.

Which solution did I use previously and why did I switch?

We used HP ArcSight, IBM Q1 Labs, Splunk, and we chose McAfee Enterprise Security Manager because it’s very easy to deploy.

How was the initial setup?

The initial setup is simple and descriptive. It was very straightforward.

What about the implementation team?

We implemented it with our in-house team.

What was our ROI?

The in-house sales team said McAfee has the best ROI on the market.

What's my experience with pricing, setup cost, and licensing?

You should buy the distributed option instead of the all-in-one for environments with more than 1000 end points.

What other advice do I have?

Multiple dashboards already created
More than 200 correlation rules created and available to use on the Correlation Engine
Multiple reports already created, ready to use or you can edit them
Disclosure: My company has a business relationship with this vendor other than being a customer: We're partners.
it_user182445
ICT Security Officer at a healthcare company with 1,001-5,000 employees
Vendor
We now have a better view of our security posture from an external and internal point of view. The reporting could use some improvement.

What is most valuable?

Dashboards, which can be customized to display alerts and queries, and rules, which trigger alerts, are the most valuable features for us.

How has it helped my organization?

We now have a better view of our security posture from an external and internal point of view. We are able to do forensic investigations and stop attacks before they occur.

What needs improvement?

The reporting could use some improvement. Also, while the dashboard can be customized to an extent, I'd like to have the ability to do even more customization.

For how long have I used the solution?

We've used it for two years.

What was my experience with deployment of the solution?

We've had no deployment issues.

What do I think about the stability of the solution?

There have been no issues with the stability.

What do I think about the scalability of the solution?

Scaling it has been fine. We've had no issues with an inability to scale.

How are customer service and technical support?

In our experience, technical support has been good.

Which solution did I use previously and why did I switch?

  • QRadar
  • RSA enVision

How was the initial setup?

Deployment of any of these products is easy. What becomes a daunting task is the creation of use cases and also ensuring that alerts are accurate.

What about the implementation team?

We used an in-house team with a vendor in-office assistant.

What was our ROI?

Executives don’t see ROI on this solution as the reports are not meant for C-levels.

What other advice do I have?

Make sure you know exactly why you are implementing it and what you are going to monitor. Also, ensure that you have all your use cases way before venturing into buying a solution of this nature.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Manager of System Security at a tech services company with 10,001+ employees
Consultant
The visualization clearly articulates the current and past state of network traffic and correlation rule hits. The API still needs to develop some maturity.

What is most valuable?

The Dashboard Views are the most valuable feature since it visualizes network and security-related use cases we develop. This visualization clearly articulates the current and past state of network traffic and correlation rule hits.

I also value the ability to integrate with third-party threat feeds, including McAfee’s feed, in order to sift through the data to find any anomalies. Through this process, we have further hardened the network security and perimeter security of our clients.

How has it helped my organization?

The best way to describe the improvement is within the following areas:

  1. Network Operations. Without visibility of network related issues, we have discovered many routing issues and network noise that could have otherwise been left to consume capacity on our clients networks. We have complete visibility of what has changed and who made changes to network related infrastructure.
  2. Security Operations. We have almost real-time visibility, and with the manner in which we configure alarms, including the processes that we have implemented, we can easily initiate the security incident handling procedures. The threat feeds add a load of value in terms of investigations and through that procedure, we can quite easily remedy web filtering, endpoints, and perimeter firewalls.

A specific note on Botnets and Beaconing -- using watchlist for malicious IP addresses, it doesn’t take us long to block communication and clean endpoints.

What needs improvement?

The API the product provides still needs to develop some maturity. There is not a lot of documentation available on it. My recommendation for improvement is that the API is developed in such a way to make it more useable for different implementations. I would also recommend looking at advanced views to quickly make visible lateral movements, data staging, and data exfiltration.

For how long have I used the solution?

I've been using it for three years as a managed security services provider.

What was my experience with deployment of the solution?

We have had no issues with the deployment.

What do I think about the stability of the solution?

There have been no issues with the stability.

What do I think about the scalability of the solution?

We once processed so many logs that we almost ran out of hard drive space. However, all our clients implementations are running smoothly and their health status remain green. My view is that the technology is mature in terms of its design and the manner in which it processes logs. It is easy to configure and easy to use.

How are customer service and technical support?

Very good. We are a Global Intel Security Partner and we seldom have any support issues. The technical engineers from Intel Security are very helpful. There is so much technical documentation available in the community pages that when I started out, it really didn’t take me long to configure my first few dashboards.

Which solution did I use previously and why did I switch?

I have used other products before. Having been an endpoint engineer before, there was this feeling of familiarity when I started out using Enterprise Security Manager. The flow for me was the same as with ePO.

How was the initial setup?

I remember the first client I on-boarded and it was pretty straightforward adding data sources. In less than a minute, I could see the events populating on the screen. We developed a custom taxonomy of attacks and related the signature IDs to our own custom taxonomy. We were logging incidents to our helpdesk within the first month to remediate.

The lessons learned from other implementations is that you need to have a plan before you just add data sources. There must be an intent and purpose with each data source that you want to add to ESM. Otherwise, you are just collecting events for the purpose of collection.

What about the implementation team?

We implemented it ourselves. The technology is really easy to install, but you need to be cognizant of the events-per-second and be really critical around the type of events that you forward to the ESM appliance, ensure they are useful. From the second implementation, we followed advise by SANS, and now use a “use case” (events of interest) driven approach.

What was our ROI?

You will definitely get a return on your investment if you develop the correct security management metrics and have decent operational procedures in place to take action on events in ESM. MSSP clients normally get bang for their buck.

What other advice do I have?

There is an API available on ESM, which you can use to automate certain tasks to a point. Use the API to pump data into your data warehouse, which you can then start utilizing for data analysis purposes. You can develop your own baselines for user and asset behavior, and start looking at threat-hunting exercises. For the configuration of variables and custom rules, you need to know what you are doing because otherwise you can end up generating more events and useless events.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are a preferred global partner of Intel Security.
Amlan Sahoo
Systems-Engineer at a tech services company with 10,001+ employees
Real User
Leaderboard
I like the vendor support from McAfee and the overall architecture looks simple. The version I worked on had a bug in the alarm system.

Valuable Features

This is the first SIEM product that I have used. My impressions so far are that I like the vendor support from McAfee and the overall architecture looks simple.

Improvements to My Organization

I helped a client of ours implement and deploy it.

Room for Improvement

The product documentation is good, but could be better. Also a bug-free version would be nice as the version I worked on had a bug in the alarm system.

Use of Solution

I've used it for five months.

Deployment Issues

We had bug alarm issues during deployment. The bug, I think, was part of the product.

Stability Issues

We had no issues with the stability.

Scalability Issues

We have had no issues scaling it for our needs.

Customer Service and Technical Support

Customer Service:

Customer service is very good.

Technical Support:

Technical support is very good.

Initial Setup

The initial setup was straightforward.

Implementation Team

You will have a better implementation if you get support from the vendor.

Pricing, Setup Cost and Licensing

Overall, it was expensive, as it has split components.

Other Solutions Considered

We have now started using ArcSigh as well. I don't have much experienced with it, but the overall architecture looks similar to McAfee.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user374493
Security Consultant, Presale and System Engineer at a tech services company with 501-1,000 employees
Consultant
If you provide it with the Advanced Correlation Engine and Global Threat Intelligence, you can raise your infrastructure to be a complete advanced SOC.

What is most valuable?

Doing Incident analysis in my opinion with ESM is easier than other solutions. There are a lot of ways to build queries and a great filter engine; if you provide ESM with the Advanced Correlation Engine and Global Threat Intelligence you can raise your infrastructure to be a complete advanced SOC.

How has it helped my organization?

I work for a System Integrator.

What needs improvement?

I have almost no complaints with this solution because it's almost a complete solution, but I do hope to have more stability in the next upgrade and to have the interface re-engineered to be HTML5-based rather than Flash-based.

I'd also like some Splunk-like ELM (Log Manager) enterprise functions.

For how long have I used the solution?

I've used it for three years, from versions 9.1 to 9.5

What was my experience with deployment of the solution?

Yes, sometimes it seems that versions with major upgrades come with some bugs and regressions that affected deployment.

What do I think about the stability of the solution?

Yes, sometimes it seems that versions with major upgrades come with some bugs and regressions that affected stability.

What do I think about the scalability of the solution?

It has scaled to our needs.

How are customer service and technical support?

Customer Service:

Customer service is very good and very professional.

Technical Support:

Technical support is very good and very professional.

Which solution did I use previously and why did I switch?

I also work with with RSA and McAfee SIEM solutions.

How was the initial setup?

If you buy the all-in-one solution (Virtual or Hardware), the setup takes a couple of hours.

What's my experience with pricing, setup cost, and licensing?

SIEM is not a Log Manager; ESM is meant for people who need advanced SOC functionality and not only to satisfy compliance rules.

Disclosure: My company has a business relationship with this vendor other than being a customer: We're a partner.
Vinod Shankar
Manager, Enterprise Risk Consulting at a tech company with 1,001-5,000 employees
Consultant
One of the biggest strengths of Nitro is the underlying database but stability has been a problem.
At Infosecnirvana, we have quite a number of posts dedicated to SIEM. We have done a detailed comparison of SIEM products in a post titled – SIEM Comparison along with providing a detailed check list for SIEM evaluation. We have also posted about SIEM products from time to time as reflected by our post on IBM QRadar and ArcSight. Following up with those posts, this blog is our take on McAfee Nitro SIEM. So let’s get started Introduction: McAfee in 2011 purchased Nitro Security to enter into the SIEM space and subsequently were taken up by Intel. This period of 2011 actually saw a few things happen in the SIEM market space. This included HP buying ArcSight, IBM buying QRadar and McAfee buying Nitro etc. etc. Each of those SIEM products have taken a different route over the last 3 years.…

At Infosecnirvana, we have quite a number of posts dedicated to SIEM. We have done a detailed comparison of SIEM products in a post titled – SIEM Comparison along with providing a detailed check list for SIEM evaluation. We have also posted about SIEM products from time to time as reflected by our post on IBM QRadar and ArcSight. Following up with those posts, this blog is our take on McAfee Nitro SIEM. So let’s get started

Introduction:

McAfee in 2011 purchased Nitro Security to enter into the SIEM space and subsequently were taken up by Intel. This period of 2011 actually saw a few things happen in the SIEM market space. This included HP buying ArcSight, IBM buying QRadar and McAfee buying Nitro etc. etc. Each of those SIEM products have taken a different route over the last 3 years. Nitro security was one of those niche players in the market which had an IPS portfolio as well a SIEM portfolio, remnants of which still linger in the overall McAfee ESM product suite. The McAfee ESM product suite is basically a combination of a few components like:

  • ESM - Enterprise Security Management, which serves as the Management Interface for all SIEM components, Reporting engine capable of generating compliance and policy reports.
  • ACE - Advanced Correlation Engine which is interesting a dedicated engine to perform Risk Based (rules based) Correlation, Historical Correlation, Asset Based Risk Scoring and Custom risk scoring based on combinations of fields.
  • DBM - Database Monitor. One of the products McAfee has as standalone for Database Log Generation, Session Auditing etc, is called the DBM. This is a Database IPS kinda product that monitors network traffic via SPAN, port mirror or taps and does not create any impact on database. So for all the legacy databases that don’t have Audit trail enabled or the auditing is not detailed enough, DBM is the perfect fit. Apart from the monitoring audit trail of all transactions from login to log-off including all session queries and commands, it also provides Auto discovery of database instances including unauthorized or rouge databases. The DBM comes in both a network sensor as well as a host agent footprint.
  • ADM - Application Data Monitor. This is again a Application IPS kinda product capable of performing Layer 7 Protocol detection, Full meta-data collection, traffic monitoring via SPAN, port mirror or taps. Full session data capture and visibility into all application traffic is also provided by this sensor along with Advanced Threat detection capabilities. Again, it can be deployed as a sensor or a host agent.
  • ELM - Enterprise Log Manager. This is akin to any log management solution in SIEM and provides Log storage both Local and Network based.
  • Receivers - These are nothing but Parsers, Netflow Collectors, VMWare Collectors and anything that is able to parse and normalize logs.

Strong points for Nitro SIEM:

After careful evaluation of Nitro SIEM, we would like to highlight these few points as the core Strength of Nitro SIEM:

  1. Architecture: One of the reasons for Nitro SIEM’s popularity is the Architectural flexibility. As a Security administrator, you can pick and chose how you want to architect your solution. If you want to be as modular as possible, then all the above mentioned components can be deployed standalone and integrated using the ESM (Remember EPO architecture for McAfee Endpoint solutions!!!). Say you prefer a smaller footprint, then you can build something called “Combo Boxes” which as the name mentions combines several components in a single box. This helps administrators starved of resources or budget to effectively deploy Nitro SIEM.
  2. Powerful Data Management: One of the biggest strengths of Nitro is the underlying Database – The SAGE DB aka NitroEDB (Nitro Embedded Database) developed by Idaho National labs (the founder of Nitro was a researcher there). NitroEDB is a relational database that supports huge volume, VLDB applications as well as extremely fast in-memory processing. This is the core reason why Nitro SIEM is able to have a High Ingest Rates and extremely fast query speed. This is a killer benefit compared to the other products like ArcSight with its below par implementation of MySQL and PostgreSQL and IBM QRadar with its proprietary EDB (updated based on comments from JC). Splunk is the closest in competition to Nitro with its GFS like implementation.
  3. High Ingest Rates: As mentioned above, NitroEDB enables SIEM to have a high event ingestion rates @ 300K EPS. We don’t think any SIEM in the market today scales up to this number. ArcSight SIEM is the closest with a 100K maximum with its Logger platform and a pure play Syslog-NG server can do 300K EPS.
  4. Network Based Threat Detection: As with QRadar Intelligence Platform, the Nitro platform also uses Network Packet Analysis for DBM and ADM (as mentioned in the components) to perform Database monitoring and Application monitoring. Both QRadar and Nitro are comparable in the Application monitoring space but when it comes to Database Monitoring, Nitro wins it hands down. ArcSight and the others are poor in this space, something they will have to start looking at.
  5. Database Monitoring: As mentioned above, the DBM is the stand out as it provides excellent auditing capabilities for DB auditing and log collection. This is irrespective of DB version, OS, Auditing capability etc. The monitoring can be done off-box using a sensor in the network or using an agent. Again, this is one of the differentiators compared to ArcSight or QRadar as both of them rely only on JDBC connectivity to pull audit logs (provided Auditing is enabled on DB)
  6. Historical Correlation: Nitro has the ability to perform historical correlation better than the others in the market. One of the reasons for that is the capability to run complex queries and computations (for risk score correlation) against a large data set. This is primarily attributed to the NitroEDB as mentioned above which is really powerful in terms of query performance. QRadar and ArcSight are not as good at historical correlation and pale in comparison with NitroEDB performance for historical queries. Splunk is better at historical queries, but correlation is not as mature in Splunk as the others.
  7. SCADA Device Support: Apart from ArcSight, arguably the only other product in today’s market that has extensive support for SCADA is Nitro SIEM. This is definitely useful in penetrating the Utilities industry, Manufacturing industry etc. and is one of the key differentiators compared to the others.

Weak points for Nitro SIEM:

  1. Stability: In our testing and real-life deployments, one of the recurring problems we have faced with Nitro SIEM is stability. It is rare to have all the components working without issues at any given point in time. One of the reasons for this we think is the integration tier that has to interact with the various components to perform Security monitoring. There are just too many points of failure and troubleshooting is a nightmare. This is essential in organizations where in-house monitoring is performed. In case of outsourcing, even though this is still an issue, the risk is transferred to the outsourced vendor. Hopefully, McAfee realizes this and fixes these teething issues of stability in future releases.
  2. Correlation: Even though Risk based correlation is a great value add in Nitro, the overall capabilities fall short when compared with the others in the market. We might be a bit biased with this piece as we always compare Correlation capabilities of any SIEM tools we evaluate against HP ArcSight. In our opinion, ArcSight Correlation is by far the best in the industry and no product can match it in terms of flexibility, power of customization and advanced computing. That said, Nitro does compete hard and we would definitely be keen to see them take the Risk/Rules based correlation to the next level.
  3. Event Parsing & Custom Event Support: Even though the support for Events generated by Third Party vendors is excellent, we feel that more devices and vendors can be supported as does ArcSight. However, custom parsers or receivers are not intuitive to create in Nitro SIEM as with QRadar. Nitro is not as good as the Super-Easy QRadar Custom Mapping feature or Splunk with its Field Extraction where it’s a breeze to develop any custom connector. Nitro, thus has some room for improvement in this area.
  4. User Interface: Although the UI reminds you of all things McAfee (EPO, NSM etc), we feel that a flash driven UI is not the best for SIEM. This is not to take away anything from the capabilities of the product in terms of data presentation, but Flash driven UI proves to be a dampener on the overall experience. As a general opinion, we are keen to see anything other than a Java or Flash UI because we feel that both of them are the most vulnerable software out there and both are clunky when it comes to event analysis, visualization etc. This is where we feel QRadar has a refreshing interface. It does use Java for some parts of the console, but otherwise, the Browser console is so light and so simple that working with QRadar is a delight. Even Splunk has a wonderful UI and is really easy to use compared to ArcSight and Nitro which feel clunky and heavy.

Conclusion:

Overall, McAfee Nitro SIEM is a very good product that scales up against the Industry leaders – ArcSight and QRadar toe to toe. However, as with all acquisitions, they have a few chinks to work out before they truly are ready to lead the pack. Gartner ratings, if anything to go by, consistently rate McAfee in the leaders quadrant but they have been in the 3rd position for quite some time now. With HP ArcSight not doing anything new in the last two releases, QRadar is the only competitor to look forth and emulate. Hope McAfee rises above the competition with a more stable and mature SIEM product thereby shaking the Industry up.

So that’s it folks. Feel free to comment on what you feel about McAfee Nitro SIEM and what its benefits and weakness are.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free Security Information and Event Management (SIEM) Report and find out what your peers are saying about McAfee, Splunk, IBM, and more!