Item: Trellix Enterprise Security Manager
Rating: 8
Author: Philip Clarke

Use Cases and Deployment Scope

McAfee Enterprise Security Manager is used not only for its log collection capabilities but also for its advanced threat intelligence. We are using the product as part of moving into Intel's complete suite of products, where appliance integration will bring a commonality to our incident capabilities and help with faster response times and visibility.

Pros and Cons

Advanced Threat intelligence gives us the ability to prioritise alerts quickly and efficiently.
SIEM log collection allows us to integrate our other Intel products to a centralised point.
Physical appliances is one of the areas we have moved away from, so the ability for ESM to be available as a VDI was key.

If there is a requirement to integrate into other vendor products i.e. (log sharing) then this was very cumbersome.
Integration of vulnerability scanning that is available in other vendor products would be a good addition.
When integrating all of Intel's products a third party consultancy is usually required, where other vendor products can be configured without this additional cost.

Return on Investment

Centralisation of events form NIDS/IPS/IDS, Firewall(s), Web Proxy and Endpoint
Ability to have third party management
Actively upgraded product with good vendor support

Alternatives Considered

We looked at a few products, these were AlienVault, ESM, LogRhythm and Alert Logic.

ESM at the time had more functionality and a friendlier and cleaner user interface than LogRhythm

ESM had an ability to integrate easily into Intel's endpoint solution versus AlienVault where a parser would have to be written, though AlienVault's inclusion of vulnerability management and IDS made it stand out from some of the others.

ESM had a better correlation engine and log drill through than Alert Logic, and in our scenario we were not looking for a hosted solution at the time.

ESM has a good network of partners and in the event a managed service is required the transition to this is made very easily.

Other Software Used

AlienVault USM, McAfee Endpoint Protection Suite, Microsoft Office 365, IBM Cognos, Zscaler Web Security

Likelihood to Recommend

McAfee Enterprise Security Manager is well placed when the environment has other Intel products. We operate McAfee Move and the two products work extremely well together. The anti-virus product can be very cumbersome if used with another SIEM solution when log collecting.

We have other areas where intel solutions are not in use and in these circumstances we used another well-known SIEM solution that had an easier implementation phase than Intel's and where remote access was challenging.

Products Replaced

Key Differentiators

Product Features
Product Usability
Existing Relationship with the Vendor

The feature set was important along with usability, but the integration with our other Intel products was a key purchasing decision

Evaluation Lessons Learned

If we had to evaluate again, we would look more closely at what are we trying to achieve and does it make sense to keep some of the other products we already have. A key element is to have a completely integrated suite of products all working in unison, and though this can be achieved by having a multi-vendor environment it is never as clean as a single vendor solution. Also we would look at the outsourcing of certain IT security functions, in the case of SIEM solutions it can make more sense to have this activity outsourced where the third party has a larger scope and more realtime experience of event s that are happening to other clients and can then apply the incident response to all of their customers.

SIEM causing Anger then use Enterprise Security Manager

Overall Satisfaction with McAfee Enterprise Security Manager