McAfee Enterprise Security Manager (ESM) has a variety of agentless log collection methods and unlimited scaling that provide drastic performance improvements and rapid communication between SIEM technologies and external tools. Remote host command execution supports products without direct integration.

ESM has a generic web API and next-gen collector that simplify the work associated with bringing in events from new data sources. ESM can support new cloud services as they become available, thereby reducing rework. The platform contains a data source diagnostic tool that automatically troubleshoots data sources that no longer send events to the receiver, keeping ESM functioning as expected. After all, a SIEM is only as good as the data put into it.

One thing we believe McAfee ESM could do without is leveraging Adobe Flash Player for components of the platform. We view Adobe Flash Player as an outdated way of operating. Other than that, we really liked the look and feel of the dashboard. Subscribers may choose from several highly flexible, out-of-the-box templates, ensuring that summaries and overviews meet business-specific needs and reach optimal usability. Customization options include dark mode, integration with Active Directory, the ability to have multiple views open simultaneously and a do-not-disturb mode that hides system notifications. The dashboard supports extensive drilldown functionality, covering a breadth of event details such as geolocation, description, log data and others.

Raw log storage is available with or without compression. Raw data can be compressed at up to a 14:1 ratio to minimize space usage. The enterprise log search indexes the raw data to display it within the enterprise log manager. This feature provides security teams with the ability to efficiently perform threat management, threat hunting and threat investigation.

McAfee has built its reputation on enterprise manageability at a large scale, and that legacy continues with ESM. Several orchestration and automation components in this platform, including threat detection and remediation, contribute to its efficiency. Along with the 1B+ sensors that feed data into threat intelligence and the threat watchlists that can be created, four distinct correlation engines add context and enrichment to threat data, giving security teams a better understanding of any events that have occurred. There is no need to learn special syntax or deal with complex correlation analysis because everything is UI-driven.

The automation, orchestration and extensive customizability in ESM effectively simplify security operations so that analysts can act on threats with confidence. ESM even supports pre-emptive blacklisting, giving analysts the ability to block communication with specific IP addresses for a set amount of time or indefinitely.

Pricing starts at $42,000 for a combo box and includes access to a knowledgebase and FAQ list. 24/7 phone, email and website support are available for 20 percent of the product purchase price. There is a question mark icon built directly into the dashboard that conveniently references product documentation.

Tested by: Matthew Hreben