1 2 Previous Next 12 Replies Latest reply on Jun 10, 2015 8:05 AM by johnstate

    Poll: What is your experience with McAfee SIEM support

    rhinomike

      Hi,

       

      In the last few months we have been using the McAfee SIEM quite heavily and the more we use, the more bugs and issues we find. So far so good, bugs will always exist and are part of most technologies, however, our team is truly appalled by the level of support we receive around McAfee SIEM* in the APAC region. So let me ask:


      1. How would you rate experience with the McAfee SIEM support?
      2. What level of support do you have?
      3. In what region are you based?
      4. What areas are particularly painful?

       

      * Please note I highlight SIEM support. McAfee support around AV and it's bread and butter offerings tends to be great, but the SIEM support, holy golly!

        • 1. Re: Poll: What is your experience with McAfee SIEM support
          rhinomike

          I will start:


          1. How would you rate experience with the McAfee SIEM support?


          Beyond painful. Makes me miss dealing with the a very large Indian based outsourcing company (and that support was already bad...)


          2. What level of support do you have?


          Gold.


          3. In what region are you based?


          APAC.


          4. What areas are particularly painful?

           

          • Tier 1 and 2 Engineers seem to have very little understanding of the product and what a SIEM truly is.
          • Support is provided with very little commitment. E.g.
            • Support Engineers will not call us back,
            • Support Engineers will not provide updates to cases,
            • Support Engineers will refuse escalation requests.
          • In addition we have noticed a pattern where every time we hit a harder bug (e.g. Re: ELM not seeing SAN storage) we are pushed to the PER route.

           

          Hope this helps others

          • 2. Re: Re: Poll: What is your experience with McAfee SIEM support
            pepelepuu
            • How would you rate experience with the McAfee SIEM support? (On a scale from 1(Not Existent) to 10 (Can't live without it, because its great!!)
              • 6
            • What level of support do you have?
              • Platinum
            • In what region are you based?
              • US- Midwest
            • What areas are particularly painful?
              • Communication
              • Follow Through
              • Knowledge Sharing
              • Status, etc
              • Product:
                • MVM
                • ESM
                • ELM

            Now with all that said, I really believe its the process, or support model being used. The tier II engineers only have what tier 3 provides, which isn't always thorough or accurate.  So as a true enterprise customer, I have learned to be patient with the engineers. NOT THE COMPANY OR SUPPORT MODEL IN PLACE.

            I have been dealing with issues on every layer of the OSI model, and since everything is so modular, calling support will only get you a ticket opened until you close it, and they close it. If you review the attached excerpt from the McAfee Platinum Support Handbook which illustrates it, you'll see how though it looks good it's nothing more than mere sales material.

             

            The attachment will also illustrate our biggest problem. Based on the SLA, as defined Sev 3 tickets are escalated to tier 3 at 3 days, and then engineering at the 5 day point. I currently have 6 sev 3 tickets open, ranging from an open date of 12/1/ - 12 /22.

             

            You learn to adjust your expectations, until a third party starts to sell support for the Vendor. But again, I can't say enough, how sorry I feel for the guys answering the phones, because Vendor documentation isn't accurate, and the sheer volumes and complexity put on 5 - 6 techs per region. I tell you what, those guys earn every penny. The problem is at the top...not the people we come in contact with.

            • 3. Re: Poll: What is your experience with McAfee SIEM support
              rcavey

              I really want to beat up on SIEM Support but in all honesty I think that the problem lies upstream into management but let's not forget that McAfee/Intel are trading on the stock market and in business for the $$$$.

               

              A few things I'd like to put out there... this Poll got me excited for a sec but.... even if it did get some attention some lazy "explicit adjective" would snuff it because actually doing something about it would require commitment and funds.

              - I think the product is selling pretty well( more than anyone thought ) now that McAfee has swallowed the Nitro Security product into the arsenal.

              - Tier I lost some good folks in the past year because they were not putting the money into the people or backing the support infrastructure.

              - The underlying databases and what the product can do and the speed it can do it is pretty frickin awesome.

              - Beat on the sales and product managers relentlessly if you are *not* getting what you feel is good support.


              1. How would you rate experience with the McAfee SIEM support?


              My rating varies by each call so I can't pin down a number rating/


              Tier I -  Very helpful and they do try to help but once they are stumped you gotta worry a little when you are going to hear back from someone.  I feel for these guys and gals(seem to be better overall than the guys currently) as they are the front line.

                   note:  Tell them if you are pretty savy with Linux and they won't have to "baby step" you through what commands they want you to run.

              Tier II - Depends on who you get some good some eh?

                   note: some of the guys over analyse the entire ticket and could be a bit more forthcoming about what is really happening.

              Tier III - I've been mostly impressed with these folks *when* you can get to the point of getting them on a call but that is really hard to get.


              2. What level of support do you have?


              Gold


              3. In what region are you based?


              US DC Metro


              4. What areas are particularly painful?

               

              • I've never head of a successful PER request, has anyone else?
              • Over the summer we got through to sales and product management that support was sooooo bad we got assigned a support resolution expert that was supposed to setup a weekly meeting with metrics and action items which was never followed through on ( Hello management?? )
              • They are quick to point the finger at custom rules as the source of a problem recently.
              • Tier 1 and 2 Engineers are stumped almost immediately on ELM issues.  I don't think they receive any training or get knowledge from engineering. ( Hello management?? )
              • Support overall is poorly managed ( They know Tier I is way overwhelmed, Hello management?? )
              • Management has to see the numbers and the exit interviews of people that have left..... must be ignoring the data.
              • Commitment to resolving receiver HA problems ( Watch out for 9.4.2 11182014 it will hurt ) and is a constant problem with packets dropping on the floor at the receiver because neither one keeps the ShareIP when anomaly's happen.



              Cheers,

                -Bob

              • 4. Re: Poll: What is your experience with McAfee SIEM support
                rhinomike

                pepelepuu


                > The attachment will also illustrate our biggest problem. Based on the SLA, as defined Sev 3 tickets are

                > escalated to tier 3 at 3 days, and then engineering at the 5 day point. I currently have 6 sev 3 tickets

                > open, ranging from an open date of 12/1/ - 12 /22.


                You are lucky. I have Sev 3 tickets that are nearly 90 days old and still without any clear definition on when they will be solved. My Account Manager seems genuine in his attempts to help but as you mentioned I also think the support model is broken from the top.


                What I find remarkable is the fact that when you deal with McAfee's core products like EPO and VSE the support quality is quite decent, even for those under Gold support, however, when you step in SIEM land, it is hell on earth.


                rcavey

                 

                > * I've never head of a successful PER request, has anyone else?

                 

                We had one selected for development several months after raised it. Legend says you have better chances of getting a PER addressed if you conjure the right McAfee staff.


                > * Over the summer we got through to sales and product management that support was sooooo bad we got assigned

                > a support resolution expert that was supposed to setup a weekly meeting with metrics and action items which was

                > never followed through on ( Hello management?? )

                 

                We had the same issue where the McAfee host setup a regular call for ticket updates. After 2 weeks the calls ceased after updates turned into "we are waiting for tier 3" sort of status update.

                 

                > They are quick to point the finger at custom rules as the source of a problem recently.

                 

                Funny you mention that. Today I was reading some status updates and had the impression this was going to be the next step in the bug blame game.

                 

                > Commitment to resolving receiver HA problems ( Watch out for 9.4.2 11182014 it will hurt ) and is a constant problem

                > with packets dropping on the floor at the receiver because neither one keeps the ShareIP when anomaly's happen.


                You are not alone in Receiver bugs running this version of code we are also having issues after issues with receivers running 9.4.2.


                Anyone else would like to share their experience?


                • 5. Re: Poll: What is your experience with McAfee SIEM support
                  streamer

                  How would you rate experience with the McAfee SIEM support?

                  > 4/10

                  What level of support do you have?

                  > Platinum

                  In what region are you based?

                  > EMEA

                  What areas are particularly painful?

                  > Almost everything. I had to fix all our issues by myself. (for example: ETM Redundancy, ERC HA, ELM Redundancy, Hardware Fault [ELM], Parser optimization, Data Source grouping etc.)

                  rcavey wrote:

                   

                  • Tier 1 and 2 Engineers are stumped almost immediately on ELM issues.  I don't think they receive any training or get knowledge from engineering. ( Hello management?? )

                  I absolutly agree with you!

                   

                  The only thing I appreciate they are quick release patch. McAfee ESM is a best solution SIEM products but they needs to be improved support level to come to the place it deserves.

                  • 6. Re: Poll: What is your experience with McAfee SIEM support
                    rcavey

                    2nd BUMP....

                     

                    Come on people?!?!?   A couple of hundred views and under 10 replies....  Your input could help make a difference. Give it to us straight and hold no punches. :-)

                    • 7. Re: Poll: What is your experience with McAfee SIEM support
                      chris_hankins

                      1. How would you rate experience with the McAfee SIEM support?


                      A "4" at best and that is probably because I have not had to deal with them recently on anything major. We have been an ESM customer for nearly 3 years (purchased right after the Nitro acquisition) and the mass exudes of all things knowledgeable about the SIEM product. We run a very complex setup and know the product inside and out, probably better than most of the support engineers we work with. From my experience we only open support requests when there is a bug. Here is my break down:


                      Tier I -  I find the Tier-1 crew to be some of the most frustrating to work with. Their job consists mostly of searching their internal support wiki for answers, not performing any level of actual troubleshooting. This is equivalent to what this forum is for and in fact I can say they lean on this forum pretty heavily to identify problems as we have had times where their support staff actually has posted our problem and systems data into the forum looking for assistance. Massive support and customer privacy fail.

                      Tier II - Agree that it depends on who you get? But some of the good ones are so burned out they just want to take the ticket for their allotted time to pawn off to Tier III and will rarely perform much more than what has already been done at the Tier I level by searching and collecting basic information.

                      Tier III - These guys are the ones who usually know the product but from my experience there is about a handful of them and they have so many tickets they cant come up for air. Generally really good at identifying the problem and moving things to resolution if you can get them to focus solely on that problem for a while.


                      2. What level of support do you have?


                      Gold


                      3. In what region are you based?


                      US


                      4. What areas are particularly painful?

                       

                      • The constant need to patch to fix one little thing which creates 10 new support issues. Become the break > patch > identify what's broke > patch > identify what's broke cycle
                      • Support communication into the status of requests or information during hand off to another Tier non-existent.
                      • I've never head of a successful PER request, has anyone else? LOL I had to include this one as well.
                      • Customization as the source of problems. If we all ran it out of the box it would work great, but touch something and its never a support issue.
                      • Tier 1 and 2 Engineers are stumped almost immediately on ELM issues.
                        • Add DEM, Linux and Windows Agents to this list or anything having to do with their parsers or rules.
                      • We still have tickets in Tier III that are unresolved after 2 years, our general time to resolution is in months/quarters rather than days
                      • 8. Re: Poll: What is your experience with McAfee SIEM support
                        rcavey

                        2nd BUMP .....  still under 10 "actual" replies.... my two bumps don't count

                         

                        Ok how bout just concurring with maybe a paste the comment(s) related to your experience?   Take the 3 minutes and just do it, thanks.

                        • 9. Re: Poll: What is your experience with McAfee SIEM support
                          aszotek
                          1. How would you rate experience with the McAfee SIEM support?

                          3/10 for lower tiers, really bad as of now. lots of issues remain not addressed, the same issues occur, support is always surprised and reacts like this:

                          McAfee: "never seen this issue before, you are the only customer with this issue"

                          Me: "are you serious? we had this issue 5x already!"

                          McAfee: "no, never seen..."

                          The above applies to 1st tier as well as SEO level. I have probably dealt with all levels of McAfee support (including QA and Devs to sort serious database collapses), my company is also on beta program for new releases. Dealing with highest levels of support gets things sorted, but to reach such levels takes many many escalations & threats, but it's totally worth it as the answer from Devs automagically changes to "hotfix is on it's way to next maintenance release", which is reassuring.

                          Big problem for them is that this kind of information is not properly cascaded down to lower levels of support, not to mention documentation which is pretty much non-existent.

                          To be fair, the support for other McAfee products, namely Foundstone (renamed to MVM) and Intrushield (IPS) is worse by order of magnitude than support for Nitro SIEM.

                          2. What level of support do you have?

                          Platinum

                          3. In what region are you based?

                          EMEA

                          4. What areas are particularly painful?

                          - Repeated nonsense responses from lower tiers

                          - HA support is a joke

                          - support is only familiar with using NGCP user for everything, clueless about real-life user issues and permissions

                          - quick to blame customization as source of problem

                          - sneaky ticket updates/closures

                          - if new release is available, support will push for immediate upgrade, which in most cases breaks other things

                          - dealing with Support Manager

                          - overall UK based support on all levels is not very skilled

                          - US support is much better (higher tiers available), but painful because of time difference

                          1 2 Previous Next