McAfee Enterprise Security Manager (ESM)
Strengths: Best analysis SIEM we saw and absolutely the most complete SIEM package.
Weaknesses: If there is one, it would be price.
Verdict: This is very different from its predecessor, and remains the gold standard. We select it as SC Lab Approved.
Intel Security's McAfee Enterprise Security Manager (ESM) is a security information and event management suite. It is available as a VM or hardware appliance and supports a massive number of products to produce useful information for security administrators.
We received the VM version. We were sent a download link to the virtual appliance, which - with no additional setup - was deployed to our hypervisor. After giving it an IP address, all that was needed was pointing syslog and other supported devices toward the receiver, and from there the logs were correlated. Adding Active Directory is as simple as plugging in account credentials and the IP address of the domain controller; no agent install is necessary, because ESM pulls logs through Windows Management Instrumentation (WMI) at an interval set by the user.
The product does everything one would expect a SIEM to do: collect logs from a wide range of devices and integrate with Active Directory. The receiver pulls all the logs in, and they are all easily available to the user. Its permissions and user account controls make it easy to limit access to only what certain users need to see.
What really sets the tool apart, though, is its advanced correlation engine. The deductions made are absolutely astounding. ESM makes correlating different sources and finding outliers, suspicious events and general oddities in the network as easy as can be. Minor outliers can stand out like a sore thumb to the ESM, which makes it extremely useful for quickly and easily tracking down security events and policy violations. The drill-down view allowed us to see the exact logs that caused the alarm or event, enabling the system administrator to decide whether the event is worth chasing down.
Documentation includes an extensive list of supported products and syslog parsers, although some information was a bit harder to find than we would have liked. Still, the documentation was good and up to the quality we have come to expect from this company.
There are two support options: McAfee Enterprise Technical Support and McAfee Business Technical Support. McAfee Enterprise Technical Support assigns a single point of contact, called a Support Account Manager, who will visit onsite up to twice per year. All support contracts are 24/7 via telephone.
McAfee Enterprise Security Manager has in the past been the gold standard for enterprise-grade SIEMs, and it still is. McAfee Enterprise Security Manager provides some of the most useful inferences and information, while not being bogged down by frequent false alarms or wild guesses. It is not the least expensive option out there - at nearly 10 times the price of the least expensive SIEM we reviewed this month - but if you have the money to spend, there is nothing better out there. - BJ