McAfee Enterprise Security Manager v9.3.2
Strengths: Capable of supporting thousands of events per second with a huge rule set and extensive reporting options.
Weaknesses: Slightly unintuitive user interface.
Verdict: A heavy-duty SIEM platform which performs well under the heaviest event load.
Enterprise Security Manager from McAfee is a truly enterprise-grade SIEM. Able to process thousands of events per second and store billions of events and flows, it offers great visibility into network activity for customers of any size.
The initial configuration was easy. After unboxing the appliance and making the normal physical connections, we powered on the device and were presented with an ASCII menu. Through that menu we configured a management IP address, which allowed us to access the product's Flash-based web interface. Upon logging in, a configuration wizard popped up and guided us through changing the default logins, setting date/time information and configuring additional network interfaces. We were given the option of configuring a secondary management interface as well as multiple monitoring interfaces; the monitoring interfaces are not assigned IP addresses at all, which adds a degree of stealth to the product. After completing the wizard, we added data sources and the tool began processing.
Enterprise Security Manager is actually a suite of products composed of a number of different components, divided into three categories: Interface; Data Storage, Management and Analysis; and Data Acquisition. The Data Acquisition category consists primarily of standalone components such as the Nitro IPS; the Application Data Monitor, which captures data provided by the IPS service; and the Database Event Monitor, which handles collection, analysis, audit trails and reporting on database access for a number of database platforms. It also includes the Event Receiver service, which acquires syslog and flow data and delivers it to the storage and analysis engine.
The Data Storage, Management and Analysis components cover the Advanced Correlation Engine, which is a standalone appliance that offloads correlation activities from the primary Enterprise Security Manager; the Enterprise Log Manager, which handles the storage, management and access to log data; and the Enterprise Security Manager itself, which is the central administration point for the entire product suite, controls all component communication via encrypted channels and hosts the product's user interface.
McAfee's product documentation is top-notch. PDF guides covering the product's installation, administration and general use are downloadable through the company's support portal. Content from those guides is also available on the device itself through its help feature.
McAfee offers a number of different support options. The gold business support package includes daily product updates, upgrades and malware alerts and analysis services. It also includes chat, web and 24/7 phone support, best practices guides and online test environments. The gold enhanced business support option adds access to product specialists, and the platinum support tier provides a named support account manager.
The tool is priced at $47,994, which includes the first year of support. Gold-level software support with advanced return merchandise authorization (RMA) costs $9,598, and one year of next-business-day onsite support is $9,598.