One year later: McAfee ESM

We have two SIEMs in the Labs and we use them slightly differently. The McAfee ESM is our workhorse. We use version 10 and we really like the new HTML5 user interface. This SIEM started life as NitroView and it was, at that time, unquestionably the best analyst's SIEM available. Today, Nitro having been acquired by McAfee, sold to Intel, and returned to McAfee, the product has undergone many changes, all of them very positive from our perspective. Perhaps the most important change is its personality. It is still a great analyst's tool, but it has become far more user-friendly over the years. Today it is a fine SOC engineer's tool without having lost any of its analytical chops.

This is a highly configurable tool and we stretch it constantly. It is so feature-rich that we would be hard-pressed to address everything it can do in a single review. The easy way to introduce yourself to the ESM, once you have it installed and configured in your environment, is simply to turn it on and look over the default dashboard. Without any fancy manipulation, you are presented with a great deal of important and useful information. From that point, you can select any of dozens of views concentrating on just about anything from malware to user activity to compliance. It comes pre-configured with special dashboards for just about any compliance task you can think of.

The power doesn't stop there, though. The dashboards consist of collections of views that group related elements together and place those collections in windows that you can edit and move around, adding your own elements and creating entirely new collections for truly custom dashboards. For any given task, you start by selecting the dashboard you want and then performing drill-downs. This gives you a custom-designed threat hunting environment and lets the SIEM do double duty: as a correlator of sensors with the job of alerting on suspicious behavior, and as a first-rate threat hunting tool.

Here in the Labs we are engaged mostly in research and testing. We let our SIEMs watch the Internet directly with no firewall, so this is like drinking not from a firehose but from Niagara Falls. Add to that, we have a honeynet, a deception network and a Tor exit node. We don't have the SIEM configured precisely the way you might in a production environment in your enterprise. That speaks volumes about the versatility of the device.

In a typical enterprise environment, you would be feeding it from every log source you could find, and it will accept them all, most out of the box, though you may need to do a bit of fiddling for odd or unusual log and flow sources. The tool looks at all events and flows, correlates them and plays them against standards you configure to arrive at a risk score. So, at the end of the day, with the addition of vulnerability and weighting data, ESM becomes a risk measuring machine.

McAfee provides, automatically, a collection of threat intelligence feeds, but you can easily add your own as well. Some are as simple as adding a command that executes with a single click. For example, we use several web sites to analyze intelligence on an IP address. We added those feeds to the ESM, and now when we select an IP address we can choose the threat feed we want to send it to. This returns intelligence on that IP; perhaps it is on a block list or has a bad reputation. We get all of this with a click of the mouse. Setting it up took about two minutes per threat intelligence site.

We have used the ESM in enterprise situations where we have been able to analyze logs such as domain controller and Active Directory server logs and correlate those data with others we may have found. This adds significantly to the threat hunt.

We have found support to be exceptional. The product is available as a virtual appliance or a physical one, and there are specific support programs for each. Support packages at the gold level include all updates for rules, signatures and content packs; since you can build out your own content packs, that is pretty powerful. Support at that level is 24x7. Documentation is everything it should be and pricing is very reasonable for the power the SIEM delivers.

It should go without saying that this will be SC Lab Approved for another year, but just to avoid confusion, it has a home in the Labs for the next 12 months.

Product: McAfee Enterprise Security Manager (ESM)

Company: McAfee, LLC

Price: Starts at $39,995

What it does: SIEM

What we liked: As SIEMs go, there is pretty much nothing on this product not to like, but if we had to pick out a couple of things that impress us in particular, they would be flexibility, extensibility, ease of use and strong analysis capability.

The bottom line: You may, as we do, have multiple SIEMs in your organization, each for a different purpose. One of those should be the McAfee ESM. Put this in the hands of your best SOC engineers and you'll find that when there are disturbances on your enterprise you'll have just the tools you need to address them. Or, if you have more junior people, this is a good tool to use for training as well as analysis and alerting.