McAfee delivered SC Labs an OVF file of this virtual appliance for testing. The process of importing it into VMware and getting it up and running was very straightforward. Once the appliance booted up, the menus were not as clean and well organized as the rest of the pack. After referencing the documentation, we were able to navigate through the CLI menu and set up the management interface. Once that step was done, everything else was managed through the web console.
The first thing that stood out on the web console was the device prompted us to change the password. While this is always best practice, very few security devices prompt you to do this; we think that this should be a trend for others to follow. After logging in and accepting terms, we were met with a clean interface in shades of blue.
Once inside, we spent a bit of effort getting Windows, Linux, and networking equipment set up to forward logs to ESM. While this did take a bit of effort, it seemed fairly on par with most others in the group. Data started flowing almost immediately and graphs started updating. We ran our log generation scripts and watched data flow into the clean interface. At that point, we were able to drill down and investigate individual alerts. It did take a while for the widgets to update, but once they did, they clearly displayed the new search criteria.
The dashboard provides a lot of heads-up information and is intuitive to click through. Having been exposed to older versions of ESM, we could tell that McAfee has recently put a lot of thought and effort into developing this product. The interface in version 10 has a modern feel and has incorporated HTML5 for modern computing devices. This tool has dashboards and information that can be leveraged across the entire SOC.
McAfee ESM automates compliance monitoring and reporting. Leveraging the Unified Compliance Framework, it offers hundreds of pre-built dashboards, complete audit trails, and reports for more than 240 global regulations and control frameworks.
For a SIEM to be successful, it must take feeds from your organization's assets. McAfee's ESM is up for the task. It can digest basic syslog, take feeds from Windows WMI, analyze NetFlow and even has an agent option to help ingest logs into the ESM. It's safe to say that if you have a product, ESM can process its logs. While McAfee has a wide variety of solutions that it can interface with, it truly shines when used with McAfee's product suite. If you are running other McAfee products, you should strongly consider adding this toolset.
The documentation provided was easy to follow and full of screenshots, making it simple for all skill levels to install and configure the device. In the event you run into any issues with your ESM, McAfee support is included for the first year. It offers an online knowledge base as well as a very active community expert exchange.
- Michael Diehl with Dan Cure;
tested by Matt Hreben and Michael Diehl