This is another of our SC Lab Approved tools that we have been using over the past several years. For this review, we upgraded to v10 which has quite a few major improvements. The most obvious is the HTML 5 user interface. The ESM always has been a superb analyst tool, but with every new release it becomes more of a SOC tool without sacrificing the depth required by serious analysts.
In addition to the UI, the newest release uses ElasticSearch which speeds searches across large datasets significantly. The ESM always has been noted for the large number of devices, applications and operating environments from which it can take data, and this new release is no exception. However, it also interfaces directly with such McAfee applications as ePolicy Orchestrator, Advanced Threat Defense (malware), Network Security Manager (intrusion prevention), Threat Intelligence Exchange (share security data) and Active Response (search endpoint telemetry in real-time to provide targeted threat remediation). Obviously, if you are a McAfee shop, this needs to be in your kit.
The ESM uses what it calls "Receivers" as data collectors and you can distribute Receivers throughout your enterprise as needed. Log management is done by the Enterprise Log Manager (ELM). Usually these pieces are part of full deployment but they also can be deployed as a single "all-in-one" configuration as we have here in the SC Labs. That can be deployed as a virtual machine - again, as we have here in the SC Labs - or a physical server. We deployed our instance from a supplied OVF template on our VMware system. Log data is input by push (syslog, for example), pull (as with WMI logs) or an agent on the monitored device. Setup of monitored devices is straightforward.
In the SC Labs, we have our ESM watching the deception network, which consists of both Linux and Windows machines. Once you have configured the devices, that will send data to your Receiver. and you can begin to take data and configure the rest of your ESM. This is done from the System Properties menu. This menu contains quite a number of submenus, most of which will be familiar to longtime ESM users.
The concept of content packs is one of the ESM's strongest features. Content packs contain specialized information that organizes the ESM resources for a particular application. For a given application, you will need some resources, both internal - such as a specific dashboard - and external - such a threat feed or two. While you certainly can set this up manually, having the content pack is far faster and more consistent.
In the System Properties menu, you'll also find such expected submenus as System Information, Network Settings and the like, plus new ones, such as Cyber Threat Feeds. This is unquestionably a next-generation tool, complete with advanced algorithms, big data handling and external threat feed correlation along with several nice features to make all of the other things work well, e.g., ElasticSearch.
In our deployment of the ESM in our virtual environment, we've found that it is much more efficient than earlier versions. The new UI moves things along quite smartly. We were, initially, concerned because the VM wants more CPU cores, ideally, than we have available, so we reduced the number cores by two and the performance hit was indistinguishable from what we expected.
Overall, we continue to like working with this product. It really is an analyst's dream tool, but it takes a bit of learning to get the most out of it. That said, over the past decade, it has made giant strides from the lab to the SOC and we would recommend this unhesitatingly as a general purpose SIEM in the SOC. It has every feature that we can think of that might be needed for a serious SOC analyst. The little extra time spent to learn how to make it really get the best results will pay huge dividends over the long haul.
