Overview diagram (labels only): GLOBAL Security Insight; Dashboards, Reports, Alerts; Threat Intelligence; Threat Detection & Incident Response.
McAfee ESM strong points
• Advanced Detection Techniques
Provides a rule- and risk-based detection engine, behavioral analysis and IoC ingestion to detect complex attacks.
• Ease of Operations
Simplify SIEM operations via “ready to go” use-case-oriented content pack bundles, available with no extra costs.
• No hidden costs
No license limitations on volume of data collected, performance or number of log sources (except in the MSP pay-as-you-go license).
• Integrated Solution
Orchestrate the complete security environment to reduce delays between the detection and remediation phases.
• Scalable and Multi-tenant
Multi-tenant requirements can be achieved either via segregation of data or via distributed ESM, providing flexibility and scalability for current or future needs.
Integration diagram (labels only): Collection of over 450 sources out-of-the-box; McAfee Threat Intelligence Exchange Server; McAfee Advanced Threat; McAfee Active Response; 3rd Party Solutions; Threat Workspace; OpenDXL; 3rd Party Threat Intelligence; McAfee Global Threat Intelligence; Detection.
Threat Feeds
▪ GTI (built-in watchlist but requires a license)
▪ Third party feeds, e.g. open source:
▪ Malware Domain List
▪ OpenPhish
▪ SANS – Internet Storm Center
▪ Ransomware tracker
▪ Spamhaus
▪ Tor Servers and Exit Nodes
Correlation timeline diagram (labels only): Day -60 (BackTrace) → Day 0 (Real Time) → Day 0+.
Enterprise Security Manager (ETM)
Performance Rating (without correlation), in Events Per Second (EPS). The slide lists two EPS figures per ESM model; icons on the slide indicate Virtual Appliance or Hardware Appliance.
Model      EPS        EPS       Storage
ESM-X11    400,000    80,000    19TB SSD + 8TB SSD
ESM-X9     300,000    60,000    19TB SSD + 8TB SSD
ESM-X7     200,000    35,000    16TB SSD + 2TB SSD

ERC (Receiver), rated by Events Per Second (EPS)
Model                    EPS       Storage / Resources
ERC-4700                 30,000    5.6TB SSD
ERC-3500                 20,000    12TB + 400GB SSD
ERC-VM+6x4-core-addon    16,500    32 cores – 104GB RAM

ELM, rated by Events Per Second (EPS)
Model       EPS        Storage / Resources
ELM-6050    100,000    40TB + 800GB SSD
ELM-5700    75,000     32TB + 800GB SSD
ELM-SSD5    55,000     5.6TB SSD
ELM-VM      1,500      8 cores – 4GB
• Raw Log Integrity Management
Ensures forensic integrity with SHA1 hashes
• Redundant Capable
Primary and Secondary ELM can be configured
• Flexible Storage
Local, SAN (Fibre), CIFS, NFS, iSCSI, NAS and combinations

ACE, rated by Events Per Second (EPS)
Model       EPS        Storage
ACE-4700    225,000    5.6TB SSD
ACE-2650    75,000     12TB
• Deviation correlations
Looks for anomalous behavior

ADM, rated in network bandwidth
Model       Bandwidth    Storage / Resources
APM-3500    1gbps        12TB
ADM-VM      50mbps       8 cores – 4GB RAM
• No DR/HA option

Combo appliances, rated by Events Per Second (EPS); the slide lists two EPS figures per model
Model               EPS      EPS      Storage / Resources
ESM-ELM-ERC-5700    3,500    1,750    32TB + 800GB SSD
ESM-ELM-ERC-VM      5,000    1,500    8 cores – 16GB RAM
• The storage for the ELM must be off-box: DAS, SAN, NFS or CIFS storage.
• No upgrade to a distributed ESM architecture
• No HA/DR options for combo appliances
• Performance of the ERC decreases when you use the correlation engine of the ERC
Deployment diagram (labels only): DAS; ESM (Query); SAN, NAS or DAS; ACE historical; Parsed; Raw; Event Data; Network Packets; ERC; ADM; DEM; Databus; ESM 1, 2, 3, 4.
• Optional SIEM Collector Agent (free for all ESM customers)
• Optional Database Activity Monitor (part of McAfee Database Security)
• Data replication provides real-time survivability in the event of ESM failure
All Devices:
• 1116 – EDB – all devices
• 1119 – EDB Secure – all devices
Deployment diagram (labels only): ESM (Query, Correl); ACE real time; ELM; Parsed; Raw; Event Data; ERC.
• Standalone ESM Appliance
SSD storage provides faster query results on recent events
• Standalone Receiver
Event data performance up to 30,000 EPS
• Standalone ELM with Local and optional External Storage
Stores the ELM database and storage pools
• Standalone ACE
In real-time mode. A 2nd ACE can be used for historic correlations
Deployment diagram (labels only): ESM (Query, Correl); ACE real time; ELM; Parsed; Raw; Event Data; ERC (multiple); DAS; 3rd Party Platforms.
• Multiple Standalone Receivers
Mix of hardware and Virtual Receivers
Only one DAS per ESM (raw storage is then reduced by RAID 5)
SAN, NFS, CIFS, iSCSI or DAS can be used as an alternative to DAS for ELM
SAN requires approved third party SAN adapters
Customer based SAN and iSCSI can be used for archived partitions
Deployment diagram (labels only): ESM (Query, Correl); Shared (Query, Correl); ACE real time; ELM; Parsed; Raw; Event Data; ERC.
• Redundancy maintained between ESMs
Synchronizes data using the same ESM/Receiver process
• Mostly Active/Passive
Only the primary ESM can be used, but queries from Dashboards and reports can be shared between the primary and the redundant ESMs
• Data duplication to primary and to redundant ESM via the ERC and Kafka
The ERC Kafka bus keeps data for 72h
• Realtime ACE can pull data directly from the ERC
Deployment diagram (labels only): ESM (Query, Correl); SAN, CIFS, NFS or DAS (two pools); Parsed; Raw; Event Data; ERC.
• Mirrored Storage Pools
Uses multiple pools to mirror the raw logs
Deployment diagram (labels only): ESM (Query, Correl); ACE real time; ELM – Redundancy Synchronization – ELM; Parsed; Raw; Event Data; ERC.
• Redundancy maintained between ELMs
Synchronizes data using the same ESM/Receiver process
• ELMs deployable in diverse Geographic Locations
Can be deployed across the building, city or country
• Active/Passive
Only the primary ELM can be used
Deployment diagram (labels only): ESM (Query, Correl); ACE real time; ELM; Parsed; Raw; Event Data; ERC.
• ACEs deployable in diverse Geographic Locations
However, a real-time ACE should be near the active ESM
• Standby option
By manually enabling realtime correlation in a 2nd ACE or in a historic ACE
Deployment diagram (labels only): Correl; ACE option; Parsed; More Raw; Event Data; ERC option; Shared IP; HA Pair.
• All-in-One appliances can be extended via Multiple DAS
Up to 90TB each for ESM and ELM
A single DAS cannot be shared by both ESM and ELM
• Storage can also be extended via 3rd Party Platforms
Customer based CIFS, NFS, SAN and iSCSI can be used
Deployment diagram (labels only): ESM (Query, Correl); ACE real time; ELM; ELS; Parsed; Raw; Event Data; ERC.
• Standalone ELM with Local and optional External Storage
Stores the ELM database and storage pools with high compression
• Standalone ELS with Local and optional External Storage
Also stores the raw data and provides faster forensic search, but without compression (typically requires 20 times more storage than ELM)
• No redundancy option
Hence raw data should also be stored in the ELM
Deployment diagram (labels only): ESM (Query, Correl); ACE real time; ELM; Parsed; Raw.
• Shared cluster uses load balancing
The ERC uses round robin to share the database partitions equally between all shared nodes
Deployment diagram (labels only): ESM (Query, Correl); ACE real time; ELM; ELS; Parsed; Raw; Event Data; ERC; Third party Raw Log Management; Third party Kafka consumer.
• Allows third party to consume the Kafka raw events topic securely
Third party can consume the raw event traffic generated by the ERCs
Deployment diagram (labels only): Raw+Parsed; Event Data; ERC; Correl; Query; ACE real time; ELS; DSB; Child ESM.
• No centralized configuration
Each ESM is configured locally; export/import can be used
Deployment diagram (labels only): SSH port 22; ESM (Query, Correl); ACE real time; ELM – Redundancy Synchronization – ELM; ELS; Parsed; Event Data; Shared IP; HA Pair; ERC option.
Version 11 ports
Service            Direction    Ports               Protocol    Scope
Snowflex           in/out       1210, 1211, 1212    tcp         ESM cluster
Snowclient/jdbc    in/out       8103, 8104          tcp         ESM cluster
Kafka              in/out       9092                tcp         To/from ESM, ACE, ELS, DSB
EDB Secure         in/out       1119                tcp         To/From all devices
Data source supported devices and the latest integration list are available in the Knowledgebase:
https://docs.mcafee.com/bundle/enterprise-security-manager-data-sources-configuration-reference-guide/page/GUID-8D26D4CB-B170-4C2A-AAB1-07FBB4AC02A9.html
SIEM Foundations and Expert center are available on the McAfee Community Website
https://community.mcafee.com/docs/DOC-6272
https://community.mcafee.com/community/business/siem
https://community.mcafee.com/community/business/expertcenter/products/siem