
ESM Basics Review

McAfee Technical Workshop


Nur-Sultan, 31 May 2019

Ivan Yakovlev | Sales Engineer EMEA

Date, specific business group MCAFEE CONFIDENTIALITY LANGUAGE 1


Common features of major SIEM Solutions
• Log collection
• Log archiving
• Log parsing & data enrichment
• Structured or unstructured search
• Dashboard with forensic drill down
• Reporting
• Correlation (single events, event rates, event sequences, deviations from baseline)
• Integration with threat intelligence data
• Alerts & automatic responses
• Compliance packages for PCI-DSS, HIPAA, FISMA, SOX, ISO27000…


10,000 Foot View of SIEM

[Diagram: McAfee SIEM sits between local sensor intelligence (on-prem infrastructure and cloud services deployment, AWS & Azure supported today) and global threat intelligence. It drives dashboards, reports and alerts for threat detection & incident response, and supports threat actionability & intelligence, personnel, automation and security insight to optimise security operations.]
McAfee ESM strong points

Advanced Detection Techniques
Provides a rule- and risk-based detection engine, behavioral analysis and IoC ingestion to detect complex attacks.

High Performance database
Provides real-time assessment of the organization’s security posture through business-oriented dashboards.

Actionable Workflows
Designed to increase the speed of human analysis while lowering operating costs.

Ease of Operations
Simplifies SIEM operations via “ready to go” use-case-oriented content pack bundles, available with no extra costs.

No hidden costs
No license limitations on volume of data collected, performance or number of log sources (except in the MSP pay-go license).

Integrated Solution
Orchestrates the complete security environment to reduce delays between the detection and remediation phases.

Scalable and Multi-tenant
Multi-tenant requirements can be achieved either via segregation of data or via distributed ESM, providing flexibility and scalability for current or future needs.


Integration ∙ Data Exchange Layer (DXL)

[Diagram: SIEM data collection from over 450 out-of-the-box sources (Firewall, Antivirus, Web proxy, HIPS, IPS, DLP, DNS, Email, WAF, Web, Load balancer, OS, Wifi, Directory Services, Switch, Router, Database, Network flow, Vulnerability scanner) and from McAfee products (Enterprise Security Manager, ePolicy Orchestrator, Endpoint / DLP, Network Security Platform, Web Gateway, Application Data Monitor, Database Security, Threat Intelligence Exchange Server, Advanced Threat, Active Response, Threat Workspace, Global Threat Intelligence), plus 3rd Party Solutions and 3rd Party Threat Intelligence, connected for detection through the Data Exchange Layer / OpenDXL.]


McAfee SIA Partners

[Diagram: partner categories: UBA, Workflow automation, Threat Intelligence sharing, Collection, and many more on data collection…]


Threat Intelligence feeds
Connect SIEM to the world

Threat Feeds
▪ GTI (built-in watchlist but requires a license)
▪ Third party feeds, e.g. open source:
  ▪ Malware Domain List
  ▪ OpenPhish
  ▪ SANS – Internet Storm Center
  ▪ Ransomware tracker
  ▪ Spamhaus
  ▪ Tor Servers and Exit Nodes

Configure Cyber Threat Feed
▪ Source: IOCs from STIX or McAfee ATD
▪ Destination: Watchlists or Backtrace


Real Time & Historical Analytics
Verify if your organization has already been impacted by a known threat
Dedicated Cyber Threat Management Dashboard for real-time monitoring
Automatic ingestion of Indicators of Compromise (IOC) data
Automated historical analysis of newly reported threats with Backtrace
Eliminates hours of analyst time through automation

[Timeline: Day -60 to Day 0 covered by BackTrace (historical analysis); Day 0+ covered by Real Time monitoring]


McAfee ESM
Components



McAfee SIEM Solution Components
Overview

Required
▪ ESM - Central console, online database, and central configuration
  ▪ Either a separate appliance/VM, or included within combo ETMELM
▪ Receiver - Log collection, parsing, aggregation (ESM), compression (ELM) and optional local correlation
  ▪ Either a separate appliance/VM, or the receiver within a combo

Highly Recommended
▪ ELM - Raw log management, and long term cold storage
  ▪ Required for compliance, provable log integrity (via hashing)
▪ ACE – Advanced Event Correlation
  ▪ Dedicated near-real time and historical event correlation; rule based, risk analysis; deviation analysis
▪ GTI – Global Threat Intelligence
  ▪ This is an option for the ESM

Valuable Options
▪ ADM - Application Data Monitor, network monitoring
  ▪ Provides application layer visibility, content inspection, netflow and layer 3 filtering; connected via TAP or SPAN
▪ DAS - Storage extension
  ▪ Needed for high event rates & long retention periods for aggregated and original events for the ELM or ESM
▪ ELS - Raw log management, leveraging Elasticsearch
  ▪ Alternative or addition to ELM for query speed, but with much larger storage requirements than ELM
▪ DSB – Data Streaming Bus, Kafka appliance
  ▪ Required to export raw events to 3rd party using Kafka
  ▪ Required with Parent/Child architecture from version 11.1
▪ SIEM Collector – Collection agent
  ▪ Collects local & remote Windows events (including WEF), Windows EVT files, text files (log tail), SQL Server C2 audit logs, custom SQL (MSSQL & Oracle)
  ▪ Linux version of the agent collects text files (log tail)


McAfee SIEM Solution Components
Enterprise Security Manager (ESM or ETM) central console, online database, and central configuration

Performance Rating
ESM is rated by Events Per Second (EPS)

Model                    Max ingestion  Max Query  Storage / resources    Type
ESM-X11                  400,000        80,000     19TB SSD + 8TB SSD     Hardware Appliance
ESM-X9                   300,000        60,000     19TB SSD + 8TB SSD     Hardware Appliance
ESM-X7                   200,000        35,000     16TB SSD + 2TB SSD     Hardware Appliance
ESM-VM+6x4-core-addon    83,000         22,500     32 cores – 112GB RAM   Virtual Appliance
ESM-6050                 90,000         20,000     40TB + 800GB SSD       Hardware Appliance
ESM-5700                 65,000         20,000     32TB + 800GB SSD       Hardware Appliance
ESM-VM + 4-core-addon    18,000         5,000      12 cores – 32GB RAM    Virtual Appliance
ESM-VM                   5,000          1,500      8 cores – 16GB RAM     Virtual Appliance

• Stores Event & Flow data using McAfeeEDB
  Patented, high-performance, embedded data access engine
• Hosts browser-based SIEM interface
  Easy to use. Highly customizable Views / Dashboards.
• Manages rules thru Policy Manager
  Customizable Data Source and Correlation rules
• Configures Reports and Alarms
  Customizable Reporting and Flexible Alarm Management
• Redundant Capable
  Primary and Secondary (up to 5) ESMs can be configured
• Designed to be Scalable
  Designed to support 80,000’s events per second


McAfee SIEM Solution Components
Event Receiver (ERC) event/flow collection, parsing, aggregation, compression and optional correlation

Performance Rating (without correlation)
ERC is rated by Events Per Second (EPS)

Model                    Max EPS  Storage / resources    Type
ERC-4700                 30,000   5.6TB SSD              Hardware Appliance
ERC-3500                 20,000   12TB + 400GB SSD       Hardware Appliance
ERC-VM+6x4-core-addon    16,500   32 cores – 104GB RAM   Virtual Appliance
ERC-2650                 14,000   12TB                   Hardware Appliance
ERC-1270                 7,500    4TB                    Hardware Appliance
ERC-VM + 4-core-addon    4,000    12 cores – 24GB RAM    Virtual Appliance
ERC-VM                   1,500    8 cores – 8GB RAM      Virtual Appliance

• Collection point for Events and Flows
  Push – devices forward events or flows using SYSLOG, NetFlow, etc.
  Pull – event/log data is collected from the data source using SQL, WMI, etc.
  Agent – data sources are configured to send event/log/flow data using a small-footprint agent such as McAfee SIEM Event Collector, SNARE, Adiscon, Lasso, etc.
• Hosts Rules-based Correlation Engine
  Can be enterprise wide or specific to the local receiver, but at the cost of a significant performance reduction
• HA Capable
  High Availability Receivers can be configured on physical appliances (not on VM)
• Designed to be Scalable
  Designed to support up to 30,000 eps per appliance


McAfee SIEM Solution Components
Enterprise Log Manager (ELM) integrated log management

Performance Rating
ELM is rated by Events Per Second (EPS)

Model                    Max EPS  Storage / resources    Type
ELM-6050                 100,000  40TB + 800GB SSD       Hardware Appliance
ELM-5700                 75,000   32TB + 800GB SSD       Hardware Appliance
ELM-VM+6x4-core-addon    67,500   32 cores – 100GB RAM   Virtual Appliance
ELM-SSD5                 55,000   5.6TB SSD              Hardware Appliance
ELM-VM + 4-core-addon    12,500   12 cores – 20GB RAM    Virtual Appliance
ELM-VM                   1,500    8 cores – 4GB RAM      Virtual Appliance

• Archive Management for Raw Events
  Receiver forwards unaltered logs to ELM
• Maintains ELM Management database
  Ability to manage parsed and raw logs simultaneously
• Raw Log Integrity Management
  Ensures forensic integrity with SHA1 hashes
• Raw logs Compression Management (up to 20:1)
  Delivers maximum storage efficiency
• Redundant Capable
  Primary and Secondary ELM can be configured
• Flexible Storage
  Local, SAN (Fibre), CIFS, NFS, iSCSI, NAS and combinations


McAfee SIEM Solution Components
Advanced Correlation Engine (ACE) dedicated correlation appliance

Performance Rating
ACE is rated by Events Per Second (EPS)

Model                    Max EPS  Storage / resources    Type
ACE-4700                 225,000  5.6TB SSD              Hardware Appliance
ACE-VM+6x4-core-addon    90,000   32 cores – 100GB RAM   Virtual Appliance
ACE-2650                 75,000   12TB                   Hardware Appliance
ACE-VM + 4-core-addon    40,000   12 cores – 20GB RAM    Virtual Appliance
ACE-VM                   30,000   8 cores – 4GB RAM      Virtual Appliance

• Dedicated rules-based correlation engine
  Includes hundreds of predefined event correlation rules
• Enables Historical Correlation
  Match new rules against historic events in near real-time
  Note that an appliance is either in Historical or Real-time mode
• Deviation correlations
  Looks for anomalous behavior
• Quantitative Risk Scoring Correlation
  ACE uses rule-less correlation to determine threat activity
• Combined Correlation Engines without overhead
  Operates independently of event collection
• Standby option
  By manually enabling realtime correlation in a 2nd ACE or in a historic ACE


McAfee SIEM Solution Components
Application Data Monitor (ADM or APM) network content visibility

Performance Rating
ADM is rated in network bandwidth

Model                    Bandwidth  Storage / resources    Type
APM-3500                 1 gbps     12TB                   Hardware Appliance
APM-1270                 500 mbps   4TB                    Hardware Appliance
ADM-VM+6x4-core-addon    350 mbps   32 cores – 100GB RAM   Virtual Appliance
ADM-VM + 4-core-addon    100 mbps   12 cores – 20GB RAM    Virtual Appliance
ADM-VM                   50 mbps    8 cores – 4GB RAM      Virtual Appliance

• Monitors application (Layer 7) traffic
  via SPAN or Network Tap
  via four promiscuous network interfaces
• Supports 100+ application protocols and 500+ document types
  Pre-built detection rules for regulated and sensitive data types
  Full session data capture and visibility into all application traffic
• Supports user-definable dictionaries and custom rules
• Creates full audit trail of application events
• No DR/HA option


McAfee SIEM Solution Components
Combo (ETM-ELM) all-in-one SIEM, log management, and event/flow collection

Performance Rating
Combo is rated by Events Per Second (EPS)

Model                    Max ingestion  Max Query  Storage / resources  Type
ESM-ELM-ERC-6050         7,000          3,500      32TB + 800GB SSD     Hardware Appliance
ESM-ELM-ERC-5700         3,500          1,750      32TB + 800GB SSD     Hardware Appliance
ESM-ELM-ERC-VM           5,000          1,500      8 cores – 16GB RAM   Virtual Appliance

• The storage for the ELM must be off-box: DAS, SAN, NFS or CIFS storage.
• No upgrade to a distributed ESM architecture
• No HA/DR options for combo appliances
• Performance of the ERC decreases when you use the correlation engine of the ERC


Global Architecture

[Diagram: the ERC collects event data (optionally via the SIEM Collector Agent, free for all ESM customers) and sends parsed events to the ESM (with optional DAS and a query path) and raw events to the ELM (SAN, NAS or DAS storage); a real-time ACE and a historical ACE correlate parsed events for the ESM; an ADM captures network packets; an optional Database Activity Monitor (part of McAfee Database Security) feeds database events.]


Architecture changes
in version 11



What’s new in v11.x

▪ New architecture supporting Kafka-based Data Streaming Bus
▪ ESM scaling for ingestion and query performance
▪ Enhanced ESM replication for resiliency
▪ Expanded raw logs support: events to ELM (cold) and ELS (hot)
▪ HTML5 interface auto-refresh capability


Architecture Prior to v11

[Diagram: Data Source Events → ERC → ESM, with ELM, ACE, ADM and DEM as separate fixed appliances]

Challenges with existing architecture
1. Fixed, single-purpose appliances
2. Multiple single points of failure
3. Rigid, serialized ingestion path
4. Limited scalability
5. Closed architecture


ESM 11.0: High Performance. Lower Cost. No Compromises.
Data flows to the apps that need it. Each app is fit for purpose and can scale independently.

[Diagram: a Data Streaming Bus connects the following application tiers]
• Collection & Parsing: enrichment, normalization, aggregation of incoming events
• Log Search & Threat Hunting: Enterprise Log Search (Elastic-based). Uncompressed. Short term storage. Optimized for high-speed search and hunting.
• Log Retention & Compliance: Enterprise Log Manager (McAfee EDB-based). Compressed. Signed. Long term retention for compliance.
• Correlation: Advanced Correlation Engine (in memory, no data store). Real-time. Fast & efficient. Drag-and-drop rule creation.
• ESM Cluster: Enterprise Security Manager nodes (McAfee EDB-based).


ESM 11.0 Data Platform: Collect, Enrich and Share Data at Any Scale

Ingest a high volume of data cost-effectively
▪ Comprehensive data collection: device to cloud. Easily scale to billions of events
▪ Predictable collection and storage costs – easily accommodate growth

Normalize and enrich raw security events in near real-time
▪ Produce relevant security data for people and analytics

Efficiently share data
▪ Data flows to appropriate data stores and analytics applications

[Diagram: Logs and Events → Receivers → Kafka-based data bus → Short-term Storage (search & hunting), Long-term Storage (compliance, archive & forensics), Real-time Analytics (in-memory correlation & detection), Advanced Analytics (UEBA)]


11.x Architecture
Data Streaming Bus

Databus
1. Built upon the strengths of Kafka’s low-latency producer/consumer model
2. Databus SDK provides improved security
3. Scalability to 2M+ transactions/second*
4. Inherent data replication (optional)


11.x Architecture
Data Streaming Bus

Data Ingestion & Parsing
[Diagram: the Collection & Parsing cluster (enrichment, normalization, aggregation) publishes raw events to the Databus raw topic and parsed events to the parsed topic.]
1. Decouples the collection and parsing of data
2. Collector nodes ingest raw data and publish to the raw data topic of Databus
3. Parser nodes consume from raw data topics, perform the necessary parsing, etc. and publish processed events to the parsed data topic
4. Clustering provides linear scalability and improved resiliency


11.x Architecture
Data Streaming Bus

Enterprise Log Management
[Diagram: the Enterprise Log Search cluster (Elastic-based) consumes raw events from the Databus. Uncompressed, short term storage, optimized for high-speed search and hunting.]
1. Built upon the strengths of Elasticsearch
2. Consumes raw events from Databus
3. Multi-node data ‘sharding’ provides superior scale, performance and survivability
4. Supports highly scalable storage and retrieval of unstructured data
5. Simple query syntax for conditional searches

“Sharding is a method of horizontal database partitioning that is used to separate very large data models into smaller, faster, more easily managed pieces called data shards”


11.x Architecture
Data Streaming Bus

Advanced Correlation
[Diagram: the Advanced Correlation Engine (in memory, no data store) consumes parsed events from the Databus and publishes correlated events; Stream / Advanced Analytics and 3rd Party Integrations attach as further consumers. Real-time. Fast & efficient. Drag-and-drop rule creation.]
1. Correlator nodes consume from the parsed data topic, perform stateful correlation and publish results to the correlated data topic of Databus
2. Advanced analytics platforms (UEBA, etc.) can participate as correlator nodes (requires SDK)
3. Stream analytics (Spark) platforms can provide additional Machine Learning logic*

* Future feature support

“Apache Spark is a fast machine learning engine for large-scale data processing. Analytics run up to 100x faster than Hadoop MapReduce in memory or 10x faster on disk”
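To make the decoupled collect → parse → correlate flow of the Data Ingestion & Parsing and Advanced Correlation slides concrete, here is an added toy model (not McAfee code) that stands in for the Databus with in-memory topics; the topic names, the syslog-like line format and the event-sequence rule (repeated failed logins followed by a success) are assumptions chosen for the illustration.

```python
"""Toy model of the ESM 11 Databus pipeline: collector -> raw topic -> parser ->
parsed topic -> stateful correlator -> correlated topic. Constructed example;
topic names, log format and the correlation rule are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

class Databus:
    """In-memory stand-in for Kafka topics: each topic is an append-only record list."""
    def __init__(self):
        self.topics = defaultdict(list)

    def publish(self, topic, record):
        self.topics[topic].append(record)

    def consume(self, topic, offset=0):
        # A consumer tracks its own offset, as a Kafka consumer group would.
        return self.topics[topic][offset:]

# Constructed raw lines (assumed sshd-style format, not a real McAfee parser rule).
RAW_LINES = [
    "2019-05-31T10:00:01Z host1 sshd[101]: Failed password for admin from 10.0.0.5",
    "2019-05-31T10:00:03Z host1 sshd[101]: Failed password for admin from 10.0.0.5",
    "2019-05-31T10:00:05Z host1 sshd[101]: Failed password for admin from 10.0.0.5",
    "2019-05-31T10:00:08Z host1 sshd[101]: Accepted password for admin from 10.0.0.5",
    "2019-05-31T10:00:09Z host2 sshd[202]: Accepted password for bob from 10.0.0.9",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<app>\w+)\[\d+\]: (?P<msg>.*)$")
MSG_RE = re.compile(r"^(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$")

def parse_ts(s):
    """ISO-8601 UTC timestamp -> epoch seconds."""
    return int(datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp())

def collect(bus, lines):
    """Collector node: publish raw, unaltered lines to the raw topic. Returns count published."""
    for line in lines:
        bus.publish("raw", {"raw": line})
    return len(lines)

def parse(bus):
    """Parser node: consume the raw topic, normalize into fields, publish to the parsed topic."""
    count = 0
    for rec in bus.consume("raw"):
        m = LINE_RE.match(rec["raw"])
        if not m:
            continue  # unparsable lines remain only in the raw topic (ELM/ELS still keep them)
        fields = m.groupdict()
        mm = MSG_RE.match(fields.pop("msg"))
        if not mm:
            continue
        fields.update(mm.groupdict())
        fields["ts"] = parse_ts(fields["ts"])
        bus.publish("parsed", fields)
        count += 1
    return count

def correlate(bus, threshold=3, window_s=60):
    """Correlator node: stateful event-sequence rule. At least `threshold` failed logins
    for the same user/source within `window_s` seconds followed by a success publishes
    one correlated event. Returns the number of correlated events produced."""
    state = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    produced = 0
    for ev in bus.consume("parsed"):
        key = (ev["user"], ev["src"])
        q = state[key]
        while q and ev["ts"] - q[0] > window_s:  # expire failures outside the window
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            bus.publish("correlated", {"rule": "brute-force-then-success", "user": ev["user"],
                                       "src": ev["src"], "failures": len(q), "ts": ev["ts"]})
            produced += 1
            q.clear()
    return produced

def run_pipeline(lines=RAW_LINES):
    """Run collector, parser and correlator over the constructed input; return the bus."""
    bus = Databus()
    collect(bus, lines)
    parse(bus)
    correlate(bus)
    return bus

if __name__ == "__main__":
    bus = run_pipeline()
    for topic in ("raw", "parsed", "correlated"):
        print(topic, len(bus.topics[topic]))
    print(bus.topics["correlated"])
```

Because each stage only reads a topic and writes another, parser and correlator nodes can be added independently, which is the scaling property the slides describe.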


11.x Architecture
Databus (Kafka Stream Bus)

Distributed ESM & Snowflex
[Diagram: an ESM Cluster of Enterprise Security Manager nodes (McAfee eDB-based) consumes parsed and correlated events from the Databus.]
1. Data clustering extends the industry-leading performance of the existing McAfeeEDB
2. Consumes from parsed and correlated topics of Databus
3. Each Snowflex node adds ingest (partitioning) and query (replication) performance
4. Enables data segregation for geographic and multi-tenant data isolation (fencing)

“A snowflake schema is a logical arrangement of tables in a multidimensional database such that the entity relationship diagram resembles a snowflake shape”


ESM 11.0: Cost-Effective, Incremental, Horizontal Scale

Scenario: Need for more ESM ingestion or query capacity

Solution: Purchase additional ESM ingestion and query performance
  Configure as part of ESM ‘Data Center’
  Create ESM cluster
  (Optional) Add cluster replica for resilience

Benefits
▪ Simple, scalable expansion of ESM
▪ Aggregate performance increases with each additional ESM
▪ Concurrent query performance increases with each replica
▪ Mix-and-match any supported appliances and VMs to create a cluster
▪ Simplified policy management across all ESMs in the cluster
▪ Data replication provides real-time survivability in the event of ESM failure

[Diagram: Cluster 0 with ESM 1–4 and Replica 1; mix and match appliances and VMs]


ESM 11.0: Additional Ports

All Devices:
• 1116 – EDB – all devices
• 1119 – EDB Secure – all devices

Communication Between Devices:
• 9092 – Kafka – ERC, ACE, ADM, DBM, ELS
• 2181 – Zookeeper – ERC, ACE, ADM, DBM, ELS

ESM Cluster Only:
• 1211 – Snowflex – ESMs
• 1212 – Snowman – ESMs
• 8103 – Snowclient/jdbc gossip – ESMs
• 8104 – Snowclient/jdbc response – ESMs


ESM 11.0: Optimized Log Storage
Send logs to ELS and ELM

Enterprise Log Search (ELS) – Fast Investigations
▪ Optimized for query speed, leveraging Elasticsearch
▪ Supports storage and retrieval of unstructured and structured data
▪ Simple query syntax for conditional searches
▪ Ideal for shorter-term storage of security-related logs for hunting

Enterprise Log Manager (ELM) – Data Retention
▪ Optimized for data storage
▪ Industry leading 14-20x compression rate for long term retention
▪ Hashed data to support chain of custody and forensics
▪ Ideal for longer-term storage of compliance-related logs
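The ELM slide earlier and this one both describe raw log integrity via hashing; the following added example (not McAfee's on-disk format) shows the idea: each compressed batch of unaltered raw lines is bound to a SHA-1 digest that also covers the previous batch's digest, so editing or truncating stored evidence is caught on verification. SHA-1 is used only because that is what the page states the ELM uses; the chain layout, the GENESIS anchor and the sample log lines are constructed for the illustration.

```python
"""Toy model of ELM-style raw log integrity: gzip-compressed batches chained by SHA-1
digests so that later modification or truncation of stored raw logs is detectable."""
import gzip
import hashlib

GENESIS = "0" * 40  # chain anchor for the first batch (constructed value)

# Constructed raw log batches, standing in for what a Receiver forwards unaltered to the ELM.
BATCH_1 = [
    "<34>May 31 10:00:01 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP DPT=22",
    "<34>May 31 10:00:02 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP DPT=23",
]
BATCH_2 = [
    "<85>May 31 10:00:05 srv01 sshd[410]: Accepted password for admin from 10.0.0.5 port 51000",
    "<85>May 31 10:00:06 srv01 sudo: admin : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
]

def batch_digest(prev_hash, data):
    """SHA-1 over the previous digest plus the batch bytes (SHA-1 as stated on the page)."""
    return hashlib.sha1(prev_hash.encode("ascii") + data).hexdigest()

def store_batch(store, lines, prev_hash):
    """Append one compressed batch with its digest and the digest it chains from; return the new digest."""
    data = "\n".join(lines).encode("utf-8")
    digest = batch_digest(prev_hash, data)
    store.append({"prev": prev_hash, "hash": digest, "blob": gzip.compress(data)})
    return digest

def build_store(batches):
    """Store a sequence of batches as one chain; returns (store, last_digest)."""
    store, prev = [], GENESIS
    for lines in batches:
        prev = store_batch(store, lines, prev)
    return store, prev

def verify_chain(store, expected_last=None):
    """Recompute every digest from the stored blobs. Returns -1 if the chain is intact,
    otherwise the index of the first batch whose content or linkage does not verify.
    If expected_last (a digest recorded out of band) is given, a chain that verifies
    internally but ends elsewhere (truncated or replaced tail) is also reported."""
    prev = GENESIS
    for i, entry in enumerate(store):
        if entry["prev"] != prev:
            return i
        data = gzip.decompress(entry["blob"])
        if batch_digest(prev, data) != entry["hash"]:
            return i
        prev = entry["hash"]
    if expected_last is not None and prev != expected_last:
        return max(len(store) - 1, 0)
    return -1

def tamper(store, index, old, new):
    """Simulate after-the-fact editing of a stored batch (e.g. rewriting a line of evidence)."""
    data = gzip.decompress(store[index]["blob"]).decode("utf-8").replace(old, new)
    store[index]["blob"] = gzip.compress(data.encode("utf-8"))

if __name__ == "__main__":
    store, last = build_store([BATCH_1, BATCH_2])
    print("intact:", verify_chain(store, last))        # -1
    tamper(store, 1, "/etc/shadow", "/etc/motd")
    print("after tamper:", verify_chain(store, last))  # 1
```

Keeping the final digest somewhere the log store cannot write (a separate system or a signed record) is what turns per-batch hashes into a usable chain of custody.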


ESM 11.0: HTML5 Interface Auto-Refresh Capability

▪ Dashboard views can update automatically with new data
▪ Configurable refresh interval
▪ Ideal for Current Posture and other near real-time monitoring dashboards


Deployment Scenarios



Scenario #1 ∙ ESM, ACE, Receiver and ELM (version 10 & 11)

[Diagram: the ERC collects event data and sends parsed events to the ESM and raw events to the ELM; a real-time ACE correlates for the ESM; the ESM queries the ELM.]

• Standalone ESM Appliance
  SSD storage provides faster query results on recent events
• Standalone Receiver
  Performance up to 30,000 eps
• Standalone ELM with Local and optional External Storage
  Stores the ELM database and storage pools
• Standalone ACE
  In real-time mode. A 2nd ACE can be used for historic correlations
• Initial Deployment for Large Enterprise Environments
  Expected to support 30,000 eps and up


Scenario #2 ∙ Distributed Environment Event Collection (v10 & 11)

[Diagram: several ERCs each collect event data and send parsed events to a single ESM and raw events to the ELM; a real-time ACE correlates for the ESM.]

• Multiple Standalone Receivers
  Mix of hardware and Virtual Receivers
• Designed for Large Enterprise environments
  Expected to support 80,000 eps


Extended Storage ∙ DAS, SAN, CIFS, NFS, iSCSI (v10 & 11)

[Diagram: a DAS attached to the ESM; SAN, NFS, CIFS, iSCSI or DAS attached to the ELM; the ERC archives raw logs to NFS/CIFS.]

• McAfee ESM DAS subsystems
  Extended storage for parsed events
  50TB and 90TB options available (raw storage is then reduced by RAID 5)
  Only one DAS per ESM
• McAfee ELM DAS subsystems
  Extended storage for raw logs
  50TB and 90TB options available (raw storage is then reduced by RAID 5)
  Up to two DAS per ELM
• ESM storage can also be extended via 3rd Party Platforms
  Customer based SAN and iSCSI can be used for archived partitions
  SAN requires approved third party SAN adapters
• ELM storage can also be extended via 3rd Party Platforms
  Customer based NFS, CIFS, SAN and iSCSI can be used as an alternative to DAS for ELM
  SAN requires approved third party SAN adapters
• McAfee ERC log archive
  Raw logs can be sent to NFS or CIFS for external consumption (e.g. MBA) or for backup purposes (no restore option)


HA Options ∙ HA Receiver Pairs (v10 & 11)

[Diagram: an HA pair of ERCs behind a shared IP sends parsed events to the ESM and raw events to the ELM; a real-time ACE correlates for the ESM.]

• Dual Receivers share a Virtual IP
  Uses Cross Connect IPMI for state awareness
  Only on physical appliances connected by an Ethernet cable
  Remote Management is not possible with IPMI
• Designed for HA Collection Environments
  Ensures event collection is never interrupted


DR Options ∙ Redundant ESM (version 10)

[Diagram: Primary ESM and Redundant ESM linked by Redundancy Synchronization; the ERC sends parsed events to the primary ESM and raw events to the ELM; a real-time ACE correlates for the primary ESM.]

• Redundancy maintained between ESMs
  Synchronizes data using the same ESM/Receiver process
• ESMs deployable in diverse Geographic Locations
  Can be deployed across the building, city or country
• Secondary ESM can be promoted at any time
  Unlike HA which is automatic, Redundant ESM is manually enabled
  Receivers maintain collection to ensure no data loss
• Mostly Active/Passive
  Only the primary ESM can be used, but queries from Dashboards and reports can be shared between the primary and the redundant ESMs
• Up to 5 redundant ESMs for a primary ESM


DR Options ∙ Redundant ESM (version 11)

[Diagram: the ERC publishes parsed events to both the Primary ESM and the Redundant ESM; raw events go to the ELM; the real-time ACE pulls parsed events from the ERC.]

• Data duplication to primary and to redundant ESM via the ERC and Kafka
  The ERC Kafka bus keeps data for 72h
• Realtime ACE can pull data directly from the ERC


DR Options ∙ Mirrored ELM Storage (v10 & 11)

[Diagram: the ELM writes raw events to two mirrored storage pools (SAN, CIFS, NFS or DAS); the ERC sends parsed events to the ESM and raw events to the ELM; a real-time ACE correlates for the ESM.]

• Mirrored Storage Pools
  Uses multiple pools to mirror the raw logs
• Provides storage redundancy in case of storage failure
  Ensures that raw events are not lost
  But an ELM failure requires an RMA if no redundant ELM is available


DR Options ∙ Redundant ELM (v10 & 11)

[Diagram: Primary ELM and Redundant ELM linked by Redundancy Synchronization; the ERC sends parsed events to the ESM and raw events to the primary ELM; a real-time ACE correlates for the ESM.]

• Redundancy maintained between ELMs
  Synchronizes data using the same ESM/Receiver process
• ELMs deployable in diverse Geographic Locations
  Can be deployed across the building, city or country
• Secondary ELM can be promoted at any time
  Receivers maintain collection to ensure no data loss
• Active/Passive
  Only the primary ELM can be used
  Only 1 redundant ELM for a primary ELM


Standby Options ∙ Second ACE (v10 & 11)

[Diagram: a real-time ACE correlates for the ESM while a second, historical/standby ACE is attached to the ESM correlation path; the ERC sends parsed events to the ESM and raw events to the ELM.]

• ACEs deployable in diverse Geographic Locations
  However a real-time ACE should be near the active ESM
• Historical ACE can be changed to real-time
  This is a manual operation
• Standby option
  By manually enabling realtime correlation in a 2nd ACE or in a historic ACE


Combo ∙ All-In-One Appliance (v10 & 11)

[Diagram: a combo appliance hosting ESM (DAS option), ELM (SAN, NFS, CIFS, iSCSI or DAS; one is required), ERC and an ACE option; additional ERCs, including an HA pair behind a shared IP, can feed more event data.]

• All-in-One appliances can be extended via Multiple DAS
  Up to 90TB each for ESM and ELM
  A single DAS cannot be shared by both ESM and ELM
• Storage can also be extended via 3rd Party Platforms
  Customer based CIFS, NFS, SAN, and iSCSI can be used
• Redundancy/HA not supported on the Combo
  However an external ERC can be configured in HA


Faster Forensics with Raw Events ∙ ELS (version 11)

[Diagram: the ERC sends parsed events to the ESM and raw events to both the ELM and the ELS; the ESM queries both; a real-time ACE correlates for the ESM.]

• Standalone ELM with Local and optional External Storage
  Stores the ELM database and storage pools with high compression
• Standalone ELS with Local and optional External Storage
  Also stores the raw data and provides faster forensic search, but without compression (typically requires 20 times more storage than ELM)
• No redundancy option
  Hence why raw data should also be stored in the ELM
• Can use the same ERC as ELM only from version 11
  In version 9/10 the ERC can only send raw data to one device


ESM scalability ∙ ESM Sharded Cluster (version 11)

[Diagram: the ERC distributes parsed events across two ESM cluster nodes; raw events go to the ELM; a real-time ACE correlates for the cluster.]

• Sharded cluster uses load balancing
  The ERC uses round robin to share the database partitions equally between all sharded nodes
• All nodes should have similar performance and storage capacity
  Otherwise the cluster will be limited to the slowest node with the lowest storage
• More nodes can be added to the cluster
  But once added they cannot be removed


ESM scalability ∙ ESM Sharded Cluster with redundancy (v11)

[Diagram: two sharded Primary ESM nodes, each with its own Redundant ESM; the ERC publishes parsed events to all four; a real-time ACE correlates for the primaries.]


ESM scalability ∙ ESM Sharded Cluster with ESM+ELM redundancy (v11)

[Diagram: as in the previous scenario, plus an ELS receiving raw events and a Primary ELM / Redundant ELM pair linked by Redundancy Synchronization; the ESMs query both the ELM and the ELS.]


Export raw events using text files ∙ ERC archives (v10 & 11)

[Diagram: the ERC sends parsed events to the ESM, raw events to the ELM and the ELS, and archived raw events as text files to a third-party log management platform.]

• Export Raw events in compressed text format to NFS/CIFS
  Using around 1:4 Gzip compression


Export raw events using Kafka ∙ Data Streaming Bus (version 11)

[Diagram: the ERC publishes raw and parsed events to the DSB; the ESM, ELS and real-time ACE consume from the DSB; a third-party Kafka consumer reads the raw topic; the ERC still sends raw events directly to the ELM.]

• Streamline Kafka traffic
  Except the ERC to ELM traffic, which is not using Kafka
• Allows third party to consume the Kafka raw events topic securely
  Third party can consume the raw event traffic generated by the ERCs, but it cannot publish events to it
• One DSB cluster only
  No high availability


ESM scalability ∙ ESM Sharded Cluster with full redundancy + DSB (v11)

[Diagram: sharded Primary/Redundant ESM pairs, a real-time ACE, an ELS and a Primary/Redundant ELM pair, all fed through a DSB carrying the raw and parsed events from the ERC; a third-party Kafka consumer reads the raw topic.]


Hierarchical ESMs ∙ Regional Control (version 10)

[Diagram: two Child ESMs, each with its own ERC, ELM and real-time ACE, forward parsed events to a Parent ESM, which has its own real-time ACE.]

• Events forwarded from the Child ESM
  All events or filtered events
• Data masking option
  Available for forwarded events
• No centralized configuration
  Each ESM is configured locally; export/import can be used


Hierarchical ESMs ∙ Regional Control (version 11)

[Diagram: as in version 10, but each Child ESM forwards parsed events to the Parent ESM through a DSB, and each child site's ERC, real-time ACE and ELM are connected through a DSB carrying raw and parsed events.]

• Events forwarded from the Child ESM
  All events or filtered events
  DSB required from version 11
• Data masking option
  Available for forwarded events
• No centralized configuration
  Each ESM is configured locally; export/import can be used


McAfee ESM v11
upgrade
and clustering scenarios
ESM 201 training



Redundant ESM+ELM (version 10)

[Diagram: Primary ESM and Redundant ESM with Redundancy Synch over SSH port 22; Primary ELM and Redundant ELM with Redundancy Synchronization over SSH port 22; the ERC (optionally an HA pair behind a shared IP) sends parsed events to the ESM over SSH port 22 and raw events to the ELM over SSH port 22; a real-time ACE correlates for the primary ESM.]


Redundant ESM+ELM (version 11)

[Diagram: Primary ESM and Redundant ESM linked over SSH port 22 and ports 1210-1212, 1119, 2181, 8103-8104; Primary ELM and Redundant ELM with Redundancy Synchronization over SSH port 22; the ERC (optionally an HA pair behind a shared IP) publishes parsed events to both ESMs and to the real-time ACE over Kafka port 9092, and sends raw events to the ELM over SSH port 22.]


Redundant ESM+ELM with sharded cluster (version 11)

[Diagram: two sharded Primary ESM nodes, each with a Redundant ESM, linked over SSH port 22 and ports 1210-1212, 1119, 2181, 8103-8104; Primary ELM and Redundant ELM with Redundancy Synchronization over SSH port 22; the ERC (optionally an HA pair behind a shared IP) publishes parsed events to all ESM nodes and to the real-time ACE over Kafka port 9092, and sends raw events to the ELM over SSH port 22.]


Redundant ESM+ELM with sharded cluster and ELS (version 11)

[Diagram: as in the previous scenario, with an ELS added: the ERC sends raw events to both the ELM (SSH port 22) and the ELS, parsed events to the ESM nodes and the real-time ACE over Kafka port 9092, and the ESMs query both the ELM and the ELS.]


Deployment
Requirements
ESM 201 training



Network requirements

Version 11
Service           Direction  Ports             Protocol  Peers
Snowflex          in/out     1210, 1211, 1212  tcp       ESM cluster
Snowclient/jdbc   in/out     8103, 8104        tcp       ESM cluster


(except DXL)

Version 11
Service           Direction  Ports  Protocol  Peers
Kafka             in/out     9092   tcp       To/from ESM, ACE, ELS, DSB
EDB Secure        in/out     1119   tcp       To/from all devices


Additional Resources


List of resources

Product guides and Release notes
https://docs.mcafee.com/bundle?value=204

API details are in the online help
https://<esm console>/rs/esm/help

Data source supported devices and latest integration list are available in the Knowledgebase
https://docs.mcafee.com/bundle/enterprise-security-manager-data-sources-configuration-reference-guide/page/GUID-8D26D4CB-B170-4C2A-AAB1-07FBB4AC02A9.html

SIEM Foundations and Expert center are available on the McAfee Community Website
https://community.mcafee.com/docs/DOC-6272
https://community.mcafee.com/community/business/siem
https://community.mcafee.com/community/business/expertcenter/products/siem

Live pre-configured demonstrations are available in McAfee MDemo
https://mdemo.skytap-portal.com


McAfee, the McAfee logo and [insert <other relevant McAfee Names>] are trademarks or registered trademarks of McAfee LLC or its subsidiaries in the U.S. and/or other countries.
Other names and brands may be claimed as the property of others.
Copyright © 2019 McAfee LLC.
