Skip navigation

Black, White and Grey

April 2015 Previous month Next month

Big Data vs SIEM?

Posted by cblack1 Apr 23, 2015

I got a question today on which I would really like some feedback from the community. I know quite a bit about SIEM, but comparatively little about Big Data solutions. Below is my take on the question. If you have another, please comment and let's have a discussion.


How is a SIEM solution different and similar to a Big Data solution?



Although there is some overlap in the area of analysis, there are many SIEM functions that would be difficult to reproduce in a pure analytics platform.


SIEM is a purpose-built solution designed to ingest, parse, store and correlate data from security and other log sources. The primary difference is that SIEM is a near real-time analysis tool, designed to match complex conditions against high volumes of incoming log data and to provide visibility and a response capability. That response could be simple, like an alert that notifies a user by email, or it could be a more sophisticated set of actions through integration with other security products in your environment to provide automated response.


SIEM also provides a set of analysis tools with pre-built content specifically designed to aid in analysis of security information. The user interface is intuitive (YMMV) and allows users to build complex queries, dashboards and reports without needing any particular database expertise. Pre-built reports give the enterprise the ability to quickly see value from the deployment, rather than having to develop all reporting from scratch in-house. Finally, in the case of McAfee's SIEM solution, pre-built integration with other McAfee products allow organizations to maximize their security investment by getting additional value out of already purchased solutions.


Big data solutions are typically batch oriented, general purpose databases not optimized specifically for the purpose of security analytics. There is no pre-built security content that may be leveraged and all views, reports, or other output would have to be designed by users.


Considering the large number of security products in the current enterprise environment, even the most basic task, that of writing custom parsers for every single data type, would be time and cost prohibitive for most organizations. Big data solutions also have no real time monitoring component, no mechanism to alert on matched conditions, no pre-built integrations with other data sources or products.


Big Data is a fantastic tool for analysis of unstructured information. It can be useful as both source and destination for collected event or even SIEM metadata. However, wishful marketing to the contrary, it is not a suitable replacement for SIEM.

So, what are your thoughts on the question?

This one definitely falls into the "Grey" category.



On a redundant ESM pair, how long can a secondary device be disconnected before we need to worry that we might have trouble re-syncing?


Short Answer:

It depends.


Long Answer:

It depends on data rates and free space on the ESM. In a very low volume environment, like we see in many of our SMB customers, it might be as long as a few weeks. In a very high volume environment, collecting from thousands of event sources, that might be as short as a few days. There is really no way to know for sure ahead of time.


This is yet another reason why SIEM users should practice good "log hygiene", eliminating event sources that do not serve a business purpose, and reducing the logging level on all devices to the minimum required to accomplish the required use cases. It not only provides a longer outage window in the above scenario, but also maximizes performance of the system overall and increases the retention periods available for the business-relevant data. Watch this space for more on that topic in future posts.

I got one from a customer in APAC today, by way of their SE.



Can I have a Primary ESM+DAS-50 with Redundant ESM+DAS-100? The intent would be to keep more data on the Redundant ESM.”




No. We require primary and redundant appliances to be exact replicas of each other. This is the supported and recommended way to enable redundancy. Since one is essentially a mirror image of the other, they must both be identical platforms.

Just to highlight how important this requirement is, I will include a quote from one of the SIEM product managers.

" I'm not aware of anyone running in this config, but just the thought of it makes me nervous"



What is "Call Home" and What Ports Do I Need to Use it?




Call Home is the name given to a helpful feature of the McAfee SIEM. Call Home allows the customer to initiate a secure tunnel outbound on port 443 from their SIEM component (ESM, ELM, Receiver, etc.) to McAfee SIEM Support, allowing support engineers remote access to the customer's SIEM resources. The Call Home feature is used only by McAfee support personnel, and can be initiated only by the customer.


We support, but do not require direct outbound Call Home connections from each SIEM component. In fact, our recommended best practice is to make ESM the only system that is allowed outbound access on that port. Since ESM maintains secure communications on port 22 with other SIEM components already, as long as there is a connection to the customer's ESM, support will be able to access the other components. No functionality is lost, and the principle of least privilege is adhered to.






How often do you update the UCF Content?




According to kcole, Senior SIEM Product Manager, UCF updates their DB every quarter and we update ours in every major release. Historically, we have had 1-2 major releases per year. As an example, 9.4, 9.5, or 10.0 would qualify as major releases.



Don't know what UCF is?


Check out the datasheet here:

A question from a prospect today:


What version of the NERC standard does the UCF (Unified Compliance Framework) cover in our latest SIEM release, (v9.5.x)?

The Answer:

McAfee SIEM 9.5.0 supports NERC v5.


For a complete listing of all supported compliance frameworks, please see here: Compliance Regulations available in 9.5.2 - Updated March 23, 2016






Posted by cblack1 Apr 9, 2015

Welcome to the inaugural post of my new blogging project. I am a SIEM Specialist here at Intel Security, and in the course of my work I get a huge variety of questions from customers about our SIEM product. While I have been working with SIEM since 2004, I am relatively new to Intel Security, so there is still a lot I don't know yet. As a result, I often have to go find the answers either in manuals, internal email threads, or directly from the Product Management team members.

It occurred to me that if my customers and prospects are asking these questions, there are probably others out there who are also wondering, but haven't had a chance to ask. I decided to capture these questions here in my blog and share the answers that I find. I hope you find this a useful resource, and feel free to suggest other questions you would like to see answered here.