McAfee SIEM - FAQ

Version 2


    GENERAL

     

    Q: What is the difference between SIEM and ESM?

    A: SIEM, Security Incident and Event Management is a product category, just like Intrusion Prevention Systems or antivirus are product categories. ESM (Enterprise Security Manager) is the name of the main component of the McAfee SIEM solution.

     

    Q: What models of SIEM exist?

    A: The McAfee SIEM components all come in hardware or virtual appliances. All SIEM components can be standalone, using their own dedicated appliance. Some components are combined together on some appliance models, in what we call a combo appliance. The following combinations exist:

    •    All in one: ESM + Event Receiver + Log Manger

    •    Event Receiver + Log Manager

     

    Q: What are the components that make up the McAfee SIEM solution?

    A:  The following are the key components of McAfee SIEM:

     

    ComponentDescription
    Recommendation

    ESM (Enterprise Security Manager)

    This is the SIEM central console and includes the enterprise database. Nearly all configuration, management, reporting and workflows are done here.Required
    ERC (Event Receiver)

    Receivers collect events, flows and logs from data sources (McAfee and 3rd party products). Receivers also normalize, aggregate, enrich and can also perform rules-based event correlation.

    At least one Event Receiver is required.

    Small implementations can use a combo appliance that include the ESM and the Event Receiver.

    ACE (Advanced Correlation Engine)

    The ACE performs rules-based correlation, but it also performs the important task of relieving Receivers from having to do correlation. ACEs also perform risk, deviation, and historical correlation.

    Highly recommended
    ELM (Enterprise Log Manager)

    ELMs collect and store raw logs for compliance purposes and raw log search. ELMs can also perform full text indexing of stored logs. ELMs also provide a forensically sound audit trail of logs.

    Optional for the overall system, but often required for compliance, and generally recommended.

    Small implementations can use a combo appliance that includes the ESM, Event Receiver and Log Manager.

    Distributed implementation can use a combo appliance that includes an Event Receiver and a Log Manager.

    ADM (Application Data Monitor)

    ADM analyzes layer 7 traffic flows, providing rich information on risks at the application level.

    Optional

    DEM (Database Event Monitor)DEM monitors database transactions from the network, removing the need to install a component on databases to monitor them. It adds the ability to see local/internal database events as well as prevent unwanted database activity.Optional
    StorageMcAfee Direct Attached Storage provides high performance storage array for ESM and/or ELM, redundant architecture with RAID controller, mirrored cache, and IO multi-pathing.

    Optional to expand storage on ELM or ESM.

    Needed for high event rates & long retention periods for events / raw logs and if customers do not have alternative storage to provide for the ESM or ELM.

    Recommended if customers want faster storage than CIFS/NFS/iSCSI, since DAS and SANs are generally faster than the above options.

    GTI (Global Threat Intelligence)This adds McAfee's GTI Reputation information to help assess event risk. This is a license-based component that does not require any additional hardwareOptional but highly recommended to quickly identify communications that put your environment at risk and that are a sure sign of compromise attempts.

     

    Q: How many consoles do I need to manage all those components?

    A: The Security Manager provides a single central unified web-based console to manage all SIEM components (Security Manager, Log Manager, Receiver, Reputation feed, reporting, creations of custom parsers, and application monitoring).

     

    Q: What happens if my EPS (Events per Second) rate exceeds what I’m licensed for?

    A: Unlike some other SIEM products, we do not drop events and there's no license violation.  All events will be queued on the receiver and processed when possible.

    The licensing is done per appliance unit regardless the number of:

    o    Data sources that you have

    o    Sources of vulnerability information  you use

    o    Events per second

    o    Admin users

    o    Parsers* required for to collect data

    o    Compliance templates like SOX,GLBA,NERC-CIP , ISO-27002 and others

    To recap this important point, the McAfee SIEM solution does not drop events or disable some features in case the number of events exceeds the nominal processing capacity of the appliance so you don’t lose events or visibility of events during incidents, which is usually a time when events would spike.

     

    *See “what is a parser” for more information

     

    Q: Is the communication between the components safe?

    A: All data between the McAfee SIEM components is encrypted using AES encryption. Components will only communicate with a device that they share a key with.

     

    Q: When and how do the SIEM components talk to each other?

    A: The data source (product generating event, flows and logs) generates events. Some data sources, such as many firewalls, IDS, and similar sources, will send events to the receiver as they occur, via syslog. On some other type of data sources, such as McAfee ePO , the receiver will pull the data at a configurable interval.

    Events that are collected by the Receiver are parsed, normalized, aggregated, and then queued for a short time.  The ESM then pulls those queued events from the Receiver at a configurable interval. The “Get Event and Flows” icon of the ESM console allows  you to force the ESM to pull events from the receiver right away.

     

    Q: Where can I find SIEM resources?

    A: Here is list of useful SIEM resources:

    McAfee SIEM product page and sales contacts: http://www.mcafee.com/us/products/siem/index.aspx

    McAfee SIEM community (discussions, blogs, how to’s…): https://community.mcafee.com/community/business/siem/content

     

     

    MCAFEE SIEM INTEGRATION

     

    Q: What products are currently integrated with the McAfee SIEM and how are they integrated?

    A: First, the McAfee SIEM can receive events from third parties and McAfee solutions. For a complete list of supported products, please refer to the following document:

    http://www.mcafee.com/us/resources/data-sheets/ds-siem-supported-devices.pdf

    This list is updated on a weekly basis. And support for new products and new versions is automatically updated on a regular basis with rules updates.

     

    Second, the McAfee SIEM comes with pre-built connectivity to many McAfee technologies, such as the ability to directly ask the McAfee IPS system to blacklist malicious IP addresses, or to tell McAfee ePO to apply specific tags to endpoints. The McAfee also provides, via existing APIs, an open interface that allows orchestrating action with other technologies from third parties.

     

    Q: What is a parser? And what data source formats are supported?

    A parser is a component that allows the Receiver to makes sense of the events, logs and flows, it receives. The parser analyzes and identifies the parts of the information coming from a specific data source (product you are collecting events from) to understand their structure, and then map those parts to a common SIEM syntax. A parser is required for   each type of data source. The McAfee SIEM comes with over 250 different parsers, as well as support for those common formats: Syslog (both UDP and TCP), WMI, McAfee SIEM Collector (Agent), MEF (McAfee Event Format), Netflow (generic Netflow, sFlow, IPFIX, JFlow) and CEF (Common Event Format) and SEF (Standard Event Format).

     

    Q: Can you create custom parsers for new or unsupported data sources?

    A: Yes, McAfee SIEM allows users to create custom parsers for data sources that McAfee SIEM doesn't support out of the box. SIEM users will generally use regex to parse the various message formats, and then create normalization mappings.  See next question for more details.

     

    Q: What should you do if a parser for a product that I need to integrate with the McAfee SIEM does not exist?

    A: First, you can create your own custom parser. Please refer to the following document to learn how to write a custom parser.

    https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/ 24000/PD24926/en_US/How%20to%20write%20a%20McAfee%20ESM%20Custom%20Parser%20and% 20troubleshoot%20a%20data%20source.pdf

    If you are writing you own parser, you might also find the following Regular Expressions resources useful:

    http://gskinner.com/RegExr/

    http://www.hongkiat.com/blog/regular-expression-tools-resources/

     

    Second, you can submit a PER (Product Enhancement Request) for a new parser.

    Please follow the instruction in the following document to submit a PER: https://kc.mcafee.com/corporate/index?page=content&id=KB60021

    Parser update requests: https://mcafee.acceptondemand.com/

    If you submit a PER, remember to provide as much data and log samples as you can. The variety and quality of log samples provided will directly affect the quality and event coverage of the parser.

     

    Q: Can I receive events through a Syslog-NG relay?

    A: Yes, McAfee SIEM can correctly handle traffic that has been relayed through a Syslog-NG server. When creating or editing the Syslog-NG data source in the ESM console, select Syslog-NG under the Syslog Relay drop down.  Then define data sources for each individual data source that is being relayed.

     

    Q: Can I receive events from a Splunk server?

    A: Yes, McAfee SIEM can correctly handle traffic that has been relayed through a Splunk server. When creating or editing the Splunk relay data source in the ESM console, select Splunk under the Syslog Relay drop down. Then define data sources for each individual data source that is being relayed.

     

    Q: Can I receive events from an Arcsight server?

    A: Yes, McAfee SIEM can handle traffic that has been relayed through an Arcsight server in CEF format. When creating or editing the ArcSight data source select CEF as the data format. Then define data sources for each individual data source that is being relayed.

     

    Q: What actions can the McAfee SIEM take?

    •    Send email Notifications

    •    Run Script: You can write scripts in any scripting language that is supported on the Scripting Host, and then run scripts on a designated Scripting Host or launch them via SSH.

    •    Launch URL

    •    Execute Report

    •    Display Popup Notification

    •    Play Sound

    •    Actions with other technologies from third parties via open interface APIs.

    •    Apply ePO tags

    •    Blacklist IPs from McAfee IPS

     


    FEATURES

     

    Q: What are baselines and why should I use them?

    A: Baselines allow you to see what is normal, and what’s not at a glance. That way, you can identify anomalies with a high degree of accuracy. You can for example easily spot unusual user behavior patterns, suspicious deviations in network activity  or anomalous communication patterns, while not being distracted by spikes in activity that occur on a regular basis and are a normal part of your environment, such as scheduled vulnerability scans.

     

    Q:  How do I enable baselines?

    A:  Everything that comes into the SIEM is baselined on the fly. Bowtie icons, red/blue split show where a baseline is (bowtie) and what's over it (red). This view takes into account day of week, with days being defined as midnight to the second before midnight. Baselining calculations look over the last 5 periods (e.g. looking at 3 days, look at last 5 periods of 3 days). All of this is calculated on the fly and can therefore impact console performance, so some customers some turn it off selectively (users can do this per View components).

     

    Q: What is Geolocation and why should I use it?

    A: Geolocation tells you which countries and cities of the world the systems in your environment are communicating with. This help you identify if abnormal communication (such as with a country you do not do business with) are taking place, and it will in identifying the physical location of a threat.

     

    Q:  How do I view geolocation data for my existing events?

    A:  Geolocation has to be turned on, on the receiver, and if you use those, on the  ACE ADM and DEM. Geolocation must be enabled  at the time the event is parsed in order for the Geolocation data to be parsed out and viewable. To enable Geolocation, go to the Device Properties>Events, Flows, And Logs>Click the Geolocation button and choose the desired Geolocation settings. This is the same path you would take to configure ASN settings.

    Note: You are either parsing Geolocation data or ASN data, you cannot do both at the same time.

    To see Geolocation data, you can select Event Views>Geolocation Map. To see geolocation information for an individual event, select the event then go to the pancake menu, hover over Event Drilldown, and select Events. Then highlight an event on the list and click the Geolocation tab.

     

    Q: What are watchlists and why should I use them?

    A: Watchlists allow the McAfee SIEM to maintain state about the world around it.  For example, watchlist are an “economical” and efficient way for you to detect “Low and Slow” attacks, tracking state over long time periods.

    Imagine somebody who scans the network on a given Monday. They don’t do anything more until the next Tuesday, 8 days hence, when they maliciously probe some open services. Using a correlation rule to detect such an attack would consume a huge amount of memory because it would need to track this over such a long time. But the watchlist feature allows you to automatically put the user/IP probing the network on a watchlist after the reconnaissance is detected, and then associate the Tuesday probing with the reconnaissance that took place the week before. Another real world example includes credit card thefts where criminals don’t use stolen card right away. They knew the credit cards would be on a list distributed to merchants that got updated every week or two. They waited until the stolen cards dropped off the list and then abused them. In this scenario, a watchlist is the ideal tool for keeping lists of cancelled credit card numbers or fraudulent IBANs.

     

    Q: How do I keep my watchlists current?

    If they’re to remain useful, watchlists must be regularly updated.  You have a wide range of techniques at your disposal to support this, such as automated file import (CIFS, FTP, NFS, SCP, SFTP), Database queries (Hadoop, MS SQL, MySQL, Oracle), LDAP queries, Pull values from incoming events, Watchlist API, Automatic ageing (watchlists can have an optional timeout, if you want to age out entries after X hours or days).

    Watchlists can have up 1 million entries