SIEM Foundations: Architecture Primer

Version 5

The McAfee SIEM solution is comprised of several appliance-based platforms working in conjunction to deliver unmatched value and performance to enterprise security professionals. A multitude of deployment configurations allow for the most scalable and feature-rich SIEM architecture available, delivering real-time forensics, comprehensive application and database traffic/content monitoring, advanced rule- and risk-based correlation for real-time as well as historical incident detection, and the most complete set of compliance features of any SIEM on the market. All appliances are available in a range of physical and virtual models.

The following list details the entire suite of available SIEM components.


ESM - Enterprise Security Manager (sometimes referred to as ETM)

The McAfee ESM is the ‘brains’ of the McAfee SIEM solution. It hosts the web interface through which all SIEM interaction is performed, as well as the master database of parsed events used for forensics and compliance reporting. It is powered by the industry-leading McAfeeEDB proprietary embedded database, which boasts speeds more than 400% faster than any leading commercial or open source database.

All McAfee SIEM deployments must start with at least one ESM (or a combination ESM/REC/ELM appliance).


REC - Event Receiver (sometimes referred to as ERC)

The McAfee REC is used for the collection of all third-party event and flow data.

Event collection is supported via several methodologies:

1. Push – devices forward events or flows using SYSLOG, NetFlow, etc.
2. Pull – event/log data is collected from the data source using SQL, WMI, etc.
3. Agent – data sources are configured to send event/log/flow data using a small-footprint agent such as McAfee SIEM Event Collector, SNARE, Adiscon, Lasso, etc.

The Event Receiver can also be configured to collect scan results from existing vulnerability assessment platforms such as McAfee MVM, Nessus, Qualys, eEye, Rapid7, etc. In addition, the REC supports the configuration of rule-based event correlation as an application running on the Receiver. Receiver-based correlation has several limitations. Risk-based correlation, deviation correlation, and correlation of flows are not supported on a Receiver; an ACE (see below) is required for these functions. Also, as a rule of thumb, Receiver-based correlation imposes an approximately 20% performance penalty on your Receiver. For most enterprise environments, McAfee recommends using an ACE to centralize correlation and provide sufficient resources for this function.

McAfee Event Receivers come in physical appliances with ratings ranging from 6k to 26k EPS (events per second), as well as VM-based models with event collection rates ranging from 500 to 15k EPS.

Multiple REC appliances (or VM platforms) can be deployed centrally to provide a consolidated collection environment, or can be geographically distributed throughout the enterprise. Typical deployment scenarios will locate an Event Receiver in each of several data centers, all of which will feed their collected events back to a centralized ESM (or to multiple ESM appliances for redundancy and disaster recovery purposes).


ELM - Enterprise Log Manager

The McAfee ELM stores the raw, litigation-quality event/log data collected from data sources configured on Event Receivers. In SIEM environments where compliance is a success factor, the ELM is used to maintain event chain of custody and ensure full non-repudiation.

In addition to providing compliant-quality raw event archival, the ELM also supports the full-text index (FTI) for all event details. The McAfee SIEM supports the ability to perform ad-hoc searches against the unstructured data maintained in the archive.

ESMRECELM - All-in-One (sometimes referred to as AIO or ‘combo box’)

The ESMRECELM - also called an All-in-One (AIO) or a ‘combo box’ - provides the combined functions of the McAfee Enterprise Security Manager (ESM), Event Receiver (REC) and Enterprise Log Manager (ELM) in a single appliance.

As most SIEM POC deployments are intended to showcase functionality rather than performance, the ESMRECELM is commonly used to demonstrate the features and ease of use delivered by the McAfee SIEM. It can be deployed with minimal disruption (single appliance, minimal rack space and power, single network connection and IP address).

In larger POC or production SIEM environments, a combo box may be inadequate to handle the sizable EPS performance requirements of an enterprise. The largest ESMRECELM peaks at 6k EPS and provides no local storage for the ELM archive; instead it requires supplemental storage by means of a SAN connection, NFS or CIFS share.


ACE - Advanced Correlation Engine

The ACE provides the SIEM with unmatched advanced correlation capabilities that include both rule- and risk-based options. In addition to performing real-time analysis, the ACE can be configured to process historical event/log data against the current set of rule and risk profiles, as well as deviation correlation and flow correlation. The ACE provides native risk scoring for GTI (for SIEM) and MRA-enabled customer environments. It also allows custom risk scoring to be configured to highlight threats against high-value assets or sensitive data, and/or threats performed by privileged users.

Typical production SIEM deployments will include two ACE appliances – one performing real-time rule and risk correlation and another configured for historical rule and risk correlation of events.


ADM - Application Data Monitor (sometimes referred to as APM)

The ADM provides layer 7 application decode of enterprise traffic via four promiscuous network interfaces. It is used to track transmission of sensitive data and application usage, as well as to detect malicious or covert traffic, theft or misuse of credentials, and application-layer threats.

Although the ADM is not to be confused with a true DLP, its integration with the SIEM provides advanced forensics value by preserving full transactional detail for sessions violating the user-defined policy, which is managed from within the McAfee ESM common user interface. Complex rule correlation can leverage policy violation or suspicious application usage events to identify potential security incidents in real time.


DEM - Database Event Monitor (sometimes referred to as DBM)

The DEM provides a network-based solution for real-time discovery and transactional monitoring of database activity via two or four promiscuous network interfaces. It works in lieu of, or in parallel with, the McAfee (Sentrigo) agent-based database activity solution to provide comprehensive, transaction-level database monitoring of user or application DB usage.