Best practice of installing ESM


Hi there.

I don't understand why there are separate components of ESM such as ACE, ELM, ELS, ESM, ER and all-in-one.

In which cases do I need separate installs and in which all-in-one?

What is the best practice for installing? (For example, I have 3k endpoints; what components can be installed on the same server and what is better to separate?)

Can you explain all of these components as if I'm 5? What is a must-have to install and what is optional?

I read the documentation and watched some YouTube videos, and I still don't clearly understand.

6 Replies
brenta (Reliable Contributor)
Message 2 of 7

Re: Best practice of installing ESM


Do you need help scoping the devices? Obviously, the best is to have a dedicated device for each function, ACE, REC (ER), ELM, ESM (also called ETM).

ESM: Kinda the brain of the operation, it is "technically" the only required component.
REC (ER): Collects data from devices, mostly mandatory for a useful SIEM.
ACE: Evaluates (multiple) individual event(s) and creates a composite event, which often indicates some sort of a problem. Not entirely mandatory, basic ACE functionality can be provided by the REC.
ELM: Stores the entire event not just the parsed details. Often used when there is an audit or compliance reason to retain events for some amount of time. Not mandatory.
ELS: Niche use case for when entire packets need to be searched. Uses elastic full-text indexing to provide reasonably fast results. For example, an ELM query can take hours, whereas an ELS query can take minutes or seconds. The trade-off from an ELM is no data compression, so you can store far fewer events in its search buffer. Not mandatory.

If you are doing a POC and want to just install the minimal amount of devices, I'd suggest an ESM and REC; both of those should give you ~80% of the SIEM's total functionality.

Brent
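As an added illustration of the REC/ACE split described in the reply above (example code written for this page, not McAfee's; the sample log lines, the field names and the rule thresholds are all constructed), the block below parses raw lines into normalized events the way a receiver would, then applies one correlation rule that turns several individual events into a composite event the way an ACE would:

```python
"""Toy model of the REC -> ACE pipeline discussed in the thread.

Added example, not McAfee code: a receiver-style parser normalizes raw
syslog-like lines into events, and an ACE-style rule correlates several
individual events into one composite event. Field names, thresholds and
the sample log lines are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of raw (unparsed) lines, as a receiver would see them.
RAW_LINES = [
    "2024-05-01T10:00:01Z sshd[1201]: Failed password for admin from 203.0.113.7",
    "2024-05-01T10:00:05Z sshd[1201]: Failed password for admin from 203.0.113.7",
    "2024-05-01T10:00:09Z sshd[1201]: Failed password for root from 203.0.113.7",
    "2024-05-01T10:00:12Z sshd[1201]: Failed password for admin from 198.51.100.9",
    "2024-05-01T10:00:20Z sshd[1201]: Accepted password for admin from 203.0.113.7",
    "2024-05-01T10:30:00Z sshd[1201]: Accepted password for bob from 198.51.100.9",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>[\d.]+)$"
)


def parse_event(line):
    """Receiver role: turn one raw line into a normalized event dict.
    The raw line is kept alongside the parsed fields; an ELM is the
    component that would retain it long term."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparsed: would sit in the receiver's raw spool only
    return {
        "time": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "signature": "ssh_auth_failure" if m["outcome"] == "Failed" else "ssh_auth_success",
        "user": m["user"],
        "src_ip": m["src"],
        "raw": line,
    }


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """ACE role: `threshold` auth failures from one source inside a sliding
    window, followed by a success from that source, become one composite
    event. Failures older than the window are discarded as time advances."""
    failures = defaultdict(deque)  # src_ip -> timestamps of recent failures
    composites = []
    for ev in sorted(events, key=lambda e: e["time"]):
        q = failures[ev["src_ip"]]
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if ev["signature"] == "ssh_auth_failure":
            q.append(ev["time"])
        elif ev["signature"] == "ssh_auth_success" and len(q) >= threshold:
            composites.append({
                "signature": "brute_force_then_success",
                "src_ip": ev["src_ip"],
                "user": ev["user"],
                "failure_count": len(q),
                "time": ev["time"],
            })
            q.clear()
    return composites


def run_pipeline(lines=RAW_LINES):
    """Run parse (REC) then correlate (ACE); returns (normalized, composite)."""
    parsed = [e for e in map(parse_event, lines) if e is not None]
    return parsed, correlate(parsed)


if __name__ == "__main__":
    parsed, composites = run_pipeline()
    print(f"{len(parsed)} normalized events, {len(composites)} composite event(s)")
    for c in composites:
        print(c)
```

On the constructed sample, the three failures from 203.0.113.7 followed by a success from the same address collapse into one composite event, while the single failure from 198.51.100.9 ages out of the window before its later success and produces nothing. That is the value an ACE adds over looking at individual receiver events one at a time.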

Re: Best practice of installing ESM


What about DEM, ADM?

Do I understand correctly that I can use ELM or ELS, not both?

brenta (Reliable Contributor)
Message 4 of 7

Re: Best practice of installing ESM


Oh both of those are other specialty devices for very specific use cases. I find they don't provide a lot of value (often you already have other devices that can get this data), but if you need their feature set they can be useful.

DEM: Database monitor. You provide it a SPAN port from your database server, and it monitors traffic. One large downside is that any connection using encryption (especially with PFS enabled) is unreadable.

ADM: The best way to think of this is a layer 7 firewall that has more direct integration to the SIEM. If you already have a layer 7 firewall (or outbound proxy) you probably have access to most of the data this would provide.

In v11, the issue with only having an ELM or ELS was resolved.

Brent

Re: Best practice of installing ESM

Some additional questions about ELM and ELS. If I'm not using ELM or ELS, where will the events be stored? When I'm using REC and ESM, only parsed and normalized events are stored, yes?

As I can see, in ESM 11.x McAfee is trying to use HTML5 and kicking out Flash. But are the components and methods of deploying the same? I also heard something about "Kafka", but didn't get what it is. And as I understand from the documentation, with ESM 11 I can do clusters. Right?
So, what are the main differences between ESM 10.x and 11.x?
brenta (Reliable Contributor)
Message 6 of 7

Re: Best practice of installing ESM


If only using a REC and ESM, the REC will store the unparsed events for a short while until its disk is full, then it will rotate off the oldest records first. Often this is enough time to assist with parser creation and whatnot.

In ESM v11 there was a plan to move to HTML5. Most of the display components have been migrated to HTML5, most of the configuration is still done in Flash, and you can still get to the legacy Flash GUI at any time by going to: https://<IP>/Application.html

Kafka is a new transport method. In v10, data transfers are done in time increments via SCP/RSYNC; one of the primary differences in v11 is a new data streaming technology for sending events in real time. This also allows for near-instantaneous correlation, rather than having to wait for events to be polled from the REC, then the ACE, then trigger an ESM alarm. Kafka is also the reason why you can use an ELS and ELM in v11, as it can send to multiple destinations. The last bleeding-edge feature being worked on in v11 is "snowflex", which is database sharding/clustering of the ESM for horizontal scalability.

Brent

Re: Best practice of installing ESM

Hi Brenta,

FYI, I understand that DEM is now deprecated and replaced with DAM, which is an application you install on the database server itself and it (DAM) communicates with the receiver. I just recently followed the SIEM ESM Engineer 1 course and the trainer told me that.

Barney