McAfee SIEM Multi-Tenanting

Can anybody advise, please ... is the McAfee SIEM capable of multi-tenanting? This might be a scenario where SIEM is deployed at a MSSP serving a number of customers, where some degree of data separation between customers is required, and the fact that different customers might (likely) have overlapping IP address ranges.

9 Replies

Re: McAfee SIEM Multi-Tenanting

Hi,

It is achievable but there are some considerations.

For example, with overlapping IPs you should connect these customers to different receivers.

ELM: using different ELM or storage pools.

ACE: Filtering of the information you want to be correlated.

ESM: you can give access only to specific resources on a per user/role basis.

Let me know if you have more specific questions.

Re: McAfee SIEM Multi-Tenanting

Thanks Alexander.

I can see that would work, and it makes sense to deploy receivers at the customers' sites (if only to reduce WAN bandwidth usage by taking advantage of aggregation), but how to cope with overlapping IPs when the events hit the ESM?

Re: McAfee SIEM Multi-Tenanting

Hi,

As the events will originate from different receivers, there will be no problem just putting additional filters so it will return results only for the desired customer/IP.

Another way is to create a role/users with access only to specific sources.

This way, if a customer is logged in, he will see only the events from his sources.

However, it is not possible to have duplicate IPs under a single receiver.

Re: McAfee SIEM Multi-Tenanting

Hi,


On top of what @Alexander has suggested you can also configure zoning in order to effectively differentiate customer data and use this zoning in ACE to create multiple correlation engines. As for ELM either you create multiple storage groups to support multiple customer log retention requirements or you can use single ELM per customer.

Regards,

Vinaya.

Re: McAfee SIEM Multi-Tenanting

Bumping this, to ask: what if you want to run correlation rules on the receiver?

Sure, you can pull all the correlation rules for your tenants. But you can't set up multiple correlation rules which pull data from Tenant A's zone, Tenant B's zone, etc, even though the advanced option when you create a source allows you to limit down to one zone.

Thoughts?

James

Reliable Contributor sssyyy

Re: McAfee SIEM Multi-Tenanting

You're better off using a dedicated ACE with multiple correlation engines (one per customer), rather than having a correlation engine on the receivers themselves.

Reliable Contributor akerr

Re: McAfee SIEM Multi-Tenanting

We've been doing this for years with no real issues.  You'll need a separate receiver (or receivers) per customer, but shared ELM with separate pools and shared ACE with a correlation engine per customer.  Use zones and proper filtering and it's fine. 

Re: McAfee SIEM Multi-Tenanting

When I created zoning, I was able to add two log sources with the same IP, the same data format and vendor details, but in different zones.

I have added it but have yet to get a live feed.

Is this working for anyone else?

Yes, on one receiver. I am receiving on a different port number.

Re: McAfee SIEM Multi-Tenanting

Sorry for replying so late on this thread.

If you keep proper zoning and segregate the policies well, you definitely can manage it.

Also, version 11.0 is being designed specifically for MSSP providers. Has anyone experienced anything with version 11.0 yet? Please share your experience.

Gaurav
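
The overlapping-IP problem discussed in this thread, as an added illustration (not McAfee ESM code or configuration, and not from any poster): a correlation rule keyed on source IP alone merges two tenants' hosts, while keying on zone plus IP keeps them apart. The event fields, receiver and zone names, and the threshold are constructed for the example.

```python
from collections import Counter, namedtuple

# Constructed sample events: two tenants reuse 10.0.0.5 behind separate receivers.
Event = namedtuple("Event", "receiver zone src_ip signature")

EVENTS = [
    Event("rcv-a", "tenant-a", "10.0.0.5", "login_failed"),
    Event("rcv-a", "tenant-a", "10.0.0.5", "login_failed"),
    Event("rcv-b", "tenant-b", "10.0.0.5", "login_failed"),
    Event("rcv-b", "tenant-b", "10.0.0.5", "login_failed"),
    Event("rcv-b", "tenant-b", "10.0.0.9", "login_failed"),
]

THRESHOLD = 3  # hypothetical rule: 3 failed logins from one source


def correlate(events, key):
    """Count failed logins per key and return the keys at or above THRESHOLD."""
    counts = Counter(key(e) for e in events if e.signature == "login_failed")
    return sorted(k for k, n in counts.items() if n >= THRESHOLD)


def by_ip_only(events):
    # Shared engine keyed on IP alone: both tenants' hosts collapse into one source.
    return correlate(events, lambda e: e.src_ip)


def by_zone_and_ip(events):
    # Engine keyed on (zone, IP): each tenant's 10.0.0.5 is counted separately.
    return correlate(events, lambda e: (e.zone, e.src_ip))


def visible_to(events, role_zones):
    # Role-based view: a tenant user sees only events from their own zones.
    return [e for e in events if e.zone in role_zones]


if __name__ == "__main__":
    print("IP-only alerts:   ", by_ip_only(EVENTS))      # cross-tenant false positive
    print("Zone+IP alerts:   ", by_zone_and_ip(EVENTS))  # no tenant reaches threshold
    print("Tenant A can see: ", len(visible_to(EVENTS, {"tenant-a"})), "events")
```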
