2 Replies Latest reply on Oct 1, 2014 12:54 PM by rcavey

    Use McAfee SIEM for operational troubleshooting & analytics ?

    mfrans

      Our main focus for SIEM is security related : focussing on threat detection.

       

      Today question was raised whether we can extend the scope of the McAfee SIEM also towards system analytics.

      Mainly focussing on troubleshooting and analytics of patterns , deviations, root cause analysis, reporting, alerting  etc..

       

      Are there other companies who have positioned their McAfee SIEM solution also for this purpose or should we look for "big data" alike solutions like splunk, logstash,BMC Orion,...

       

      It always will be a grey zone which log events are needed for security related issues and which are more in the system management area.

      Should we try to separate them as much as possible or not?

       

      Other question I have : are there people who have experience with log collection in McAfee SIEM from one central log environment (like Splunk or other comparable environments) instead of collection the logs directly from the individual log sources

       

      Please share some experiences and if possible indicate the pitfalls + pro & cons.

       

      One huge challenge I already see is the vast amount of logs and related EPS that will be generate from all the systems we have running here.

      Impact on the architecture and sizing of our McAfee SIEM components definitively will be a challenge if we would opt for this approach  

       

      Thanks for your inputs.

        • 1. Re: Use McAfee SIEM for operational troubleshooting & analytics ?
          rcavey

          Good for you!!

           

          So, why you can't use any data coming in from any system for non-security related information/analysis???  Is there anything special about security data? no it's just data=information and nothing more. Of course it has been geared to seeing more security related things but that is just the configuration.... You could probably delete all the McAfee rules and turn the SIEM into what you want it to be... That is way extreme but if you had the $$$ and the talent the sky is the limit.

           

          If you can parse it with a special rule or modify any existing rule to do what you want.... you are in business. You can add your own custom data types populate the fields among the many things the SIEM.

           

          Remember,  a SIEM has to be monitored to be tuned properly ... the more EPS the more of both are needed.

          That is my quick 2 minute short answer

          • 2. Re: Use McAfee SIEM for operational troubleshooting & analytics ?
            rcavey

            In response to your Other question.....  "splunk to Nitro" 4th result in google points to this Forward data to third-party systems  very useful looking page so if you have a product in mind or something you have already it might be in the docs. Also, check this document --> http://www.mcafee.com/us/resources/data-sheets/ds-siem-supported-devices.pdf

             

            The real downer of it all..... If you have to ask McAfee to create a parser or add-on feature via the PER system which many folks have waited many months with no response at all which could put a grinding halt on part of your effort.

             

            Cheers,

              -B