4 Replies Latest reply on Oct 7, 2014 3:28 AM by vinaya_k

    McAfee SIEM Multi-Tenanting


      Can anybody advise, please ... is the McAfee SIEM capable of multi-tenanting? This might be a scenario where SIEM is deployed at a MSSP serving a number of customers, where some degree of data separation between customers is required, and the fact that different customers might (likely) have overlapping IP address ranges.

        • 1. Re: McAfee SIEM Multi-Tenanting



          It is achievable but there are some considerations.

          For example with overlapping IP's you should connect these customers to different receivers.

          ELM: using different ELM or storage pools.

          ACE: Filtering of the information you want to be correleated.

          ESM: you can give access only to speciefic resources per user/ role basis.

          Let me know if you have more speciefic questions

          • 2. Re: McAfee SIEM Multi-Tenanting

            Thanks Alexander.


            I can see that would work, and it makes sense to deploy receivers at the customers' sites (if only to reduce WAN bandwidth usage by taking advantage of aggregation), but how to cope with overlapping IPs when the events hit the ESM?

            • 3. Re: McAfee SIEM Multi-Tenanting



              AS the Events will originate from different Receivers there will be no problem just to put additional filters so it will return results only for the desired Customer/IP.

              Another way is if you create a Role/Users with access only to specific Sources.

              This way if customer is logged in he will see only the events from his sources.

              however it is not possible to have duplicate IP's under single receiver.

              • 4. Re: McAfee SIEM Multi-Tenanting


                On top of what @Alexander has suggested you can also configure zoning in order to effectively differentiate customer data and use this zoning in ACE to create multiple correlation engines. As for ELM either you create multiple storage groups to support multiple customer log retention requirements or you can use single ELM per customer.