7 Replies Latest reply on Oct 11, 2017 11:32 PM by akerr

    McAfee SIEM Multi-Tenanting


      Can anybody advise, please ... is the McAfee SIEM capable of multi-tenanting? This might be a scenario where SIEM is deployed at a MSSP serving a number of customers, where some degree of data separation between customers is required, and the fact that different customers might (likely) have overlapping IP address ranges.

        • 1. Re: McAfee SIEM Multi-Tenanting



          It is achievable but there are some considerations.

          For example with overlapping IP's you should connect these customers to different receivers.

          ELM: using different ELM or storage pools.

          ACE: Filtering of the information you want to be correleated.

          ESM: you can give access only to speciefic resources per user/ role basis.

          Let me know if you have more speciefic questions

          • 2. Re: McAfee SIEM Multi-Tenanting

            Thanks Alexander.


            I can see that would work, and it makes sense to deploy receivers at the customers' sites (if only to reduce WAN bandwidth usage by taking advantage of aggregation), but how to cope with overlapping IPs when the events hit the ESM?

            • 3. Re: McAfee SIEM Multi-Tenanting



              AS the Events will originate from different Receivers there will be no problem just to put additional filters so it will return results only for the desired Customer/IP.

              Another way is if you create a Role/Users with access only to specific Sources.

              This way if customer is logged in he will see only the events from his sources.

              however it is not possible to have duplicate IP's under single receiver.

              • 4. Re: McAfee SIEM Multi-Tenanting


                On top of what @Alexander has suggested you can also configure zoning in order to effectively differentiate customer data and use this zoning in ACE to create multiple correlation engines. As for ELM either you create multiple storage groups to support multiple customer log retention requirements or you can use single ELM per customer.





                • 5. Re: McAfee SIEM Multi-Tenanting

                  Bumping this, to ask: what if you want to run correlation rules on the receiver?


                  Sure, you can pull all the correlation rules for your tenants. But you can't set up multiple correlation rules which pull data from Tenant A's zone, Tenant B's zone, etc, even though the advanced option when you create a source allows you to limit down to one zone.





                  • 6. Re: McAfee SIEM Multi-Tenanting

                    You better off use a dedicated ACE with multiple correlation engines (one per customer), rather than have correlation engine on the receivers themselves.

                    • 7. Re: McAfee SIEM Multi-Tenanting

                      We've been doing this for years with no real issues.  You'll need a separate receiver (or receivers) per customer, but shared ELM with separate pools and shared ACE with a correlation engine per customer.  Use zones and proper filtering and it's fine.