4 Replies Latest reply on Oct 7, 2014 3:28 AM by vinaya_k

    McAfee SIEM Multi-Tenanting

    philipshauntaylor

      Can anybody advise, please ... is the McAfee SIEM capable of multi-tenanting? This might be a scenario where SIEM is deployed at an MSSP serving a number of customers, where some degree of data separation between customers is required, and the fact that different customers might (likely) have overlapping IP address ranges.

        • 1. Re: McAfee SIEM Multi-Tenanting
          alexander_h

          Hi,

           

          It is achievable but there are some considerations.

          For example, with overlapping IPs you should connect these customers to different receivers.

          ELM: using different ELM or storage pools.

          ACE: Filtering of the information you want to be correlated.

          ESM: you can give access only to specific resources on a per-user/role basis.


          Let me know if you have more specific questions.

          • 2. Re: McAfee SIEM Multi-Tenanting
            philipshauntaylor

            Thanks Alexander.

             

            I can see that would work, and it makes sense to deploy receivers at the customers' sites (if only to reduce WAN bandwidth usage by taking advantage of aggregation), but how to cope with overlapping IPs when the events hit the ESM?

            • 3. Re: McAfee SIEM Multi-Tenanting
              alexander_h

              Hi,

               

              As the events will originate from different receivers, there will be no problem just to put additional filters so it will return results only for the desired customer/IP.

              Another way is if you create a role/users with access only to specific sources.

              This way, if a customer is logged in, he will see only the events from his sources.

              However, it is not possible to have duplicate IPs under a single receiver.

              • 4. Re: McAfee SIEM Multi-Tenanting
                vinaya_k

                Hi,


                On top of what @Alexander has suggested, you can also configure zoning in order to effectively differentiate customer data and use this zoning in ACE to create multiple correlation engines. As for ELM, either you create multiple storage groups to support multiple customer log retention requirements or you can use a single ELM per customer.

                 

                Regards,

                 

                Vinaya.
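
An added illustration, not part of the thread and not McAfee ESM code or its API: it shows why events from customers with overlapping IPs have to stay keyed by the receiver they came from, both for correlation and for per-role visibility. The receiver names, role names, events and threshold are all constructed assumptions.

```python
from collections import Counter

# Constructed sample events: (receiver, source_ip, event).
# Two customers behind different receivers both use 10.0.0.5.
EVENTS = [
    ("rcv-custA", "10.0.0.5", "login_failure"),
    ("rcv-custB", "10.0.0.5", "login_failure"),
    ("rcv-custA", "10.0.0.5", "login_failure"),
    ("rcv-custB", "10.0.0.5", "login_failure"),
    ("rcv-custB", "10.0.0.5", "login_failure"),
    ("rcv-custA", "10.0.0.9", "login_success"),
]

# Hypothetical role-to-receiver mapping, standing in for per-role source access.
ROLE_SOURCES = {
    "custA-analyst": {"rcv-custA"},
    "custB-analyst": {"rcv-custB"},
    "mssp-soc": {"rcv-custA", "rcv-custB"},
}

THRESHOLD = 3  # login failures from one source before the rule fires


def brute_force_alerts(events, tenant_aware=True):
    """Return the sorted keys that reached THRESHOLD login failures."""
    counts = Counter()
    for receiver, ip, event in events:
        if event != "login_failure":
            continue
        # An IP-only key merges customers that share address space.
        key = (receiver, ip) if tenant_aware else (ip,)
        counts[key] += 1
    return sorted(k for k, n in counts.items() if n >= THRESHOLD)


def visible_events(role, events):
    """Return only the events from receivers the role may see."""
    allowed = ROLE_SOURCES.get(role, set())  # unknown role sees nothing
    return [e for e in events if e[0] in allowed]


if __name__ == "__main__":
    print("IP-only key:     ", brute_force_alerts(EVENTS, tenant_aware=False))
    print("receiver+IP key: ", brute_force_alerts(EVENTS))
    print("custA view:      ", visible_events("custA-analyst", EVENTS))
```

With the IP-only key the rule fires on a 10.0.0.5 that is really two different hosts; keyed by receiver, only customer B's host crosses the threshold.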