McAfee Enterprise Security Manager
May 01, 2016
Starts at £28,140 for the VM software version or £33,767 for the hardware version.
- Strengths: Probably the most comprehensive and powerful SIEM we’ve seen, continuing the legacy of the old Nitro product up to the present time.
- Weaknesses: None that we found.
- Verdict: For its performance, functionality and value, we are pleased to make Intel-McAfee one of our SC Lab Approved products and look forward to having it in the SC Lab for a year's worth of evaluation.
We have been watching this tool since it was born years ago as the NitroView SIEM. At that time, we said it was a vastly superior analysis tool but for user friendliness it had a way to go. A lot of its powerful functionality required a user with more than a little knowledge in the art of SIEM management. You certainly could not make that statement now. This is many times more powerful than those early models and so much is done automatically, if you wish, that it is a great SOC tool without sacrificing its value as an analyst tool.
This surprised us, since the UI has not changed fundamentally since the first release. Moreover, it is a next-generation SIEM that is constantly evolving, with immense functionality and integration with a huge list of industry-standard log sources. The basic tool provides SIEM, compliance, enterprise log management and network analysis functions, and includes McAfee Event Receiver, which collects data for correlation and analysis by McAfee Enterprise Security Manager. It is licensed per VM instance.
Enterprise Security Manager (ESM) provides the scalability and performance needed for collecting and correlating massive volumes of log, flow and contextual data, including third-party threat feeds, application sessions and database activity. It provides simultaneous real-time and historical operations for optimising threat investigations and forensics. While that is a bit of a mouthful, ESM does deliver. It comes standard with McAfee Integrated Threat Defence and Global Threat Intelligence, but can consume threat feeds from a large number of third-party sources.
In addition, the tool can ingest indicators of compromise (IOCs) from leading sources and, something we really like, STIX XML files. All of this goes into the mix and the tool analyses based on the usual log input, asset input and weighting and other traditional SIEM capabilities, plus the threat intelligence and IOCs. There is an expanded watch list capability that now includes such things as HTTPS, and IOCs can be searched over a user-selected period using Backtrace. This allows analysis and alerting based on an IOC that was not available at the time of an earlier event but that might describe aspects of the event that weren't caught at the time.
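The retrospective IOC search described above (an indicator arrives after the event it describes, so stored events within a chosen window are re-scanned against it) is a generic SIEM pattern worth seeing in miniature. The following is an added example written for this review, not McAfee's code and not how ESM's Backtrace is implemented. It assumes a simplified STIX 1.x/CybOX-style XML indicator document and a JSON-lines event store with ISO-8601 timestamps; the feed, the events, the hash value and the indicator ids are all constructed for the example.

```python
"""Retrospective IOC matching over stored events (added example, not McAfee code).

Assumptions: a simplified STIX 1.x-style XML feed (only the Address_Value,
DomainNameObj Value and Simple_Hash_Value leaves are read) and JSON-lines
events with a "ts" field in the form YYYY-MM-DDTHH:MM:SSZ.
"""
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed, heavily simplified STIX 1.x/CybOX-style feed. Real feeds carry
# far more structure; only the value leaves matter for this example.
SAMPLE_STIX = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2">
  <stix:Indicators>
    <indicator:Indicator id="example:indicator-1">
      <indicator:Observable><cybox:Object><cybox:Properties category="ipv4-addr">
        <AddressObj:Address_Value>203.0.113.7</AddressObj:Address_Value>
      </cybox:Properties></cybox:Object></indicator:Observable>
    </indicator:Indicator>
    <indicator:Indicator id="example:indicator-2">
      <indicator:Observable><cybox:Object><cybox:Properties>
        <DomainNameObj:Value>update.badexample.test</DomainNameObj:Value>
      </cybox:Properties></cybox:Object></indicator:Observable>
    </indicator:Indicator>
    <indicator:Indicator id="example:indicator-3">
      <indicator:Observable><cybox:Object><cybox:Properties>
        <FileObj:Hashes><cyboxCommon:Hash>
          <cyboxCommon:Simple_Hash_Value>0123456789abcdef0123456789abcdef</cyboxCommon:Simple_Hash_Value>
        </cyboxCommon:Hash></FileObj:Hashes>
      </cybox:Properties></cybox:Object></indicator:Observable>
    </indicator:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
"""

# Constructed historical events, as a SIEM might have stored them weeks earlier.
SAMPLE_EVENTS = """\
{"ts": "2016-04-20T08:01:00Z", "host": "ws01", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7"}
{"ts": "2016-04-22T13:45:00Z", "host": "ws02", "src_ip": "10.0.0.9", "dns_query": "UPDATE.badexample.test"}
{"ts": "2016-04-25T09:00:00Z", "host": "ws02", "src_ip": "10.0.0.9", "file_md5": "0123456789abcdef0123456789abcdef"}
{"ts": "2016-04-28T17:30:00Z", "host": "ws01", "src_ip": "10.0.0.5", "dst_ip": "198.51.100.20"}
{"ts": "2016-03-01T12:00:00Z", "host": "ws03", "src_ip": "10.0.0.7", "dst_ip": "203.0.113.7"}
"""

# Leaf element local names that carry an IOC value, mapped to an IOC type.
VALUE_TAGS = {"Address_Value": "ip", "Value": "domain", "Simple_Hash_Value": "hash"}
# Event fields that are compared against each IOC type.
EVENT_FIELDS = {"src_ip": "ip", "dst_ip": "ip", "dns_query": "domain", "file_md5": "hash"}


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def parse_stix_indicators(xml_text):
    """Return {ioc_type: {normalised_value: indicator_id}} from the feed."""
    iocs = {"ip": {}, "domain": {}, "hash": {}}
    for ind in ET.fromstring(xml_text).iter():
        if local_name(ind.tag) != "Indicator":
            continue
        ind_id = ind.get("id", "unknown")
        for leaf in ind.iter():
            kind = VALUE_TAGS.get(local_name(leaf.tag))
            if kind and leaf.text and leaf.text.strip():
                # Lower-case so domain and hash matching is case-insensitive.
                iocs[kind][leaf.text.strip().lower()] = ind_id
    return iocs


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def backtrace(events_text, iocs, end_ts, lookback_days):
    """Re-scan stored events in the window [end - lookback, end] against IOCs.

    The IOCs may have been learned after the events occurred; that is the
    point of a retrospective search. Returns one hit per matching field.
    """
    end = parse_ts(end_ts)
    start = end - timedelta(days=lookback_days)
    hits = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        ts = parse_ts(event["ts"])
        if not start <= ts <= end:
            continue  # outside the analyst-selected period
        for field, kind in EVENT_FIELDS.items():
            value = event.get(field)
            if value is None:
                continue
            ind_id = iocs[kind].get(str(value).lower())
            if ind_id:
                hits.append({"ts": event["ts"], "host": event["host"],
                             "field": field, "value": value, "indicator": ind_id})
    return hits


if __name__ == "__main__":
    feed = parse_stix_indicators(SAMPLE_STIX)
    for hit in backtrace(SAMPLE_EVENTS, feed, "2016-04-30T00:00:00Z", 14):
        print(hit)
```

Widening the lookback from 14 to 60 days pulls in the March event on ws03, which is exactly the situation the review describes: a contact with the indicator's address that nothing flagged when it happened, surfaced only once the IOC arrived. In a real deployment the hits would feed correlation and alerting rather than a print loop, and the feed parser would use a proper STIX library rather than tag-name matching.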
Other new features include access to a sandbox and preconfigured use cases. One of the challenges with earlier versions of ESM was setting up meaningful dashboards. That usually meant figuring out what you wanted to see in a particular use case, setting up a dashboard, a set of assets and weightings, and experimenting until you got just the right combination of displays to give a meaningful starting point for drilldown. True, there always have been some canned use cases supplied with the product but they were limited. Not anymore. Now the tool comes with dozens of preconfigured use cases and they are among the richest and most complete we've seen in any tool. Drilldown is excellent and you can pivot on findings within a particular drilldown for more detail.
Should a particular use case yield a questionable file, it goes to a sandbox where it is analysed and the results are fed back into the overall threat analysis and alerting. While the product is an on-premises tool, it communicates regularly with the McAfee cloud where it gets updates to such things as use cases, rules and content packs.
Documentation is excellent and support is comprehensive. Pricing is not inexpensive, but it is more than reasonable for this powerhouse. This is a tool that shines in a large environment, but we have used it in a much smaller venue with very good success.