In this series so far, we’ve covered the McAfee Enterprise Security Manager (ESM), capabilities that make our SIEM solution stand out and how this solution can benefit your organization. In this final installment of our ‘Evolution of SIEM’ series, I am going to highlight a few of the orchestration options for ESM to help you get the most out of your SIEM solution.
Within McAfee Enterprise Security Manager, actions are driven by alarms that have been configured to fire whenever a variety of events occur. However, there are a few different possibilities for how you can orchestrate your system and receive these alarms. Let’s take a look at two products that both complement ESM and offer a variety of orchestration options: the ePolicy Orchestrator and Network Security Platform.
ePolicy Orchestrator (ePO) allows administrators to categorize systems by manual or criteria-based “tags.” These tags can be used to assign configuration profiles to assets, launch tasks on managed endpoints, or filter dashboards and reports. You have the option to set these tags manually or as a triggered alarm action, which allows for the following use cases:
- Flagging suspicious systems for follow-up. Tagging is a great way for incident response staff to track which systems require investigation and in turn, helps to drive immediate remediation activities. As a result, your endpoint security staff is able to prioritize remediation efforts based on the systems with the most critical security issues.
- Quarantine and remediation of compromised systems. When investigating an ongoing attack or breach, there are sometimes repeated behaviors that indicate a compromised system. By leveraging ePO policy assignment rules and tasks, the SIEM can conduct real-time responses, neutering the threat and effectively minimizing the amount of damage that could have been done.
Another product that is a natural complement to ESM is the Network Security Platform (NSP). Administrators can set network access control lists on NSP sensors manually, or as a triggered alarm action to assist with behavior-based blacklisting. Oftentimes, high volumes of reconnaissance activity make it difficult for security analysts to follow up directly on each incident, which in turn makes it difficult to effectively block communication with malicious hosts. This is where SIEM comes in. You can leverage a SIEM solution to carry out an automated response at the network layer, which will block all future connections from the attacker.
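To make the alarm-to-action flow described above concrete, here is an added, illustrative model of the orchestration logic (it is not ESM, ePO or NSP code and uses none of their APIs): one alarm tags an endpoint for follow-up, repeated compromise indicators escalate to a quarantine policy, and a reconnaissance threshold produces a network-layer block. The alarm format, rule names, thresholds and the "own network" allowlist are all assumptions chosen for the example.

```python
from collections import Counter
import ipaddress

RECON_THRESHOLD = 3   # assumption: scan alarms from one source before blocking
QUARANTINE_AFTER = 2  # assumption: repeated beacon alarms before quarantine
OWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # never auto-block own ranges

# Constructed sample alarms in a simplified shape (not ESM's real event format)
SAMPLE_ALARMS = [
    {"rule": "suspicious_process", "asset": "ws-042", "src": "10.1.2.42"},
    {"rule": "c2_beacon", "asset": "ws-042", "src": "10.1.2.42"},
    {"rule": "c2_beacon", "asset": "ws-042", "src": "10.1.2.42"},
    {"rule": "port_scan", "asset": None, "src": "203.0.113.7"},
    {"rule": "port_scan", "asset": None, "src": "203.0.113.7"},
    {"rule": "port_scan", "asset": None, "src": "203.0.113.7"},
    {"rule": "port_scan", "asset": None, "src": "203.0.113.7"},
    {"rule": "port_scan", "asset": None, "src": "10.9.9.9"},
    {"rule": "port_scan", "asset": None, "src": "10.9.9.9"},
    {"rule": "port_scan", "asset": None, "src": "10.9.9.9"},
]


def is_own_network(ip):
    """True if the address falls in a range we must never auto-block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OWN_NETWORKS)


def orchestrate(alarms, recon_threshold=RECON_THRESHOLD,
                quarantine_after=QUARANTINE_AFTER):
    """Map alarms to (action, target, detail) tuples; each action/target pair once."""
    actions, issued = [], set()
    scans, beacons = Counter(), Counter()

    def issue(action, target, detail):
        if (action, target) not in issued:  # dedupe: no re-tagging or re-blocking
            issued.add((action, target))
            actions.append((action, target, detail))

    for alarm in alarms:
        if alarm["rule"] == "suspicious_process":
            issue("epo_tag", alarm["asset"], "NeedsInvestigation")
        elif alarm["rule"] == "c2_beacon":
            beacons[alarm["asset"]] += 1
            issue("epo_tag", alarm["asset"], "NeedsInvestigation")
            if beacons[alarm["asset"]] >= quarantine_after:
                issue("epo_quarantine", alarm["asset"], "QuarantinePolicy")
        elif alarm["rule"] == "port_scan":
            scans[alarm["src"]] += 1
            if scans[alarm["src"]] >= recon_threshold and not is_own_network(alarm["src"]):
                issue("nsp_acl_block", alarm["src"], "deny inbound")
    return actions
```

Running `orchestrate(SAMPLE_ALARMS)` yields one tag, one quarantine and one ACL block; the internal scanner at 10.9.9.9 crosses the threshold but is left for analyst follow-up rather than blocked.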
When properly leveraged, a SIEM solution allows you to respond to threats faster and with less effort. The above are just a few of the various orchestration actions and responses that are available for a SIEM solution.
For more information on this subject, be sure to check out the McAfee SNS Journal for the latest news, product spotlights and technical briefs. You can subscribe for monthly updates here. You can also stay up to date on what McAfee has to offer by following @McAfeeBusiness on Twitter, and exploring our SIEM community.