The massive amount of log, event and flow data within the SIEM offers security analysts answers to essential security questions such as “who is accessing critical business systems,” or, more importantly, “was there any anomalous activity before, during or after the connection?”
To get these answers, though, users need to filter, correlate, and view relevant events by adding knowledge, or “Content,” to the SIEM system. Typically, the SIEM expert creates and maintains the arsenal of dashboard views, correlation rules, watchlists, alarms, and reports related to this data processing, drawing on knowledge of event sources, their semantics and, of course, the targeted use cases. For example, creating correlation rules requires not only deep insight into adversary activity but also knowledge of the SIEM data system, so that the right content can be created without degrading system performance. Acquiring both the threat knowledge and the required system configuration skills can be time consuming and challenging, and until then the SIEM does not deliver its full value.
There’s new help for this operational burden and training hurdle. Starting in version 9.5, McAfee Enterprise Security Manager (ESM) customers can simplify operations with “ready to go” content packs for top security use cases, such as those described by Gartner analyst Anton Chuvakin in one of his blogs. SIEM users can now respond to threats or compliance needs without spending time deciphering the event source output or creating the content from scratch. Additionally, SIEM administrators are relieved of the task of creating, tuning and maintaining use-case-specific content.
Free, and easy to use
The frequently updated content packs include not only ‘best practices’ on how to set up McAfee ESM for a specific threat monitoring use case, but also all the ingredients (rules, dashboards, and reports) needed to get the desired outcome. System administrators save time and avoid trial and error by employing vendor-supplied content while they mature their related policies and procedures.
Built by Intel Security SIEM experts, these content packs are distributed free of charge. Users can review, select, download and deploy the SIEM content configurations directly from within the McAfee SIEM user interface. Guidelines on intended usage, related device types, and pre- and post-installation steps are presented to the system administrator, giving better insight into the targeted use case and its expected outcomes. After installation, most of the content, including reports and correlation rules, can be tailored to the user’s own enterprise environment. The content packs are distributed via the existing McAfee ESM Rules Server, so no additional network or firewall changes are required to access the updates. This also allows new content to be published and deployed between software release cycles, and updates to be applied without any operational downtime for the SIEM platform.
For more information on the content packs, please visit the McAfee expert center.
The KB articles are available by logging on to kb.mcafee.com and entering “siem content pack” in the search bar.