Company description: Founded in 1987 as McAfee Associates, it became Network Associates in 1997 as a merger of McAfee Associates, Network General, PGP Corporation and Helix Software. In 2004, the company changed its name back to McAfee to reflect its focus on security-related technologies. McAfee was acquired by, and was a wholly owned subsidiary of, Intel from 2011 through 2017. In April 2017, McAfee returned to being a standalone security company. Currently, it is a joint venture between Intel and TPG Capital. It continues to be profitable.
Product description: McAfee ESM includes threat intelligence feeds, correlation, analytics, profiling, security alerts, data presentation and compliance. It is said to deliver the actionable intelligence and integrations required to prioritize, investigate and respond to threats, while the embedded compliance framework and built-in security content packs simplify analyst and compliance operations. ESM is the core product of McAfee's SIEM solution portfolio, which includes McAfee Enterprise Log Manager (ELM), McAfee Advanced Correlation Engine (ACE), McAfee Event Receiver (ERC), McAfee Database Event Monitor (DEM), McAfee Application Data Monitor (ADM) and McAfee Global Threat Intelligence (GTI). McAfee ESM offers integration with dozens of complementary incident management and analytics solutions, including McAfee Threat Intelligence Exchange, which is based on endpoint monitoring and aggregates low-prevalence attacks by drawing on global, third-party and local threat intelligence.
"Incident response teams and administrators can use McAfee Active Response to look for malicious zero-day files that lie dormant on systems, as well as active processes in memory," said Karl Klaessig, Product Marketing Manager for McAfee SIEM. "It also uses persistent collectors to continuously monitor your endpoints for specific Internet Operating Centers (IoCs), automatically alerting you if an IoC appears somewhere in your environment."
Markets and use cases: Klaessig said several verticals leverage it more than others, such as public sector, higher education and healthcare. The company has added specific capabilities to support these markets.
Metrics: McAfee Enterprise Security Manager can store billions of events and flows, making them available for ad hoc queries, forensics, rules validation and compliance. Klaessig said McAfee ESM has been cited by analysts as offering the highest throughput of any SIEM solution.
Security qualifications: FIPS 140-2 Level 2, CC EAL2+, listed on the DoD Unified Capabilities Approved Products List and the U.S. Army Information Assurance Approved Products List, approved for Navy networks, and compliant with NIST SP 800-92, NIST SP 800-53, NIST SP 800-82 and NERC CIP-007.
Intelligence: It offers remote command execution options to interact with orchestration and security systems via a third-party system that allows scripting (CLI, URL or API). ePO tagging sends McAfee Agent wake-up calls that allow automated task and policy changes.
Delivery: McAfee ESM, McAfee ELM, McAfee ACE, McAfee ERC, McAfee DEM, and McAfee ADM can be purchased as an appliance. While available as individual appliances, McAfee ESM, McAfee ELM, and McAfee ERC components are also available as a combination appliance for flexible deployment options. In addition, McAfee SIEM products can be purchased as a virtual appliance (support for VMware, Red Hat KVM, and AWS).
Agents: The McAfee SIEM Collector is host-based software that uses agents to send events to McAfee ESM. It is also possible to gather Windows data without agents.
Pricing: McAfee SIEM appliances are rated and sold by the events-per-second (EPS) capacity they can handle, rather than priced per data source or per number of EPS, and no EPS limits are enforced on the appliance. In addition, no extra licensing costs are required for added data sources. For single-appliance deployments, four models are available, two physical appliances and two virtual appliances:
- ESM-ELM-ERC-5700, 1,500 EPS hardware appliance, 32 TB + 800 GB SSD local storage, List: $74,086
- ESM-ELM-ERC-6050, 3,500 EPS hardware appliance, 40 TB + 800 GB SSD local storage, List: $111,935
- ESM-ELM-ERC-VM-8, up to 8 cores, 1,000 EPS virtual appliance, List: $39,995
- ESM-ELM-ERC-VM-12, up to 12 cores, 5,000 EPS virtual appliance, List: $59,995