Intelligent, Actionable, Integrated

By on Apr 21, 2015

Reaping the benefits of SIEM

For automated tools such as Security Information and Event Management (SIEM) to improve your security posture and reduce your response time, they need to be intelligent, actionable, and integrated. They need to help you find what’s important so your team can spend more time with the most critical issues and less time trying to understand what’s important and what’s not. The latest release of McAfee Enterprise Security Manager (ESM), v9.5, augments your team’s abilities with enhanced real-time monitoring, automated historical analysis, simplified operations, and tighter integration with threat intelligence.

Automation that is not intelligent is just an amplifier – it increases both the good and the bad. McAfee ESM 9.5 gets smarter by enhancing its real-time monitoring capabilities with a threat management dashboard that can receive and understand information on emerging suspicious and malicious threats reported via STIX/TAXII, McAfee Advanced Threat Defense, and third-party URLs. Instead of having to collect this information manually, you can now quickly and easily review and manage cyber threat intelligence at a glance from a centralized dashboard. McAfee Advanced Threat Defense (ATD) sandboxing functions investigate potential indicators of attack or compromise. ESM now integrates and automates communications with ATD, receiving notification of convicted files, asking for additional details, and adding the necessary information to watch lists and alerts.

Making decisions on whether a threat is relevant and what risk level it carries is becoming increasingly complicated. McAfee simplifies deployment and ongoing risk monitoring with hundreds of out-of-the-box rules and reports, as well as pre-defined content packs that include views, reports, watch lists, key variables, and alarm rules for specific use cases. The first 12 content packs include monitoring for insider threats, data leakage, email content, suspicious activity, malicious activity, malware, reconnaissance, web filtering, and Microsoft Windows authentication. Using the risk advisor dashboard, you can now get information instantly about a threat, its severity, and the risk it presents through a risk score that unifies vulnerability status, asset criticality, and the countermeasure protection available for the threat. This assessment helps prioritize security and patching efforts according to an asset’s value.

Perhaps most important is the ability to act on this intelligence automatically, both going forward and looking back. When a new relevant threat is reported, you add it to your watch list to catch future events or flows carrying that hash or IP address. But what if your company was attacked before the threat was published? McAfee’s Backtrace feature looks for evidence that your organization has already been attacked, analyzing historical information to see if any machines are already affected. Backtrace parses the threat notification and searches existing events to see if any of its elements, such as a hash, file name, or IP address, match the event details. If it finds a match, it can generate an alarm and perform a number of automated actions to quickly mitigate and contain the attack.
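To make the watch-list and Backtrace workflow concrete, here is an added Python example. It is not McAfee code and does not show how ESM implements the feature; the notification format, the event field names, the alarm structure and all sample data are assumptions constructed for the example. It models the two steps the paragraph describes: indicators from a threat notification go onto a watch list so future events are flagged, and the same watch list is then run over already-collected events to find hosts that were hit before the threat was published.

```python
"""Watch-list matching for future events plus a Backtrace-style scan of
historical events. Schema, notification format and data are constructed
for this example; they are not ESM's own."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed event schema: which event fields can carry each indicator type.
INDICATOR_FIELDS = {
    "hash": ("file_hash",),
    "file_name": ("file_name",),
    "ip": ("src_ip", "dst_ip"),
}


@dataclass
class WatchList:
    """Indicator values keyed by type; what the SIEM consults per event."""
    entries: Dict[str, Set[str]] = field(
        default_factory=lambda: {k: set() for k in INDICATOR_FIELDS})

    def add_from_notification(self, notification: dict) -> int:
        """Parse a threat notification and add every supported indicator.
        Values are normalised to lower case so hash casing cannot cause a miss.
        Returns the number of new entries added."""
        added = 0
        for ind in notification.get("indicators", []):
            itype, value = ind["type"], ind["value"].lower()
            if itype in self.entries and value not in self.entries[itype]:
                self.entries[itype].add(value)
                added += 1
        return added

    def matches(self, event: dict) -> List[dict]:
        """Return one match record per (indicator type, field) hit in the event."""
        hits = []
        for itype, fields in INDICATOR_FIELDS.items():
            for fname in fields:
                value = str(event.get(fname, "")).lower()
                if value and value in self.entries[itype]:
                    hits.append({"type": itype, "field": fname, "value": value})
        return hits


def backtrace(watch: WatchList, historical_events: List[dict], threat_id: str) -> List[dict]:
    """Scan previously collected events for watch-list indicators and
    build one alarm record per matching event (the retroactive step)."""
    alarms = []
    for ev in historical_events:
        hits = watch.matches(ev)
        if hits:
            alarms.append({
                "threat_id": threat_id,
                "event_id": ev["id"],
                "host": ev.get("host"),
                "timestamp": ev.get("timestamp"),
                "matched": hits,
            })
    return alarms


def affected_hosts(alarms: List[dict]) -> List[str]:
    """Distinct hosts named in the alarms, i.e. machines to contain first."""
    return sorted({a["host"] for a in alarms if a["host"]})


# Constructed threat notification (placeholder indicators, not real IoCs).
NOTIFICATION = {
    "id": "THREAT-EXAMPLE-001",
    "indicators": [
        {"type": "hash", "value": "D41D8CD98F00B204E9800998ECF8427E"},  # MD5 of empty input, used as placeholder
        {"type": "file_name", "value": "invoice_2015.scr"},
        {"type": "ip", "value": "203.0.113.45"},  # TEST-NET-3 documentation address
    ],
}

# Constructed historical events that predate the notification.
HISTORICAL_EVENTS = [
    {"id": 1, "timestamp": "2015-04-10T08:12:00Z", "host": "ws-017",
     "file_hash": "d41d8cd98f00b204e9800998ecf8427e", "file_name": "invoice_2015.scr"},
    {"id": 2, "timestamp": "2015-04-10T08:13:30Z", "host": "ws-017",
     "src_ip": "10.0.5.17", "dst_ip": "203.0.113.45"},
    {"id": 3, "timestamp": "2015-04-11T14:02:11Z", "host": "ws-042",
     "src_ip": "10.0.5.42", "dst_ip": "198.51.100.9"},
    {"id": 4, "timestamp": "2015-04-12T09:45:00Z", "host": "srv-db-01",
     "file_hash": "ffffffffffffffffffffffffffffffff", "file_name": "report.pdf"},
]


def run_example() -> List[dict]:
    """Load the notification into a watch list and backtrace the history."""
    watch = WatchList()
    watch.add_from_notification(NOTIFICATION)
    return backtrace(watch, HISTORICAL_EVENTS, NOTIFICATION["id"])


if __name__ == "__main__":
    for alarm in run_example():
        print(alarm["event_id"], alarm["host"], [m["type"] for m in alarm["matched"]])
    print("affected hosts:", affected_hosts(run_example()))
```

The same `WatchList.matches` call serves both directions: run it on each new event as it arrives for the forward-looking watch list, and run it over the stored history for the retroactive scan. Note that a host with a single matching indicator (event 2 only matches the destination IP) still surfaces, which is the point of correlating several indicator types from one notification.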

Sophisticated criminal activity is overwhelming current piecemeal security solutions. McAfee ESM and Integrated Security Connected solutions enable broad data collection and automation of first response actions, helping you respond to attacks more quickly and efficiently.
