What is Security Information and Event Management (SIEM)?

Security information and event management (SIEM) software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware.

As threats and responsibilities have expanded, SIEM solutions have become one of the greatest assets an analyst has, the Swiss army knife of incident response and orchestration. Security analysts use SIEM systems for advanced analytics, including user behavior analysis, real-time monitoring, and data and application monitoring.

With this expanding role, SIEM architecture has evolved from a linear, sequential log management model that focuses on what happened in which order to a hub-and-spoke model, where SIEM tools aggregate and correlate data from security feeds. Spokes of this model can incorporate a variety of systems, such as vulnerability assessment solutions, governance, risk and compliance (GRC) systems, application and database scanners, intrusion prevention systems (IPS), user and entity behavior analytics (UEBA), endpoint detection and remediation (EDR), and threat intelligence platforms (TIP).

An optimized security operations model requires the adoption of a security framework that makes it easy to integrate security solutions and threat intelligence into day-to-day processes. A central role for modern SIEM tools is to provide centralized and actionable dashboards that help integrate threat data to keep operations and management apprised of evolving events and activities. By linking threat management with other systems for managing risk and compliance, security operations center (SOC) teams can better manage overall risk posture. Such configurations support continuous visibility across systems and domains and can use actionable intelligence to drive better accuracy and consistency into security operations. Centralized functions reduce the burden of manual data sharing, auditing, and reporting throughout.

The following are the key components of McAfee SIEM solutions:

| Component | Description |
| --- | --- |
| McAfee Enterprise Security Manager (ESM) | The SIEM central console, which includes the enterprise database. Nearly all configuration, management, reporting, and workflows are done here. |
| McAfee Event Receiver (ERC) | Receivers collect events, flows, and logs from data sources (McAfee and third-party products). They also normalize, aggregate, and enrich the data and perform rules-based event correlation. |
| McAfee Advanced Correlation Engine (ACE) | The ACE performs rules-based correlation and, in doing so, relieves receivers of the correlation workload. It also performs risk, deviation, and historical correlation. |
| McAfee Enterprise Log Manager (ELM) | ELMs collect and store raw logs for compliance purposes and raw log search, and are optimized for data retention. They can perform full-text indexing of stored logs and provide a forensically sound audit trail. ELM accommodates different log management needs via flexible storage pools spanning local or remote storage devices and configurable retention periods. |
| McAfee Enterprise Log Search (ELS) | ELS is optimized for fast investigations, leveraging Elasticsearch for high-speed searching across raw data. Near-real-time retrieval of insights from high volumes of events, logs, flows, and threat intelligence provides timely, prioritized threat detection and investigation value from the data. |
| McAfee Application Data Monitor (ADM) | ADM analyzes layer 7 traffic flows, providing rich information on risks at the application level. |
| McAfee Direct Attached Storage | Provides a high-performance storage array for ESM and/or ELM, with a redundant architecture (RAID controller, mirrored cache, and I/O multipathing). |
| McAfee Global Threat Intelligence (GTI) for ESM | Adds McAfee GTI reputation information to help assess event risk. This is a license-based component that requires no additional hardware. |
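To make the hub-and-spoke flow and the receiver's job concrete (collect from several feeds, normalize onto one schema, aggregate duplicates, enrich with reputation, then correlate with rules, which is the pipeline the table attributes to the Event Receiver, ACE and GTI), here is a small Python sketch of that pipeline. It is an added example, not McAfee ESM or Event Receiver code; the log lines, the reputation table, the rule names and the thresholds are all constructed for illustration.

```python
"""Toy SIEM receiver pipeline: normalize -> aggregate -> enrich -> correlate.

Added example; not McAfee ESM/ERC code. The log lines, the reputation
table and the rule thresholds are constructed for illustration only.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed sample events from two feeds: a syslog-style SSH auth log
# and a firewall that emits JSON. A real receiver sees many more formats.
RAW_EVENTS = [
    "2024-05-01T10:00:01Z sshd[112]: Failed password for root from 203.0.113.9 port 4100",
    "2024-05-01T10:00:05Z sshd[112]: Failed password for root from 203.0.113.9 port 4101",
    "2024-05-01T10:00:09Z sshd[112]: Failed password for root from 203.0.113.9 port 4102",
    "2024-05-01T10:00:20Z sshd[112]: Accepted password for root from 203.0.113.9 port 4103",
    '{"ts": "2024-05-01T10:00:30Z", "src": "203.0.113.9", "dst": "10.0.0.5", "action": "allow", "dport": 445}',
    '{"ts": "2024-05-01T10:00:31Z", "src": "203.0.113.9", "dst": "10.0.0.5", "action": "allow", "dport": 445}',
    "2024-05-01T10:01:00Z sshd[113]: Failed password for alice from 198.51.100.7 port 5000",
]

# Constructed reputation table standing in for a threat-intelligence feed
# (the role GTI plays for ESM in the table above).
REPUTATION = {"203.0.113.9": "malicious", "198.51.100.7": "unknown"}

SSH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)"
)

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def normalize(line):
    """Map a raw line from either feed onto one common event schema."""
    if line.startswith("{"):
        d = json.loads(line)
        return {"ts": parse_ts(d["ts"]), "src": d["src"], "dst": d["dst"],
                "type": "fw_" + d["action"], "user": None, "dport": d["dport"]}
    m = SSH_RE.match(line)
    if not m:
        return None  # unknown format: dropped (a real receiver would count these)
    return {"ts": parse_ts(m["ts"]), "src": m["src"], "dst": None,
            "type": "auth_fail" if m["outcome"] == "Failed" else "auth_success",
            "user": m["user"], "dport": None}

def aggregate(events):
    """Collapse repeated (src, dst, type, dport) events into one with a count.
    The user field is deliberately not part of the key, so a spray across
    accounts from one source still lands in a single bucket."""
    buckets = {}
    for e in events:
        key = (e["src"], e["dst"], e["type"], e["dport"])
        if key in buckets:
            buckets[key]["count"] += 1
            buckets[key]["last_ts"] = e["ts"]
        else:
            buckets[key] = dict(e, count=1, last_ts=e["ts"])
    return list(buckets.values())

def enrich(events):
    """Attach reputation data to each event's source address."""
    for e in events:
        e["src_reputation"] = REPUTATION.get(e["src"], "unknown")
    return events

def correlate(events, window=timedelta(seconds=60), threshold=3):
    """Two constructed rules: a burst of failures followed by a success from
    the same source, and firewall-allowed traffic from a malicious source."""
    alerts = []
    fails = {e["src"]: e for e in events if e["type"] == "auth_fail"}
    for e in events:
        if e["type"] == "auth_success":
            f = fails.get(e["src"])
            if f and f["count"] >= threshold and e["ts"] - f["last_ts"] <= window:
                alerts.append({"rule": "brute_force_success", "src": e["src"],
                               "user": e["user"], "severity": 90})
        if e["type"] == "fw_allow" and e["src_reputation"] == "malicious":
            alerts.append({"rule": "allowed_from_malicious_src", "src": e["src"],
                           "dst": e["dst"], "dport": e["dport"], "severity": 70})
    return alerts

def run_pipeline(lines):
    events = [e for e in (normalize(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])  # correlation assumes time order
    return correlate(enrich(aggregate(events)))

if __name__ == "__main__":
    for alert in run_pipeline(RAW_EVENTS):
        print(alert)
```

Running it on the constructed input yields two alerts: the three failed logins followed eleven seconds later by a success from 203.0.113.9, and the SMB traffic that the firewall allowed from that same, reputation-flagged source. The point of the sketch is the division of labour: normalization and aggregation happen once per feed, enrichment consults an external reputation source, and the rules only ever see the common schema, which is why a new spoke (another log format) costs one `normalize` branch rather than a new copy of every rule.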
