1.
McAfee ESM
Fulfilling the Promise of SIEM
Jan Hereijgers
Enterprise Account Manager, SIEM
December 13, 2012
1 McAfee Confidential—Internal Use Only

2.
The State of SIEM
SIEM Promise:
Turns Security Data Into Provides an Intelligent Supports Management
Actionable Information Investigation Platform and
Demonstration of Compliance
Legacy SIEM REALITY:
00001001001111
11010101110101
10001010010100
VS
00101011101101
Antiquated Architectures Events Alone Do Not Complex Usability and
Force Choices Between Provide Enough Context Implementation Have
Time-to-Data and Intelligence to Combat Today’s Threats Caused Costs To Skyrocket
2 NitroSecurity Next Generation SIEM McAfee Confidential—Internal Use Only

3.
The Big Security Data Challenge
Billions of Events
APTs
Multi-dimensional Active
Cloud Trending; LT Analysis
Data
Insider
Anomalies
Large Volume Analysis
Compliance Historical Reporting
Thousands of Events
Correlate Events
Perimeter Consolidate Logs
3 NitroSecurity Next Generation SIEM McAfee Confidential—Internal Use Only

4.
ESM: Delivering on the Promise
Meaningful Rapid
Intelligence Response
Big
Security
Data DB
Continuous Exceptional
Compliance Value
4 NitroSecurity Next Generation SIEM McAfee Confidential—Internal Use Only

5.
Different From Ground Up …
The McAfee SIEM Event Database
 High-speed database ssed extensively throughout the US
DOD and DOE
 Award winning Sage/AdaSage technology
 15 years and over $30M invested in development at the Idaho
National Laboratory (INL)
 Purpose-built ( for rapid streaming of security events
 Up to 100,000 database insertion per second
 Custom fields & data definition specific to security events
010011 100
1001 100110
11 100 1 110
 Rich event taxonomy with 16 indexes
10 010011
001 100 1101  Provides event-data warehousing with minimal HW foot print
10101 110 1
 Facilitates real-time Business Intelligence for Security &
Compliance
 Perfected during ~300 man-years of joint development
McAfee Confidential—Internal Use Only

6.
Log Management and Search
• See log frequencies Investigate
• Search for logs
Log Management
INVESTIGATE LOGS AFTER THE FACT
6 NitroSecurity Next Generation SIEM McAfee Confidential—Internal Use Only

7.
Legacy SIEM
Visualize, Investigate
• See log frequencies
• Search for logs
• Correlate events
Device and Events from
Authentication User
Application Log Security Devices Location
and IAM Identity
Files and Endpoints
VA Scan Data Network Flows Time OS Events
Traditional Context
Log Management
DETECTION OF KNOWN SUSPICIOUS PATTERNS
7 NitroSecurity Next Generation SIEM McAfee Confidential—Internal Use Only

8.
Content Awareness
Visualize, Investigate, Respond
• See log frequencies
• Search for logs • Flows indicate frequency but miss the
• Correlate events what, who and how
• What data is involved? • Application and Database complete
the picture
• Who is doing it?
• Application logging inhibited
by performance
• Database logging inhibited by politics
Content Aware
Applications Traditional Context Database
Log Management
8 NitroSecurity Next Generation SIEM McAfee Confidential—Internal Use Only

9.
ESM Fulfills Today’s SIEM Needs
Visualize, Investigate, Respond
• See log frequencies
• Search for logs Advanced Correlation Engine
• Correlate events
GLOBAL THREAT ENTERPRISE RISK
• What data
is involved?
LANDSCAPE LANDSCAPE
• Who is doing it? • Threat intelligence feed • Vulnerabilities
• Are they • Immediate alerting • Countermeasures
a bad actor?
• Historical Analysis • Individuals
• What is the risk Risk ePolicy
of the system? Advisor Orchestrator
• What is the risk
of the user?
Dynamic Content
Content Aware
Traditional Context
Log Management
9 NitroSecurity Next Generation SIEM McAfee Confidential—Internal Use Only

10.
ESM Fulfills Today’s SIEM Needs
Visualize, Investigate, Respond
• See log frequencies OPTIMIZED
• Search for logs Advanced Correlation Engine
• Correlate events
GLOBAL THREAT ENTERPRISE RISK
• What data
is involved?
LANDSCAPE LANDSCAPE
• Who is doing it? • Threat intelligence feed • Vulnerabilities
• Are they • Immediate alerting • Countermeasures
a bad actor?
• Historical Analysis • Individuals
• What is the risk Risk ePolicy
of the system? Advisor Orchestrator
• What is the risk
of the user?
Dynamic Content
1.Shut down bad actor
2.Analyze last years events
3.Compliance issue identified
Content Aware
4.Investigate high risk system
Applications Traditional Context Database
Big Log Management High Speed
Security Intelligent
Data DB Scalable Architecture Correlation
10 NitroSecurity Next-generation SIEM McAfee Confidential—Internal Use Only

11.
GTI with SIEM Delivers Even Greater Value
Sorting Through a Sea of Events…
Have I Been Communicating With Bad Actors? 200M events
18,000 alerts
Which Communication Was Not Blocked? and logs
Dozens of
What Specific Servers/Endpoints/ Devices Were Breached?
endpoints
Handful
Which User Accounts Were Compromised? of users
Specific files
What Occurred With Those Accounts? breached
(if any)
Optimized
RESPOND How Should I Respond? response
11 NitroSecurity Next Generation SIEM McAfee Confidential—Internal Use Only

12.
Scalable and Intelligent Architecture
Intelligence and GTI ePO MRA SIA
Operational efficiency
Adaptive Risk Analysis & McAfee Advanced Correlation Engine
Historical Correlation
McAfee Enterprise Security Manager
Integrated SIEM McAfee Enterprise Log Manager
& Log Management
McAfee Application McAfee Database
Rich App & Data Monitor Event Monitor
DB Context
Big
Scalable Collection & McAfee Receivers Security
Data DB
Distributed Correlation
12 NitroSecurity Next Generation SIEM McAfee Confidential—Internal Use Only

13.
McAfee ESM (NitroSecurity)
Summary Overview Gartner SIEM MQ
 Founded: 1999
 Description: Nitro develops the industry's fastest analytical
tools to identify, correlate and remediate information security
threats in minutes instead of hours
 Employees: 120 employees
 Headquarters: Portsmouth, NH. R&D facilities in Idaho Falls.
 Customers: 700+ Active Customers. 30 in Fortune 500. 60%
of business through channel. 50% of business in US Federal
 Acquisitions: Acquired Rippletech (log collection and
reporting technology) and LogMatrix (analytics technology)
 Financials: 2010 Bookings = $25MM; 50% Growth YoY for
trailing 3 years
Notable Customers
McAfee Confidential—Internal Use Only

14.
Customer Case Study
McAfee
OPPORTUNITY DECISION
McAfee • “Nitro” and Q1 shortlisted
(pre-acquisition) • POC consisted of replicating original deployment plan
• Q1Labs exhibited same performance issues
as existing solution
• Internal security /
compliance (Plano, TX) • Nitro is selected
• Major SIEM
installed for two years
RESULTS
• “Never completed the
initial deployment plan even
with multiple $000,000’s • Deployed and delivering value in 30 days
of pro services” • 2 appliances outperformed 32 core SIEM deployment
• “Can get the log data in, • Eliminated consulting and instrumentation spend on
but CANNOT get useful making SIEM work
information out”
14 NitroSecurity Next Generation SIEM McAfee Confidential—Internal Use Only

15.
ESM: True Situational Awareness
GREATEST ACCURACY IN
PINPOINTING THREATS
FASTEST TIME-TO-RESPOND
CONTINUOUS COMPLIANCE MONITORING
COST EFFECTIVE THROUGH
LOW TCO AND RAPID
TIME-TO-VALUE
15 NitroSecurity Next Generation SIEM McAfee Confidential—Internal Use Only

16.
McAfee Confidential—Internal Use Only