NITRO ARCHITECTURE

Enterprise Security Manager(ESM):
    McAfee ESM allows security and compliance professionals to collect, store, analyze and act upon risks and threats from a single location.
    McAfee ESM collects and aggregates data and events from security devices, network infrastructure, systems and appliances. It then applies intelligence to that data by combining it with contextual information about users, assets, vulnerabilities and threats.

Enterprise Log Manager(ELM):
    ELM supports storage and management of, access to and reporting of log data. The data received by ELM is organized into storage pools, each composed of storage devices. A retention time is associated with each storage pool, and the data is retained in the pool for the period specified.

Event Receiver(ER):
    The event receiver enables the collection of security events and network flow data from multi-vendor sources including firewalls, virtual private networks, routers, Nitro IPS/IDS, NetFlow, sFlow and others.
    High-availability receivers can be used in primary and secondary mode, each acting as a backup for the other.

Advanced Correlation Engine(ACE):
    McAfee advanced correlation engine identifies and scores threat events in real time using both rule-based and risk-based logic. Audit trails and historical replays support forensics, compliance and rule tuning.
  • Rule-based correlation: It detects threats using traditional rule-based event correlation to analyze collected information in real time. ACE correlates all logs, events and network flows with contextual information such as identity, roles, vulnerability and more.
  • Risk-based correlation: It generates a risk score using rule-less correlation. When a risk score exceeds a certain threshold, ACE generates an event and alerts you to growing threat conditions.
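
    The two correlation modes above, sketched side by side as an added example (not McAfee's code and not ACE's actual scoring). The events, weights, criticality values, threshold and function names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real ESM data): (time_s, asset, user, event_type)
EVENTS = [
    (0,  "db01",  "alice", "login_failed"),
    (5,  "db01",  "alice", "login_failed"),
    (9,  "db01",  "alice", "login_failed"),
    (12, "db01",  "alice", "login_success"),
    (20, "web02", "bob",   "port_scan_seen"),
    (30, "db01",  "alice", "large_outbound_flow"),
    (40, "web02", "bob",   "login_failed"),
]
# Contextual information: asset criticality (assumed values)
ASSET_CRITICALITY = {"db01": 3.0, "web02": 1.0}
# Assumed per-event weights and alert threshold for the risk-based mode
EVENT_WEIGHT = {"login_failed": 5, "login_success": 0,
                "port_scan_seen": 10, "large_outbound_flow": 20}
RISK_THRESHOLD = 100

def rule_based(events, fails=3, window=60):
    """Rule: >= `fails` failed logins, then a success, same asset/user, within `window` s."""
    alerts, recent = [], defaultdict(list)
    for t, asset, user, kind in events:
        key = (asset, user)
        if kind == "login_failed":
            recent[key].append(t)
        elif kind == "login_success":
            hits = [f for f in recent[key] if t - f <= window]
            if len(hits) >= fails:
                alerts.append((t, asset, user, "brute_force_then_success"))
            recent[key].clear()
    return alerts

def risk_based(events, threshold=RISK_THRESHOLD):
    """No pattern: add weight * criticality per asset; alert once when the score crosses."""
    score, alerts = defaultdict(float), []
    for t, asset, _user, kind in events:
        before = score[asset]
        score[asset] += EVENT_WEIGHT.get(kind, 1) * ASSET_CRITICALITY.get(asset, 1.0)
        if before < threshold <= score[asset]:
            alerts.append((t, asset, score[asset]))
    return alerts, dict(score)
```

    The rule fires on the login pattern at t=12 but has nothing to say about the later outbound flow; the risk score for the critical asset db01 keeps growing and crosses the threshold at t=30, while web02 stays well below it.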

Application Data Monitor(ADM):
    McAfee application data monitor tracks all use of sensitive data on the network, analyzing underlying protocols, session integrity and application contents.
    When ADM detects a violation, it preserves all details of that application session for use in incident response and forensics or for compliance audit requirements.
    ADM can detect when sensitive information is transmitted inside email attachments, instant messages, file transfers, HTTP posts or other applications.

Database Event Monitor(DEM):
    McAfee database event monitor consolidates database activity into a central audit repository and provides normalization, correlation, analysis and reporting of that activity.
    If network or database server activity matches known patterns indicating malicious data access, DEM generates an alert. In addition, all transactions are logged for use in compliance.