
NITRO ARCHITECTURE

Enterprise Security Manager(ESM):
    McAfee ESM is the central console: it allows security and compliance professionals to collect, store, analyze and act upon risks and threats from a single location.
    ESM collects and aggregates data and events from security devices, network infrastructure, systems and appliances. It then applies intelligence to that data by combining it with contextual information about users, assets, vulnerabilities and threats.

Enterprise Log Manager(ELM):
    ELM provides storage and management of, access to and reporting on log data. The data received by ELM is organized into storage pools, each composed of one or more storage devices. A retention time is associated with each storage pool, and data is kept in the pool for the period specified. Data older than the retention time is removed from the pool, so the retention period bounds how far back searches and forensic replays can reach.

Event Receiver(ER):
    The event receiver collects security events and network flow data from multi-vendor sources including firewalls, virtual private networks, routers, nitro IPS/IDS, netflow, sflow and others.
    Receivers can be deployed as a high-availability pair in primary/secondary mode, each acting as a backup for the other.

Advanced Correlation Engine(ACE):
    McAfee advanced correlation engine identifies and scores threat events in real time using both rule-based and risk-based logic. Audit trails and historical replays support forensics, compliance and rule tuning.
  • Rule-based correlation: It detects threats using traditional rule-based event correlation, analyzing collected information in real time. ACE correlates all logs, events and network flows with contextual information such as identity, roles, vulnerabilities and more.
  • Risk-based correlation: It generates a risk score using rule-less correlation, accumulating a score per entity (for example a source address or a user) from the events attributed to it. When a risk score exceeds a configured threshold ACE generates an event and alerts you to a growing threat condition.

Application Data Monitor(ADM):
    McAfee application data monitor tracks all use of sensitive data on the network, analyzing the underlying protocols, session integrity and application content.
    When ADM detects a violation, it preserves all details of that application session for use in incident response and forensics or for compliance audit requirements.
    ADM can detect when sensitive information is transmitted inside email attachments, instant messages, file transfers, HTTP posts or other applications.

Database Event Monitor(DEM):
    McAfee database event monitor consolidates database activity into a central audit repository and provides normalization, correlation, analysis and reporting of that activity.
    If network or database server activity matches known patterns indicating malicious data access, DEM generates an alert. In addition, all transactions are logged for compliance purposes.

NITRO DEFINITION

Security Information and Event Management(SIEM) is a technology which provides real-time analysis of security alerts generated by network and security devices. It combines two areas:
    - The segment of security management that deals with real-time monitoring, correlation of events, notifications and console views is commonly known as security event management(SEM).
    - The second area, which provides long-term storage as well as analysis and reporting of log data, is known as security information management(SIM).

- Events: An event is an activity recorded by a device.
- Flows: A flow is a record of a network connection between two IP addresses (source and destination address, ports, protocol, byte and packet counts), as exported by NetFlow or sFlow; it describes the traffic without containing its payload.
- Logs: A log is a device's own record of the events that occurred on it, typically one line per event.
- Parsing: Parsing splits a raw log line into its component fields (timestamp, host, source and destination address, user, action) so that the event can be understood and compared with events from other sources.
- Aggregation: An event or flow can potentially be generated thousands of times. Instead of forcing you to sift through thousands of identical events, aggregation allows you to view them as a single event or flow with a count that indicates the number of times it occurred (and usually a first-seen and last-seen time).
- Normalization: Normalization maps the parsed fields of every source into one common schema, so that a source address from a firewall, a VPN and an IDS all land in the same field with the same name and format, and vendor-specific event names map to common event types. Its purpose is to make events from different vendors comparable, which is what correlation and cross-source reporting depend on. (This is a different use of the word from database normalization, which is about removing redundancy from tables.)
- Correlation: It looks for common attributes and links events together into meaningful bundles. This technology provides the ability to perform a variety of correlation techniques to integrate different sources in order to turn data into useful information.
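The pipeline these definitions describe (parsing, normalization into a common schema, aggregation with a count, then both the rule-based and the risk-based correlation that ACE performs), as an added example in Python. It is not McAfee's code and not part of the original post: the two log formats, the field names of the common schema, the rule thresholds and the risk weights are all assumptions made for the example, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: a firewall logging key=value pairs and an sshd
# syslog. Made up for this example, not captured data.
RAW_LOGS = [
    "Jan 12 10:00:01 fw01 FW: action=deny src=203.0.113.5 dst=10.0.0.8 dport=22 proto=tcp",
    "Jan 12 10:00:02 fw01 FW: action=deny src=203.0.113.5 dst=10.0.0.8 dport=22 proto=tcp",
    "Jan 12 10:00:03 fw01 FW: action=deny src=203.0.113.5 dst=10.0.0.8 dport=22 proto=tcp",
    "Jan 12 10:00:10 srv08 sshd[221]: Failed password for root from 203.0.113.5 port 51000 ssh2",
    "Jan 12 10:00:12 srv08 sshd[222]: Failed password for root from 203.0.113.5 port 51001 ssh2",
    "Jan 12 10:00:14 srv08 sshd[223]: Failed password for root from 203.0.113.5 port 51002 ssh2",
    "Jan 12 10:00:20 srv08 sshd[224]: Accepted password for root from 203.0.113.5 port 51003 ssh2",
    "Jan 12 10:01:00 srv08 sshd[230]: Accepted publickey for alice from 198.51.100.9 port 40000 ssh2",
]

# Parsing: one regex per source format; named groups are the raw fields.
SYSLOG_PREFIX = r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
FW_RE = re.compile(SYSLOG_PREFIX + r"FW: action=(?P<action>\w+) src=(?P<src>\S+) "
                   r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")
SSHD_RE = re.compile(SYSLOG_PREFIX + r"sshd\[\d+\]: (?P<result>Accepted|Failed) "
                     r"(?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$")

def parse_event(line):
    """Parse one raw line and normalize it into the assumed common schema
    (ts, host, source, event_type, src_ip, dst_ip, dst_port, user).
    Returns None for lines no parser understands."""
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"), "host": m["host"],
                "source": "firewall", "event_type": "fw." + m["action"],
                "src_ip": m["src"], "dst_ip": m["dst"], "dst_port": int(m["dport"]),
                "user": None}
    m = SSHD_RE.match(line)
    if m:
        return {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"), "host": m["host"],
                "source": "sshd",
                "event_type": "auth.success" if m["result"] == "Accepted" else "auth.failure",
                "src_ip": m["src"], "dst_ip": None, "dst_port": 22, "user": m["user"]}
    return None

# Aggregation: events identical in everything but the timestamp collapse
# into one record with a count and a first/last-seen range.
AGG_KEY = ("host", "source", "event_type", "src_ip", "dst_ip", "dst_port", "user")

def aggregate(events):
    buckets = {}
    for ev in events:
        key = tuple(ev[k] for k in AGG_KEY)
        b = buckets.get(key)
        if b is None:
            buckets[key] = dict(ev, count=1, first_seen=ev["ts"], last_seen=ev["ts"])
        else:
            b["count"] += 1
            b["first_seen"] = min(b["first_seen"], ev["ts"])
            b["last_seen"] = max(b["last_seen"], ev["ts"])
    return list(buckets.values())

# Rule-based correlation: min_failures or more auth failures from one source
# followed by a success from the same source inside the window.
def rule_correlate(events, min_failures=3, window_seconds=300):
    alerts = []
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src_ip"]].append(ev)
    for src, evs in by_src.items():
        failures = []
        for ev in evs:
            if ev["event_type"] == "auth.failure":
                failures.append(ev["ts"])
            elif ev["event_type"] == "auth.success":
                recent = [t for t in failures if (ev["ts"] - t).total_seconds() <= window_seconds]
                if len(recent) >= min_failures:
                    alerts.append({"rule": "brute_force_then_success", "src_ip": src,
                                   "user": ev["user"], "failures": len(recent), "ts": ev["ts"]})
                failures = []
    return alerts

# Risk-based correlation: no explicit rule, only an (assumed) weight per event
# type summed per source address; crossing the threshold raises an alert.
RISK_WEIGHTS = {"fw.deny": 1, "auth.failure": 3, "auth.success": 0}

def risk_scores(events):
    scores = defaultdict(int)
    for ev in events:
        scores[ev["src_ip"]] += RISK_WEIGHTS.get(ev["event_type"], 0)
    return dict(scores)

def risk_correlate(events, threshold=10):
    return [{"rule": "risk_threshold", "src_ip": s, "score": sc}
            for s, sc in risk_scores(events).items() if sc >= threshold]

if __name__ == "__main__":
    events = [e for e in map(parse_event, RAW_LOGS) if e]
    for agg in aggregate(events):
        print(f"{agg['count']:>3}x {agg['event_type']:<13} {agg['src_ip']:<14} {agg['user']}")
    for alert in rule_correlate(events) + risk_correlate(events):
        print("ALERT", alert)
```

The two correlation styles fire on the same source here for different reasons: the rule needs the specific sequence (three failures, then a success), while the risk score reaches the threshold from the firewall denies and failures alone and would have alerted even if the final login had not succeeded. Normalizing both sources into one `event_type` vocabulary is what lets a single rule and a single weight table cover them.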