What is most valuable?
The Dashboard Views are the most valuable feature since it visualizes network and security-related use cases we develop. This visualization clearly articulates the current and past state of network traffic and correlation rule hits.
I also value the ability to integrate with third-party threat feeds, including McAfee’s feed, in order to sift through the data to find any anomalies. Through this process, we have further hardened the network security and perimeter security of our clients.
How has it helped my organization?
The best way to describe the improvement is within the following areas:
- Network Operations. With visibility into network-related issues, we have discovered many routing issues and much network noise that could otherwise have been left to consume capacity on our clients' networks. We have complete visibility of what has changed and who made changes to network-related infrastructure.
- Security Operations. We have almost real-time visibility, and with the manner in which we configure alarms, including the processes that we have implemented, we can easily initiate the security incident handling procedures. The threat feeds add a lot of value in terms of investigations, and through that procedure we can quite easily remedy web filtering, endpoints, and perimeter firewalls.
A specific note on botnets and beaconing: using a watchlist of malicious IP addresses, it doesn't take us long to block the communication and clean the endpoints.
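The watchlist-driven beaconing check described above, written out as an added example; this is not code from the review or from McAfee/Intel Security ESM. It assumes a hypothetical log format of "timestamp source -> destination", a constructed watchlist of documentation-range (TEST-NET) addresses standing in for a threat feed, and constructed sample lines. Beyond a plain watchlist match, it also scores how regular the connection cadence is, which is what separates a beacon from a one-off hit.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed watchlist of "malicious" destination IPs. These are documentation
# (TEST-NET) addresses used only as placeholders, not real indicators.
WATCHLIST = {"203.0.113.7", "198.51.100.23"}

# Constructed sample firewall/proxy log lines in a hypothetical format:
# "<ISO timestamp> <source IP> -> <destination IP>"
SAMPLE_LOGS = """\
2024-01-10T09:00:00 10.0.0.5 -> 203.0.113.7
2024-01-10T09:00:02 10.0.0.8 -> 93.184.216.34
2024-01-10T09:05:01 10.0.0.5 -> 203.0.113.7
2024-01-10T09:10:00 10.0.0.5 -> 203.0.113.7
2024-01-10T09:14:59 10.0.0.5 -> 203.0.113.7
2024-01-10T09:20:00 10.0.0.5 -> 203.0.113.7
2024-01-10T09:21:13 10.0.0.9 -> 198.51.100.23
2024-01-10T10:30:00 10.0.0.8 -> 93.184.216.34
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst)."""
    ts, src, _arrow, dst = line.split()
    return datetime.fromisoformat(ts), src, dst


def watchlist_hits(log_text, watchlist=WATCHLIST):
    """Group the timestamps of every connection to a watchlisted destination by (src, dst)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = parse_line(line)
        if dst in watchlist:
            hits[(src, dst)].append(ts)
    return hits


def beacon_score(timestamps, min_connections=4, max_cv=0.2):
    """Decide whether a series of connection times looks like a beacon.

    Beacons call home at a (near) fixed interval, so the gaps between connections
    are regular. Regularity is measured as the coefficient of variation
    (stdev / mean) of the gaps; a small value means a steady cadence.
    Returns None when there are too few connections to judge.
    """
    if len(timestamps) < min_connections:
        return None
    ordered = sorted(timestamps)
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(ordered, ordered[1:])]
    avg_gap = mean(gaps)
    if avg_gap == 0:
        return None  # duplicate timestamps, nothing to measure
    cv = pstdev(gaps) / avg_gap
    return {"interval_s": avg_gap, "cv": cv, "beacon": cv <= max_cv}


def analyse(log_text, watchlist=WATCHLIST):
    """Return {(src, dst): score} for every watchlist hit; score is None for one-off hits."""
    return {pair: beacon_score(ts) for pair, ts in watchlist_hits(log_text, watchlist).items()}


def hosts_to_contain(log_text, watchlist=WATCHLIST):
    """Sorted internal hosts that contacted a watchlisted IP, beaconing or not."""
    return sorted({src for (src, _dst) in analyse(log_text, watchlist)})


if __name__ == "__main__":
    for (src, dst), score in analyse(SAMPLE_LOGS).items():
        print(src, "->", dst, score)
    print("contain:", hosts_to_contain(SAMPLE_LOGS))
```

On the constructed input, 10.0.0.5 is reported with a 300-second interval and a very low coefficient of variation (a beacon), while 10.0.0.9 appears as a single watchlist hit with no cadence to score; both hosts end up on the containment list, which is the point of the review's "block and clean" workflow. The thresholds (four connections, CV of 0.2) are assumed starting values and should be tuned per environment.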
What needs improvement?
The API the product provides still needs to mature. There is not a lot of documentation available on it. My recommendation for improvement is that the API be developed in such a way as to make it more usable for different implementations. I would also recommend looking at advanced views to quickly make lateral movement, data staging, and data exfiltration visible.
For how long have I used the solution?
I've been using it for three years as a managed security services provider.
What was my experience with deployment of the solution?
We have had no issues with the deployment.
What do I think about the stability of the solution?
There have been no issues with the stability.
What do I think about the scalability of the solution?
We once processed so many logs that we almost ran out of hard drive space. However, all our clients' implementations are running smoothly and their health status remains green. My view is that the technology is mature in terms of its design and the manner in which it processes logs. It is easy to configure and easy to use.
How are customer service and technical support?
Very good. We are a Global Intel Security Partner and we seldom have any support issues. The technical engineers from Intel Security are very helpful. There is so much technical documentation available in the community pages that when I started out, it really didn’t take me long to configure my first few dashboards.
Which solution did I use previously and why did I switch?
I have used other products before. Having been an endpoint engineer before, there was this feeling of familiarity when I started out using Enterprise Security Manager. The flow for me was the same as with ePO.
How was the initial setup?
I remember the first client I onboarded, and it was pretty straightforward adding data sources. In less than a minute, I could see the events populating on the screen. We developed a custom taxonomy of attacks and related the signature IDs to our own custom taxonomy. We were logging incidents to our helpdesk for remediation within the first month.
The lesson learned from other implementations is that you need to have a plan before you just add data sources. There must be an intent and purpose for each data source that you want to add to ESM. Otherwise, you are just collecting events for the sake of collection.
What about the implementation team?
We implemented it ourselves. The technology is really easy to install, but you need to be cognizant of the events per second and be really critical about the type of events that you forward to the ESM appliance, ensuring they are useful. From the second implementation onward, we followed advice from SANS, and now use a "use case" (events of interest) driven approach.
What was our ROI?
You will definitely get a return on your investment if you develop the correct security management metrics and have decent operational procedures in place to take action on events in ESM. MSSP clients normally get bang for their buck.
What other advice do I have?
There is an API available on ESM, which you can use to automate certain tasks up to a point. Use the API to pump data into your data warehouse, which you can then start using for data analysis. You can develop your own baselines for user and asset behavior, and start looking at threat-hunting exercises. For the configuration of variables and custom rules, you need to know what you are doing, because otherwise you can end up generating more events, many of them useless.
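The baselining step the advice above points to, as an added example that is not part of the review and not ESM's own code. The ESM API calls themselves are not documented on this page, so none are used; the example assumes the daily event counts per asset have already been exported (via the API or from the warehouse) into a Python dictionary, with constructed, hypothetical asset names and numbers. It builds a per-asset mean and standard deviation, scores a new day as a z-score, handles the flat-history edge case with a floor on the standard deviation, and surfaces never-seen assets separately instead of dropping them.

```python
from statistics import mean, pstdev

# Constructed daily event counts per asset, as they might be exported from the
# SIEM into a warehouse table. Hypothetical assets and numbers.
HISTORY = {
    "srv-01": [100, 110, 95, 105, 90, 100, 100],
    "ws-22":  [20, 22, 18, 21, 19, 20, 20],
    "db-03":  [50, 50, 50, 50, 50, 50, 50],   # perfectly flat history
}
# Today's counts; "lap-77" has no history at all (a newly seen asset).
TODAY = {"srv-01": 400, "ws-22": 23, "db-03": 60, "lap-77": 5}


def build_baseline(history, min_stdev=1.0):
    """Per-asset mean and standard deviation of daily event counts.

    A flat history has stdev 0, which would make any change look infinite;
    min_stdev is a floor (assumed value) so such assets still get a sane score.
    """
    baseline = {}
    for asset, counts in history.items():
        baseline[asset] = {"mean": mean(counts), "stdev": max(pstdev(counts), min_stdev)}
    return baseline


def score_day(baseline, today):
    """z-score of today's count against each asset's baseline.

    Assets with no baseline (never seen before) get None so they can be
    reviewed separately rather than silently ignored.
    """
    scores = {}
    for asset, observed in today.items():
        base = baseline.get(asset)
        if base is None:
            scores[asset] = None
            continue
        scores[asset] = (observed - base["mean"]) / base["stdev"]
    return scores


def hunt_candidates(history, today, threshold=3.0):
    """Assets deviating by more than `threshold` standard deviations, plus unknown assets."""
    scores = score_day(build_baseline(history), today)
    return sorted(asset for asset, z in scores.items() if z is None or abs(z) > threshold)


if __name__ == "__main__":
    for asset, z in score_day(build_baseline(HISTORY), TODAY).items():
        print(f"{asset}: z={z:.2f}" if z is not None else f"{asset}: no baseline")
    print("review:", hunt_candidates(HISTORY, TODAY))
```

With the constructed data, srv-01 (a fourfold jump) and db-03 (ten standard deviations above a flat line, thanks to the floor) come out as hunt candidates, ws-22 stays within its normal band, and lap-77 is listed because it has no baseline yet. The three-sigma threshold and the one-event floor are assumptions to tune against your own volumes; the same structure works for per-user counts, distinct destinations, or any other metric you export.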