Adding to these increased threats is the fact that our networked environments are increasing
exponentially in both diversity and complexity. For these reasons, holistic real-time visibility into all
system activity is needed more than ever. Collecting and correlating the various activities occurring on
our critical networks is not only extremely important, but is now a required capability. This type of
information is mandatory for identifying, prioritizing, and responding to cyber attacks, policy
breaches, and compliance violations. The McAfee patented database technology to consolidate,
correlate, and report on security information provides this holistic real-time situational
awareness.
The ESM is configured and managed via the System Properties dialog, which is accessed by selecting
the System node (the node at the highest level on the tree) on the System Navigation Tree, then
clicking on the Properties icon in the Actions Toolbar.
The System Information screen contains information regarding general system-wide status.
• The System, Customer ID, Hardware, and Serial Number fields provide information about the
system and its current operational status.
• The Database Status field shows when the database is performing other functions (e.g., a
database rebuild or background rebuild) and the status of those functions. An OK status means
that the database is operating normally.
• The System Clock; Sync Device Clocks; Rules & Software; Events, Flows & Logs; and Backup &
Restore options (and, when in FIPS mode, the FIPS Self-test and Status options) can be changed,
updated, enabled, or viewed from this screen. In addition, you can view and export an ESM
Device Type Count report and an Event Time report.
• The Refresh button refreshes the data displayed on this screen.
NOTE: There is a list of properties on the left-hand side, but there are also clickable properties in
the right frame (shown in bold). Text that is underlined is a link to a secondary group of settings.
Buttons always reference actions.
To set the ESM time to GMT, follow the steps below.
1. Access the System Information screen by clicking on the System node in the System Navigation
Tree and on the Properties icon in the Actions Toolbar.
2. Click on System Clock (GMT) on the System Information dialog. The System Clock dialog will
open.
3. To synchronize the ESM's time with an NTP server, select the Use NTP to automatically update
the system clock checkbox.
4. Enter the NTP server’s IP address or hostname in the field provided.
5. Click OK to save your settings.
Retrieving Rule Updates Automatically
To automatically retrieve rule updates at a specified interval:
1. Access the System Information screen by clicking on the System node in the System Navigation
Tree, and on the Properties icon in the Actions Toolbar.
2. Click on Rules Update. The Rules Update dialog opens.
3. Click on the Auto check interval checkbox. If you have not already registered with the rules
server, the Customer Validation dialog will open. If you have already registered with the rules
server, skip Step 4.
4. Enter your customer ID and password and click on Validate.
5. Select the frequency with which you want the update checks to take place. By default, the
system is set to check for updates every hour.
6. Click OK to save your settings.
The Auto check every check box, if enabled, causes the ESM to automatically check the devices for
events, flows, and logs. Each device also has its own auto-retrieval settings enabled. The Show
Devices option lets you set the auto events, flows, and logs settings on a per-device basis, or for all
devices at once. Inactivity Settings allow a master user or system administrator to set the inactivity
threshold for any device on the system.
However, because of Windows system settings, the interval defined in Get Events and Flows has no
effect on event collection from WMI data sources.
If the Inactivity Threshold is set, the system will generate an alert when the device has been inactive
for the period of time designated. This alert will appear as a yellow flag next to the device on the
System Navigation Tree. To use this feature, do the following:
1. Click on the Inactivity Settings button located at the bottom of each of the following screens:
• System Properties > Events, Flows, and Logs
• Device Properties > Events, Flows, and Logs
• Receiver Properties > Events, Flows, and Logs
• ADM Properties > Events & Logs
• ELM Properties > Events & Logs
• DEM Properties > Events & Logs
The Inactivity Threshold dialog opens. The default setting for all devices is 0.
2. Highlight the device for which you want to set a threshold and click on Edit. The Edit Inactivity
Threshold dialog opens.
3. Set the maximum amount of time that this device can be inactive before generating an alert by
clicking on the up or down arrows in the Days, Hours, and/or Minutes fields.
4. Click on OK. You will be returned to the Inactivity Threshold screen. The device will reflect the
change in the Threshold column, as will any "child" of the device that has the Inherit checkbox
selected.
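The threshold rule described in the steps above (default 0 disables the alert, children with Inherit selected take the parent's threshold, idle time beyond the threshold raises the flag), as an added simulation that is not McAfee ESM code; the device tree, names and times are constructed:

```python
"""Inactivity-threshold evaluation, as described in the steps above.

Added example: a constructed simulation of the rule the text describes, not
McAfee ESM code. A threshold of 0 (the default) disables the alert for that
device, a child with Inherit selected uses its parent's threshold, and a
device idle longer than its threshold gets the yellow flag. Device names and
times are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Device:
    name: str
    last_activity: datetime
    threshold: timedelta = timedelta(0)   # Days/Hours/Minutes as entered; 0 disables
    inherit: bool = False                 # the Inherit checkbox
    parent: Optional[str] = None          # name of the parent device, if any


def effective_threshold(dev: Device, devices: Dict[str, Device]) -> timedelta:
    """Walk up the tree while Inherit is set and return the applicable threshold."""
    seen = set()
    while dev.inherit and dev.parent is not None and dev.name not in seen:
        seen.add(dev.name)                # guard against a malformed cyclic tree
        dev = devices[dev.parent]
    return dev.threshold


def inactive_devices(devices: Dict[str, Device], now: datetime) -> List[str]:
    """Return, sorted, the devices that would show the yellow inactivity flag."""
    flagged = []
    for dev in devices.values():
        threshold = effective_threshold(dev, devices)
        if threshold == timedelta(0):     # default 0: no alert for this device
            continue
        if now - dev.last_activity > threshold:
            flagged.append(dev.name)
    return sorted(flagged)


# Constructed sample tree: one Receiver with three data sources beneath it.
NOW = datetime(2024, 1, 1, 12, 0)
SAMPLE = {
    "receiver-1": Device("receiver-1", NOW - timedelta(minutes=5),
                         threshold=timedelta(hours=1)),
    # Inherits the Receiver's 1-hour threshold and has been idle for 3 hours.
    "firewall-ds": Device("firewall-ds", NOW - timedelta(hours=3),
                          inherit=True, parent="receiver-1"),
    # Explicit 0: never flagged, however long it is idle.
    "vpn-ds": Device("vpn-ds", NOW - timedelta(days=2), parent="receiver-1"),
    # Own 15-minute threshold, idle for 30 minutes.
    "proxy-ds": Device("proxy-ds", NOW - timedelta(minutes=30),
                       threshold=timedelta(minutes=15), parent="receiver-1"),
}

if __name__ == "__main__":
    print(inactive_devices(SAMPLE, NOW))  # ['firewall-ds', 'proxy-ds']
```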
The data that is generated by these custom type fields can be viewed in the Details section of the
Event Analysis or Flows Analysis view.
This list displays predefined types, the custom types that have already been created, their data type,
and which event and flow location they occupy. When adding a new custom type, select the type of
data that this field will contain in the Data Type field. In the Events and Flows fields, select which of
the custom slots for each event or flow this custom type will occupy in the corresponding fields.
Clicking on the Index Data box allows you to filter by this custom type. If you do so, this type will be
added to the list of filters available for views, reports, and rules.
In addition to adding custom types, you can edit or remove them as well as export and import the
predefined and added custom types.
Data Enrichment allows you to add information to an event record that is not originally part of the
event data but can be inferred from the incoming event by looking up other data values.
To use this feature, you first set up a data enrichment source by defining the parameters that tell
the ESM how to connect to your database and which one or two columns of a table within that
database to access. Then, you define the devices that will receive that data and how the incoming
data, both events and flows, is enriched. Events that trigger on the ESM itself are not enriched, and
data acquisition takes place on the ESM, not on the devices. Depending on your selections in the
Main and Source tabs, you might see a Query tab instead of, for example, a Scoring tab. More
information about Data Enrichment is provided later in this module.
You can manage database index settings, view and print information about the database memory
utilization of events and flows, configure storage locations for inactive partitions, configure the data
retention policy for events and flows, and configure how the database allocates space for event and
flow data.
• Settings – This allows you to change the index settings for various values related primarily to the
ports which are indexed for faster searching.
• Memory Use – This allows the user to view information about the memory utilization of the
database.
• Archival – When the storage space available for a table reaches its limit, the oldest partition is
deleted. The archival feature allows the customer to inactivate these partitions and store them in a
remote location instead of deleting them. Once a partition is inactive, its data is not included in
queries for views and reports. The Archival feature lets you enable or disable inactive partitions
one at a time as needed for inclusion in views and reports.
• Data Retention – This feature allows you to select the length of time for which you would like
events and flows maintained by the system, as well as limit the amount of historical data inserted.
• Data Allocation – The maximum number of event and flow records that can be maintained on the
system is a fixed value. The Data Allocation feature allows the customer to set how much space
should be allocated for events and how much for flows. On the high speed X5 storage device, you
are also given the option to configure the number of events and the number of flows to be stored
on the X5 instead of the regular hard drive.
Here, you can set up the connection to a mail server. The Admin should set up recipients that can
later be selected when defining an alarm action that sends a message.
To do so, first enter the information needed to connect to the mail server, as follows:
1. Click on Email Settings on the System Properties menu. The Email Server Information dialog will
open.
2. Enter the host and port of the mail server. The default port is 25.
3. If you want to use the TLS encryption protocol, click on the Use TLS check box.
4. Enter the username (e.g., Administrator@McAfee.com) and password required to access the
mail server.
5. In the Title field, enter a generic title for all of the email messages sent from the mail server
(e.g., you might want it to be the IP address for the ESM so recipients will know which ESM is
generating the message).
6. Enter a name in the From field.
7. If desired, click on the Send Test Email to test the connection.
The ESM Management page lets you perform several operations to manage the software, logs,
certificate, feature files, and communication keys for the ESM. The first of these is the Configuration
tab.
Manage Logs – Manage Log settings, and which events are logged.
Obfuscation – Allows you to mask the source and/or destination IP addresses of any alert record that
is sent out in event forwarding or sent to a parent ESM.
Logging – Set the default logging options for this device. The customer must have an ELM installed
and storage pools configured for this option.
System Locale – Select the language used for logging events such as health monitor and device log.
Name Map - The new Name Map feature allows you to enable or disable the port and protocol maps.
These affect whether the ESM displays names instead of numbers.
Certificate – Manage the SSL certificate for this device.
Regenerate SSH / Export Keys / Restore Keys – Options for managing the SSH keys used for device
intercommunication and establishing an SSH session.
Update ESM – This setting updates the ESM software version. Software updates are not downloaded
and processed through the system settings updates.
Get/Set Features – Get a list of features or set features. Used by support in advanced “hot fix” cases.
Connect – Creates a secure tunnel using OpenVPN from the device to the support desk. Used by
support to aid in troubleshooting and resolution of support issues.
Event forwarding allows you to send events from the ESM to another device or facility by Syslog or
SNMP (if enabled). You must define the destination, and can select if you want to include the packet
and obfuscate the IP data. You can add filters so the event data is filtered before it is forwarded.
In order to enable event forwarding, you will work with the following settings:
Standard Event Format (SEF) is available to forward events from the ESM to a Receiver on a
different ESM, as well as from the ESM to a third party. It is also available when sending
events from a third party to a Receiver.
The Standard Event Format (SEF) is a JavaScript Object Notation (JSON)-based event format for
representing generic event data. Each event is a JSON object that can have source, fields, and data
properties. Of these properties, only data is required for a valid event.
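The forwarding settings described earlier (filters applied before forwarding, obfuscation of IP data) and the SEF structure just described, as one added example that is not McAfee's implementation. The field names src_ip and dst_ip inside data, the filter expressed as required key/value pairs, and keyed HMAC pseudonyms as the masking method are my assumptions; the sample batch is constructed.

```python
"""Validation, filtering and IP obfuscation for SEF events before forwarding.

Added example covering the event-forwarding and SEF passages above; it is
not McAfee's implementation. Assumptions (mine, not the page's): the field
names 'src_ip' and 'dst_ip' inside 'data', a filter expressed as required
key/value pairs, and HMAC-based pseudonyms as the masking method. The
sample batch is constructed.
"""
import hashlib
import hmac
import json
from typing import Any, Dict, List, Tuple

REQUIRED = {"data"}                        # only 'data' is required for a valid event
OBJECT_PROPERTIES = {"source", "fields", "data"}
IP_FIELDS = ("src_ip", "dst_ip")           # hypothetical names for the IP data


def validate_sef_event(event: Any) -> List[str]:
    """Return the problems found; an empty list means the event is valid."""
    if not isinstance(event, dict):
        return ["event is not a JSON object"]
    problems = [f"missing required property '{k}'" for k in REQUIRED - event.keys()]
    problems += [f"property '{k}' must be a JSON object"
                 for k in OBJECT_PROPERTIES & event.keys()
                 if not isinstance(event[k], dict)]
    return problems


def matches_filter(event: Dict, required: Dict[str, Any]) -> bool:
    """Forward only events whose 'data' carries every required key/value."""
    return all(event["data"].get(k) == v for k, v in required.items())


def obfuscate_ips(event: Dict, key: bytes) -> Dict:
    """Replace IP fields with a keyed pseudonym: the real address leaves the ESM
    masked, but equal addresses still correlate at the destination."""
    out = json.loads(json.dumps(event))    # deep copy; never mutate the stored record
    for name in IP_FIELDS:
        value = out["data"].get(name)
        if isinstance(value, str):
            digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
            out["data"][name] = "obf-" + digest[:12]
    return out


def prepare_forwarding(payload: str, flt: Dict[str, Any], key: bytes,
                       obfuscate: bool) -> Tuple[List[Dict], List[Tuple[int, List[str]]]]:
    """Parse a JSON array, drop invalid and unmatched events, mask IPs if requested."""
    batch = json.loads(payload)
    if not isinstance(batch, list):
        raise ValueError("payload must be a JSON array of event objects")
    forward, rejected = [], []
    for i, event in enumerate(batch):
        problems = validate_sef_event(event)
        if problems:
            rejected.append((i, problems))
            continue
        if not matches_filter(event, flt):
            continue                       # filtered out, not an error
        forward.append(obfuscate_ips(event, key) if obfuscate else event)
    return forward, rejected


# Constructed sample batch and settings.
SAMPLE_BATCH = json.dumps([
    {"source": {"device": "receiver-1"}, "fields": {"severity": 25},
     "data": {"msg": "login failure", "src_ip": "10.0.0.5", "dst_ip": "10.0.0.9"}},
    {"data": {"msg": "rule update completed"}},                        # data-only is valid
    {"source": {"device": "receiver-1"}, "fields": {"severity": 10}},  # missing data
    {"data": "not an object"},
])
SAMPLE_FILTER = {"msg": "login failure"}
SAMPLE_KEY = b"constructed-demo-key"

if __name__ == "__main__":
    fwd, bad = prepare_forwarding(SAMPLE_BATCH, SAMPLE_FILTER, SAMPLE_KEY, obfuscate=True)
    print(json.dumps(fwd, indent=1))
    print(bad)
```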
When setting up event forwarding with SEF from ESM to ESM, you need to perform four steps:
Step 1— Export data sources, custom types, and custom rules from the ESM that is forwarding
the events.
a. To export the data sources, migrate data sources to another system using the Receiver
Properties > Migrate option.
b. To export the custom types, access System Properties, click Custom Types, then click Export.
c. To export the custom rules, open the Policy Editor, and select the rules you wish to export, and
use the File > Export > Rules option.
Step 2— On the ESM with the Receiver you are forwarding to, import the data sources, custom
types, and custom rules that you just exported.
a. To import the data sources, migrate data sources to another system using the Receiver Properties
> Migrate option.
b. To import the custom types, access System Properties, click Custom Types, then click Import.
c. To import the custom rules, in the Rule Types pane of the Policy Editor, click the type of policy or
rules to import, then click File > Import > Rules.
Step 3— On the ESM that is receiving the events from another ESM, add an ESM data source.
a. On the system navigation tree, click the Receiver device you want to add the data source to, then
click the Add Data Source icon.
b. On the Add Data Source page, select McAfee in the Data Source Vendor field, then Enterprise
Security Manager (SEF) in the Data Source Model field.
c. Complete the requested information, then click OK.
To add a host:
1. Select the Add button.
2. In the Add Host screen which appears, enter the host name and the IP Address of the host.
3. Hosts can be edited or removed in the same fashion.
4. The Lookup function adds a host or a range of hosts by attempting to look up the specified
addresses. To perform a lookup, select the Lookup button.
5. Enter a single IP address, or an IP address and a mask of 8 or greater for IPv4, or 104 or
greater for IPv6. The system then looks up the specified hosts, and if a duplicate entry
exists it is updated.
6. The Update Hosts function will automatically refresh and update the entries when selected.
7. Hosts can be imported from a file using the Import action. The file is tab-delimited, with an
IP address followed by the hostname, one entry per line. The file must have a TXT
extension.
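The import-file format and Lookup mask rules above, as an added example that is not McAfee's own code: it parses a constructed host file (tab-delimited IP and hostname, TXT extension, later duplicates update earlier entries) and checks Lookup ranges against the 8 (IPv4) and 104 (IPv6) minimum mask lengths; tolerating blank lines is my assumption.

```python
"""Parser and validator for the host import file and Lookup ranges described above.

Added example, not McAfee's own code. It applies only the rules the text states:
tab-delimited "IP<TAB>hostname", one entry per line, a TXT extension, duplicate
IPs updated by the later entry, and Lookup masks of 8 or greater for IPv4 and
104 or greater for IPv6. The sample file content is constructed; tolerating
blank lines is my assumption.
"""
import ipaddress
from typing import Dict, Union

MIN_PREFIX = {4: 8, 6: 104}   # minimum mask length accepted by Lookup, per IP version
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_host_file(filename: str, content: str) -> Dict[str, str]:
    """Return {ip: hostname}; a repeated IP is updated with the later hostname."""
    if not filename.lower().endswith(".txt"):
        raise ValueError(f"{filename}: host import file must have a TXT extension")
    hosts: Dict[str, str] = {}
    for lineno, raw in enumerate(content.splitlines(), 1):
        if not raw.strip():
            continue                                  # assumption: skip blank lines
        parts = raw.split("\t")
        if len(parts) != 2 or not parts[0].strip() or not parts[1].strip():
            raise ValueError(f"line {lineno}: expected 'IP<TAB>hostname', got {raw!r}")
        ip_text, hostname = parts[0].strip(), parts[1].strip()
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: invalid IP address {ip_text!r}") from exc
        hosts[str(ip)] = hostname                     # canonical text, so duplicates collapse
    return hosts


def lookup_range(spec: str) -> Network:
    """Validate a Lookup entry: a single IP, or IP/mask meeting the minimum mask length."""
    net = ipaddress.ip_network(spec, strict=False)   # a bare IP becomes a /32 or /128
    minimum = MIN_PREFIX[net.version]
    if net.prefixlen < minimum:
        raise ValueError(f"{spec}: mask must be {minimum} or greater for IPv{net.version}")
    return net


def is_valid_lookup(spec: str) -> bool:
    """True when the Lookup entry would be accepted."""
    try:
        lookup_range(spec)
        return True
    except ValueError:
        return False


# Constructed sample import file: one duplicate IPv4 entry and one IPv6 entry.
SAMPLE_FILE = "hosts.txt"
SAMPLE_CONTENT = (
    "10.0.0.5\tfw-edge\n"
    "10.0.0.6\tdc01\n"
    "10.0.0.5\tfw-edge-renamed\n"          # duplicate: updates the earlier entry
    "2001:db8::10\tlog-collector\n"
)

if __name__ == "__main__":
    print(parse_host_file(SAMPLE_FILE, SAMPLE_CONTENT))
    for spec in ("10.0.0.0/24", "10.0.0.0/4", "2001:db8::/112", "2001:db8::/64"):
        print(spec, "accepted" if is_valid_lookup(spec) else "rejected")
```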
Login Security allows you to set options for how authentication and login security are handled. Use
login security to set up standard login settings, configure the access control list (ACL), and define
Common Access Card (CAC) settings. You can also enable Remote Authentication Dial-In User Service
(RADIUS), Active Directory, and Lightweight Directory Access Protocol (LDAP) authentication.
Important notes:
1. At least one DNS server must be specified or the ESM will not be able to check for updates,
or email reports and notifications.
2. If changes are made, they are pushed immediately upon clicking Apply; the ESM will
reinitialize, and all current sessions will be lost.
The Profile Management page lets you manage the profiles on the system so they can be used in
event forwarding, network discovery, and data source configuration.
From this screen you can add, edit, and remove profiles.
The Reports option allows you to generate and view reports that show data from events and flows
managed on the ESM. You can select to design your own report or run one of the reports that is
included in the ESM console, and can choose whether to send the data in PDF, HTML, or CSV format.
Reports will be covered in a later module in greater detail.
SNMP Configuration
SNMPv3 is supported with NoAuthNoPriv, AuthNoPriv, and AuthPriv options, using MD5 or SHA for
authentication and DES or AES for encryption (MD5 and DES are not available in FIPS compliance
mode). SNMP requests can be made to an ESM for ESM, Receiver, and IPS health information, and
SNMPv3 traps can be sent to an ESM to add to the blacklist of one or more of its managed IPS
devices. All McAfee appliances can also be configured to send link up/down traps and warm/cold
boot traps to one or more destinations of your choosing.
All devices now also support SNMP requests directly, so you can get information from each device
using SNMP instead of going through the ESM. You access this feature through the Configuration
option for each device, where you configure the settings listed in the SNMP Requests and
SNMP Traps tabs for that device.
The System Log page lets you view a summary of the events generated and all security configuration
changes made on the ESM. You can view the specific events on any device by selecting the System
Log option at any time. The Event Count displayed in the System Log page is the total number of
events that have been logged on the ESM. The First Event is the date and time the first log event took
place and the Last Event is the date and time the last log event took place.
The system administrator is the only user that has access to all areas of the system, including the
Users and Groups area. Users and groups must be added to the system to have access to the ESM
console, its devices, its policies, and their associated privileges.
Name and Description – This is the name of the group and a brief description.
Users – A list of users that either belong to the group, or can be assigned to a new group.
IP Address Filters – These filters will limit the data that a user sees when executing reports or when a
user is selected as a notification recipient.
Zones – Limits data that a user sees based on devices assigned to zones.
Devices – Controls what devices a user in this group has access to.
Notifications – Controls what notifications the users in the group can view or modify.
Group Time Restrictions – Set restrictions to limit the days and times this group can access the ESM.
Users receive visual notification that their session is going to time out 15, 5, and 1 minute before the
time expires.
Reports – Controls what reports the users in the group have access to.
Watchlists – Select the watchlists that are visible to this group.
When adding a group, the Limit access of this group setting, in the Privileges tab, will disable certain
privileges in the list, and will allow limited options.
A watchlist is a grouping of specific types of information that can be used as filters or as an alarm
condition so you will be notified when they occur in an event. They can be global or specific to a user
or group and can be static or dynamic. A static watchlist consists of specific values that you enter; a
dynamic watchlist consists of values that result from regular expression or string search criteria that
you define.
More information about how to create and use watchlists will be provided in a later module.
As you install devices, such as Receivers, ADM, ACE, DEM or ELM, you must add them to
the ESM console to configure their settings. When adding devices to the ESM, it is always best
practice to add the Receivers first, before adding other components such as the ELM appliance.
One of the steps for adding devices prompts you to either import a key file, or to key the device.
Keying a device establishes a link between the device and the ESM, in order to ensure that the device
will only respond to command and control requests from an ESM that shares the same key. If you
choose to key the device, be sure to have it physically connected to the network.
After installing a Receiver, configuring the device is necessary for proper operation.
Some of the options available from the Receiver Information screen are described below:
Sync - This option synchronizes the Receiver clock with the time of the ESM, so that both devices are
using the same time.
FIPS Self Test - If the system is operating in FIPS mode, the Receiver Properties dialog will include the
FIPS Self Test button. When you click on this button, the FIPS power-on self tests are run. They test
the integrity of the algorithms used within the crypto-executable. If the test is successful, the Status
field below will change to "FIPS OK." If the test fails, the Status field below will change to "FIPS Self
test failed!" When this happens, a red flag will appear next to the device name in the system
navigation tree. The FIPS self-test audit log information can be viewed in the Message log.
FIPS Identity Token - The value shown while in FIPS mode is the identity token used during the
power-up software integrity testing required by FIPS 140-2.
Zone - Will show the zone to which the device has been assigned if it has been assigned to one. If you
click on Zone, the Zone Policy Manager dialog will open allowing you to add zones to which you can
assign devices and data sources.
Status - This field displays the status of the processes on the Receiver as well as the FIPS status after
running a FIPS self test.
Start - This option starts the Receiver’s flow collection, firewall, and data source feed collection. This
operation has no effect if the Receiver is already operating normally.
Stop - This option stops the Receiver. It does not shut down the device but only halts the collection
of data source and flow information. It is recommended that the device not be stopped except in
unusual circumstances. Performing this operation will stop the flow of all traffic through the Receiver
device.
Refresh - The Refresh button will reload all the information displayed on this screen.
To make changes to the Name, System Name or Description fields, enter the new information then
click on Apply to save changes and remain in the Properties dialog, or click OK to save the changes
and close the Properties dialog.
To make connection changes, follow the steps below.
1. Highlight the Receiver's node on the system navigation tree.
2. Click on the Properties icon in the actions toolbar. The Receiver Properties dialog will open.
3. Click on the Connection option on the Receiver Properties screen. The Connection dialog will
open.
4. Enter the new information in the fields provided. Below is a brief description of each setting.
Target IP Address/Name - Enter the IP address or host name that will be used when trying to
communicate with the Receiver.
Target Port - The port over which communication will be attempted. The default port is 22.
Device ID - This is a non-editable field that displays the ID for the Receiver.
Mark this device as disabled – Select this option to stop SSH communication to the ESM. The
icon for this device on the system navigation tree will indicate it is disabled.
The Configuration page for each type of device provides options to configure device settings such as
network interface, SNMP notifications, NTP settings, and ACL Settings.
• Interface – Configures how ESM and Data Sources will connect to the Receiver.
• SNMP – Configures SNMP notifications for the device.
• Data Archival – Configures the Receiver to forward a backup of the raw data to a storage device
for long-term storage.
• NTP – Manage NTP settings for the device.
• Sync Device – This will sync the Receiver with the data source settings on the ESM.
• ACL Settings – Configure the access control list settings to restrict access to the device.
From the Receiver Management screen, you will find actions to perform some typical job tasks. For
example, from here, you can view message logs and device statistics, update the software on a
device, enter Linux commands for a device using the Terminal option, grant access to the system for
McAfee Support using the Connect option, and monitor traffic using the Stream option.
From the Key Management screen, there are critical features to ensure communication between the
Receiver and the ESM. A key is created whenever adding a device to the ESM, and is the mechanism
used for secure device communication.
McAfee recommends exporting a copy of the key, because you will need it if you ever have to re-add
this device. Importing a key is useful to restore the ESM to previous settings. A password must be
retained to securely import and export the key. The password is created during the Add Device
wizard or when using the Key Device option here. When exporting a key, you have the option to set
the expiration date, which is the amount of time the key can be used if importing to another ESM or
legacy console. However, McAfee recommends that you export a personal copy of the device key
that is set to Never Expire and includes all privileges.
With the Manage SSH Keys option, you can view or delete the SSH communication keys for devices
that this Receiver can communicate with.
Remember, that once you’ve added the Receiver, you can begin adding other devices to the ESM. Do
this by using the Add Device Wizard. Select the type of device you want to install by clicking on the
appropriate radio button.
One of the steps for adding devices prompts you to either import a key file, or to key the device.
Keying a device establishes a link between the device and the ESM, in order to ensure that the device
will only respond to command and control requests from an ESM that shares the same key.
To key a device:
1. If you have a key that you want to import, select Import Key and follow the directions. Otherwise,
click on Key Device.
2. Enter the root password for this device in the password and confirm password fields. Note that
the password must have at least eight characters, including one number, one punctuation mark or
symbol, and one uppercase character.
3. Click Next.
4. If prompted, enter the machine ID and, if keying an IPS, select the version of the device you are
using. Click Next.
5. If you are in FIPS mode, a popup dialog will appear informing you that the device has been keyed
and that it must reboot. You will be unable to communicate with the device during the reboot
process.
6. The ESM will test device communication and report on the status of the connection. You will be
able to directly launch the Properties and Export Key screens upon successfully keying the device.
To view events for a specific time range, select the date and time range of the events you wish to
view by typing in the date/time value or selecting one from the calendars, then click the View button.
By default, the event log time range is set to show events for the current day. The Device Log dialog
will appear, which shows a list of all the events that have taken place within the specified time range.
High-availability Receivers are used in primary/secondary mode so the secondary Receiver can swiftly
take over functions when the primary Receiver fails, providing continuity of data collection that is
significantly better than that provided by a single Receiver. This setup consists of two Receivers,
either of which can act as the primary or secondary Receiver and can switch or be switched to the
other role as needed. The secondary Receiver monitors the primary Receiver continuously. When the
secondary determines that the primary has failed, the secondary receiver stops operations on the
primary receiver and takes over as the primary. The new primary remains as the primary until you
manually intervene to switch them back to their previous roles. You can swap roles between the
primary and secondary as needed.
Consult with a McAfee representative for information about Receiver models that support
high-availability functionality.