Punching Hard – McAfee Nitro SIEM



At Infosecnirvana, we have quite a number of posts dedicated to SIEM. We have done a detailed comparison of SIEM products in a post titled SIEM Comparison, along with providing a detailed checklist for SIEM evaluation. We have also posted about individual SIEM products from time to time, as reflected by our posts on IBM QRadar and ArcSight. Following up on those posts, this blog is our take on McAfee Nitro SIEM. So let’s get started.

Introduction:

McAfee purchased Nitro Security in 2011 to enter the SIEM space, and McAfee itself was subsequently taken over by Intel. 2011 was a busy year for the SIEM market: HP bought ArcSight, IBM bought QRadar and McAfee bought Nitro, among others. Each of those SIEM products has taken a different route over the last 3 years. Nitro Security was one of the niche players in the market with both an IPS portfolio and a SIEM portfolio, remnants of which still linger in the overall McAfee ESM product suite. The McAfee ESM product suite is basically a combination of a few components:

  • ESM – Enterprise Security Manager, which serves as the management interface for all SIEM components and as the reporting engine, capable of generating compliance and policy reports.
  • ACE – Advanced Correlation Engine, which is, interestingly, a dedicated engine to perform risk-based (rules-based) correlation, historical correlation, asset-based risk scoring and custom risk scoring based on combinations of fields.
  • DBM – Database Monitor. One of the products McAfee sells standalone for database log generation, session auditing etc. is the DBM. This is a database IPS kind of product that monitors network traffic via SPAN, port mirror or taps and does not create any impact on the database itself. So for all the legacy databases that don’t have an audit trail enabled, or whose auditing is not detailed enough, DBM is the perfect fit. Apart from monitoring the audit trail of all transactions from login to log-off, including all session queries and commands, it also provides auto-discovery of database instances, including unauthorized or rogue databases. The DBM comes in both a network sensor and a host agent footprint.
  • ADM – Application Data Monitor. This is again an application IPS kind of product, capable of performing Layer 7 protocol detection, full metadata collection and traffic monitoring via SPAN, port mirror or taps. Full session data capture and visibility into all application traffic is also provided by this sensor, along with advanced threat detection capabilities. Again, it can be deployed as a sensor or a host agent.
  • ELM – Enterprise Log Manager. This is akin to any log management solution in SIEM and provides log storage, both local and network based.
  • Receivers – These are nothing but parsers, NetFlow collectors, VMware collectors and anything else that is able to parse and normalize logs.

Strong points for Nitro SIEM: 

After careful evaluation of Nitro SIEM, we would like to highlight the following points as the core strengths of Nitro SIEM:

  1. Architecture: One of the reasons for Nitro SIEM’s popularity is its architectural flexibility. As a security administrator, you can pick and choose how you want to architect your solution. If you want to be as modular as possible, then all the above-mentioned components can be deployed standalone and integrated using the ESM (remember the ePO architecture for McAfee endpoint solutions!). If you prefer a smaller footprint, you can build something called “Combo Boxes” which, as the name suggests, combine several components in a single box. This helps administrators starved of resources or budget to deploy Nitro SIEM effectively.
  2. Powerful Data Management: One of the biggest strengths of Nitro is the underlying database – the SAGE DB, aka NitroEDB (Nitro Embedded Database), developed at Idaho National Labs (the founder of Nitro was a researcher there). NitroEDB is a relational database that supports huge-volume VLDB applications as well as extremely fast in-memory processing. This is the core reason why Nitro SIEM is able to sustain high ingest rates and extremely fast query speeds. This is a killer benefit compared to other products like ArcSight, with its below-par implementation on MySQL and PostgreSQL, and IBM QRadar with its proprietary EDB (updated based on comments from JC). Splunk is the closest competitor to Nitro with its GFS-like implementation.
  3. High Ingest Rates: As mentioned above, NitroEDB enables the SIEM to sustain a high event ingestion rate of 300K EPS. We don’t think any other SIEM in the market today scales up to this number. ArcSight SIEM is the closest with a 100K maximum on its Logger platform, and a pure-play syslog-ng server can do 300K EPS.
  4. Network Based Threat Detection: As with the QRadar Intelligence Platform, the Nitro platform also uses network packet analysis, via the DBM and ADM (as mentioned in the components), to perform database monitoring and application monitoring. QRadar and Nitro are comparable in the application monitoring space, but when it comes to database monitoring, Nitro wins hands down. ArcSight and the others are poor in this space, something they will have to start looking at.
  5. Database Monitoring: As mentioned above, the DBM is the standout, as it provides excellent capabilities for DB auditing and log collection. This holds irrespective of DB version, OS, native auditing capability etc. The monitoring can be done off-box using a sensor in the network or on-box using an agent. Again, this is one of the differentiators compared to ArcSight or QRadar, as both of them rely only on JDBC connectivity to pull audit logs (provided auditing is enabled on the DB).
  6. Historical Correlation: Nitro has the ability to perform historical correlation better than the others in the market. One of the reasons for that is the capability to run complex queries and computations (for risk score correlation) against a large data set. This is primarily attributable to the NitroEDB mentioned above, which is really powerful in terms of query performance. QRadar and ArcSight are not as good at historical correlation and pale in comparison with NitroEDB’s performance on historical queries. Splunk is better at historical queries, but correlation is not as mature in Splunk as in the others.
  7. SCADA Device Support: Apart from ArcSight, arguably the only other product in today’s market that has extensive support for SCADA is Nitro SIEM. This is definitely useful for penetrating the utilities industry, manufacturing industry etc. and is one of the key differentiators compared to the others.

Weak points for Nitro SIEM:

  1. Stability: In our testing and real-life deployments, one of the recurring problems we have faced with Nitro SIEM is stability. It is rare to have all the components working without issues at any given point in time. One of the reasons for this, we think, is the integration tier that has to interact with the various components to perform security monitoring. There are just too many points of failure, and troubleshooting is a nightmare. This is a critical concern in organizations where monitoring is performed in-house. In the case of outsourcing, even though this is still an issue, the risk is transferred to the outsourced vendor. Hopefully, McAfee realizes this and fixes these teething stability issues in future releases.
  2. Correlation: Even though Risk based correlation is a great value add in Nitro, the overall capabilities fall short when compared with the others in the market. We might be a bit biased with this piece as we always compare Correlation capabilities of any SIEM we evaluate against HP ArcSight. In our opinion, ArcSight Correlation is by far the best in the industry and no product can match it in terms of flexibility, power of customization and advanced computing. That said, Nitro does compete hard and we would definitely be keen to see them take the Risk/Rules based correlation to the next level.
  3. Event Parsing & Custom Event Support: Even though the support for events generated by third-party vendors is excellent, we feel that more devices and vendors could be supported, as ArcSight does. Moreover, custom parsers or receivers are not as intuitive to create in Nitro SIEM as they are in QRadar. Nitro is not as good as the super-easy QRadar custom mapping feature, or Splunk with its field extraction, where it’s a breeze to develop any custom connector. Nitro thus has some room for improvement in this area.
  4. User Interface: Although the UI reminds you of all things McAfee (ePO, NSM etc.), we feel that a Flash-driven UI is not the best for a SIEM. This is not to take anything away from the capabilities of the product in terms of data presentation, but the Flash-driven UI proves to be a dampener on the overall experience. As a general opinion, we are keen to see anything other than a Java or Flash UI, because we feel that both of them are among the most vulnerable software out there and both are clunky when it comes to event analysis, visualization etc. This is where we feel QRadar has a refreshing interface. It does use Java for some parts of the console, but otherwise the browser console is so light and so simple that working with QRadar is a delight. Even Splunk has a wonderful UI and is really easy to use compared to ArcSight and Nitro, which feel clunky and heavy.

Conclusion:

Overall, McAfee Nitro SIEM is a very good product that goes toe to toe with the industry leaders, ArcSight and QRadar. However, as with all acquisitions, they have a few chinks to work out before they are truly ready to lead the pack. Gartner ratings, if they are anything to go by, consistently place McAfee in the Leaders quadrant, but they have been in 3rd position for quite some time now. With HP ArcSight not doing anything new in the last two releases, QRadar is the only competitor to look to and emulate. We hope McAfee rises above the competition with a more stable and mature SIEM product, thereby shaking the industry up.

So that’s it, folks. Feel free to comment on what you feel about McAfee Nitro SIEM and what its benefits and weaknesses are.

12 thoughts on “Punching Hard – McAfee Nitro SIEM”

  1. Really?? I don’t agree at all. This sounds like some marketing crap. Nitro does not meet up with mature products like ArcSight in any way. They have a very long way to go. Take a good look under the hood and you’ll see it’s just a bunch of Perl/Java script code on top of a DB2 kind of datastore. Decompile the Java classes and you will be surprised what’s in there… a bunch of loosely written parsers, stolen or acquired code from a pre-Nitro vendor… This is really not an enterprise product but a bought, McAfee-rebranded marketing product…. Did you take a serious look at their correlation or customization capabilities? Are you kidding me?? It’s crap all over the place; maybe an ignorant small company will fall for it, but you cannot take this product seriously as a SIEM.

    That’s why you shouldn’t trust Gartner research quadrants. It’s biased marketing from a commercially oriented company without any decent technical reviews.

    1. It’s fine to not agree. But Nitro SIEM has been in the industry for long. They may not be a great product, but one thing to note is that all the issues you have highlighted have been listed in the CONS section. We are not marketing any product, as we just provide our views on the product once we get to implement it or play with it. We have seen a lot of major enterprise customers in Europe and Asia-Pacific who are really impressed with the product. Calling everything about the product crap is not right and does not serve the benefit of anyone. ArcSight is a great product, but we can list down a ton of negatives about that product too if put to task. The same thing applies to all the products in the industry. If you can provide constructive feedback to the posts, please do so. Else, refrain from making such comments.

    2. I can confirm “A.”’s first impression about this article; at first look this sounds like marketing advice, so I decided to read it twice 🙂

      Honestly, I don’t know if you had the opportunity to test the product also in big environments like Telco, or to have some data from the ones that chose to use this product, but in a couple of situations I had confirmation that this product still has to work to become a good one.

      It’s really bad that a SIEM that should handle tons of data/logs has such big stability problems; in addition, the correlation engine/rules of other products are definitely better.

      The UI at first look could seem really user friendly, but afterwards you can check that “it’s a trap”: really simple tasks or activities that other SIEMs permit are not allowed here (probably because of the choice to use a Flash web interface).

      In my opinion Nitro is still a long way from competing with better products. I’m not saying that it’s totally crap, but it cannot be put on the same level as other products like ArcSight; maybe it could be the right choice for a small company.

      Anyway thanks for your article, it was really interesting.

      1. Agree on all the points, and rightly so; I have mentioned them in the cons section. We have not implemented it in telco, but have had the opportunity to do so for government agencies, stock exchanges, financial organisations and the like. They are definitely functional, albeit with issues, and the clients seem to be fine with it. But yeah, the idea was to provide a neutral view on what the product can and cannot do!!!
        Thanks for the comments though.

  2. Overall a good review. Thanks. Although I appreciate the comments regarding QRadar’s easy to use interface, I have to let you know that the comments about the databases QRadar uses are completely incorrect. We do not use DB2 or MySQL for the purpose of dealing with high volumes of event and flow data. For that we leverage our own embedded database which can also be distributed in nature. Thanks

  3. Hello,
    An interesting read, have to add some points:
    3) High Ingest Rates – please check the blog entry by Anton Goncharov where he benchmarked ESM6’s CORRE using FusionIO. I think CORRE can go above 100k EPS. As far as I understand, in reality the scalability of any SIEM will still come down to IOPS & CPU power.
    5) – about DB monitoring, you are missing that IBM has acquired Guardium, which has native support for LEEF & CEF, as does Imperva. IMHO both these DAMs are stronger than McAfee. McAfee just wins on price here.

    Once again, thx for a nice post!
    p.s. how does one write a private message in here??

    1. Andrey,
      CORRE is definitely a better performer, but I guess the problem in scale lies with the inherent architecture flaws in ArcSight. But IOPS and CPU power are definitely a factor in any SIEM implementation.
      True, McAfee wins on price and simplicity.
      Private messaging will be available soon. Thanks.

  4. It’s been a long time since this was posted, but I think it’s worth mentioning that this 300k max EPS promise applies to logs before aggregation, and McAfee assumes 10:1 aggregation in their calculations, which might be too optimistic. This means that with 300k hitting the receivers, actually 30k is forwarded to the ESM (the ELM gets it all, but searching through it is basic at best). While aggregation is not a bad idea, the fact that it’s enabled by default might rob you of some really crucial events.

    1. Nitro receivers are far better than several other market-leading SIEM solutions, with 300K input and 30K output. But I agree with your observation on the aggregation. Loss of crucial events when needed is definitely an operational flaw rather than a product one, I would think.
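The aggregation trade-off raised in the two comments above, shown as an added example (constructed sample events and a hypothetical aggregator written for this post, not McAfee’s code or its actual default aggregation key): collapsing events on (source, signature) gives the quoted kind of reduction ratio, but any field outside the key survives only for the first event in each bucket, so per-account detail vanishes unless the key is widened or the signature is exempted.

```python
# Constructed sample events (not real receiver output). Each dict mimics a
# normalised record: source IP, signature, user and destination port.
EVENTS = [
    {"src": "10.0.0.5", "sig": "auth-failure", "user": "alice", "dport": 22},
    {"src": "10.0.0.5", "sig": "auth-failure", "user": "bob", "dport": 22},
    {"src": "10.0.0.5", "sig": "auth-failure", "user": "carol", "dport": 22},
    {"src": "10.0.0.7", "sig": "fw-deny", "user": "-", "dport": 443},
    {"src": "10.0.0.7", "sig": "fw-deny", "user": "-", "dport": 443},
    {"src": "10.0.0.7", "sig": "fw-deny", "user": "-", "dport": 8443},
    {"src": "10.0.0.9", "sig": "malware-detected", "user": "dave", "dport": 0},
    {"src": "10.0.0.9", "sig": "malware-detected", "user": "erin", "dport": 0},
]


def aggregate(events, key_fields=("src", "sig"), exempt_sigs=()):
    """Collapse events sharing the same key into one record carrying a count.

    key_fields: fields the hypothetical aggregator keys on.
    exempt_sigs: signatures that must never be aggregated; they pass through 1:1.
    Returns the list of output records, each with a 'count' field.
    """
    buckets = {}
    out = []
    for ev in events:
        if ev["sig"] in exempt_sigs:
            out.append({**ev, "count": 1})
            continue
        key = tuple(ev[f] for f in key_fields)
        if key not in buckets:
            # Only the first event's non-key values survive in the bucket.
            buckets[key] = {**ev, "count": 0}
            out.append(buckets[key])
        buckets[key]["count"] += 1
    return out


def dropped_values(events, aggregated, field):
    """Distinct values of `field` seen in the raw events but absent from the
    aggregated output, i.e. the detail the aggregator discarded."""
    raw = {ev[field] for ev in events}
    kept = {ev[field] for ev in aggregated}
    return raw - kept


def reduction_ratio(events, aggregated):
    """Input events per output record, the figure a vendor quotes as N:1."""
    return len(events) / len(aggregated)
```

Running `dropped_values(EVENTS, aggregate(EVENTS), "user")` shows the accounts lost under the narrow key; passing `exempt_sigs=("auth-failure", "malware-detected")` or `key_fields=("src", "sig", "user")` keeps them at the cost of a lower ratio.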

  5. I’m on a team in a large energy company that uses maybe a dozen Receivers, a couple ESMs, ELMs, ACEs, etc. I can confirm all the negative stuff you’ve heard.

    Everything is horribly slow and cannot withstand the hundreds of millions of events we get per day (even after drastically reducing load by eliminating what kinds of logs we can gather, in hopes it improves performance), the system is unstable (will silently fail correlation, or alarming, etc.), does not scale well and with the proprietary DB you cannot throw your own hardware at it, the rules are too limited, the Flash interface is really bad, and the worst part is that their support cannot do anything useful. They have no debugging tools to know why watchlists aren’t working properly, or gauge database performance, or anything. We’re paying millions for a crappy product we can’t use effectively and they can’t fix.

    We have gone through a few iterations of re-architecting solutions, to include breaking out the ESM into multiple ESMs (there goes your “single pane of glass” which you needed multiple tabs for in the first place anyway due to crappy Flash interface) and are always up-to-date with the latest version per McAfee / Intel Security support (that plus rule updates are their only advice). Just stay far away from this product.

    1. Hello Jon, I’ve read your comment and would like to have further feedback on McAfee/Intel Security, since our company is considering it and I need to provide full feedback. I’ll be thankful if you can mention all the pain areas you’re facing with this product. Thank you.
