ESM 11 Product Overview

Question 1

What are the 7 components of a Trellix SIEM ESM 11.0?

Answer 1

The components of Trellix ESM 11.0 SIEM are:
* Enterprise Security Manager (ESM)
* Advance Correlation Engine (ACE)
* Application Data Monitor (ADM)
* Database Event Monitor (DEM)
* Entreprise Log Search (ELS)
* Enterprise Log Manager (ELM)
* Event Receiver (ERC)

Question 2

What is the purpose of the ESM?

Answer 2

The ESM collects and aggregates data and events from security devices, networks infraestructures, sytems and applications. Available as hardware or VM.

Question 3

What is the purpose of the ERC?

Answer 3

The ERC collects 3rd party logs, events and flow data for correlation and analysis by the ESM. Available as hardware or VM.

Question 4

What is the purpose of the ELM?

Answer 4

The ELM provides compliant log management functions, this can be tought as cold storage. Available as hardware or VM.

Question 5

What is the purpose of the ELS?

Answer 5

The ELS search for events in any part of the log by creating indexes in data

Question 6

What is the purpose of the ACE?

Answer 6

The ACE provides correlation to identify and score threat events using rules or base risk logic. Available as hardware or VM.

Question 7

What is the purpose of the ADM?

Answer 7

The ADM monitors more than 500 known applications. Available as hardware only due to cluster configuration and mirror port needed to monitor the traffic.

Question 8

What is the purpose of the DEM?

Answer 8

The DEM automates the collection, management, analysis, visualization, and reporting of database access. Available as hardware only due to cluster configuration and mirror port needed to monitor the traffic.

Question 9

In relation to architectural design of the ESM to what refers the Databus (Kafka Stream Bus)?

Answer 9

This component refers to the data streaming of the ESM solution, now provides scalability to 2M+ transactions/second

Question 10

All the devices that produces alert data like ERC and ACE have a kafka instance implemented which is connected to the DEM via Snoflex? True or False?

Answer 10

True

Question 11

In relation to architectural design of the ESM to what refers the concept of sharding and what components are related to this?

Answer 11

Sharding is a method of horizontal data partitioning that is used to separate very large data models into smaller, faster, more easily managed pieces called data shards. The components related into this are the Databus (Kafka Stream Bus) and the databases.

Question 12

In relation to the new architectural design of the ESM how the ACE works?

Answer 12

Alerts collected by the ESM are published to the databus, this data is not send by the ESM to the ACE anymore. The ACE gets it directly from the Databus afeter generating the correlated events the alerts are stored into the alerts database and then published again into the Databus.

Question 13

What are some advantages of Snowflex Replication - HA?

Answer 13

• Increases performances through load balanced queries
• Allows to use Standby ESM instead of Active ESM in case of failure
• Support for ESMs in separate datacenters or replication in a single datacenter
• More than one replica possible if required

Question 14

What are some advantages of Snowflex Scalability?

Answer 14

• Increased performance of ingestion and query speed by combining load balancing with data distribution using shards
• New data is load balanced automatically as nodes are added
• Optimal shard configuration determined automatically