Sizing and Scoping your QRadar SIEM


Adam Frank
Chief Client Success Architect

Robert McGinley
SWAT Security Intelligence Architect

Think 2018 / Sizing and Scoping Your IBM Security QRadar SIEM Deployment / March 21, 2018 / © 2018 IBM Corporation
Please note

IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice and at IBM’s sole discretion.

Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.

The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.

The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
Notices and disclaimers

© 2018 International Business Machines Corporation. No part of this document may be reproduced or transmitted in any form without written permission from IBM.

U.S. Government Users Restricted Rights — use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. This document is distributed “as is” without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity. IBM products and services are warranted per the terms and conditions of the agreements under which they are provided.

IBM products are manufactured from new parts or new and used parts. In some cases, a product may not be new and may have been previously installed. Regardless, our warranty terms apply.

Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.

Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.

References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.

It is the customer’s responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer follows any law.


Notices and disclaimers (continued)

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM expressly disclaims all warranties, expressed or implied, including but not limited to, the implied warranties of merchantability and fitness for a purpose.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.

IBM, the IBM logo, ibm.com and [names of other referenced IBM products and services used in the presentation] are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
Introduction to QRadar Deployment Sizing

It is important to have your QRadar deployment sized properly to avoid the following conditions:
– Performance problems
– Inability to satisfy compliance requirements
– A weakened security posture and limited threat detection
– Failure to capture critical security data
Introduction to QRadar Deployment Sizing

Analogy Time

Imagine the QRadar platform as a bucket.

Volume
• How wide does the bucket need to be?
• How many hoses are filling the bucket at once?
• How much overall do we need to hold?

Retention
• How deep must the bucket go?
• How long must we keep the contents?
Introduction to QRadar Deployment Sizing

Analogy Time (Cont.)

How many buckets do you need?
• Will a few big buckets do the trick?
• Or many distributed buckets?

Where do we need to keep the buckets?
• Data privacy, GDPR, etc.
Choose your QRadar Features

What would you like your QRadar to do?

QVRM – QRadar Vulnerability & Risk Manager
• Requires additional hardware appliances
• Optional additional vulnerability scanner appliances

QNI & Flows
• Requires additional hardware appliances for QNI and Flow Collection
• May require additional Flow Processors

QRadar Apps
• AppNode should be considered for environments utilizing UBA and/or multiple QRadar apps
• AppNode required for the UBA Machine Learning plugin

QRadar Incident Forensics
• Requires additional hardware
• Requires PCAP appliance
QRadar Deployment Must-Gathers

What do you need to collect?
• Event sources
• AD, Proxy, A/V, IPS
• Flow collection points

Where do you need to collect it?
• Geography
• DMZ
• “Crown Jewels”

How much do you need to collect?
• EPS
• FPM

How long do we need to keep it?
• Days? Weeks? Months? Years?
QRadar Deployment Must-Gathers

Where must your data reside?
• Data privacy
• GDPR
• CSL

What is your bandwidth availability?
• Remote sites
• Mobile collection
• Network latency

How many users?
• Concurrent searches

What is your backup strategy?
• SAN/attached storage
• NFS
• Full-blown DR
Estimate your EPS and FPM

– POC of environment
– Log samples from your environment
– Estimator from sales team
– Estimator from the internet
– Logcaliper Estimation Tool
– Manual estimation
  • Gathering a sample of all your planned log sources for a specified period and averaging them can be very accurate

Average event size is around 750 bytes
• This may not be representative of your environment
• Estimating the average event size for YOUR environment is important
• Understanding the accuracy of your estimation is critical to correct sizing for current needs and future growth

QFlow captures the first 64 bytes of the payload

Logcaliper – iTunes App Store – https://itunes.apple.com/us/app/logcaliper/id381096276
Estimate Your EPS and FPM

Additional Resources
– Developerworks Event FAQ
  • https://developer.ibm.com/qradar/2017/08/22/1775/
– IBM Event & Storage Calculator (QRadar 7.2.7)
  • https://developer.ibm.com/qradar/wp-content/uploads/sites/89/2017/08/qradar-727-storage-calculator-v2016.10.xlsx_.zip
– SANS Benchmarking Security Information Event Management (SIEM) Whitepaper
  • https://www.sans.org/reading-room/whitepapers/analyst/benchmarking-security-information-event-management-siem-34755
QRadar Console – 31xx
– CPU & memory heavy role
– Can be virtualized, but VM costs may be prohibitive
– Core component of QRadar

Event Collector – 15xx
– CPU & network heavy role
– Can be virtualized
– Collects and receives event data, buffers and forwards to an Event Processor
– Must be paired with an Event Processor

Event/Flow Processor – 16xx/17xx
– Disk & CPU heavy role
– Parses & normalizes incoming event/flow data
– Stores normalized event/flow data to respond to searches

Data Node – 14xx
– Disk & CPU heavy role
– Stores event/flow data
– Provides not only additional event/flow storage but additional search threads
  • Not JBOD
– Scales without effort; need more search or storage?
  • More Data Nodes!
QRadar Console
31xx

xx48
• ~13 TB SSD event/flow storage
• 128 GB RAM
• 2x 8 Gb FC
• 30,000 EPS (as AIO)
• 1,000,000 FPM (as AIO)

xx29
• 48 TB RAID 6 HDD event/flow storage
• 128 GB RAM
• 15,000 EPS (as AIO)
• 300,000 FPM (as AIO)

xx05
• 5.6 TB RAID 6 HDD event/flow storage
• 64 GB RAM
• 5,000 EPS (as AIO)
• 200,000 FPM (as AIO)

xx99
• Virtual
• Capacity depends on the resources allocated to the VM
Event Processors
16xx

xx48
• ~13 TB SSD event/flow storage
• 128 GB RAM
• 2x 8 Gb FC
• 80,000 EPS

xx29
• 58 TB RAID 6 HDD event/flow storage
• 128 GB RAM
• 40,000 EPS

xx05
• 5.6 TB RAID 6 HDD event/flow storage
• 64 GB RAM
• 20,000 EPS

xx99
• Virtual
Flow Processors
17xx

xx48
• ~13 TB SSD flow storage
• 128 GB RAM
• 2x 8 Gb FC
• 80,000 EPS

xx29
• 58 TB RAID 6 HDD flow storage
• 128 GB RAM
• 40,000 EPS

xx05
• 5.6 TB RAID 6 HDD flow storage
• 64 GB RAM
• 20,000 EPS

xx99
• Virtual
• Capacity depends on the resources allocated to the VM

The throughput figures above are labelled EPS as on the slide; Flow Processor capacity is rated in FPM, so confirm the rating against the current appliance specifications before sizing flow collection.
Data Node
14xx

xx48
• ~13 TB SSD event/flow storage
• 128 GB RAM
• 2x 8 Gb FC

xx29
• 58 TB RAID 6 HDD event/flow storage
• 128 GB RAM

xx05
• 5.6 TB RAID 6 HDD event/flow storage
• 64 GB RAM

xx99
• Virtual
• Capacity depends on the resources allocated to the VM
Choose your hardware

Pick your console
– 3148 (SSD), 3129 (HDD), 3105 (HDD)

Do you need Processors?
– If you need EPS/FPM processing

Do you need additional storage (retention)?
– Disk space calculator
– Pair up with Data Nodes

When selecting SSD or traditional magnetic disks, note the speed versus capacity tradeoff. Which is most important to you?

Consider growth in sizing your QRadar deployment. Ex. You currently have 10 devices you plan to integrate into QRadar; however, once deployed, any new projects/devices/deployments will likely impact your SIEM utilization.
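The two slides above (measure EPS and event size from a real sample rather than assuming 750 bytes; then size retention storage, allow for growth, and pair Processors with Data Nodes) can be worked through end to end. The following Python is an added example, not IBM code and not the IBM storage calculator linked earlier. The sample log lines are constructed; the normalized-record overhead and compression ratio are caller-supplied assumptions whose defaults (0 bytes, ratio 1.0) give a conservative no-credit baseline; TB is decimal (1e12 bytes); and the model that a Processor stores its own data while Data Nodes add storage only is a simplification of the roles slide. The only appliance numbers used are the slide's own 1629 (40,000 EPS, 58 TB) and 1429 (58 TB) figures.

```python
"""Added sizing example: measure EPS and event size from a log sample, then
size retention storage and appliance count. Not IBM code or IBM's calculator.

Assumptions (labelled): SAMPLE_LOG is constructed; normalized-record overhead
and compression ratio are caller-supplied (defaults 0 bytes / 1.0 = no credit);
TB is decimal (1e12 bytes); a Processor stores its own data and Data Nodes add
storage only (simplified from the roles slide)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from math import ceil
import re

# Constructed 3-second burst from three planned sources (AD, proxy, IPS).
# A real estimate samples every planned source across a period that includes
# its daily peak, as the "Estimate your EPS and FPM" slide recommends.
SAMPLE_LOG = """\
2018-03-21T10:00:00Z dc01 Security-Auditing 4624 An account was successfully logged on. Logon Type: 3 Account Name: svc_backup Workstation: SRV07
2018-03-21T10:00:00Z dc01 Security-Auditing 4625 An account failed to log on. Account Name: jdoe Failure Reason: bad password. Source Network Address: 10.20.30.40
2018-03-21T10:00:00Z proxy01 squid 1521627600.123 245 10.1.2.3 TCP_MISS/200 5123 GET http://example.test/index.html - HIER_DIRECT/93.184.216.34 text/html
2018-03-21T10:00:01Z proxy01 squid 1521627601.456 12 10.1.2.4 TCP_DENIED/403 3890 CONNECT blocked.example.test:443 - HIER_NONE/- text/html
2018-03-21T10:00:01Z ips01 snort [1:2019401:3] ET POLICY Possible Kali Linux hostname in DHCP Request [Priority: 1] {UDP} 10.1.2.5:68 -> 10.1.2.1:67
2018-03-21T10:00:02Z dc01 Security-Auditing 4672 Special privileges assigned to new logon. Account Name: Administrator Privileges: SeDebugPrivilege
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s")


@dataclass(frozen=True)
class SampleStats:
    events: int
    span_seconds: int
    avg_event_bytes: float  # measured, rather than assuming "about 750 bytes"
    avg_eps: float
    peak_eps: int           # worst single second; size ingest to this, not the average


def measure_sample(text: str) -> SampleStats:
    """Derive event size and EPS from timestamped log lines (one event per line)."""
    per_second: Counter = Counter()
    total_bytes = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = TS_RE.match(line)
        if m is None:
            raise ValueError(f"line without leading ISO-8601 timestamp: {line[:40]!r}")
        per_second[datetime.fromisoformat(m.group(1))] += 1
        total_bytes += len(line.encode("utf-8"))
    if not per_second:
        raise ValueError("empty sample")
    events = sum(per_second.values())
    span = int((max(per_second) - min(per_second)).total_seconds()) + 1
    return SampleStats(events, span, total_bytes / events, events / span,
                       max(per_second.values()))


def retention_storage_tb(eps: float, avg_event_bytes: float, retention_days: int,
                         normalized_overhead_bytes: float = 0.0,
                         compression_ratio: float = 1.0,
                         growth_per_year: float = 0.0, years: float = 0.0) -> float:
    """Decimal TB to keep `retention_days` of events at the EPS expected after
    `years` of compound growth (the "consider growth" point on the hardware slide)."""
    if compression_ratio <= 0:
        raise ValueError("compression_ratio must be positive")
    projected_eps = eps * (1.0 + growth_per_year) ** years
    per_event_bytes = (avg_event_bytes + normalized_overhead_bytes) / compression_ratio
    return projected_eps * 86400 * retention_days * per_event_bytes / 1e12


@dataclass(frozen=True)
class Appliance:
    model: str
    max_eps: int       # 0 for a Data Node, which does not ingest
    usable_tb: float


def appliances_needed(peak_eps: float, total_tb: float,
                      processor: Appliance, data_node: Appliance) -> dict:
    """Processors sized to peak EPS; Data Nodes cover the storage the Processors'
    own disks do not (model assumption, see module docstring)."""
    if processor.max_eps <= 0 or data_node.usable_tb <= 0:
        raise ValueError("processor needs an EPS rating, data node needs capacity")
    processors = max(1, ceil(peak_eps / processor.max_eps))
    remaining_tb = total_tb - processors * processor.usable_tb
    data_nodes = ceil(remaining_tb / data_node.usable_tb) if remaining_tb > 0 else 0
    return {"processors": processors, "data_nodes": data_nodes}


if __name__ == "__main__":
    stats = measure_sample(SAMPLE_LOG)
    print(f"{stats.events} events / {stats.span_seconds}s: avg {stats.avg_event_bytes:.0f} B, "
          f"avg {stats.avg_eps:.1f} EPS, peak {stats.peak_eps} EPS")
    # Hypothetical estate: 20,000 EPS today, 365-day retention, 20%/yr growth over
    # 3 years; 1629 (40,000 EPS, 58 TB) and 1429 (58 TB) figures are the slide's.
    tb = retention_storage_tb(20_000, stats.avg_event_bytes, 365, growth_per_year=0.2, years=3)
    print(f"retention storage after growth: {tb:.1f} TB")
    print(appliances_needed(20_000 * 1.2 ** 3, tb,
                            Appliance("1629", 40_000, 58.0), Appliance("1429", 0, 58.0)))
```

Two points the slides make show up directly in the numbers: sizing ingest to the peak second rather than the average keeps a burst from queueing at the Collector, and projecting EPS out over the planning horizon before computing retention storage is what turns "10 devices today" into a Data Node count that survives the next project.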
Place your hardware

– Place your Event Collectors
– Plan your QNI boxes
  • Where they live
  • How to handle SSL
– Where does our vulnerability information come from?
  • QVM integration
  • 3rd party scanners (Nessus, Qualys, etc.)

HA appliances should be linked via crossover cable, preferably 10G.

Flow collectors should be strategically positioned for maximum value:
• Near edge devices
• Ingress/egress points to DMZ or crown jewels

One or more Event Collectors may be utilized for remote collection over slow WAN links.

For query performance, try to place Processor appliances close to the console. You can place Processors at remote sites with high-bandwidth connections back to the console.
Common Deployment Patterns

QRadar All In One

A single appliance, QRadar All-in-One solution. Event Collector and Processor are on-board and utilize resources otherwise dedicated to the Console in a fully distributed QRadar deployment.

Common Deployment Patterns

QRadar Full Deployment

Represents a logical QRadar deployment architecture utilizing each major deployment role.

Event & Flow Collectors receive incoming data, then pass it to the appropriate Processor for parsing & normalization.

Both Event & Flow Processors have an associated Data Node for additional search threads, CPU and storage capacity.

The QRadar Console is the focal point for this data.

Common Deployment Patterns

QRadar Events Only

Specialized QRadar deployment for event collection and parsing only.

Common Deployment Patterns

QRadar on Cloud

A cloud-hosted QRadar Console communicates with your on-prem QRadar Data Gateway via a persistent VPN tunnel.

Bandwidth availability is very important in this kind of deployment.
Other Considerations

Additional factors that can affect your deployment

High Availability
• Useful for Event Processors and Console
• HA Data Nodes are useful, if expensive, compared to a good backup solution

Disaster Recovery
• Requires double the hardware
• QRadar configs replicated between Console environments
• Do you really need it?
Other Considerations

Additional factors that can affect your deployment

Appliance Disk Types
• Mixing HDD and SSD Processors and Data Nodes causes performance issues

Load Balanced Event Collection
• Some special considerations are required when writing rules
• Disable sticky session support

QRadar on Cloud
• Place one or more on-prem Data Gateway appliances
• Hosted QRadar Console on VM or bare metal
Thank you

Adam Frank
Chief Client Success Architect

adam.frank@ca.ibm.com

Robert McGinley
SWAT guy

mcginley@us.ibm.com
