—
Adam Frank
Chief Client Success Architect
Robert McGinley
SWAT Security Intelligence Architect
Think 2018 / Sizing and Scoping Your IBM Security QRadar SIEM Deployment / March 21, 2018 / © 2018 IBM Corporation
Please note
IBM’s statements regarding its plans, directions, and intent are subject to change
or withdrawal without notice and at IBM’s sole discretion.
The development, release, and timing of any future features or functionality described for
our products remains at our sole discretion.
Notices and disclaimers
© 2018 International Business Machines Corporation. No part of this document may be reproduced or transmitted in any form without written permission from IBM.
U.S. Government Users Restricted Rights — use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. This document is distributed “as is” without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity. IBM products and services are warranted per the terms and conditions of the agreements under which they are provided.
IBM products are manufactured from new parts or new and used parts. In some cases, a product may not be new and may have been previously installed. Regardless, our warranty terms apply.
Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.
Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.
References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
It is the customer’s responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer follows any law.
Introduction to QRadar Deployment Sizing
Introduction to QRadar Deployment Sizing
Analogy Time
Volume
• How wide does the bucket need to be?
• How many hoses are filling the bucket at once?
• How much overall do we need to hold?
Retention
• How deep must the bucket go?
• How long must we keep the contents?
Introduction to QRadar Deployment Sizing
Choose your QRadar Features
QRadar Deployment Must Gathers
What do you need to collect?
• Event Sources
Where do you need to collect it?
• Geography
How much do you need to collect?
• EPS
How long do we need to keep it?
• Days?
• Years?
QRadar Deployment Must Gathers
Where must your data reside?
• Data Privacy
• GDPR
• CSL
What is your bandwidth availability?
• Remote sites
• Mobile collection
• Network latency
How many users?
• Concurrent searches
What is your backup strategy?
• SAN/Attached Storage
• NFS
• Full-blown DR
Estimate your EPS and FPM
– POC of environment
– Log samples from your environment
• Estimator from sales team
• Estimator from internets
– Logcaliper Estimation Tool
– Manual estimation
Average Event Size is around 750 bytes
• May not be representative of your environment
• Estimating average event size for YOUR environment is important
• Understanding the accuracy of your estimation is critical to correct sizing for current needs and future growth
QFlow captures the first 64 bytes of the payload
Estimate Your EPS and FPM
Additional Resources
– Developerworks Event FAQ
• https://developer.ibm.com/qradar/2017/08/22/1775/
– IBM Event & Storage Calculator (QRadar 7.2.7)
• https://developer.ibm.com/qradar/wp-content/uploads/sites/89/2017/08/qradar-727-storage-calculator-v2016.10.xlsx_.zip
– SANS Benchmarking Security Information Event Management (SIEM) Whitepaper
• https://www.sans.org/reading-room/whitepapers/analyst/benchmarking-security-information-event-management-siem-34755
QRadar Console – 31xx
– CPU & Memory heavy role
– Can be virtualized, but VM costs may be prohibitive
– Core component of QRadar
Event Collector – 15xx
– CPU & network heavy role
– Can be virtualized
– Collects and receives event data, buffers and forwards to Event Processor
– Must be paired with event processor
Event/Flow Processor – 16xx/17xx
– Disk & CPU heavy role
– Parses & normalizes incoming event/flow data
– Stores normalized event/flow data to respond to searches
Data Node – 14xx
– Disk & CPU heavy role
– Stores Event/Flow data
– Provides not only additional event/flow storage but additional search threads
• Not JBOD
– Scales without effort, need more search or storage?
QRadar Console
31xx
• 30,000 EPS (as AIO)
• 300,000 FPM (as AIO)
• 200,000 FPM (as AIO)
• 80,000 EPS
Flow Processors
17xx
Data Node
14xx
• 2x 8Gb FC
Choose your hardware
Pick your console
Do you need additional storage (Retention)?
– Disk space calculator
– Pair Up with Data Nodes
When selecting SSD or traditional magnetic disks note the speed versus capacity tradeoff.
Ex. You currently have 10 devices you plan to integrate into QRadar however once deployed, any new projects/devices/deployments will likely impact your SIEM utilization.
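The "Estimate your EPS and FPM" slide and the disk-space question on this slide both come down to the same arithmetic: events per second, times average event size, times seconds per day, times retention, plus headroom for the new sources the slide warns about. The block below is an added example written for this page, not the deck's own calculator or IBM code. It works the estimate from a constructed log sample (fictional hosts and addresses) and assumes things the slides do not state: the capture window length is known, growth is a caller-supplied multiplier, and compression is a caller-supplied ratio (1.0 = none; measure your own). Flows are left out because the deck gives no per-flow record size.

```python
"""Added example (not from the IBM deck): back-of-envelope QRadar event-volume
and retention sizing worked from a captured log sample.

Assumptions the slides do not state: the sample was captured over a known
window of seconds; stored bytes are approximated as raw event bytes scaled by a
caller-supplied compression ratio (1.0 means none); growth is a caller-supplied
multiplier. Flows are out of scope because the deck gives no per-flow record size.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
DECK_AVG_EVENT_BYTES = 750  # rule of thumb quoted in the deck; may not fit your environment

# Constructed sample syslog lines (fictional hosts and addresses), as if
# captured from one collector over a 4-second window.
SAMPLE_WINDOW_SECONDS = 4
SAMPLE_LOGS = [
    "<34>Mar 21 12:00:00 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445",
    "<86>Mar 21 12:00:00 app01 sshd[2211]: Accepted publickey for deploy from 192.0.2.44 port 51022",
    "<86>Mar 21 12:00:01 app01 sudo: deploy : TTY=pts/0 ; PWD=/srv ; USER=root ; COMMAND=/bin/systemctl restart web",
    "<38>Mar 21 12:00:01 dc01 winlog: EventID=4624 LogonType=3 TargetUser=svc-backup Workstation=BK01",
    "<34>Mar 21 12:00:01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389",
    "<86>Mar 21 12:00:02 app01 sshd[2230]: Failed password for invalid user admin from 198.51.100.9 port 40112",
    "<38>Mar 21 12:00:02 dc01 winlog: EventID=4625 LogonType=3 TargetUser=admin Workstation=WS17",
    "<134>Mar 21 12:00:02 proxy01 squid: 192.0.2.51 TCP_MISS/200 5123 GET http://example.com/ - DIRECT",
    "<134>Mar 21 12:00:03 proxy01 squid: 192.0.2.51 TCP_HIT/200 812 GET http://example.com/style.css - NONE",
    "<34>Mar 21 12:00:03 fw01 kernel: ACCEPT IN=eth1 SRC=192.0.2.51 DST=198.51.100.20 PROTO=TCP DPT=443",
    "<38>Mar 21 12:00:03 dc01 winlog: EventID=4768 TargetUser=svc-backup Status=0x0",
    "<86>Mar 21 12:00:03 app01 sshd[2230]: Disconnected from invalid user admin 198.51.100.9 port 40112",
]


@dataclass(frozen=True)
class SizingEstimate:
    eps: float
    avg_event_bytes: float
    daily_raw_bytes: float
    retention_bytes: float


def estimate_eps(lines, window_seconds):
    """Events per second from a sample captured over window_seconds."""
    if window_seconds <= 0:
        raise ValueError("capture window must be positive")
    return len(lines) / window_seconds


def average_event_bytes(lines):
    """Mean raw size of the sampled events in bytes (UTF-8, as received)."""
    if not lines:
        raise ValueError("need at least one sampled event")
    return sum(len(line.encode("utf-8")) for line in lines) / len(lines)


def daily_raw_bytes(eps, avg_event_bytes):
    """Bytes received per day before any compression."""
    return eps * SECONDS_PER_DAY * avg_event_bytes


def retention_bytes(daily_bytes, retention_days, growth_factor=1.0, compression_ratio=1.0):
    """Storage needed to keep retention_days of data.

    growth_factor: multiplier for sources you will add later (assumption).
    compression_ratio: stored/raw; 1.0 = no compression (assumption; measure it).
    """
    if retention_days < 0 or growth_factor <= 0 or not 0 < compression_ratio <= 1:
        raise ValueError("retention_days >= 0, growth_factor > 0, 0 < compression_ratio <= 1")
    return daily_bytes * retention_days * growth_factor * compression_ratio


def size_from_sample(lines, window_seconds, retention_days, growth_factor=1.0, compression_ratio=1.0):
    """Run the whole chain: sample -> EPS and event size -> daily volume -> retention."""
    eps = estimate_eps(lines, window_seconds)
    avg = average_event_bytes(lines)
    daily = daily_raw_bytes(eps, avg)
    return SizingEstimate(eps, avg, daily, retention_bytes(daily, retention_days, growth_factor, compression_ratio))


def exceeds_capacity(eps, capacity_eps):
    """True when the estimated rate is above a rated or licensed EPS figure."""
    return eps > capacity_eps


def as_terabytes(n_bytes):
    return n_bytes / 1e12


if __name__ == "__main__":
    est = size_from_sample(SAMPLE_LOGS, SAMPLE_WINDOW_SECONDS, retention_days=90, growth_factor=1.25)
    print(f"sample: {est.eps:.1f} EPS, avg {est.avg_event_bytes:.0f} B/event "
          f"(deck rule of thumb: {DECK_AVG_EVENT_BYTES} B)")
    print(f"raw per day: {as_terabytes(est.daily_raw_bytes):.6f} TB; "
          f"90 days with 25% growth: {as_terabytes(est.retention_bytes):.6f} TB")
    # Projection at a planned 5,000 EPS using the deck's 750-byte average.
    planned_daily = daily_raw_bytes(5_000, DECK_AVG_EVENT_BYTES)
    print(f"5,000 EPS x 750 B: {as_terabytes(planned_daily):.3f} TB/day, "
          f"{as_terabytes(retention_bytes(planned_daily, 365)):.2f} TB/year raw")
    print("over a 30,000 EPS all-in-one console?", exceeds_capacity(5_000, 30_000))
```

The point of measuring `average_event_bytes` on your own sample rather than taking 750 bytes on faith is the slide's own caveat: a proxy or Windows source can easily run several times larger than a firewall drop line, and the storage projection scales linearly with that number. Run the capture on each collector for a representative window (peak hours, not a quiet weekend) and keep the growth factor honest for the projects you already know are coming.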
Place your hardware
– Place your Event Collectors
– Plan your QNI Boxes
• Where they live
HA appliances should be linked via crossover cable, preferably 10G
Flow collectors should be strategically positioned for maximum value
• Near edge devices
• Ingress/egress points to DMZ or crown jewels
Common Deployment Patterns
QRadar on Cloud
A cloud-hosted QRadar console communicates with your on-prem QRadar Data Gateway via a persistent VPN tunnel.
Other Considerations
Disaster Recovery
Thank you
Adam Frank
Chief Client Success Architect
—
adam.frank@ca.ibm.com
Robert McGinley
SWAT guy
—
mcginley@us.ibm.com