IBM Security QRadar

  • 1.  QRadar SIEM sizing estimate

    Posted Fri July 19, 2019 09:15 AM
    Good day security gurus,
    I have a query on correctly sizing a QRadar SIEM installation.

    As an example, IBM typically budgets a factor of 25x EPS per DNS server, 10x FPM for a workstation and 120x FPM for a server.

    Are these numbers reasonable and a fair reflection of how resources consume EPS and FPM licenses?  

    The reason for the question is that we have a customer that is claiming they consume ~600x EPS for a DNS server, and their workstations and servers are using roughly 5x the FPM quotas.

    I can't believe that IBM gets these estimates out by such a large factor as they have been sizing QRadar installations for years and have many customer installations to base these factors from.

    Your experiences please? 
    Could there be something specific to my customer's network environment that is triggering these large EPS and FPM counts?

    Let me know if you need further info.

    ------------------------------
    Geoff Bosman
    Senior IT Consultant
    Silverfern IT
    Perth
    ------------------------------


  • 2.  RE: QRadar SIEM sizing estimate

    Posted Mon July 22, 2019 10:50 AM

    We get some DNS events through the standard Windows events collection mechanisms by checking the 'DNS Server' checkbox in the log source configs for any of the WinCollect, WMI ('Microsoft Security Event Log') or MSRPC ('Microsoft Security Event Log over MSRPC') protocol config types, as we always could. If the client is trying to get the DNS debug log and all the DNS requests, then depending on the nature of the business this could be chatty.

    25x EPS per DNS server is a good starting point to ESTIMATE; depending on the nature of the environment this could vary.



    ------------------------------
    IKHTEAR BHUYAN
    ------------------------------
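As an added example (not an IBM tool and not code posted in this thread), here is a small Python sizing check: it applies the planning factors quoted in the first post to an inventory, measures the EPS actually seen in a sample of forwarded log lines (constructed DNS query lines, assumed to start with an ISO-8601 timestamp), and flags each unit where the observed figure exceeds the estimate by more than a tolerance.

```python
"""Added example: planning-factor estimate vs. EPS observed in a log sample."""
from collections import Counter
from datetime import datetime

# Per-device planning factors quoted in the first post: (unit, factor).
FACTORS = {"dns_server": ("eps", 25), "workstation": ("fpm", 10), "server": ("fpm", 120)}


def estimate(inventory):
    """Total EPS and FPM estimate for an inventory of {device_type: count}."""
    totals = {"eps": 0.0, "fpm": 0.0}
    for device, count in inventory.items():
        unit, factor = FACTORS[device]
        totals[unit] += factor * count
    return totals


def observed_eps(log_lines):
    """(average, peak) events per second over a sample of log lines; each line is
    assumed to start with an ISO-8601 timestamp, the rest of the line is ignored."""
    per_second = Counter(
        datetime.fromisoformat(line.split(" ", 1)[0]).replace(microsecond=0)
        for line in log_lines if line.strip()
    )
    if not per_second:
        return 0.0, 0
    span = (max(per_second) - min(per_second)).total_seconds() + 1
    return sum(per_second.values()) / span, max(per_second.values())


def sizing_gap(estimated, observed, tolerance=2.0):
    """Per unit: (estimate, observed, observed/estimate, flagged). A flag on DNS
    EPS is often a sign that verbose or debug logging is being forwarded."""
    report = {}
    for unit, est in estimated.items():
        obs = observed.get(unit, 0.0)
        ratio = obs / est if est else float("inf")
        report[unit] = (est, obs, round(ratio, 2), ratio > tolerance)
    return report


# Constructed sample: three seconds of DNS query lines from one server
# (590, 610 and 600 lines), i.e. roughly the 600 EPS reported in the thread.
SAMPLE_LINES = [
    f"2019-07-19T09:15:0{sec} dns1 query client=10.0.0.{i % 250} name=example.test type=A"
    for sec, n in ((0, 590), (1, 610), (2, 600)) for i in range(n)
]

if __name__ == "__main__":
    est = estimate({"dns_server": 1, "workstation": 50, "server": 4})
    avg, peak = observed_eps(SAMPLE_LINES)
    print(sizing_gap(est, {"eps": avg, "fpm": 4900.0}))  # FPM figure is constructed
```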



  • 3.  RE: QRadar SIEM sizing estimate

    Posted Mon July 22, 2019 02:24 PM
    Exactly correct, the factors are estimates that can/should be modified based on many factors including the size of the environment and the numbers of systems. For example many organizations using Windows for DNS would have 10s or 100s of servers in their environment. If an organization has fewer servers with the same number of users, they will logically be busier.
    Long and short - this is an art and there is no situation where we tell a client what their EPS rates will be. We simply estimate what they may be based on 100s or 1000s of historical samples.

    ------------------------------
    Sterling Jones
    ------------------------------



  • 4.  RE: QRadar SIEM sizing estimate

    Posted Mon July 22, 2019 11:04 PM
    Hi Sterling,
    Thanks for your input.
    So 600x EPS for a DNS server is not necessarily unusual dependent on the environment?
    In your experience, are you aware of other scenarios that would skew the standard IBM factors used to a large degree?

    ------------------------------
    Geoff Bosman

    ------------------------------



  • 5.  RE: QRadar SIEM sizing estimate

    Posted Tue July 23, 2019 09:19 AM
    Correct, not necessarily. DNS and Flow are two of the components that relate to the size of the environment more than the number of systems. Now that we do not license on log sources it likely makes more sense to change those factors to be based on the number of employees working concurrently (more for regional organizations than global/WW for example). An organization that has many employees/users accessing web resources concurrently would drive up DNS and flow significantly. Universities are a classic example of that scenario.
    Feel free to message me directly if you'd like assistance with this specific client.

    ------------------------------
    Sterling Jones
    ------------------------------



  • 6.  RE: QRadar SIEM sizing estimate

    Posted Wed July 24, 2019 09:40 AM
    Though I agree with Sterling I would take out the word "employee" and add looking at function. I once did a deployment in a company that had very few employees but blew the EPS calculations out of the water. Turned out it was an online dating site. I still think looking at concurrent connections is a good idea but have to consider where they are coming from.

    ------------------------------
    Ray Meanrd
    Sr. Security Architect
    IBM
    -
    ------------------------------



  • 7.  RE: QRadar SIEM sizing estimate

    Posted Wed July 24, 2019 09:08 PM
    Hi Ray,
    Thanks for your response.
    I'm learning that pinning down reasonably accurate EPS/FPM figures (even +-20%) is difficult and dependent on a number of factors which are not always apparent at the early stages of scoping a QRadar environment.
    Are there no tools, from IBM or elsewhere, that can be used in the scoping stages to measure vital network stats to support the regular IBM sizing spreadsheet?

    ------------------------------
    Geoff Bosman

    ------------------------------



  • 8.  RE: QRadar SIEM sizing estimate

    Posted Thu July 25, 2019 08:42 AM
    Hi Geoff,
    It has always been a little more art than science for sure as there are so many variables. 2 organizations with the exact same firewall, roughly the same number of employees, can vary drastically because of a different logging level. One might log accepts, the other deny. That said, with some exceptions, the sizing spreadsheet we used has not generally been all that far off. I would however be interested in finding out how invested in the cloud the network you are working with is. I suspect we need to start gathering data for yet another variable that was not taken into account with the current sizing calculator. I am speculating some here but expect the more an organization is bought into the cloud the higher their EPS/FPM rates are going to be. Just a theory at this point but something we probably need to look into and adjust accordingly.



    ------------------------------
    Ray Meanrd
    ------------------------------



  • 9.  RE: QRadar SIEM sizing estimate

    Posted Mon July 22, 2019 11:32 PM
    Hi Ikhtear,
    Thanks for your input.
    I'm learning that the standard factor is an estimate and that it can vary dramatically in a real world deployment, but wasn't expecting such a large diversion from the standard. 
    I'll see if there is a way to adjust the settings to hopefully trim back the EPS count experienced.
    The FPM experienced is also unexpectedly high for the environment so there may be a correlation and/or other reasons why the figures experienced are much higher than expected.
    Any extra input on the case would be appreciated.

    ------------------------------
    Geoff Bosman
    ------------------------------