Expand all | Collapse all

Q&A about MSSP model and design

  • 1.  Q&A about MSSP model and design

    Posted Wed August 14, 2019 12:02 AM
    I'm going to implement a SOC in MSSP model to provide service for customer. 

    - Multi-tenant and HA are needed 
    - collect event from customer (10 customer - total is about 3000EPS)
    - Virtual appliance prefers 

    1. I will deploy two of virtual console as primary and standby on VMware ESXi in Datacenter. VEEAM backup is exist. HA license is needed? such as JSA-TMFPHA. Is there any concerns If I use virtual appliance instead hardware appliance for doing HA?

    2. I have no idea about event processor. Shoud it be at customer site? or we can provide a centralized event proccessor. Can we expand when number of EPS increase? Shoud I design a primary and standby for redundancy same as console?

    If anything are useful, Please recommend me.
    Thank you 

    MAC Strater

  • 2.  RE: Q&A about MSSP model and design

    Posted Thu August 15, 2019 03:26 AM
    "All in One" option can scale up depending on the resources assigned to it - so, it is possible it supports over 3000 EPS. Bear in mind that the EPS rate and performance does not only depend on CPU and RAM but very much on the performance of underlying storage. In addition, when sizing storage space, you should also consider the retention required.
    Backup of the virtual machine is fine, but you should probably consider another storage mount for the backup of config and data (for offline retention).
    QRadar can be implemented in HA mode - either using shared storage or DRBD - the latter is also possible for virtual machines. You can also opt to use native recovery options provided by VMware - such as HA restart on alternative host (but choice depends if you can afford that downtime).
    If you go with distributed deployment, you would need to use event processors and dedicated console instances. Event processor should be kept close to the console to maintain proper performance. On customer's side you may use e.g. the DLC or event collector instances.

    Dusan VIDOVIC

  • 3.  RE: Q&A about MSSP model and design

    Posted Thu August 15, 2019 12:33 PM
    HI @MAC Strater

    on question 1. If you are using VEEAM backup you should not require a HA license.  You will not get a seemless cut over like if you are using a proper HA setup but if a little downtime is not a worry for you while you reconfigure the failover box then this solution will be fine. 
    I'm following up here to make sure this is correct.

    As for your question 2:

    You should only deploy event collectors at the customer site. The event processor should be located in a location as close as possible to your console. This will help with search speeds across the deployment. As your Event processor will store data and you are planning on deploying your console in HA, I would recommend doing the same for your EP.
    Yes you can expend easily then by adding data nodes to your EP which will give you extra CPU/Memory and storage if you decide to bring on extra customers and also you can bring on another EP if load is too much also. Hope this helps?


  • 4.  RE: Q&A about MSSP model and design

    Posted Fri September 06, 2019 01:08 PM
    I would also add that at present, the QRadar app framework is not multi-tenant capable - so apps like UBA, etc won't work in a multitenant deployment.  This will be addressed in coming months but just be aware as you get started.  (Interestingly enough, because the dashboards are tied to user authentication they end up filtering out only the data that user can see so they present as tenant-specific).

    Where are you located?  There are IBM technical and services resources available to help our emerging MSSPs with SOC design, service definition, etc.