QRadar


Q&A about MSSP model and design

  • 1.  Q&A about MSSP model and design

    Posted 9 days ago
    I'm going to implement a SOC in an MSSP model to provide a service for customers. 

    Requirements 
    - Multi-tenancy and HA are needed 
    - Collect events from customers (10 customers, total about 3000 EPS)
    - Virtual appliances preferred 

    Design 
    1. I will deploy two virtual consoles as primary and standby on VMware ESXi in the datacenter. VEEAM backup exists. Is an HA license needed, such as JSA-TMFPHA? Are there any concerns if I use a virtual appliance instead of a hardware appliance for HA?

    2. I have no idea about the event processor. Should it be at the customer site, or can we provide a centralized event processor? Can we expand when the number of EPS increases? Should I design a primary and standby for redundancy, the same as for the console?

    If anything is useful, please recommend it to me.
    Thank you 


    ------------------------------
    MAC Strater
    ------------------------------


  • 2.  RE: Q&A about MSSP model and design

    Posted 8 days ago
    The "All in One" option can scale up depending on the resources assigned to it, so it is possible it supports over 3000 EPS. Bear in mind that the EPS rate and performance do not only depend on CPU and RAM but very much on the performance of the underlying storage. In addition, when sizing storage space, you should also consider the retention required.
    Backup of the virtual machine is fine, but you should probably consider another storage mount for the backup of config and data (for offline retention).
    QRadar can be implemented in HA mode, either using shared storage or DRBD; the latter is also possible for virtual machines. You can also opt to use the native recovery options provided by VMware, such as HA restart on an alternative host (but the choice depends on whether you can afford that downtime).
    If you go with a distributed deployment, you would need to use event processors and dedicated console instances. The event processor should be kept close to the console to maintain proper performance. On the customer's side you may use e.g. the DLC or event collector instances.

    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 3.  RE: Q&A about MSSP model and design

    Posted 7 days ago
    Hi @MAC Strater

    On question 1: if you are using VEEAM backup you should not require an HA license. You will not get a seamless cut-over like you would with a proper HA setup, but if a little downtime is not a worry for you while you reconfigure the failover box, then this solution will be fine. 
    I'm following up here to make sure this is correct.

    As for your question 2:

    You should only deploy event collectors at the customer site. The event processor should be located as close as possible to your console. This will help with search speeds across the deployment. As your event processor will store data and you are planning on deploying your console in HA, I would recommend doing the same for your EP.
    Yes, you can expand easily then by adding data nodes to your EP, which will give you extra CPU/memory and storage if you decide to bring on extra customers, and you can also bring on another EP if the load is too much. Hope this helps?

    ------------------------------
    SHANE LUNDY
    ------------------------------
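The placement and capacity rules given in replies 2 and 3 (collectors at customer sites, processors next to the console, EP HA to match console HA, data nodes or extra EPs when load grows) can be encoded as a small topology checker. This is an added example, not code from the thread or from IBM; the per-EP and per-data-node EPS capacities are constructed placeholders, not licensed QRadar figures, and the sample topology is the 10-customer, 3000 EPS case from the question.

```python
import math
from dataclasses import dataclass, field

# Assumed capacities for the example only; size from your own licence and storage benchmarks.
EP_BASE_EPS = 2500
DATA_NODE_EPS = 1000
MSSP_SITE = "dc"  # the MSSP datacenter where the console lives


@dataclass
class Node:
    name: str
    kind: str            # "console", "ep" (event processor) or "ec" (event collector)
    site: str            # MSSP_SITE or a customer site name
    ha: bool = False
    eps: int = 0         # offered EPS, used for collectors
    data_nodes: int = 0  # data nodes attached, used for processors
    feeds: list = field(default_factory=list)  # collector names feeding a processor


def ep_capacity(ep):
    return EP_BASE_EPS + ep.data_nodes * DATA_NODE_EPS


def check_topology(nodes):
    """Return design findings; an empty list means the topology follows the thread's advice."""
    by_name = {n.name: n for n in nodes}
    console_ha = any(n.ha for n in nodes if n.kind == "console")
    findings = []
    if not console_ha:
        findings.append("console: no HA pair configured")
    for ep in (n for n in nodes if n.kind == "ep"):
        if ep.site != MSSP_SITE:
            findings.append(f"{ep.name}: event processor at customer site {ep.site}; keep it next to the console")
        if console_ha and not ep.ha:
            findings.append(f"{ep.name}: console is HA but this processor stores data without HA")
        load = sum(by_name[c].eps for c in ep.feeds)
        cap = ep_capacity(ep)
        if load > cap:
            extra = math.ceil((load - cap) / DATA_NODE_EPS)
            findings.append(f"{ep.name}: {load} EPS exceeds {cap} EPS; add {extra} data node(s) or another EP")
    return findings


def example_topology():
    """Constructed sample: HA console, one non-HA EP, ten customer collectors at 300 EPS each."""
    collectors = [Node(f"ec-cust{i}", "ec", f"customer{i}", eps=300) for i in range(1, 11)]
    console = Node("console", "console", MSSP_SITE, ha=True)
    ep = Node("ep-1", "ep", MSSP_SITE, ha=False, feeds=[c.name for c in collectors])
    return [console, ep] + collectors


if __name__ == "__main__":
    for finding in check_topology(example_topology()):
        print(finding)
```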