Many competing log management and SIEM tools on the market today use some variation of the Events Per Second (EPS) metric to determine the licensing, sizing and storage requirements of a scalable solution.
Contents
- Planning a SIEM based on EPS
- Sizing a SIEM based on EPS
- Servers / Desktops
- Network infrastructure
- Security infrastructure
- Applications
Unfortunately, none of the devices to be monitored comes with a specification of the volume of logging it will generate per second (or per day). Moreover, many devices of the same type from the same vendor will generate a different amount of logs each day, and determining the total volume that all of an enterprise's devices will generate daily is more art than science.
Determining EPS is not a problem for existing customers of log management or SIEM systems who want to migrate to a new solution, since they can generate reports from the old log management/SIEM tool and provide a breakdown by device type and the daily volume generated by each device category. Those requesting a proposal for a brand-new solution, however, face the following tasks in correctly designing a log management or SIEM solution:
- A complete inventory of all assets that are to be monitored
- Determining the average, sustained event rate, expressed as an EPS metric
- Understanding how logging levels affect the volume of logs generated
- Retention periods, storage options, use cases, regulatory requirements, etc.
Fortunately, once you have determined the number of devices and the average EPS generated by each of the device categories you need to monitor, simple arithmetic yields the licensing, storage, system performance and archiving requirements.
Without knowing the log volumes generated by the devices unique to each environment, we need a scheme for estimating EPS per device class and must use it as the starting point for calculating daily storage (EPS * Event size * 86400 / Compression ratio).
Sizing a SIEM based on EPS
Servers / Desktops
Device type | Average EPS per device
---|---
Windows servers - high EPS (~50 eps) | 50.0
Windows servers - medium EPS (~3 eps) | 3.0
Windows servers - low EPS (~1 eps) | 1.0
Windows workstations | 1.0
Windows AD servers | 10.0
Linux servers | 1.0
HP-UX Unix servers | 2.0
IBM AIX Unix servers | 2.0
Sun Solaris Unix servers | 2.0
Network infrastructure
Device type | Average EPS per device
---|---
Network routers | 1.0
Network switches | 2.0
Network switches (NetFlow) | 30.0
Network wireless LANs | 5.0
Network load balancers | 5.0
WAN accelerators | 14.0
Other network devices | 10.0
Security infrastructure
Device type | Average EPS per device
---|---
Network firewalls (Check Point - internal) | 10.0
Network firewalls (Cisco - internal) | 10.0
Network firewalls (Check Point - DMZ) | 50.0
Network firewalls (Cisco - DMZ) | 30.0
Network IPS/IDS | 15.0
Network VPN | 2.0
Network anti-spam | 10.0
Network web proxy | 15.0
Other security devices | 10.0
Applications
Device counts are assumed in line with the figures above.
Device type | Average EPS per device
---|---
Web servers (IIS, Apache, Tomcat) | 1.0
Databases (MSSQL, Oracle, Sybase - number of instances) | 1.0
E-mail servers (Exchange, Sendmail, etc.) | 2.0
Antivirus server (specify the number of AV clients) | 5.0
Other applications (e-mail, DB, antivirus, etc.) | 5.0
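The sizing arithmetic described above, as an added example that is not part of the original article: it sums the per-category EPS figures from the tables over a device inventory, applies the daily-storage formula (EPS * event size * 86400 / compression ratio) and converts the result into a retention-period requirement. The inventory, the 500-byte average event and the 10:1 compression ratio are constructed assumptions, not figures from the article.

```python
# Added example, not code from the original article: size a SIEM from a
# device inventory with the average-EPS figures in the tables above, using
# the article's formula daily_bytes = EPS * event_size * 86400 / compression.
# The inventory, 500-byte average event and 10:1 compression ratio are
# constructed assumptions; GB here means 1e9 bytes.
SECONDS_PER_DAY = 86400

# Average sustained EPS per device, copied from the tables above.
AVG_EPS = {
    "windows_server_high": 50.0, "windows_server_medium": 3.0,
    "windows_server_low": 1.0, "windows_workstation": 1.0,
    "windows_ad_server": 10.0, "linux_server": 1.0, "network_router": 1.0,
    "network_switch": 2.0, "network_switch_netflow": 30.0,
    "firewall_cisco_internal": 10.0, "firewall_checkpoint_dmz": 50.0,
    "ips_ids": 15.0, "web_proxy": 15.0, "web_server": 1.0,
}

def total_eps(inventory):
    """Sum count * average EPS over the inventory; refuse unknown categories."""
    unknown = sorted(set(inventory) - set(AVG_EPS))
    if unknown:
        raise KeyError(f"no EPS figure for {unknown}")
    return sum(count * AVG_EPS[kind] for kind, count in inventory.items())

def size_siem(inventory, avg_event_bytes=500, compression_ratio=10.0,
              retention_days=90):
    """Return total EPS, raw GB/day, stored GB/day and GB for the retention period."""
    eps = total_eps(inventory)
    raw = eps * avg_event_bytes * SECONDS_PER_DAY
    stored = raw / compression_ratio
    return {"eps": eps, "raw_gb_day": raw / 1e9, "stored_gb_day": stored / 1e9,
            "retention_gb": stored * retention_days / 1e9}

def retention_days(capacity_gb, stored_gb_per_day):
    """Days of compressed log history a given disk capacity can hold."""
    return capacity_gb / stored_gb_per_day

# Constructed inventory for a small environment.
INVENTORY = {
    "windows_server_medium": 40, "windows_ad_server": 2,
    "windows_workstation": 300, "linux_server": 25, "network_switch": 30,
    "firewall_cisco_internal": 2, "ips_ids": 1, "web_proxy": 1,
}

if __name__ == "__main__":
    s = size_siem(INVENTORY)
    print(f"{s['eps']:.0f} EPS, {s['raw_gb_day']:.2f} GB/day raw, "
          f"{s['stored_gb_day']:.3f} GB/day stored, {s['retention_gb']:.2f} GB for 90 days")
```

Swap in your own inventory and the event size measured on your own devices; the article's point is that the table values are only a starting point until real volumes are known.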
Personal Information
Data Sources (Calculated Estimated EPS: 0)
Data Source Type * | Additional Information | Quantity * | Total DS Types | Calculated
---|---|---|---|---
Additional Questions
- What are your data retention requirements?
- How many collection locations will you have?
- For raw log storage, do you prefer ISA storage or your own storage? (Not applicable to ISA's hosted SIEM/SaaS customers)
- What kind of annual event growth do you expect over the next 2-3 years?
Customer Variables
- Custom EPS
- Daily Event Distribution
- Average Event Size
- Events less Index
- Event / Flow Mix %
- Flows
- Estimated Bandwidth Consumption
The ISA Cybersecurity Inc. SIEM EPS Estimator is designed to assist in determining the events per second (EPS) of a given customer's environment depending on the types of devices involved, the number of these devices and characteristics describing the customer's business environment. We strive for accuracy, but there is room for interpretation and an ISA SE or ETS should assist in completing this spreadsheet. Results from this tool are for planning ONLY; your actual requirements may vary. ISA disclaims all liability from the uses of this tool. This tool is confidential and proprietary information of ISA Cybersecurity Inc. and may not be distributed to third parties without the prior written consent of ISA Cybersecurity Inc.
Fill in the number of devices for each of the sections below and this calculator will automatically calculate the EPS (Events Per Second) and storage requirements.
Note: We do not store or track any of this data on our server, this is all stored on your local browser cache.
Per-device inputs (each section takes a device count and a utilization level in hours of High, Medium or Low, and reports EPS and GB/Day):
- Network Firewalls (Layer 7 Internal)
- Network Firewalls (Layer 7 — DMZ)
- Network Firewalls (Internal)
- Network Firewalls (DMZ)
- Windows Servers — HIGH EPS (Event Log)
- Windows Servers — MED EPS (Event Log)
- Windows Servers — LOW EPS (Event Log)
- Network Switches
- Other Network Devices
- Windows Clients (PCs / Tablets / POS)
- Linux Servers
- Network Routers
- Network Flows (NetFlow/S-Flow)
- Network Wireless LAN
- Network Load-Balancers
- Other Security Devices
- Network IPS/IDS
- Network VPN / SSL VPN
- Network Web Proxy
- HyperVisor (ESXi, Hyper-V etc)
Direct Connect sources (counted by users, except Azure Defender for IoT, which is counted by devices; EPS and GB/Day are NA because ingestion is free and unlimited):
- Azure Activity Logs
- Azure AD Identity Protection
- Office 365
- Azure Defender
- Azure Defender for IoT
- Microsoft 365 Defender
- Microsoft Defender for Endpoint
- Microsoft Defender for Identity
- Microsoft Cloud App Security
Some of the data connectors, such as Microsoft 365 Defender and MCAS, include both free and paid data types.
Totals reported by the calculator: Total Devices, Total EPS, Total GB/Day and Estimated Bandwidth, with storage projected for Weekly, Monthly, 90 Days, 180 Days and Yearly retention.
By viewing and utilizing the Azure Sentinel Sizing Calculator, you acknowledge that you have read, understood and agreed to this Disclaimer.
Last Updated: 03 Feb 2022
Often when I engage with a prospect their first question is “How many events per second (EPS) can EventTracker handle?” People tend to confuse EPS with scalability so by simply giving back an enormous-enough number (usually larger than the previous vendor they spoke with) it convinces them your product is, indeed, scalable. The fact is scalability and Events per Second (EPS) are not the same and many vendors get away from the real scalability issue by intentionally using the two interchangeably. A high EPS rating does not guarantee a scalable solution. If the only measure of scalability available is an EPS rating, you as a prospect should be asking yourself a simple question. What is the vendor definition of EPS? You will generally find that the answer is different with each vendor.
- Is it number of events scanned/second?
- Is it number of events received/second?
- Is it number of events processed/second?
- Is it number of events inserted in the event store/second?
- Is it a real time count or a batch transfer count?
- What is the size of these events? Is it some small non-representative size, for instance, 100 bytes per event, or is it a real event like a Windows event, which may vary from 1,000 to 6,000 bytes?
- Are you receiving these events in UDP mode or TCP mode?
- Are they measuring running correlation rules against the event stream? How many rules are being run?
- And let’s not even talk about how fast the reporting function runs, EPS does not measure that at all.
At the end of the day, an EPS measure is generally a measure of a small, non-typical normalized event received. Nothing measured about actually doing something useful with the event, and indeed, pretty much useless.
With the lack of definition of what an event actually is, EPS is also a terrible comparative measure. You cannot assume that one vendor claiming 12,000 EPS is faster than another claiming 10,000 EPS as they are often measuring very different things. A good analogy would be if you asked someone how far away an object was, and they replied 100. For all the usefulness of the EPS measure the unit could be inches or miles.
EPS is even worse for ascertaining true solution capability. Some vendors market appliances that promise 2,000 EPS and 150 GB disk space for log storage. They also promise to archive security events for multiple years to meet compliance. For the sake of argument let’s assume the system is receiving, processing and storing 1000 Windows events/sec with an average 1K event size (a common size for a Windows event). In 24 hours you will receive 86 million events. Compressed at 90% this consumes 8.6GB or almost 7% of your storage in a single day. Even with heavy compression it can handle only a few weeks of data with this kind of load. Think of buying a car with an engine that can race to 200 MPH and a set of tires and suspension that cannot go faster than 75 MPH. The car can’t go 200, the engine can, but the car can’t. A SIEM solution is the car in this example, not the engine. Having the engine does not do you any good at all.
So when asked about EPS, I sigh, and say it depends, and try to explain all this. Sometimes it sinks in, sometimes not. All in all don’t pay a lot of attention to EPS – it is largely an empty measure until the unit of measure is standardized, and even then it will only be a small part of overall system capability.
–Steve Lafferty