ESM 7 Distributed Correlation - Paul MacGyver Carman, Global Technical Security Sales Engineer - PowerPoint PPT Presentation



SLIDE 1

ESM 7 Distributed Correlation

Paul MacGyver Carman, Global Technical Security Sales Engineer

#MicroFocusCyberSummit

SLIDE 2

Confidential information

This is a rolling (up to three year) Roadmap and is subject to change without notice.

Confidential information. This Roadmap contains Confidential Information of Micro Focus and/or its affiliates (“Micro Focus”), and is subject to change without notice. If you have a valid Confidential Disclosure Agreement (“CDA”) with a Micro Focus entity, use of the Roadmap is subject to that CDA and allowed solely for the purpose of evaluating purchase decisions from Micro Focus. If not, it is subject to the following terms. For 3 years after disclosure, You may use the Roadmap solely for the purpose of evaluating purchase decisions from Micro Focus. You must use a reasonable standard of care to prevent disclosure. You will not disclose the contents of the Roadmap to any third party without Micro Focus’ prior written approval unless it first becomes publicly known or is rightfully received by you from a third party without duty of confidentiality.

SLIDE 3

Agenda

  • Why Distributed Correlation?
  • Distributed Correlation Architecture
    • Components and Relationship
    • What gets processed where?
  • Deployment and Sizing Examples
    • Tips and Requirements
  • Monitoring the ESM Cluster
  • Next Steps

SLIDE 4

Why distributed correlation?

  • Massively scales up to 100,000 correlated events per second per cluster
  • Easily add nodes to scale out
  • No more multi-tier configurations needed to scale out
  • No more forwarding connectors required between layers
  • Write more content, support heavier content

Split the data stream to parallel processes across multiple nodes in a cluster: clustered correlation, with centralized alerts and content building.

HPE Confidential, under NDA use only

SLIDE 5

Architecture

SLIDES 6 to 11

The ESM 7 Distributed Correlation Architecture

[Architecture diagram, built up one component per slide. Fixed elements: Connectors / EB (event intake), ACC Console (UI interaction), CORRE DB. Legend: Data Exchange; Event Intake and Persistence; Repo Information Exchange.]

Components introduced, in order:

  • Slide 6: Persistor (isolate persistence)
  • Slide 7: Correlators (filter evaluation)
  • Slide 8: Aggregators (grouping)
  • Slide 9: Message Bus (events, data)
  • Slide 10: Distributed Cache (lists, resources)
  • Slide 11: Repository (global settings)

SLIDE 12

Event Flow … In a Nutshell

[Flow diagram: Connectors, EB, ESM, ... -> Persistor (events persisted and enriched) -> Correlators -> Aggregators. Arrow labels: Correlation, Audit; Rule / Data Monitor Audit; Audit.]

Where correlation happens:

  • Persistor: pre-persistence rules
  • Correlators: light-weight rules
  • Aggregators: standard rules, data monitors

SLIDE 13

Deployment and Sizing

SLIDE 14

Sample 3 Node Configuration

  • ESM Node 1: Persistor (includes DCache), Mbus_control, Repo
  • ESM Node 2: Correlator, Aggregator, Mbus_control, Mbus_data, Repo
  • ESM Node 3: Correlator, Aggregator, Mbus_control, Mbus_data, Repo

Notes:

  • Persistor deployed to a single node
  • Number of correlator, aggregator, mbus, distributed cache and repository services can be adjusted as needed across nodes
  • Actual layout of services may be changed based on capacity requirements
  • 2 Correlators are recommended if the number of cores is 24 or greater, and the network is 10 Gbit or greater.
SLIDE 15

Sample 4 Node Configuration - PREFERRED

  • ESM Node 1: Persistor (includes DCache), Repo
  • ESM Nodes 2 to 4 (one service group per node, as drawn):
    • Correlator, Aggregator, DCache, Mbus_data, Mbus_control
    • Correlator, Correlator, Repo, Mbus_data, Mbus_control
    • Aggregator, Aggregator, DCache, Mbus_data, Mbus_control, Repo

Notes:

  • Message Bus control deployed to three nodes because an odd number of control instances is required
  • Persistor deployed to a single node
  • Number of correlator, aggregator, distributed cache and repository services can be adjusted as needed across nodes
  • Actual layout of services may be changed based on capacity requirements
  • 1 Correlator and 2 Aggregators are recommended if the number of cores is 32 or greater
SLIDE 16

Sample 5 Node Configuration

  • ESM Node 1: Persistor (includes DCache), Repo
  • ESM Node 2: Correlator, Correlator, Aggregator, DCache, Mbus_control, Mbus_data
  • ESM Node 3: Correlator, Correlator, Aggregator, Repo, Mbus_control, Mbus_data
  • ESM Node 4: Correlator, Correlator, Aggregator, DCache, Mbus_control, Mbus_data, Repo
  • ESM Node 5: Correlator, Correlator, Aggregator, DCache, Mbus_data

Notes:

  • Message Bus control deployed to three nodes because an odd number of control instances is required
  • Persistor deployed to a single node
  • Number of correlator, aggregator, distributed cache and repository services can be adjusted as needed across nodes
  • Actual layout of services may be changed based on capacity requirements
SLIDE 17

Deployment Tips

  • Isolate the persistor as much as possible
  • Do not put mbus data on the persistor node
  • 3 or 5 mbus data nodes is best for redundancy
  • Correlators and Aggregators make a good pair for a node, usually 2C:1A
  • Persistor includes an embedded DCache
  • Aggregators and Mbus_Data are very memory intensive – no more than 3 total on a node
  • Multiple Repos for redundancy is a good idea
  • Cluster supports one persistor instance
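The sample layouts (slides 14 to 16) and the deployment tips above are stated as rules of thumb; the following added script (not part of the deck or of the ESM product) turns them into a layout check. The node-to-services dictionary format and the lowercase service names are assumptions of this script, not ESM configuration syntax.

```python
# Added example (not from the deck): checks a proposed ESM 7 distributed
# correlation service layout against the deployment tips and node-count
# rules stated on the slides. Service names and the node->services dict
# format are assumptions of this script, not ESM configuration syntax.
from collections import Counter


def check_layout(layout):
    """layout: {node_name: [service, ...]}. Returns (errors, warnings)."""
    errors, warnings = [], []
    total = Counter(s for svcs in layout.values() for s in svcs)
    # Cluster supports one persistor instance (slide 17)
    if total["persistor"] != 1:
        errors.append(f"cluster needs exactly 1 persistor, found {total['persistor']}")
    # Message bus control must be deployed in an odd number (slides 15 and 16)
    if total["mbus_control"] % 2 == 0:
        errors.append(f"mbus_control count must be odd, found {total['mbus_control']}")
    # 3 or 5 mbus_data nodes is best for redundancy (slide 17)
    if total["mbus_data"] not in (3, 5):
        warnings.append(f"{total['mbus_data']} mbus_data nodes; 3 or 5 is best for redundancy")
    # Multiple repos for redundancy (slide 17)
    if total["repo"] < 2:
        warnings.append("only one repo; multiple repos recommended for redundancy")
    for node, svcs in layout.items():
        c = Counter(svcs)
        # Do not put mbus_data on the persistor node (slide 17)
        if c["persistor"] and c["mbus_data"]:
            errors.append(f"{node}: mbus_data must not share a node with the persistor")
        # Persistor already embeds a DCache (slide 17)
        if c["persistor"] and c["dcache"]:
            warnings.append(f"{node}: persistor includes an embedded dcache already")
        # Aggregators and mbus_data are memory intensive: at most 3 total per node
        heavy = c["aggregator"] + c["mbus_data"]
        if heavy > 3:
            errors.append(f"{node}: {heavy} aggregator+mbus_data services, maximum is 3")
        # Usual pairing on a node is 2 correlators per aggregator (slide 17)
        if c["aggregator"] and c["correlator"] != 2 * c["aggregator"]:
            warnings.append(f"{node}: {c['correlator']}C:{c['aggregator']}A, usual pairing is 2C:1A")
    return errors, warnings


# Constructed input: the slide 16 "Sample 5 Node Configuration".
FIVE_NODE = {
    "node1": ["persistor", "repo"],
    "node2": ["correlator", "correlator", "aggregator", "dcache", "mbus_control", "mbus_data"],
    "node3": ["correlator", "correlator", "aggregator", "repo", "mbus_control", "mbus_data"],
    "node4": ["correlator", "correlator", "aggregator", "dcache", "mbus_control", "mbus_data", "repo"],
    "node5": ["correlator", "correlator", "aggregator", "dcache", "mbus_data"],
}
```

Running `check_layout(FIVE_NODE)` yields no errors and one warning: the sample uses four mbus_data nodes rather than the recommended three or five.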

SLIDE 18

Cluster Requirements

  • No need for hardware homogeneity
  • Must be same network protocol
  • No direct connection required
  • Must be in the same data center
  • Same time zone for all nodes
  • Same OS and same OS version

SLIDE 19

7.0 Cluster Monitoring Features

SLIDE 20

Monitoring the ESM 7 cluster

  • Dashboard in ACC to monitor the cluster
  • “Check engine light” in the console
  • Manage connectivity to MB (message bus) and DC (distributed cache)
  • Manage lags for correlators and aggregators
  • Manage.jsp is updated

SLIDE 21

Next Steps

SLIDE 22

Next Steps

Download ESM 7

  • Available to all customers under maintenance
  • Can be deployed in Compact and Distributed Modes

Download and Review the Documentation

  • Available from Protect 724

Review your Requirements with SE and/or PS

  • Find out if distributed correlation is right for you

SLIDE 23

Thank You.

#MicroFocusCyberSummit

SLIDE 24

#MicroFocusCyberSummit