The core is an essential component and can be installed as a single instance or as a cluster to provide a higher level of resilience.<\/p>\n
Event collection subsystem.<\/strong> As the name suggests, this subsystem collects data from various sources and converts it into a unified format through parsing and normalization. To calculate the required capacity of this subsystem, one must consider both the event flow intensity and the log format in which events arrive from sources.<\/p>\n The server load depends on how the subsystem processes logs. For example, even for structured logs (Key Value, CSV, JSON, XML), you can use either regular expressions (requiring significantly more powerful hardware) or the vendor\u2019s built-in parsers.<\/p>\n Correlation subsystem.<\/strong> This subsystem analyzes data collected from logs, identifies sequences described in correlation rule logic, and, if necessary, generates alerts, determines their threat levels, and minimizes false positives. It\u2019s important to remember that the correlator\u2019s load is also determined not only by the event flow but by the number of correlation rules and the methods used to describe detection logic as well.<\/p>\n Storage subsystem.<\/strong> An SIEM system must not only analyze but also store data for internal investigations, analytics, visualization and reporting, and in certain industries \u2014 for regulatory compliance and retrospective alert analysis. Thus, another critical question at the SIEM system design stage is how long you want to store collected logs. From an analyst\u2019s perspective, the longer the data is stored, the better. However, a longer log retention period increases hardware requirements. A mature SIEM system provides the ability to strike a balance by setting different retention periods for different log types. For example, 30\u00a0days for NetFlow logs, 60\u00a0days for Windows informational events, 180\u00a0days for Windows authentication events, and so on. This allows data to be optimally allocated across available server resources.<\/p>\n It\u2019s also important to understand what volume of data will be stored using hot storage (allowing quick access) and cold storage (suitable for long-term retention). The storage subsystem must offer high performance, scalability, cross-storage search capabilities (both hot and cold), and data viewing options. Additionally, the ability to back up stored data is essential.\n<\/p>\n \nSo, we\u2019ve laid out the ideal requirements for an SIEM system. It probably won\u2019t surprise you that our Kaspersky Unified Monitoring and Analysis Platform meets these requirements. With its built-in capability to scale for data flows reaching hundreds of thousands of EPS within a single instance, our SIEM system isn\u2019t afraid of high loads. Importantly, it doesn\u2019t need to be split into multiple instances with correlation results reconciled afterwards\u00a0\u2014 unlike many alternative systems.<\/p>\n The event collection subsystem of the Kaspersky Unified Monitoring and Analysis Platform system is equipped with a rich set of parsers<\/a> optimized for processing logs in each format. Additionally, the multi-threading capabilities of Go mean the event flow can be processed using all available server resources.<\/p>\n The data storage subsystem used in our SIEM system consists of servers that store data, and servers with the clickhouse-keeper role, which manage the cluster (these servers don\u2019t store data themselves but facilitate coordination among instances). For data flows of 20\u00a0000 EPS with a relatively low number of search queries, these services can operate on the same servers that store the data. For higher data flows, it\u2019s recommended to separate these services. For instance, they can be deployed on virtual machines (a minimum of one is required, though three are recommended).<\/p>\n The Kaspersky Unified Monitoring and Analysis SIEM storage system is flexible \u2014 allowing event flows to be distributed across multiple spaces, and specifying the storage depth for each space. For example, inexpensive disks can be used to create cold storage (where searches are still possible, just slower). This cold storage can house data that is unlikely to require analysis but must be stored due to regulatory requirements. Such information can be moved to cold storage literally the day after it\u2019s collected.<\/p>\n Thus, the data storage approach implemented in our SIEM system enables long-term data retention without exceeding the budget on expensive equipment, thanks to hot and cold storage capabilities.\n<\/p>\n \nThe Kaspersky Unified Monitoring and Analysis Platform supports multiple deployment options, so it\u2019s important first to determine your organization\u2019s architecture needs. This can be done based on the estimated EPS flow, and the particularities of your company. For simplicity, let\u2019s assume the required data retention period is 30\u00a0days.\n<\/p>\n \nFor a small organization, the SIEM system can be deployed on a single server. For example, our SIEM system supports the All-in-One installation option. In this case, the required server configuration is 16\u00a0CPUs, 32GB of RAM, and a 2.5TB of disk space.\n<\/p>\n \nFor larger organizations, separate servers are needed for each SIEM component. Dedicating a server exclusively for storage ensures that search queries don\u2019t affect the processing of events by the collector and correlator. However, the collector and correlator services can still be deployed together (or separately, if desired). An approximate equipment configuration for this scenario is as follows:\n<\/p>\n \nFor large enterprises, additional factors must be considered when defining the architecture. These include ensuring resilience (as the substantial data-flow increases the risk of failure) and the presence of company divisions (branches). In such cases, more servers may be required to install the SIEM system, as it\u2019s preferable to distribute collector and correlator services across different servers for such high EPS flows.\n<\/p>\n \nAs EPS flows grow and the infrastructure divides into separate independent units, the amount of equipment required increases accordingly. Additional servers will be needed for collectors, storage, correlators, and keepers. Moreover, in large organizations, data availability requirements may take precedence. In this case, the Kaspersky Unified Monitoring and Analysis Platform storage cluster divides all collected events into shards. Each shard consists of one or more data replicas. And each shard replica is a cluster node, meaning a separate server. To ensure resilience and performance, we recommend deploying the cluster with two replicas per shard. For processing such large EPS volumes, three collector servers may be required, installed in the offices with the highest event flows.\n<\/p>\n \nIn large enterprises, the cost of implementing an SIEM system increases not only with the volume of data, but also depending on the usage profile. For example, in some cases (such as MSP and MSSP environments, as well as large holding companies with multiple subsidiaries or branches), multi-tenancy is required. This means the company needs to maintain multiple \u201cmini-SIEMs\u201d, which operate independently. Our solution enables this through a single installation at the head office, without the need to install separate systems in\/at each branch\/tenant. This significantly reduces equipment costs.<\/p>\nArchitectural features of Kaspersky SIEM<\/h2>\n
SIEM architecture deployment using our SIEM as an example<\/h2>\n
Data flow: 5000\u201310\u00a0000 EPS<\/h3>\n
Data flow: 30\u00a0000 EPS<\/h3>\n
\n
Data flow: 50\u00a0000\u2013200\u00a0000 EPS<\/h3>\n
Data flow: 200\u00a0000 EPS<\/h3>\n
Kaspersky SIEM in holding companies<\/h2>\n
![\"SIEM](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2024\/12\/21001209\/SIEM-hardware-1.png\")
<\/a><\/p>\n![\"SIEM](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2024\/12\/21001226\/SIEM-hardware-2.png\")
<\/a><\/p>\n