Most SIEM environments rely on a plethora of different servers, storage arrays, hypervisors and network interconnects to support their rapidly growing SOC environments. Likewise, most SIEMs share the same concerns about performance, cost and the time required to provision and manage storage growth. The primary problem is that the entire infrastructure the SIEM relies on is not integrated or even truly virtualized under a single unified architecture. As a result, administrators are stuck in a never-ending battle of upgrading and adding more traditional technology for the same problems, and security analysts are constantly waiting for searches to complete until more resources are made available. The definition of “crazy” comes to mind.
The solution? A hyperconverged infrastructure! You should consider and investigate all players in the HCI marketplace, but this article will focus on the proven leader, Nutanix. The Nutanix HCI for Enterprise Cloud can provide SIEM security analysts with many times faster search results, and administrators with a more scalable and economical infrastructure to grow a SIEM with minimal capital expense. All SIEM deployments have three key bottlenecks to monitor constantly, because they affect event log ingestion, searching and retention. This article explains the advantages of using Nutanix HCI Enterprise Cloud for Splunk, and addresses the common performance and cost issues that affect all SIEMs.
Nutanix virtualizes all aspects of the hardware, delivering the most efficient use of all system resources, which other VM solutions cannot provide for Splunk SIEM environments. The Nutanix HCI solution has a distributed architecture that shares all infrastructure resources and prevents any workload from depleting another node’s resources. It does not need or rely on expensive SAN or NAS storage, RAID groups or network switches. The Nutanix Distributed Storage Fabric enables SIEM indexers and collectors to process data locally, monitors data access paths, places data in the optimal location and automatically moves hot, warm, cold and frozen data to the appropriate internal and external storage resources. The most frequently used data is accessed from the local node’s VM memory and flash, providing maximum performance. Unlike other storage systems, which experience significant I/O bottlenecks, Nutanix’s Distributed Storage Fabric prevents the I/O blender effect from affecting the SIEM’s performance.
A small 4-node, 2U Nutanix cluster can deliver 3 GB/s throughput, capable of ingesting 500,000 events per second and storing terabytes of event logs every day. This small SIEM deployment running on Nutanix can effortlessly and dynamically scale existing clusters, or add new clusters in minutes, simply by adding more nodes when event logs and network flows exceed your SIEM’s threshold. Every node running on Nutanix provides predictable performance for the SIEM collectors, indexers, analytics and other shared workloads.
In this entry-level 4-node Nutanix example, a company can deploy a small SIEM very affordably with only 20 TB, and have the ability to add up to 240 TB (on the fly), up to 176 cores in eight Intel CPUs, and 2 TB of memory. An entry-level Nutanix HCI server can provide 250,000 or more random read IOPS and up to 5 GB per second of sequential throughput. Factoring in data archiving and compression, a Nutanix HCI solution can reduce a SIEM hardware footprint by up to 400 percent.
Nutanix HCI solutions use radical compression policies that extend beyond the LUN level used by most storage solutions, going deeper into the VM and file levels, which significantly increases efficiency and performance at a sub-block level. By using both inline and post-process compression, Nutanix maximizes the performance and efficiency of event log storage. Even more importantly, Nutanix HCI solutions also allow both NAS and cloud-based storage targets to be used in conjunction with the local server storage for colder event logs and for archiving frozen event logs. Nutanix HCI applies the same automatic tiering logic to network-attached storage and cloud-based storage resources as it does to the internal SSD and HDD.
Data protection and availability are provided by erasure coding replication, which requires additional storage capacity to keep a full copy of data on different nodes. By replicating the data using EC-X, Nutanix customers enjoy the highest degree of protection and availability. If any failure were to occur, Nutanix could use the parity to restore the data blocks, and workloads would be automatically restored and restarted without operator intervention. The number of data and parity blocks can be configured to adjust for the number of failures deemed acceptable.
Nasdaq is an Enterprise Splunk customer that relied on bare metal and traditional VM technology to host their SIEM, and decided it was time for a change and to do a POC with Nutanix. Here is the assessment from Nasdaq:
“Our test results were very impressive,” Yang reported. “We were extremely happy with the performance gains we received. All types of queries ran at least two times faster on Nutanix versus our traditional systems. From an operational perspective, we really liked the deployment agility—how quickly and easily Nutanix scales. By moving to a Nutanix-based solution, we have improved our service delivery for compute, memory, and storage.”
“Our IT infrastructure team (which is my team that manages all of our hardware systems and OS), our security team (the biggest user of Splunk, with very high data retention and performance requirements), and our tools team that manages the actual Splunk deployment, all weighed in on the decision,” noted Yang. “There was unanimous agreement among all three groups that Nutanix Enterprise Cloud Platform was the best solution for our needs.”
“We wanted to virtualize Splunk, but our existing technology wasn’t scalable or fast enough. We went from a five physical node platform with Splunk, to a three-node POC on Nutanix. Our new systems are outperforming our previous platform, even with just three nodes. We are now increasing that environment from three to ten nodes of Nutanix, knowing it will far outperform our non-virtual production platform.”
Jake Yang
Senior Director of Global Systems and Storage
Nasdaq
The Nutanix HCI Enterprise Cloud solution enables Splunk Enterprise SIEM customers to deploy and manage a SIEM with minimal requirements, provides very flexible scaling options for event log ingestion and retention growth, and ensures optimal performance for security analysts to search and analyze incidents. Nutanix Enterprise Cloud is a hyperconverged infrastructure with native web-scale capabilities, designed specifically for VM and cloud environments. The Nutanix Enterprise Cloud Platform for SIEM includes Nutanix Acropolis, Prism and Calm. Acropolis manages the virtualization of data services and includes the following components: the Distributed Storage Fabric, the App Mobility Fabric, and the Nutanix hypervisor (the platform also supports the ESXi, Hyper-V and XenServer hypervisors). Prism enables single-click infrastructure management of the virtual machines.