VM Resource Requirements (Production)
This section outlines the resource requirements for server components for Cybereason On-Prem deployments in product environments.
Important
Cybereason recommends that you deploy at least two Detection servers for recovery scenarios. The additional requirements listed in this topic are general guidelines only. Exact requirements vary depending on several factors, such as the number and type of endpoints, number of Detection servers, network traffic, and more. Consult with your Customer Success team for exact requirements for your deployment.
In this topic:
Virtualization Software Requirements
For Cybereason On-Prem deployments, Cybereason provides pre-built VMs for you to deploy.
Before you begin the installation, review the following requirements and recommendations:
- The Cybereason On-Prem server installation supports VMware vSphere ESXi version 6.5 or above.
Important
For each ESXi server, when calculating sizing requirements, keep in mind that 8GB of memory needs to be set aside for ESXi software.
For each ESXi instance:
We recommend that you enable VMWare hyperthreading on the physical host. If hyperthreading is disabled, multiply the CPU on each ESXi.
We recommend that you use an Intel/AMD processor with 64-bit support, specifically a 2.2 GHz or faster processor.
You must disable all BIOS power management options. For more information and best practices, see the VMWare documentation.
The vCPU/pCPU ratio per ESXi server ratio must be 2:1 or lower.
VM Hardware Requirements
Detection server VM
General requirements
Topic |
Requirement/Note |
|---|---|
Total CPU |
The Detection server’s total CPU must not exceed the number of logical cores per socket when VMWare hyperthreading is enabled. |
Number of Detection servers |
Consult with Customer Success to determine how many Detection servers you require to support your endpoints, to ensure optimal performance. Customer Success makes this calculation based on various factors, such as endpoint type (server/PC) and operating system. Cybereason recommends that you deploy at least two Detection servers for recovery scenarios. |
Memory reservation |
The Detection servers require full memory reservation and a set of advanced configuration settings and parameters for optimal performance (see Advanced configuration settings). These settings and parameters are automatically applied to each of the virtual machines as part of the deployment procedure. |
Resource consumption |
Important: Resource requirements may vary according to the environment. We recommend that you monitor resource consumption on a regular basis to ensure system performance. For more details on monitoring resource consumption, refer to the VMware documentation. |
Sizing requirements The number of sensors in the table below is an estimate based on Windows sensors. Other endpoint types (e.g. Windows servers, Linux, and Mac machines) require additional resources. Contact your Customer Success team for details.
For the root disk sizes, the 50 GB storage enforces a log rotation of up to 50 MB per log, storing 30 log files backward. The data disk enables saving approximately 21 days of recordings (of the sensor metadata). This is an estimated amount, and should be evaluated according to the specific environment and retention prior to deployment. For assistance, contact Customer Success.
The data disk implementation includes automatic deletion according to the retention policy. In addition, a backup utility backs up all Cybereason components to the shared NFS repository. Cybereason takes daily snapshots of the entire memory graph backup every day at 12:00 AM UTC. Two backup copies are available per Detection server.
Number of sensors |
vCPU |
RAM |
Root Disk |
Data Disk |
|---|---|---|---|---|
0 - 500 |
4 |
32 GB |
50 GB |
256 GB (added later, see description above). |
500 - 1000 |
8 |
64 GB |
50 GB |
512 GB (added later, see description above). |
1000 - 1600 |
16 |
128 GB |
50 GB |
756 GB (added later, see description above). |
1600 - 2500 |
22 |
252 GB |
50 GB |
1024 GB (added later, see description above). |
Advanced configuration settings
Parameter |
Description |
|---|---|
CoresPerSocket |
For performance optimization, the value is set to a number that is less than or equal to the physical cores of the physical CPU socket. |
TotalCpu |
For performance optimization, the value is set to a number that is less than or equal to the physical cores of the physical CPU socket. |
Full memory reservation |
The Memory > Reservation > Reserve all guest memory (All locked) setting is automatically applied in VMWare for all servers. |
WebApp server and Private Threat Intel server VM
General requirements
Topic |
Requirement/Note |
|---|---|
Number of servers |
The WebApp server and Private Threat Intel server are on the same VM. Only one WebApp server and Private Threat Intel server VM is required for the deployment, regardless of the number of Detection servers. |
Memory reservation |
The WebApp server and Private Threat Intel server require full memory reservation and a set of advanced configuration settings and parameters for optimal performance (see Advanced configuration settings). These settings and parameters are automatically applied to each of the VMs as part of the deployment procedure. |
Resource consumption |
Important: Resource requirements may vary according to the environment. We recommend that you monitor resource consumption on a regular basis to ensure system performance. For more details on monitoring resource consumption, refer to the VMware documentation. |
Sizing requirements The number of sensors in the table below refers to the total number of sensors in the deployment. This number is based on sensors on Windows workstations. Other endpoint types (e.g. servers, other operating systems) may require additional resources.
Number of sensors |
vCPU |
RAM |
Storage |
|---|---|---|---|
0 - 500 |
4 |
32 GB |
50 GB |
500-3000 |
4 |
64 GB |
50 GB |
3000+ |
8 |
128 GB |
50 GB |
Registration server VM
Number of sensors |
vCPU |
RAM |
Storage |
|---|---|---|---|
0-5000 |
4 |
8 GB |
50 GB |
5000-10000 |
8 |
16 GB |
50 GB |
Note
For higher numbers of sensors, contact your Cybereason representative. Only one Registration server VM is required for the deployment, regardless of the number of Detection servers.
Microservices VM
The Microservices VM includes a number of microservices and servers. Cybereason provides your organization with a microservices VM that includes one 250 GB disk. This is preconfigured storage that is not affected by the number of sensors. Make sure to reserve resources for this storage.
For airgapped systems, contact your Cybereason representative.
Number of sensors |
vCPU |
RAM |
Root Disk |
|---|---|---|---|
0-500 |
6 |
36 GB |
250 GB |
500-5000 |
8 |
44 GB |
250 GB |
5000-10000 |
8 |
46 GB |
250 GB |
10000-25000 |
10 |
60 GB |
250 GB |
25000-50000 |
14 |
66 GB |
250 GB |
Configuration management server
The Configuration Management server is based on Ansible, an open-source software provisioning, configuration management, and application-deployment tool. Cybereason leverages Ansible to automate day 2 configuration tasks. Tasks include: connecting the Detection server to the WebApp server, changing the proxy configuration, monitoring, and more.
This server is provided with three 50 GB disks. Cybereason provides your organization with preconfigured storage, where the number of sensors does not affect the storage. Make sure to reserve resources for this storage.
vCPU |
RAM |
Root Disk |
|---|---|---|
6 |
12 GB |
3 disks of 50 GB |
Next steps
After you verify that your VMs satisfy the appropriate requirements, verify that the organization meets the Deployment Prerequisites.