Symantec™ Endpoint Detection and Response 4.0
Sizing and Scalability Guide
Documentation version: 4.0

Legal Notice
Copyright © 2018 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of
Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks
of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution
to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open
source or free software licenses. The License Agreement accompanying the Software does not alter any
rights or obligations you may have under those open source or free software licenses. Please see the
Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec
product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution,
and decompilation/reverse engineering. No part of this document may be reproduced in any form by any
means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE
DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY
INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL
DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS
DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO
CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined
in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer
Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and
Commercial Computer Software Documentation," as applicable, and any successor regulations, whether
delivered by Symantec as on premises or hosted services. Any use, modification, reproduction release,
performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government
shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

https://www.symantec.com
Symantec Support
All support services will be delivered in accordance with your support agreement and the
then-current Enterprise Technical Support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at
the following URL:
www.symantec.com/business/support/
Before contacting Technical Support, make sure you have satisfied the system requirements
that are listed in your product documentation. Also, you should be at the computer on which
the problem occurred, in case it is necessary to replicate the problem.
When you contact Technical Support, please have the following information available:
■ Product release level
■ Hardware information
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
■ Error messages and log files
■ Troubleshooting that was performed before contacting Symantec
■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support
Web page at the following URL:
www.symantec.com/business/support/
Contents

Symantec Support ... 4

Chapter 1 Introduction ... 7
    Introduction ... 7
Chapter 2 Symantec EDR cloud support ... 8
    Supported sizing limitations for Symantec EDR cloud ... 8
Chapter 3 Appliance architecture ... 10
    Symantec EDR architecture ... 11
    Symantec EDR distributed topography ... 12
    Symantec EDR growth ... 12
    Best practices for SEPM integration ... 13
    Considerations for selecting a network scanner ... 17
Chapter 4 Appliance network impact ... 19
    Required bandwidth ... 19
    Endpoint performance metrics ... 20
    Reputation request service (RRS) rate ... 21
    Endpoint activity recorder network load ... 21
    Comparison of event traffic by source ... 21
    Firewall cluster bottleneck ... 22
Chapter 5 Appliances ... 23
    About Symantec EDR hardware appliances ... 23
    Vertical scaling ... 24
    Management console recommendations ... 26
    Sizing the management console ... 27
    Platforms overview ... 28
        Sizing recommendations for the 8880 appliance ... 29
        Sizing recommendations for the 8840 appliance ... 29
        Sizing recommendations for the virtual appliance ... 30
    How to set up your network scanner appliance (all-in-one vs. management console) ... 31
    Formula for endpoint activity recorder data storage size ... 32
    Endpoint activity recorder event rate load ... 32
    Endpoint activity recorder load retention ... 33
Chapter 6 Database ... 35
    Moving events from Symantec EDR to other data systems ... 35
Chapter 7 Symantec EDR appliance and the endpoint activity recorder ... 36
    Configuring the endpoint activity recorder ... 36
    Endpoint activity recorder considerations ... 39
    Sizing considerations ... 40
Appendix A Upgrading the 8880 appliance ... 42
    Upgrading the 8880 appliance ... 42
Chapter 1
Introduction
This chapter includes the following topics:

■ Introduction

Introduction
This sizing guide provides guidance about which Symantec EDR appliance you should use in
your environment. It also offers information about what you need to know to set up an appliance.
The architecture, designs, and recommendations that are provided in this guide are based on
metrics from internal testing of the product. These tests are performed in an isolated
environment. Implementations in production environments may result in some performance
metrics that vary from the testing scenarios. These variations can alter the recommended
sizing and architecture. This guide references possible changes and modifications to Symantec
EDR capability, functions, metrics, and features. These changes are subject to continuous
evaluation and should not be considered as firm commitments.
For additional information about installing Symantec EDR (including system requirements,
deployment and operating modes, etc.) see the Symantec™ Endpoint Detection and Response
Installation Guide.
Chapter 2
Symantec EDR cloud support
This chapter includes the following topics:

■ Supported sizing limitations for Symantec EDR cloud

Supported sizing limitations for Symantec EDR cloud


Supported endpoints
Each Symantec EDR cloud instance can manage multiple Symantec EDR appliances, up to a total of 80K
endpoints. To manage more than 80K endpoints, Symantec EDR uses multiple cloud instances.

Symantec EDR cloud network bandwidth costs

■ Forwarding incidents from a Symantec EDR appliance to Symantec EDR cloud: about 1800 KB/second
when submitting an average of 100 incidents per day with the Endpoint Activity Recorder feature enabled.
■ Fetching events from a Symantec EDR appliance using Investigation Playbooks: 1.6 MB for every
1000 events.

Supported Investigation Playbooks


Each Symantec EDR cloud instance supports the following run frequency for Investigation
Playbooks:
■ Agentless scanning of 500 endpoints per hour using the “Full Binary Reputation: Executable
File Types” Investigation Playbook.
■ Fetch up to 1000 events per hour from a Symantec EDR appliance(s) using Investigation
Playbooks.

Dissolvable agent server

■ Windows operating system - Windows 7/Server 2008 R2 or newer (Windows 10 Home
Edition unsupported)
■ RAM - A minimum of 4 GB RAM for up to two vCPU cores. An additional 2 GB of RAM is
required for each additional 2 vCPU cores, to a maximum of 16 vCPU with 16 GB RAM
■ Microsoft .NET Framework 4.5 or newer
■ Disk storage equal to 1 MB times the number of computers in the network to scan

The dissolvable agent server is typically capable of scanning 150 endpoints per hour for each
logical CPU core. For example, to scan 1200 endpoints per hour with a single vault, a CPU
with eight cores is the minimum needed to meet that demand.
Chapter 3
Appliance architecture
This chapter includes the following topics:

■ Symantec EDR architecture

■ Symantec EDR distributed topography

■ Symantec EDR growth

■ Best practices for SEPM integration

■ Considerations for selecting a network scanner


Symantec EDR architecture

Symantec EDR distributed topography

Symantec EDR growth


Year-over-year growth
When planning your deployment, be sure to consider the expected growth of the organization
during the lifetime of the appliance hardware.

Horizontal growth
Scanner/network:
■ Method: Add scanners.
■ Drivers: Network bandwidth.
Management Server:
■ Method 1: Add additional management servers.
■ Method 2: To overcome data retention limits of Symantec EDR management server, use
API to dump events to Splunk service or other bulk data analysis device or service.
■ Drivers: More SEPMs, link latency across regions. Another driver is if the sum of all
endpoints is greater than what one management appliance can handle.

Best practices for SEPM integration


Symantec EDR 4.x is certified to integrate with a total of ten different SEPM sites¹ per
deployment, which is based on testing and certification limitations. To support more than ten
SEPM sites, deploy multiple appliances instead. If multiple domains are used in a given site,
then one Symantec EDR can be connected to each domain.

Note: When a SEPM is added to an EDR appliance console, it's defined as SEPM/Domain.
So if there were ten domains running on a single SEPM, there would be ten entries that are
defined on Symantec EDR.

Factors to be considered when you choose the deployment approach:


■ Number of endpoints and where they are located
The number of endpoints is the determining factor in how many Symantec EDR appliances
you need.
■ Network bandwidth and latency between sites
Are there serious bandwidth limitations between corporate sites?
See “Required bandwidth” on page 19.
■ Administrative areas
Is there a Security Operations team per site or globally? Are the policies managed centrally?
■ Is centralized reporting required?

Basic architecture
Symantec EDR contains the following main architectural components:
■ EDR appliance console – The management server that is used for network appliance
management, policy management, investigation, and remediation.
■ Symantec EDR network scanner – Scans network traffic.
Other required components in the architecture, but not deployed as part of Symantec EDR:
■ SEPM
■ SEPM databases
We currently do not support connecting to multiple SEPMs that are backed by the same database.
■ SEP clients
External cloud services:
■ Email Security.Cloud
■ Web Security.Cloud

Deployment architecture
The site design begins with the choice of the basic site design architecture. This choice normally
follows the same site design as for SEPM sites. The reason for this parallel site design is so
that the EDR appliance console can communicate with the SEPM server, SEPM database,
and SEP clients. The following content describes how SEP recommends deploying sites and
how Symantec EDR can be deployed into that environment.

Single-site design
An organization with one data center can generally use a single-site design with the following
attributes:
■ Two instances of SEPM for redundancy and load balancing
■ Database clustering to support high availability

Note: The following diagrams assume the total number of endpoints that a single Symantec
EDR instance can support. If this number is greater than 50K endpoints for ECC 2 and 100K
for ECC 1, then you still have options. See Figure 3-4 and Figure 3-6.

Figure 3-1 Single SEP site

One Symantec EDR connects to one database and one SEPM per SEP site.
Each Symantec EDR appliance has its own embedded database. This deployment configuration
allows for full visibility into events, command status, and policy. This deployment configuration
does not support high availability or load balancing. Configure EDR appliance console to
connect with one SEPM per site and one connection to the database cluster.

Figure 3-2 Single SEP site (shortcut iconography)

One Symantec EDR connects to one database and one SEPM per SEP site.

Figure 3-3 Single SEP site (using the new iconography)

Figure 3-4 More endpoints than one Symantec EDR can handle - scenario 2

If a SEP site has more endpoints than one Symantec EDR can handle, you must run Advanced
Threat Protection 3.0.5 or later or Symantec EDR 4.x or later, because these versions support
multiple Symantec EDR instances for a single SEP site. The only restriction is how many
endpoints are in a given SEP group.

Multi-site design
Figure 3-5 Multi-site SEP design

One Symantec EDR connects to one database and one SEPM per SEP site. One Symantec
EDR can connect to up to ten SEP sites. The only other limitation is the total number of
endpoints.
Assume that no single SEP site exceeds what one Symantec EDR can handle, but two or more
sites together do. In this scenario, deploy multiple Symantec EDRs, each in the single-SEP-site
configuration, and use a SIEM to centralize events.

Figure 3-6 More endpoints than one Symantec EDR can handle

¹ A SEP site is based on one or more SEPMs that are connected to a single database cluster.
A SEP site can choose to replicate policy, commands, and logs between sites.

Considerations for selecting a network scanner


Symantec Advanced Threat Protection 3.x and Symantec EDR 4.x network scanners use the
same physical hardware and have the same network scanning performance profile as Advanced
Threat Protection 2.3. Each network scanner form factor (large, small, virtual) is certified to
inspect a specified amount of network throughput (Gbps). You can achieve increased capacity
by adding additional scanners that the EDR appliance console manages. Additional scanners
can also be used to accommodate multiple ingress points and egress points, such as remote
offices. An EDR appliance console can support up to 50 Symantec EDR: Network appliances.
Several factors determine the number of recommended network scanners:

Use hardware or virtual
If you have an extensive VMware investment, you might want to use virtual appliances. If you
have little or no VMware investment, use the hardware.
Hardware solutions have bypass NICs, so on failure Symantec EDR continues to pass traffic
when deployed inline. Therefore, physical hardware is recommended for inline deployments.

Available bandwidth
The hardware solutions have higher throughput than virtual solutions. The 8840 appliance has
a throughput of 500 Mbps. The 8880 appliance has a throughput of 2.0 Gbps. The VM appliance
has a throughput of 300 Mbps.
See “Required bandwidth” on page 19.

Total endpoints in the organization
8840 has a capacity of ~10K simultaneous connections. 8880 can support twice that with 25K
simultaneous connections. These numbers are for inline mode. In TAP mode, hardware can
support approximately twice the number of connections as inline. VMs can handle 2K
simultaneous connections.

Symantec EDR features intended to be used
If the deployment is to use mostly network scanning, then a separate scanner and management
platform deployment provides room to increase scanning capacity. The number of scanners
depends on the number of ingress and egress points in the network and the amount of traffic
at those points.
Chapter 4
Appliance network impact
This chapter includes the following topics:

■ Required bandwidth

■ Endpoint performance metrics

■ Reputation request service (RRS) rate

■ Endpoint activity recorder network load

■ Comparison of event traffic by source

■ Firewall cluster bottleneck

Required bandwidth
Table 4-1 provides the estimated bandwidth usage.

Table 4-1 Bandwidth requirements

Communication channel: SEPM and Symantec EDR
■ Symantec EDR queries each SEPM hourly to get Group and endpoint information. The
breakdown is roughly as follows:
  ■ 500 B/Group. If you have 20 Groups, then Symantec EDR generates 20 Groups * 500 B/Group
  = 10 KB each hour.
  ■ 4 KB/endpoint. If you have 50K endpoints, then Symantec EDR generates 50K endpoints
  * 4 KB/endpoint = 200 MB each hour.
  ■ Summary: 4.8 GB/day for organizations with 50K endpoints and 20 SEPM Groups:
  (200 MB + 10 KB)/hour * 24 hours per day = 4.8 GB/day.

Communication channel: SEP endpoint and Symantec EDR
■ Live Response: see “Endpoint activity recorder network load” on page 21.
■ Full Dump: 10% of endpoint recording size. If endpoint recording size = 1 GB then
0.1 * 1 GB = 100 MB.
■ Process Dump: depends on what the process did. This number is likely close to a couple of KB.
■ ECC 1.0: ~1 GB/day/50K endpoints; 17.6 KB/sec per endpoint.

Communication channel: Symantec EDR and ServiceNow
■ Negligible.

Communication channel: Symantec EDR and Splunk Server
■ Similar to Symantec EDR to SEP endpoints.

Communication channel: Symantec EDR and mail server
■ Negligible.

Communication channel: Symantec EDR and Symantec Cloud
■ Updating of definitions requires 1 - 2 MB a day. When a new Symantec EDR release is
available, you must download 2 GB of data.

Endpoint performance metrics

Table 4-2 shows the effect on SEP endpoints with ECC enabled and without ECC enabled.

Table 4-2 Endpoint performance metrics

Metric | Endpoint activity recorder NOT enabled | Endpoint activity recorder enabled
CPU | ~.2% | ~.5%
Memory | 128 MB | 150 MB
IO Reads | 2.5 Ops/sec | 12 Ops/sec
IO Writes | 3.2 Ops/sec | 3.7 Ops/sec
Network | 0 | 1 MB/day/endpoint

Reputation request service (RRS) rate


The volume of events that the endpoint agent generates increases dramatically from SEP
version 12 to SEP version 14. Symantec recommends that you upgrade Symantec EDR to
the latest version before you upgrade all of the clients beyond version 12.

Table 4-3 RRS event rates

SEP version | Events per second, per endpoint
SEP endpoint 12.x | 0.00050 - 0.00090
SEP endpoint 14.x | 0.00175

Endpoint activity recorder network load


Table 4-4 Endpoint activity recorder network load

Endpoints | Events per second | Data on the wire (bits per sec) | Connections per second | Maximum concurrent connections
1 | .04 | 112 b/s | .035 | 2
10K | 400 | 1.23 Mb/s | 70 | 20K
50K | 2,000 | 5.6 Mb/s | 350 | 100K

Note: Expect spikes to double these numbers. Batch size affects the network load. Endpoints
send batches ranging from a minimum of 1 event every minute to a maximum of 100 events
every 24 hours. Expect that an average client sends about two events per minute. Less than
this amount (fewer than ten events per 5 minutes) can back up the clients. More than this
rate (greater than 15 events per 5 minutes) increases the load on your server during peak
performance. Ensure that your system isn't already fully loaded if you increase the batch size
significantly.

Comparison of event traffic by source


Table 4-5 Event traffic by source

Source | Events per second, per endpoint
Reputation requests (RRS) | 0.001750
Endpoint activity recorder with all events enabled | 0.040000
Endpoint activity recorder without process events | 0.000692
Endpoint activity recorder without process launch events | 0.019200
Endpoint activity recorder without process terminate events | 0.019200
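The event-rate and bandwidth figures in Tables 4-1, 4-4 and 4-5 can be combined into a small sizing calculator. The following Python is an added example, not code from Symantec or from this guide. The per-endpoint event rates and the SEPM sync sizes are the guide's published numbers; the per-event wire size (2,800 bits) and the per-endpoint connection rate (0.007/s) are assumptions derived from the 10K and 50K rows of Table 4-4, and the batch-rate thresholds are those in the note under Table 4-4:

```python
"""Network-load estimator for the figures in Tables 4-1, 4-4 and 4-5.

Added example for this guide, not Symantec's code. Per-endpoint event rates
and the SEPM sync sizes are the guide's published numbers; the per-event wire
size (2,800 bits) and the per-endpoint connection rate (0.007/s) are
assumptions derived from the 10K and 50K rows of Table 4-4.
"""

# Table 4-5: events per second, per endpoint, by recorder configuration
RECORDER_EVENT_RATES = {
    "all_events": 0.040000,
    "without_process_events": 0.000692,
    "without_process_launch": 0.019200,
    "without_process_terminate": 0.019200,
}
RRS_EVENT_RATE_SEP14 = 0.00175  # Table 4-3 / 4-5, SEP 14.x clients

# Table 4-4: one endpoint with all events enabled = 0.04 ev/s and 112 bit/s,
# so one event is about 112 / 0.04 = 2,800 bits on the wire (derived assumption).
BITS_PER_RECORDER_EVENT = 112 / 0.04
# Table 4-4: 10K endpoints -> 70 conn/s and 50K -> 350 conn/s (derived assumption).
CONNECTIONS_PER_ENDPOINT_PER_SEC = 70 / 10_000
MAX_CONCURRENT_CONNECTIONS_PER_ENDPOINT = 2  # Table 4-4, single-endpoint row

# Table 4-1: hourly SEPM inventory sync (decimal units, as the guide uses)
BYTES_PER_GROUP = 500
BYTES_PER_ENDPOINT = 4_000
SECONDS_PER_DAY = 24 * 60 * 60


def sepm_sync_bytes_per_day(endpoints, groups):
    """Bytes/day Symantec EDR pulls from SEPM: (groups*500 B + endpoints*4 KB) * 24."""
    hourly = endpoints * BYTES_PER_ENDPOINT + groups * BYTES_PER_GROUP
    return hourly * 24


def recorder_load(endpoints, profile="all_events", spike_factor=1.0):
    """Endpoint activity recorder load on the management server.

    spike_factor=2.0 applies the guide's note that spikes double the figures.
    """
    events_per_sec = endpoints * RECORDER_EVENT_RATES[profile] * spike_factor
    return {
        "events_per_sec": events_per_sec,
        "bits_per_sec": events_per_sec * BITS_PER_RECORDER_EVENT,
        "connections_per_sec": endpoints * CONNECTIONS_PER_ENDPOINT_PER_SEC * spike_factor,
        "max_concurrent_connections": endpoints * MAX_CONCURRENT_CONNECTIONS_PER_ENDPOINT,
    }


def total_events_per_sec(endpoints, profile="all_events"):
    """Combined RRS + recorder event rate, the figure an EPS certification applies to."""
    return endpoints * (RRS_EVENT_RATE_SEP14 + RECORDER_EVENT_RATES[profile])


def recorder_bytes_per_day(endpoints, profile="all_events"):
    """Daily recorder traffic in bytes, derived from the sustained bits/s figure."""
    return recorder_load(endpoints, profile)["bits_per_sec"] / 8 * SECONDS_PER_DAY


def batch_rate_assessment(events_per_5_min):
    """Classify a client's observed batch rate against the note under Table 4-4:
    fewer than 10 events per 5 minutes can back up clients, more than 15 adds
    server load at peak."""
    if events_per_5_min < 10:
        return "client backlog risk"
    if events_per_5_min > 15:
        return "extra server load at peak"
    return "within expected range"


if __name__ == "__main__":
    for n in (1, 10_000, 50_000):
        load = recorder_load(n)
        print(f"{n:>6} endpoints: {load['events_per_sec']:.2f} ev/s, "
              f"{load['bits_per_sec'] / 1e6:.2f} Mb/s, "
              f"{load['connections_per_sec']:.3f} conn/s")
    print(f"SEPM sync for 50K endpoints / 20 groups: "
          f"{sepm_sync_bytes_per_day(50_000, 20) / 1e9:.2f} GB/day")
```

Running it reproduces the 4.8 GB/day SEPM figure from Table 4-1 and the 2,000 ev/s, 5.6 Mb/s and 350 conn/s row of Table 4-4 for 50K endpoints; the 10K row comes out at 1.12 Mb/s against the table's 1.23 Mb/s, which is the size of error to expect from a linear model. The derived daily recorder volume for 50K endpoints (about 60 GB) is close to the 1 MB/day/endpoint figure in Table 4-2.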

Firewall cluster bottleneck


If you have an active/passive firewall cluster, you need either of the following:
■ Two (2) 8880s as an all-in-one
■ Two (2) 8840s as scanners with either one (1) 8880 or one (1) VE as the management
server

Note: Your organization might be able to accept Symantec EDR as a single point of failure in
your environment. However, the 8840 appliance typically does not have enough bandwidth to
service a network protected by a dual firewall cluster.
Chapter 5
Appliances
This chapter includes the following topics:

■ About Symantec EDR hardware appliances

■ Vertical scaling

■ Management console recommendations

■ Sizing the management console

■ Platforms overview

■ How to set up your network scanner appliance (all-in-one vs. management console)

■ Formula for endpoint activity recorder data storage size

■ Endpoint activity recorder event rate load

■ Endpoint activity recorder load retention

About Symantec EDR hardware appliances

Table 5-1 lists the Dell appliance hardware that Advanced Threat Protection (ATP) 3.x and
Symantec EDR 4.0 support.

Table 5-1 Supported appliances for ATP 3.x and Symantec EDR 4.0

Appliance hardware | Version | Dell Model No.
8880 | 1 | Dell 720
8880 | 2 | Dell 730
8880-30 | 3 | Dell 730
8840 | 1 | Dell R220
8840 | 2 | Dell R230

See “Platforms overview” on page 28.
See “Sizing recommendations for the 8880 appliance” on page 29.
See “Sizing recommendations for the 8840 appliance” on page 29.

Vertical scaling
Table 5-2 Appliance upgrade requirements

Appliance: 8880-30 v3
Ready for the endpoint activity recorder feature. No upgrade required.
See: OEM technical specifications

Appliance: 8880 v2 - Dell 730 OEM XL
■ Upgrade parts available from Dell permit use of the 8880 v2 as a management server with the
endpoint activity recorder feature.
■ For each appliance being upgraded, you need to order the following:
  ■ 4x: R730XL Drives 400-AJQP 1.8TB 10K RPM SAS 512e 2.5in Hot-plug hard drive, Cus Kit 13G
  ■ 12x: R730XL Memory 370-ACNU or A8711887 Dell 16GB RDIMM, 2400MT/s, Dual Rank,
  x8 Data Width
■ The specific installation steps that are required to build the RAID10 array, replace memory,
and get Symantec EDR to detect the newly-installed physical components.
See: OEM technical specifications

Appliance: 8880 v1 - Dell R720 OEM XL
■ Upgrade parts available from Dell permit use of the Symantec EDR 8880 v1 as a management
server with the endpoint activity recorder feature.
■ For each appliance being upgraded, you must order the following:
  ■ 4x: R720XL Drives 400-AJQM 1.8TB 10K RPM SAS 512e 2.5in Hot-plug hard drive, Cus Kit 12G
  ■ Optionally, to maximize performance, 12x: R720XL Memory A7187318 Dell 16GB Certified
  Memory Module - 2Rx4 DDR3 RDIMM 1866MHz SV
■ The specific installation steps that are required to build the RAID10 array, replace memory,
and get Symantec EDR to detect the newly-installed physical components.
See: Symantec Advanced Threat Protection 3.0 Upgrade Guide
See: OEM technical specifications

Appliance: 8840 v2 - Dell R330 OEM XL
■ No vertical upgrade path
■ Not supported for use with the endpoint activity recorder
■ Not recommended for use as a management server in a production environment
See: OEM technical specifications
Note: Dell R330 supports up to 64 GB RAM and comes with 32 GB installed.

Appliance: 8840 v1 - Dell R220 OEM XL
■ No vertical upgrade path
■ Not supported for use with the endpoint activity recorder
■ Not recommended for use as a management server in a production environment
See: OEM technical specifications

Appliance: VMware
Symantec EDR 4.x does more than Advanced Threat Protection 3.x/2.x, so it consumes a larger
footprint of resources. ESXi resources must be reserved. If you have outdated or insufficient
hardware in your ESX environment, you might experience performance issues. Symantec
recommends at least 10K RPM or SSD disk drives.
■ Approved for use as a management server with the endpoint activity recorder feature, with
expanded resource assignments
■ Add disk size up to 2 TB
■ If upgrading from Advanced Threat Protection 2.3, Advanced Threat Protection 3.x requires an
increase in resources before upgrade:
  ■ Increase CPUs from 4 cores to 12 cores
  ■ Increase memory from 32 GB to 48 GB
See the Symantec™ Endpoint Detection and Response Installation Guide for minimum system
requirements for the virtual appliance.

Management console recommendations

A management console can support up to 50 managed network scanners, but a single
management console can also manage as few as one scanner.

Endpoint Communications Channel 1.0

An EDR appliance console with non-ECC and distributed deployments can support up to 50
managed network scanners or 100,000 protected endpoints (8880 appliance type). One EDR
appliance console can manage up to:
■ 7 x 8880 appliances inspecting 2 Gbps [7*13,333 = ~100K endpoints] OR
■ 15 x 8880 appliances inspecting 1 Gbps [15*6,667 = ~100K endpoints] OR
■ 50 virtual appliances inspecting 300 Mbps [50*2,000 = ~100K endpoints] OR
■ 50 virtual appliances inspecting 150 Mbps [no more than 50]

Endpoint Communications Channel 2.0

An EDR appliance console with ECC and distributed deployments supports up to 25 managed
network scanners or 50,000 protected endpoints (8880 appliance type). One EDR appliance
console can manage up to:
■ 4 x 8880 appliances inspecting 2 Gbps [4*13,333 = ~50K endpoints] OR
■ 8 x 8880 appliances inspecting 1 Gbps [8*6,667 = ~50K endpoints] OR
■ 25 virtual appliances inspecting 300 Mbps [25*2,000 = ~50K endpoints] OR
■ 25 virtual appliances inspecting 150 Mbps [no more than 25]

Symantec EDR communicates with SEP on an hourly schedule. If SEPM is running on an
under-provisioned host, then this process can cause a delay in how long it takes to retrieve
endpoint information.
See “Best practices for SEPM integration” on page 13.
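The scanner selection rules in “Considerations for selecting a network scanner” (throughput and simultaneous connections per form factor, bypass NICs on hardware, TAP roughly doubling hardware connection capacity) and the per-console limits above combine into a planning check. The following Python is an added example, not Symantec's code; the Ingress record, the rule that inline points get hardware only, and the comparison of endpoint count against summed simultaneous-connection capacity are assumptions of this example:

```python
"""Scanner-count and console-capacity planner.

Added example for this guide, not Symantec's code. Throughput and
simultaneous-connection figures are from "Considerations for selecting a
network scanner"; console limits are from "Management console
recommendations". The Ingress record, the rule that inline points get
hardware only, and the connection-capacity check are assumptions of this example.
"""
import math
from dataclasses import dataclass

# Certified throughput and inline simultaneous connections per form factor
SCANNERS = {
    "virtual": {"throughput_mbps": 300,   "connections": 2_000,  "bypass_nic": False},
    "8840":    {"throughput_mbps": 500,   "connections": 10_000, "bypass_nic": True},
    "8880":    {"throughput_mbps": 2_000, "connections": 25_000, "bypass_nic": True},
}

# What one EDR appliance console can manage, by endpoint communications channel
CONSOLE_LIMITS = {
    "ECC 1.0": {"max_scanners": 50, "max_endpoints": 100_000},
    "ECC 2.0": {"max_scanners": 25, "max_endpoints": 50_000},
}


@dataclass
class Ingress:
    """One ingress/egress point to be scanned (assumed structure, not from the guide)."""
    name: str
    peak_mbps: float
    inline: bool  # True = inline monitor/block, False = TAP


def connection_capacity(model, inline):
    """Simultaneous connections one scanner handles. Hardware in TAP mode
    supports roughly twice its inline figure; VMs are quoted with one figure."""
    base = SCANNERS[model]["connections"]
    if SCANNERS[model]["bypass_nic"] and not inline:
        return base * 2
    return base


def choose_model(point):
    """Smallest form factor whose certified throughput covers the point.

    Inline points get hardware only, because only hardware has bypass NICs that
    keep traffic flowing on failure. Above 2 Gbps the load is split over 8880s.
    """
    candidates = ["8840", "8880"] if point.inline else ["virtual", "8840", "8880"]
    for model in candidates:
        if point.peak_mbps <= SCANNERS[model]["throughput_mbps"]:
            return model, 1
    return "8880", math.ceil(point.peak_mbps / SCANNERS["8880"]["throughput_mbps"])


def plan(points, total_endpoints, ecc_version):
    """Return scanner counts per model plus warnings against the console limits."""
    limits = CONSOLE_LIMITS[ecc_version]
    counts, capacity, warnings = {}, 0, []
    for point in points:
        model, n = choose_model(point)
        counts[model] = counts.get(model, 0) + n
        capacity += n * connection_capacity(model, point.inline)
    total = sum(counts.values())
    if total > limits["max_scanners"]:
        warnings.append(f"{total} scanners exceed the {limits['max_scanners']} "
                        f"one console manages under {ecc_version}; add a console")
    if total_endpoints > limits["max_endpoints"]:
        warnings.append(f"{total_endpoints} endpoints exceed the {limits['max_endpoints']} "
                        f"one console supports under {ecc_version}; add a console")
    if total_endpoints > capacity:
        warnings.append(f"{total_endpoints} endpoints exceed the {capacity} "
                        f"simultaneous connections the scanners support")
    return {"scanners": counts, "total_scanners": total,
            "connection_capacity": capacity, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample: one data-centre edge inline, twelve branch TAPs
    sites = [Ingress("datacenter-edge", 1500, inline=True)]
    sites += [Ingress(f"branch-{i:02d}", 120, inline=False) for i in range(12)]
    result = plan(sites, total_endpoints=30_000, ecc_version="ECC 2.0")
    print(result["scanners"], result["total_scanners"])
    for w in result["warnings"]:
        print("WARNING:", w)
```

The sample deployment resolves to one 8880 and twelve virtual scanners under one ECC 2.0 console with no warnings. Changing the branch count to 30 trips the 25-scanner limit, and putting 12,000 endpoints behind a single 8840 trips the connection-capacity check, which is the situation the firewall-cluster note in Chapter 4 warns about.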

Sizing the management console

Each appliance supports a different number of endpoints in ECC or non-ECC deployment.
ECC 2.0 features are supported on selected appliances. Each ECC 2.0-supported appliance
requires additional hard disk storage based on:
■ Average event size
■ Event rate supported
■ Event category selections
■ Number of days ECC data is to be retained
Each ECC-supported appliance is certified for a different number of EPS (events per second)
and CPS (connections per second).
Table 5-3 reflects the number of endpoints that are supported with ECC disabled. The hardware
configuration for these appliance types is without extended hard disk.

Table 5-3 ECC disabled or not supported

Appliance type | All-in-one | Management server only | Endpoints only
Virtual | 2K | 30K | 50K
8840 | 3K | 15K | 40K
8880 | 13K | 100K | 100K

Table 5-4 reflects the number of endpoints that are supported with ECC 2.0 enabled.

Table 5-4 ECC enabled

Appliance type | All-in-one | Management server, Endpoints only
Virtual + HD | 2K | 10K
8880: R720, R730 v2 | Demo - 1K | Demo - 1K¹
8880: R720/R730 v2 + HD | 13K | 50K¹
8880-30: R730 v3 | 13K | 50K¹

¹ Symantec recommends that you enable the endpoint activity recorder but disable the collection
of Process Launch and Process Terminate events. In this scenario, the total supported endpoints
on 720 appliance and 730 appliance increases from 50K to 100K.
Enabling ECC on a VM with fewer than 12 CPU cores or 48 GB RAM results in the following
warning message. If you ignore this message, expected performance is not guaranteed: "To
enable ECC on a virtual machine, it is recommended that you have 12 or more cores and 48
GB or more memory”.
The 8880-30 HDD is 4 disks of 1.8 TB, as directed by the Symantec EDR Hardware Guide.
You can select specific SEPM groups for which you enable ECC. This feature lets you limit
the number of endpoints that use the ECC feature. However, Symantec EDR still has a
maximum number of endpoints that it can support. If your SEPM has more than 200K endpoints
in a single instance, Symantec EDR begins to experience significant performance issues.

Platforms overview

Table 5-5 Platforms overview

Parameter | VMware | 8840: R220 | 8880: R720 | 8880: R730 v2 | 8840: R330 | 8880-30: R730 v3
RAM | 48GB | 32GB | 96GB | 96GB | 32GB | 192GB
CPU (processors x cores x HT) | 12 x 1 | 1 x 4 x 2 | 2 x 12 x 2 | 2 x 18 x 2 | 1 x 4 x 2 | 2 x 18 x 2
Total Disk | 500GB + 1TB | 558GB | 558GB + 372GB (SSD) | 931GB | 558GB | 3.6TB
Event storage | 541GB | 188GB | 127GB | 127GB | 188GB | 1586GB
Support ECC 2.0 | Yes | No | Yes with extended HD | Yes with extended HD | No | Yes

Sizing recommendations for the 8880 appliance

Table 5-6 Sizing recommendations for the 8880 appliance

Role | Mode | Storage | Total endpoints | Transfer rate per second per endpoint
All-in-one | TAP | 500 GB | 13,333 | 150 KB
All-in-one | TAP with endpoint activity recorder | 500 GB + 2 TB | 13,333 |
All-in-one | Inline monitor/block | 500 GB | 13,333 | 150 KB
All-in-one | Inline monitor/block with endpoint activity recorder | 500 GB + 2 TB | 13,333 |
Management server only | Management server only | 500 GB | 100,000 | 150 KB
Management server only | Management server only with endpoint activity recorder | 500 GB + 2 TB | 50,000 |
Scanner only | TAP | 500 GB | 13,333 | 150 KB
Scanner only | Inline monitor/block | | 13,333 |
Sizing recommendations for the 8840 appliance


Table 5-7

Role                    Mode                                                    Storage          Total endpoints   Transfer rate per second per endpoint
Cores                   4                                                       500 GB           3,333             150 KB
                                                                                Not available
Memory                  24 GB                                                   500 GB           3,333             150 KB
                                                                                Not available
All-in-one              TAP                                                     500 GB           3,333             150 KB
                        TAP with endpoint activity recorder                     Not available
All-in-one              Inline Monitor/block                                    500 GB           3,333             150 KB
                        Inline monitor/block with endpoint activity recorder    Not available
Management server only  Management server only                                  500 GB           15,000            150 KB
                                                                                                 (no ECC 2.0 and no endpoint activity recorder)
                        Management server only with endpoint activity recorder  Not available
Scanner only            TAP                                                     500 GB           3,333             150 KB
                        Inline monitor/block

Sizing recommendations for the virtual appliance


Symantec EDR has increased the default configuration for the virtual image. The virtual
appliance OVA is built with 48 GB of RAM, a 500 GB hard disk, and 12 CPU cores. The
primary reason for the increase is to support the endpoint activity recorder functionality, but
we also recommend it because of the challenges in supporting deployments with only 4 cores.
As a general recommendation, we suggest that you increase the VM resources, and that those
resources are not only allocated but reserved. If resources are not allocated and reserved, the
Symantec EDR management server responsiveness might be impacted by a heavy load on a
shared virtual environment.
When you upgrade from Advanced Threat Protection 2.x to 3.x, you should allocate more
resources to your VM image. Symantec recommends that you allocate more resources
regardless of whether you intend to use the endpoint activity recorder functionality or not.
See “Symantec EDR growth” on page 12.

Table 5-8 Changes to recommended VM resources

          Advanced Threat Protection 2.x   Advanced Threat Protection 3.x   Symantec EDR 4.x
Memory    32 GB                            48 GB                            48 GB
Cores     4                                12                               12

Table 5-9 Sizing recommendations for the virtual appliance

Role                    Mode                               Storage          Total Endpoints   Transfer Rate MB/sec/Endpoint
All-in-one              TAP                                500 GB           2000              150 KB
                        TAP with FDR                       500 GB+2 TB
All-in-one              Inline Monitor/block               500 GB           2000              150 KB
                        Inline Monitor/block with FDR      500 GB+2 TB
Management server only  Management server Only             500 GB           50000             150 KB
                        Management server Only with FDR    500 GB+2 TB      10000
Scanner only            TAP                                500 GB           2000              150 KB

Note: Inline mode is not supported for virtual appliances except for testing purposes.

How to set up your network scanner appliance (all-in-one vs. management console)

If you have a lot of traffic, Symantec recommends that you deploy a management console
separately. Not only does this recommendation provide more processing power, it also makes
deployment easier and more flexible (you can have multiple network scanners). With multiple
scanners, you are better able to deploy across multiple locations. What's more, multiple
scanners let you have a central configuration and event management location.
When the management console is separate, you need at least two separate appliances: one
for the management console and the other for the server.

Formula for endpoint activity recorder data storage size

Storage size for a given number of days:
    Size = (a * b * c) + (d * e)

    8880: a = 50K, c = 30: Size = (50,000 * 1.7 MB * 30) + (10 * 7.5 GB) ~ 2.4 TB
    VM:   a = 10K, c = 30: Size = (10,000 * 1.7 MB * 30) + (10 * 7.5 GB) ~ 0.5 TB

Data retention for fixed storage:
    No. of days (c) = {Size - (d * e)} / (a * b)

    8880v3 event data storage size: 1.7 TB
    Number of days = {1.7 TB - (10 * 7.5 GB)} / (50,000 * 1.7 MB) ~ 20 days

Where:
    a   Number of endpoints
    b   Endpoint activity recorder size per endpoint per day. This number represents the size
        of events on Symantec EDR when all events are enabled.
    c   Number of days
    d   Number of endpoint dumps
    e   Dump size. This number is the amount of disk space that you allocated on the endpoint.

Endpoint activity recorder event rate load

Symantec EDR anticipates an event rate of .04 EPSPE (events per second, per endpoint),
spiking to .08 EPSPE. This event rate can be high, but improved processing pipelines should
be able to handle the load if the server is properly sized. However, these rates can fill up a hard
drive very quickly. These rates can also put a strain on networks, depending on how they are
configured.
Symantec performed extensive testing on the endpoint activity recorder event rate load.
Estimates in this sizing guide are based on those findings. However, those numbers might
vary given differing environments and the activity levels on their endpoints.
The following are our recommendations of supportable event loads:
■ 8880 appliance: 2000 EPS (approximately 170 million events per day)
■ VM: 400 EPS (approximately 35 million events per day)
Symantec EDR has numerous levers for controlling the event rate. You can exclude specific
file paths and specific hashes. You can also select the general categories of events that are
sent to Symantec EDR, as follows¹:

Table 5-10

Event types that are sent to Symantec EDR   Percentage of ECC events
Core (always enabled)                       <0.05%
Load point changes                          <0.1%
Suspicious system activity                  <1.5%
Heuristic detections                        <1%
Process launch activity¹                    ~49%
Process terminate activity¹                 ~49%

¹ These event types account for the majority of the traffic that is sent to Symantec EDR. They
are enabled by default, but are also considered an important part of the endpoint activity
recorder feature.
Aggregated overhead per day:
■ ~ 33 GB/day for 10K endpoints
■ ~165 GB/day for 50K endpoints

Endpoint activity recorder load retention


Retention is typically less critical to organizations that use public API/SIEMs. Low retention
not only reduces the usefulness of the data, but also puts a strain on the system. Retention
rates that fall under 3 days should be considered a red state.

Table 5-11 Endpoint activity recorder load retention per form factor

Conditions                                        Virtual + 1 TB HD                 8880
                                                  (400 EPS/10K endpoints, 70 CPS)   (2000 EPS/50K endpoints, 350 CPS)
ES partition size                                 541 GB                            1,586 GB
Effective ES partition (75%) before purging       405 GB                            1,189 GB
All categories enabled                            ~12 days                          ~7 days
Process terminate disabled                        ~25 days                          ~15 days
Process terminate and launch disabled (default)   ~710 days                         ~417 days

Event rate per second (EPS) is inclusive of ECC 2.0 live response data, command execution
overhead, etc., along with endpoint traffic and network traffic. Connection rate per second
(CPS) is inclusive of all ECC 2.0 data connections and control connections, along with endpoint
traffic and network data connections and control connections.
The average size per event on Symantec EDR is ~1 KB.
The number of events that are generated, and the data related to those events, affect Symantec
EDR performance as follows:
■ Data such as file information, endpoint IPs, user and host identity, URLs visited, external
domain data, etc.
■ Command execution rate.
■ Environments vary, so you should watch the number of events that are generated rather
than the absolute number of endpoints managed.
■ Symantec EDR certifies an average of 150 non-endpoint activity recorder events per second
flowing into the management console from different control points.
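The storage formula in "Formula for endpoint activity recorder data storage size" and the retention figures in Table 5-11 can be checked with a small sizing calculator. This is an added example, not code from the guide; it assumes the guide's KB/MB/GB/TB figures are binary units (KiB/MiB/GiB/TiB), that an event averages ~1 KB as stated above, and it takes the table's 75% effective-partition factor and the ~49%/~49% launch/terminate shares from Table 5-10 as inputs.

```python
"""Endpoint activity recorder sizing calculator (added example, not from the guide).

Implements the guide's storage formulas:
    Size = (a * b * c) + (d * e)
    c    = {Size - (d * e)} / (a * b)
and the event-rate retention model behind Table 5-11 (EPS x ~1 KB per event,
75% of the event-store partition usable before purging).
Assumption: the guide's KB/MB/GB/TB figures are treated as binary units.
"""

KIB = 1024
MIB = 1024 ** 2
GIB = 1024 ** 3
TIB = 1024 ** 4
SECONDS_PER_DAY = 86_400

# Average size per event on Symantec EDR, as stated in the guide (~1K byte).
BYTES_PER_EVENT = 1 * KIB
# Fraction of the ES partition that is effectively usable before purging (Table 5-11).
EFFECTIVE_PARTITION = 0.75
# Table 5-10: process launch and process terminate are ~49% of ECC events each.
SHARE_PROCESS_LAUNCH = 0.49
SHARE_PROCESS_TERMINATE = 0.49


def recorder_storage_bytes(endpoints, bytes_per_endpoint_day, days, dumps, dump_bytes):
    """Size = (a * b * c) + (d * e): storage needed to keep `days` of recorder data."""
    return endpoints * bytes_per_endpoint_day * days + dumps * dump_bytes


def retention_days_for_storage(storage_bytes, endpoints, bytes_per_endpoint_day,
                               dumps, dump_bytes):
    """c = {Size - (d * e)} / (a * b): days of retention a fixed event store gives."""
    return (storage_bytes - dumps * dump_bytes) / (endpoints * bytes_per_endpoint_day)


def enabled_fraction(process_launch=True, process_terminate=True):
    """Share of ECC events that remain after optional categories are disabled."""
    fraction = 1.0
    if not process_launch:
        fraction -= SHARE_PROCESS_LAUNCH
    if not process_terminate:
        fraction -= SHARE_PROCESS_TERMINATE
    return fraction


def daily_event_bytes(eps, fraction_enabled=1.0):
    """Bytes written per day at a sustained event rate, scaled by enabled categories."""
    return eps * fraction_enabled * SECONDS_PER_DAY * BYTES_PER_EVENT


def eps_retention_days(partition_bytes, eps, fraction_enabled=1.0):
    """Days of retention an ES partition gives before purging at a given event rate."""
    return partition_bytes * EFFECTIVE_PARTITION / daily_event_bytes(eps, fraction_enabled)


def retention_state(days):
    """The guide treats retention under 3 days as a red state."""
    return "red" if days < 3 else "ok"


if __name__ == "__main__":
    # 8880 example from the guide: a = 50K, b = 1.7 MB, c = 30, d = 10, e = 7.5 GB
    size = recorder_storage_bytes(50_000, 1.7 * MIB, 30, 10, 7.5 * GIB)
    print(f"8880, 30 days of recorder data: {size / TIB:.2f} TiB")
    # Retention on the 8880v3 1.7 TB event data store
    days = retention_days_for_storage(1.7 * TIB, 50_000, 1.7 * MIB, 10, 7.5 * GIB)
    print(f"8880v3 retention at 50K endpoints: {days:.1f} days")
    # Table 5-11, 8880 column: 1,586 GB ES partition at 2000 EPS
    for launch, terminate in ((True, True), (True, False), (False, False)):
        d = eps_retention_days(1586 * GIB, 2000, enabled_fraction(launch, terminate))
        print(f"launch={launch} terminate={terminate}: ~{d:.0f} days ({retention_state(d)})")
```

The computed values land within rounding of the guide's figures (about 2.5 TiB for the 8880 example, ~20 days on the 1.7 TB store, ~165 GiB/day at 2000 EPS, ~7 and ~12 days for the two Table 5-11 columns); the residual share after disabling both process categories is the main source of divergence from the table's ~417/~710 day figures.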
Chapter 6
Database
This chapter includes the following topics:

■ Moving events from Symantec EDR to other data systems

Moving events from Symantec EDR to other data systems

GetIncidentEvents API
Using APIs to retrieve only the events that are related to an Incident is the best way to move
events from Symantec EDR to another data system. APIs transfer copies of incident-related
events, in batches of up to 1000, and the batch sequencing is the responsibility of the partner’s
API connector. The rule of thumb for expected impact: Symantec EDR management server
event per second number drops by approximately one-tenth.

GetEvents API
Using APIs to retrieve all events is the next least performant way to move events from Symantec
EDR to another data system. APIs transfer copies of ALL the events in batches of up to
1000. The batch sequencing is the responsibility of the partner's API connector. The
rule of thumb for the expected impact: Symantec EDR management server event per second
number drops by approximately one-half.

Syslog
Syslog is the least performant way to move events from Symantec EDR to another data system.
Syslog transfers copies of ALL the events. The rule of thumb for the expected impact: Symantec
EDR management server event per second number drops by almost half.
Chapter 7
Symantec EDR appliance
and the endpoint activity
recorder
This chapter includes the following topics:

■ Configuring the endpoint activity recorder

■ Endpoint activity recorder considerations

■ Sizing considerations

Configuring the endpoint activity recorder

If you are setting up an ECC 2.0 configuration, you can configure the endpoint activity recorder.
When you configure the endpoint activity recorder, you configure the global policies that apply
to all of the groups that this SEPM manages. However, the policies do not apply to those
groups that you exclude from the policy. As endpoints are added or moved between subgroups,
the endpoints inherit the group policy. ECC commands are applied only to the endpoints that
are in the included groups.
To enable the endpoint activity recorder, you must be running Symantec Endpoint Protection
14.0 RU1 or later. An error message appears on the SEP Endpoint Activity Recorder
Configuration page if the endpoint activity recorder is not supported for your version of SEPM.
To configure the SEP endpoint activity recorder
1 Do one of the following:

  Initially setting up the SEPM connection using the setup wizard:
      Proceed to step 2.

  Modifying an existing SEPM connection:
      1 Do one of the following:
        ■ In the EDR cloud console, click Settings, select an appliance, and then click Global.
        ■ In the EDR appliance console, click Settings > Global.
      2 Scroll down to Endpoint Detection and Response, SEP Policies, and Endpoint Activity
        Recorder.
      3 Click the actions menu (three vertical dots) to the far right of the SEPM connection
        that you want to update.
      4 Click Recorder Configuration.


2 Check Enable Endpoint Activity Recorder to enable endpoint activity recorder on the
clients that this SEPM manages.
Checking this box enables functionality on the endpoint for recording activities for every
process on the endpoint. It also enables the logic to determine which of those events to
send back to Symantec EDR in real time.
3 If you enable the endpoint activity recorder, specify the maximum amount of disk space
(in MB or GB) on the endpoint to store recorded data.
The minimum size is 250 MB; the maximum is 20 GB. The default value is 1 GB.
This setting configures how much space to allocate to retain ECC events on the endpoint
before they are purged. The exact duration depends on the activity of the endpoint, but on
average 1 GB holds about 7 days of events.
We recommend that you allocate enough space on the endpoint to handle the activity
that may happen while roaming.
4 Do one of the following:

  To send endpoint events to Symantec EDR in near real-time (approximately 15 events
  every 5 minutes):
      Check Send events in near real time.
      This setting manages the network bandwidth that is used when an endpoint sends Live
      Response events to Symantec EDR. The combination of frequency and batch size
      determines the maximum size these events take on the network. In general, the bigger
      the batch size and the longer the duration, the more compression that can happen on
      that payload. However, if you make the batch size too large, then the endpoint is unable
      to send all of the events that it needs.

  To limit when to send endpoint events to Symantec EDR:
      Clients submit data to Symantec EDR based on a minimal time interval and maximum
      batch size.
      1 Configure the maximum frequency (in minutes or hours) that batches of events are
        sent to Symantec EDR.
        The maximum is 24 hours.
      2 Specify the maximum batch size.
        The minimum is 1 event; the maximum is 100 events.
      Expect that an average client sends about 2 events per minute. Fewer than 10 events
      per 5 minutes can result in events accumulating on the clients, which means you might
      not be getting the important event information in a timely manner. More than that
      (greater than 15 events per 5 minutes) increases the load on your SEPM server during
      peak performance. Ensure that your system isn't already fully loaded if you increase
      the batch size significantly.

Symantec EDR appliance and the endpoint activity recorder 39
Endpoint activity recorder considerations

5 Check the boxes for the types of events that you want submitted to Symantec EDR.

  Load point changes
      This event type consists of any events that are associated with the ability to maintain
      persistence on an endpoint. This event type includes, but is not limited to, startup
      registry keys, services, scheduled jobs, etc.

  Suspicious system activity
      This event type consists of expert rules such as suspicious protocol-port usage by
      system processes, system files that are launched from unexpected locations, etc.

  Heuristic detections
      This event type consists of the rules that match a sequence of events that are often
      seen in malicious activity.

  Process launch activity
      Sends to Symantec EDR every process launch event with parent|child relationship and
      command line. Very useful for identifying what ran in your environment, what command
      line arguments were used, and under what user context. While valuable, Process Launch
      events account for 49% of the events being sent up to Symantec EDR.

  Process terminate activity
      This event type is less useful than Process Launch events, but it does indicate if a
      process is still running. This category accounts for 49% of all events being sent to
      Symantec EDR. If you need to reduce the load, start by disabling this category first.

By default, PowerShell executions are automatically submitted to Symantec EDR.


You must select Process launch activity if you want to be able to see Process Lineage
events on the Incidents details page.
Tip: Limiting the events that are submitted to Symantec EDR can improve system
performance. However, the trade-off is that you run the risk that a potential threat might
go undetected.
6 If you enabled the endpoint activity recorder, click Next to configure exclusions and policy
exceptions in the wizard. Otherwise, click Save.

Troubleshooting
ATP UI shows Sepm returned non 200 HTTP response

Endpoint activity recorder considerations


When you implement the endpoint activity recorder feature, consider the following:
■ Ensure that the Symantec EDR virtual or physical appliance has the resources that the
endpoint activity recorder features require.
■ Consider the impact of forwarding events to Symantec EDR and purchase the appliance
that is needed to support the event load.
See “Endpoint activity recorder event rate load” on page 32.
■ Enable the endpoint activity recorder feature in a way that targets separate SEPM groups.

Sizing considerations
When considering how to size the deployment, consider the following:
■ Number of SEP endpoints that the Symantec EDR management console manages
■ Volume of the network traffic that the network control point inspects
■ Number of network control points managed by the management console
■ Number of SEPMs deployed

See “Sizing recommendations for the virtual appliance” on page 30.
See “Sizing recommendations for the 8840 appliance” on page 29.
See “Sizing recommendations for the 8880 appliance” on page 29.
See “Considerations for selecting a network scanner” on page 17.
A single EDR appliance console can support between 10,000 and 200,000 clients, depending
on the appliance model and the features that are enabled. But no EDR appliance console can
support more than ten SEPM domains. Organizations with more than 200,000 clients must
deploy multiple Symantec EDR management appliances. You must also deploy multiple
Symantec EDR management appliances if you want to enable the full ECC logging capabilities
for more than 50,000 clients.
Appendix A
Upgrading the 8880
appliance
This appendix includes the following topics:

■ Upgrading the 8880 appliance

Upgrading the 8880 appliance

The endpoint activity recorder feature requires additional storage and additional memory to
operate effectively.
If you have an existing 8880 (v1 and v2) appliance, you can either:
■ Use Advanced Threat Protection 3.x without an upgrade using the same feature set available
in Advanced Threat Protection 2.3.
■ Upgrade your appliance to support the endpoint activity recorder capabilities.
The endpoint activity recorder feature can run on existing hardware for demo purposes but is
not a supported configuration for production deployments. A new appliance 8880-30 is available
for sale with the required storage and memory for the organizations that want to purchase a
new appliance.

Table A-1 8880 hardware specs for v1, v2, and 8880-30

                          Appliance model 8880             Appliance model 8880-v2          Appliance model 8880-30
FORM FACTOR               2U Rack Mount                    2U Rack Mount                    2U Rack Mount
CPU                       2X12 Core Intel Xeon             2X18 Core Intel Xeon             2X18 Core Intel Xeon
Memory                    96 GB                            96 GB                            192 GB
Hard drive                RAID 10 4X600GB 10K SAS 6Gbps    RAID 10 4X300GB 15K SAS 12Gbps   RAID 10 4X300GB 15K SAS 12Gbps
                                                           1X400GB SSD                      RAID 10 4X1.8TB 10K SAS
Throughput                2 Gbps                           2 Gbps                           2 Gbps
Network interface cards   4 - 10 Gb Ethernet ports         4 - 10 Gb Ethernet ports         4 - 10 Gb Ethernet ports
                          2 - 1 Gb Ethernet ports          Two 1Gb Ethernet ports           4 - 10 Gb Ethernet ports
                          2 WAN/LAN pairs (10 Gb)          2 WAN/LAN pairs (10 Gb)          2 - 1 Gb Ethernet ports
                          1 Management port (1 Gb)         1 Management port (1 Gb)         2 WAN/LAN pairs (10 Gb)
                          1 Monitor port (1 Gb)            1 Monitor port (1 Gb)            1 Management port (1 Gb)
                                                                                            1 Monitor port (1 Gb)

To upgrade existing 8880 (v1 and v2) appliances

1 Purchase the appropriate upgrade kit directly from Dell or an authorized distributor of Dell.
See “Vertical scaling” on page 24.

Note: You should keep the purchase order details (number, dates, etc.) for the upgrade
order. This information is required when you need hardware support or for warranty
purposes. Existing appliance support extends to the newly added components, and the
components take on the remaining support life of the appliance.

2 Upgrade to Advanced Threat Protection 3.x.
The hardware upgrade cannot be successful if Advanced Threat Protection 3.x is not
already installed on the appliance.
A connection over port 443 to *.symantec.com should be available for the upgrade.
See the Symantec Advanced Threat Protection 3.0 Upgrade Guide for more information.
3 Turn off the appliance.
4 Install the new components.
■ Note the service tag of the appliance being upgraded.
■ For the 8880v2, remove the SSD. The SSD is not hot pluggable and requires that the
appliance be turned off and the chassis opened.
■ Install the new HDDs in the additional bays, leaving the existing drives in their current
location.
All HDDs are hot pluggable and can be installed from the front of the appliance.
However, Symantec EDR requires a restart after the HDDs are installed.
■ Open the chassis to swap the 12 x 8-GB memory modules with the 12 x 16-GB modules.
You can find the steps for the component removal and installation in Dell's manuals:
http://topics-cdn.dell.com/pdf/poweredge-r720_Owner's%20Manual_en-us.pdf
http://www.dell.com/support/home/us/en/04/product-support/product/poweredge-r730/manuals
Important: Make sure that you follow Dell's instructions to ensure that the appliance
recognizes that the new components are properly installed.
5 Create a new RAID 10 configuration for the newly added 4 x 1.8-TB drives.
The steps are the same for the R720XL and the R730XL. Detailed steps can be found at
the following URL. Use Option A (by iDRAC).

Note: iDRAC must be upgraded as part of this process.

6 Turn on the appliance.
7 Log on to the EDR appliance console as an administrator and type:
extend_storage
8 If Symantec EDR and endpoint communication is over HTTP, ensure that port 8080 is
available.
To upgrade existing 8880-30 appliances
1 Upgrade to ATP 3.x.
See the Symantec Advanced Threat Protection 3.0 Upgrade Guide for more information.
2 Use iDRAC to configure a new RAID 10 for the 4 x 1.8 TB HDDs.

Note: iDRAC must be upgraded as part of this process. You do not need to turn off the
appliance.

3 Log on to the EDR appliance console as an administrator and type:
extend_storage
