You deploy multiple Security Analytics Servers to minimize risk of a single point of failure in your deployment. Multiple Security Analytics Servers can also limit the downtime you would experience in a single Security Analytics Server deployment. Finally, a multiple Security Analytics Server deployment helps you distribute the load of Security Analytics activity resulting in improved performance.
Sample Use Cases
The following use cases improve Security Analytics performance for high-volume, multi-site deployments that are made up of a large number of hosts and services.
Improve Investigation Efficiency - Designate one or more Secondary Security Analytics Servers to handle Investigation to speed up investigations, data export, and reporting.
Eliminate Single Point of Failure - Deploy multiple Security Analytics Servers (that is, a Primary Security Analytics Server and Secondary Security Analytics Servers) to continue some or all Security Analytics activity if a Security Analytics Server fails. For example, you can send the packets and logs you collect to multiple Secondary Security Analytics Servers and if one fails, you will not lose any data.
Segregate User Interface Functionality - Similar to the Improve Investigation Efficiency use case, designate one or more Secondary Security Analytics Servers to handle individual Security Analytics functions for which you want to improve performance.
If you deploy multiple Security Analytics Servers, you must determine which Security Analytics Server is the Primary Server and which Security Analytics Servers are the Secondary Servers.
Primary Security Analytics Server
The Primary Security Analytics Server has all the functionality, including:
- Fully functional Hosts view including the version update functionality.
- Access to Health & Wellness views.
- Full use of the trusted connections feature.
Secondary Security Analytics Servers
Secondary Security Analytics Servers can be in offline or online mode. You can connect to Security Analytics through a Secondary Security Analytics Server even if it is not designated as the Primary Security Analytics Server.
Secondary Security Analytics Servers improve performance (for example, Analysts can leverage designated Security Analytics Servers to improve Investigation and Reporting efficiency).
A Secondary Security Analytics Server has the following limitations:
- The version update functionality on the Hosts view only applies to hosts connected to the Security Analytics Server using the trust model. Each Security Analytics Server can update itself and any core appliances connected to it using the trust model. See the "Apply Updates" topic in the RSA Security Analytics Host and Services Configuration Guide for detailed instructions on how to update a host to a new version.
- You cannot use the following features:
  - Health & Wellness views
  - Trusted connections feature
  - Event Source Management
  - Incident Management
- You cannot modify rules.
Sample Deployment Eliminating Single Point of Failure
The following diagram illustrates a multiple Security Analytics Server deployment that eliminates a single point of failure.
The communication connections between the:
- Primary Security Analytics Server Host and the non-SA Server Hosts are trusted connections.
- Secondary Security Analytics Server Hosts and the non-SA Server Hosts require login credentials.