ATD Sizing Guide

Advanced Threat Defense

Sizing Guide
ATD Sizing Guide

Table of Contents
I. McAfee’s Advanced Threat Defense Sizing Guide .................................................................................... 3

II. ATD Performance Numbers...................................................................................................................... 4

III. Estimating Daily Malware Samples for the McAfee Network Security Platform (IPS) ................................ 5

IV. Estimating Daily Malware Samples for McAfee Email Gateway (MEG) .................................................... 6

V. Estimating Daily Malware Samples for McAfee Web Gateway (MWG)..................................................... 8

VI. Estimating Daily Malware Samples for Threat Intelligence Exchange (TIE) ........................................... 10

2
ATD Sizing Guide

I. McAfee’s Advanced Threat Defense Sizing Guide

This guide was created to help determine which McAfee Advanced Threat Defense (ATD)
appliance, or in some cases, the number of appliances that should be used to provide the
desired level of protection.

Launching a file in a virtual environment takes time and computational resources. The basic process for
submitting a file for inspection is:

■
Identify file based on pre-configured conditions
■
Launch a new VM
■
Execute the file in the new VM
■
Observe and report all behavior to console
■
Shutdown and destroy the VM
■
Build a new VM

Performing this process manually would take several minutes. While we provide the capability to
improve performance in Advanced Threat Defense, detection of malicious files can still take up to
several minutes based on complexity of the sample being analyzed.

To reduce the time any single file may need to be inspected, the Advanced Threat Defense appliance has
added additional inspection features and can customize the Selected Engines; these are referred to as
‘down selects’. Down selects are technologies that have been included in the ATD to reduce time to
conviction and resources. Examples of a ‘down select’ would be traditional Anti-virus, McAfee’s Global
Threat Intelligence service, McAfee’s file emulation technology called Gateway Anti-Malware and even
custom Yara rules.

Because of these additional technologies the ATD is potentially able to process a high number of files per day.
However, file type, configuration, VM type, and file volume all contribute to accurately sizing the appliance for
your environment.

3
ATD Sizing Guide

II. ATD Performance Numbers

To create a baseline for number of files which can be analyzed by ATD in an hour, two scenarios were ran
on each type of virtual machine. The first scenario is with all the down select engines disabled. This should
increase performance since down selects are quicker to convict and thus allow more samples to be
processed in an hour.

The sample set used was a mix of 5,000 different files that were all free of malware. The purpose for not
including actual malware was to normalize the response and make the analysis more accurate.

Advanced Threat Defense Performance numbers

Sample Set
5K Clean Mix (1K PE, 1K PDF, 1K DOCX, 1K DOC & 1K Mix MS Office)

Advanced Threat Analysis Rate per Analysis Rate per Analysis Rate per Number of VMs
Defense Hour 8 Hours 24 Hours Supported

ATD-3000 730 5,840 17,520 30

ATD-6000 1040 8,320 24,960 60

ATD-3100 805 6,440 19,320 30

ATD-6100 1,315 10,520 31,560 60

Virtual Advanced Analysis Rate per Analysis Rate per Analysis Rate per Number of VMs
Threat Defense Hour 8 Hours 24 Hours Supported

vATD-1008 180 1,440 4,320 8

vATD-1016 350 2,800 8,400 16

vATD-3032 750 6,000 18,000 32

vATD-6064 1,200 9,600 28,800 64

4
ATD Sizing Guide

III. Estimating Daily Malware Samples for the McAfee Network Security Platform (IPS)

1. Collect malware stats for 7-14 days again longer is better.

To collect malware stats on the NSP, log into each NSP sensor and configure it to forward files
to McAfee ATD. Depending on the sensor model, different malware engines will be collecting
information about each type of file being analyzed. To access these logs, access the terminal
on each sensor via SSH and use the command “show malwarefilestats”

2. Clean up the logs and get the total number of files.

3. Divide the number of files to get files per day.

4. Divide the number of files per day by eight (assuming an eight-hour work day)

5. Assume that 15% of the files seen by ATD from IPS will require sandboxing. If you have
the NS Series, you could roll this back to 5-10%.

6. Use the ATD performance numbers for your chosen VM in this guide to determine
which ATD will meet your specific requirements.

Total Per 15% That

Malware Total for 7 Total Files hour per will require
Day 7 Day 1
statistics for Days Per day 8- hour sandboxing
Work Day per hour
PE (EXE, DLL,
SYS, COM, etc.) 82930 0 82930 3455.42 431.927 64.789063
Files
MS Office Files 67965 0 67965 2831.88 353.984 53.097656

PDF Files 153675 0 153675 6403.13 800.391 120.05859

Compressed 197880 0 197880 8245 1030.63 154.59375
(Zip, RAR) Files
APK Files 21860 0 21860 910.833 113.854 17.078125

JAR Files 10608 0 10608 442 55.25 8.2875

Total 534918 22288.3 2786.03 417.90469

Approximately 22,288 files will be analyzed by the sandbox daily. If these are Windows 7 systems,
2 ATD-3100 appliances, or 1 ATD-6100 would be recommended.

*NOTE: While knowing daily rates for the sandbox analysis is good, understanding hourly rates would be a
best practice. If hourly rates can be obtained use the above chart to determine your ATD needs.

5
ATD Sizing Guide

IV. Estimating Daily Malware Samples for McAfee Email Gateway (MEG)

Integrating McAfee Email Gateway with McAfee Advanced Threat Defense requires MEG version

7.6.3. ATD Supported Formats can give you a total number of files that could be sent to ATD

Attachments eligible for ATD before applying global filters for entire period [316742]

3% JPEG [102248]
Adobe PDF [87749]
11% Portable Network Graphics Format [63473]
32%
Compuserve GIF [34227]
Microsoft Word [8471]
Unix gzip [1899]
Zip [1439]
20% Microsoft PowerPoint [878]
Tagged Image File Format [642]
7z [208]
RAR [83]
28% Windows Executables [8]

‘Attachments eligible’ gives you the number of files that would be sent to ATD given the current policy

Attachments eligible for ATD after applying global filter for the entire period [3629]

6% 2%

Unix gzip [1899]

Zip [1439]
52% 7z [208]
40%
RAR [83]

6
ATD Sizing Guide

The email gateway gives us the numbers that would be submitted to ATD based on the ‘Attachments
Eligible for ATD’ screen. Using the number in this example, 11,100 we would have to understand the time
period in question. If this example were a single day we could assume that an ATD-3100 would suffice.

It should also be noted that email often has fluctuating rates and knowing hourly rates is more important
than daily rates. In the following example it may be necessary to have multiple ATD-3100 to cover the peak
email times during the day.

For example, if we assume an environment with Windows 7, we receive the following traffic of attachments
for analysis:

Time # of Emails/Hour

8:00 am 1200
9:00 am 1400
10:00 am 1100
11:00 am 1200
12:00 pm 800
1:00 pm 1300
2:00 pm 1200
3:00 pm 1100
4:00 pm 1200
5:00 pm 600
Total 11,100

If we take a look at the ATD-3100 appliance as a solution, even though its daily analysis throughput is
11,100 files, the ATD-3100’s hourly rate is only 900 files while the peak traffic is 1400 files. This means that
to handle peak traffic during the day, it would require two ATD-1000 appliances.

7
ATD Sizing Guide

V. Estimating Daily Malware Samples for McAfee Web Gateway (MWG)

Pre-work

1. Import the ATD Sizing Ruleset as the last rule in MWG

2. Enable the Ruleset.

3. Let MWG run for a few days to 2 weeks (longer is better)

4. Collect logs from customer.

8
ATD Sizing Guide

Add up the total number of files under “request mediatypes” to determine the daily files that
would be submitted to ATD. Having multiple days of data provides better analysis of the
results. In addition, understanding the peak flows can also have an effect on ATD performance
so utilizing hourly rates can also provide better results.
In our example screenshot, over 70K files were discovered for potential ATD submission.
However, tuning of file submission is possible in the web gateway.
Not every file is being sent to the ATD appliance for analysis. By default, only supported
media types and files smaller then 30MB are being sent. Our recommendation is to
maintain these settings.
In addition, there is a default rule that only allows files that have a 60% or greater probability of
being malicious (as rated by the Gateway Anti-Malware engine) to be sent over to ATD.
Depending on your environment and the type of files your end users are downloading, this can
result in very few or very many files being sent to ATD. You can adjust this value or eliminate
the condition all together depending on your needs.

9
ATD Sizing Guide

VI. Estimating Daily Malware Samples for Threat Intelligence Exchange (TIE)

Estimating files for TIE submission can be challenging because each environment can be so unique. On
average, 1 out of 30 files will be submitted to the sandbox for analysis. Based on past experiences, a general
rule of thumb is that one out of three endpoints will submit one file per day.

For example, if a customer environment has 50,000 endpoints one file per every third endpoint will submit
one file a day, they will submit 17,000 files per day.

50,000 endpoints, 1 file per every third endpoint day = 17,000 sandbox files per day. Given the performance
rates in the chart, 1 ATD appliance would be needed depending on the appliance model and the mix of
Windows 7 and Windows XP images used for analysis.

Files
Number of Files Analyzed ATD 3000
Number of ATD 6000 ATD 6000 ATD 3100 ATD 6000
a day during over an 8- Windows XP
Endpoints Windows XP Windows 7 Windows XP Windows XP
work hours hour work Windows 7
Windows 7 Windows 7
day

10000 3333 416.6666667 1 1 1 1 1

15000 5000 625 1 1 1 1 1

20000 6666.666667 833.3333333 2 1 2 2 1

25000 8333.333333 1041.666667 2 1 2 2 1

30000 10000 1250 2 2 2 2 2

35000 11666.66667 1458.333333 2 2 2 2 2

40000 13333.33333 1666.666667 3 2 3 3 2

50000 16666.66667 2083.333333 3 2 3 3 2

100000 33333.33333 4166.666667 6 4 6 6 4

Files
Number of Files Analyzed vATD 3032 vATD 3032 vATD 6064 vATD 6064
Number of
a day during over an 8- Windows Windows 7 Windows Windows 7
Endpoints
work hours hour work XP XP
day

10000 3333 416.6666667 1 1 1 1

15000 5000 625 1 1 1 1

20000 6666.666667 833.3333333 2 2 1 2

25000 8333.333333 1041.666667 2 2 1 2

30000 10000 1250 2 2 2 2

35000 11666.66667 1458.333333 2 2 2 2

40000 13333.33333 1666.666667 3 3 2 3

50000 16666.66667 2083.333333 3 3 2 3

100000 33333.33333 4166.666667 6 6 4 6

ATD Sizing Guide

McAfeeMcAfee,
LLC the McAfee logo are trademarks or registered trademarks of McAfee LLC or its subsidiaries in the U.S. and/or other
2821 Mission
countries.
College
Copyright
Blvd. © 2017 McAfee LLC.
Santa Clara, CA 95054
USA