I want to deploy Endpoint Security on 150 Windows PCs, how big should my Elastic Cloud container be to support all the data coming in?
Thank you for trying out Endpoint Security. We'd appreciate any continued feedback you have.
As far as sizing, we estimate ~200MB/day/endpoint shipping the security relevant data. This also includes default metrics shipped from the agent. We calculate this based on a blended rate across differing operating environments and would be curious to know your experience once you are up and running.
We have exciting updates coming soon for both scaling cloud deployments and agent management and would love to incorporate any feedback you have.
My business is an MSSP and we are offering the Elastic Stack for collecting security logs and all, and it would be great to have a tool on our Elastic portal for helping with scaling and price. It's difficult to give a price to our customers, things are very chaotic.
Quick follow-up questions: Would you consider Endpoint Security ready for "production" use or at least should I feel confident in the deployment I'm attempting?
Something not mentioned is WAN bandwidth requirements. The metrics you select will dictate the size and the bandwidth requirements. Smaller offices (1 to 10 people) generally have a poor ISP connection, at least where I'm at.
Endpoint only isn't too much, about 512 kbps to 1 Mbps per machine, with huge changes possible depending on what's running on the machine and what logs you select. You can get north of 10 Mbps if you're not careful ("did it for testing and to piss off the network guy"). That is an unrealistic amount of data transfer for workstations; if it's normal office use (emails, QuickBooks, SharePoint) you might be looking on the low side. If you're looking at a machine doing CAD/video editing it gets aggressive quickly.
From a user standpoint, Endpoint Security is good but Fleet manager is in Beta. If you are full time and all you do is admin work, it's fine. If you are an MSP, which is 99.9% non-hands-on and only answer when needed, it's NOT ready and it won't be for at least 6 months, maybe more. The amount of time you'll spend manually updating agents between versions isn't considerable billable time, and if you do bill, talk about shady business practice.
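A small capacity model for the figures quoted in this thread (~200 MB/day/endpoint from the Elastic reply above, 512 kbps to 1 Mbps per machine from the bandwidth post), added here as an example and not code from the thread or from Elastic. Retention, replica count, index overhead and the site uplink speeds are assumptions or constructed samples.

```python
"""Sizing model for Elastic Security endpoint ingest (constructed example)."""
from dataclasses import dataclass

MB = 1_000_000            # decimal megabyte, as the thread quotes it
SECONDS_PER_DAY = 86_400
QUOTED_MB_PER_ENDPOINT_DAY = 200.0   # ~200MB/day/endpoint from the thread
QUOTED_PEAK_KBPS_PER_ENDPOINT = 1000 # upper end of "512 kbps to 1 Mbps"


@dataclass
class Site:
    name: str
    endpoints: int
    uplink_kbps: int      # assumption: usable upload bandwidth at the site


def daily_ingest_gb(endpoints, mb_per_endpoint_day=QUOTED_MB_PER_ENDPOINT_DAY):
    """Raw daily ingest in GB for the whole fleet at the quoted per-endpoint rate."""
    return endpoints * mb_per_endpoint_day / 1000


def storage_gb(endpoints, retention_days, replicas=1,
               mb_per_endpoint_day=QUOTED_MB_PER_ENDPOINT_DAY, index_overhead=1.1):
    """Disk to keep `retention_days` of data with `replicas` extra copies.

    index_overhead is an assumption covering index structures beyond raw source;
    pass 1.0 to reason about source bytes only.
    """
    primary = daily_ingest_gb(endpoints, mb_per_endpoint_day) * retention_days * index_overhead
    return primary * (1 + replicas)


def average_kbps_per_endpoint(mb_per_endpoint_day=QUOTED_MB_PER_ENDPOINT_DAY):
    """Sustained WAN rate implied by the daily volume (bits per second, not bytes)."""
    return mb_per_endpoint_day * MB * 8 / SECONDS_PER_DAY / 1000


def site_peak_check(site, peak_kbps_per_endpoint=QUOTED_PEAK_KBPS_PER_ENDPOINT):
    """Worst case: every endpoint at the site sends at the quoted peak at once.

    Returns (required_kbps, fits_uplink). Small offices with poor ISP links are
    exactly where this fails, so check it per site, not per fleet.
    """
    required = site.endpoints * peak_kbps_per_endpoint
    return required, required <= site.uplink_kbps


if __name__ == "__main__":
    print(f"150 endpoints: {daily_ingest_gb(150):.0f} GB/day, "
          f"{storage_gb(150, 30):.0f} GB for 30 days with 1 replica")
    for s in (Site("branch", 8, 2000), Site("hq", 100, 200_000)):   # constructed sites
        print(s.name, site_peak_check(s))
```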
I was thinking about sticking with 7.11 with Fleet and Endpoint for a while, and all I will have to do is to enroll the endpoints as needed (I will actually let my customer run that one command in PowerShell). Do you think that would work? No need to manually update agents between versions, unless I'm missing something?
Work, not really. You'll end up not having customers very quickly. It's not a friendly installer and has a tendency to fail in odd ways. That and it's still in debug mode by default, so in PowerShell you'll see the angry red letters of death before success.
The updates are essential currently. While Endpoint/Endgame has been around for a while and is stable, the way it reports to Elastic is not. That's the Fleet part, with a few others not mentioned. So far between 7.9 all the way to 7.11.1 I've put in close to 130 hours of testing and installs. Keep in mind this is Beta still, so it's not a production ready candidate. It acts just like a beta in every way. Endpoint will stop what it needs to stop, but the bug list is as long as my arm. It's getting better quickly but it is not stable for MSP.
Wait until 8.1 before you roll it out. With the Elastic team's progression rate that should be when it's stable enough to not worry about. That's why I say at least 6 months or more. You can still use it to collect winlogs and PowerShell logs in the meantime. At least that way you can get a grasp on the complexities.
Sounds like a plan, you confirmed my suspicions. I was testing it heavily and noticed very strange behaviours. I was just hoping it was me who was doing it wrong (but it's not like there are many ways to do it).
I guess my customer will have to wait a few more months, but we're afraid he might have an AV/EDR solution by then, but better that than instability and doing it wrong in the first place.
Thanks for your insightful thoughts!