Detailed explanation on RAP Communication
RAP events are created by endpoint clients, triggered by various user actions (opening a web page, printing a file, etc.). The clients aggregate these events into messages before sending them to the endpoint server.
The aggregated events are sent when one of three conditions is met:
Total message size exceeds a predefined limit.
Number of aggregated events exceeds a predefined limit.
A predefined time period has passed since the last message was sent.
The message is then sent to the Camel endpoint server, where each message is split back into its events, which are forwarded to the UEBA stack and processed there to update the risk levels of users.
Statistics from RAP deployments in the field show that an average of 40 events are aggregated per message sent to the endpoint server.
In the test, Avalanche sends messages to the endpoint server at a constant rate, each message containing 30 RAP events.
For the RAP-enabled test, the same endpoint communication methodology applies, with RAP event injection added to the test.
The event rate per endpoint client was calculated from statistics received from RAP deployments in the field. A typical figure for a single endpoint is around 60,000 events per week. For a 5 day week and 8 active hours per day, a typical endpoint creates events at a rate of 25 events per minute. Since preliminary test runs showed the event rate to be the limiting factor, endpoint capacity is estimated from the maximum supported event rate (e.g., if we found the event rate limit is 1,000 events per second, the endpoint count will be 40). Events are injected at a constant rate, 30 aggregated events per message, throughout the RAP test.
Let Rw be the typical weekly event rate, and R be the rate per second. So , assuming an 8 hour day, 5 day work week.
Let Imax be the maximum event injection rate, and S be the calculated seat count. So, .
Since preliminary tests showed Imax to be 9,990 events per second (9,990 events per second = 330 messages per second X 30 events per message), we get:
As explained in the environment section, the UEBA stack was deployed on premise in the DLP lab.