IBM QRadar SIEM Deployment and Configuration for a 4-mln-subscriber Wireless Telecom Provider
Customer
The Customer is a telecommunication company with more than 4 mln subscribers. Having started their activities as a GSM operator providing telecommunication services based on a postpaid system, the company was among the first operators in the global telecommunications sector to offer a prepaid system. The company is also known for their commitment to social responsibility.
Challenge
With a constantly growing customer base along with the expansion of their staff, the Customer wanted to ensure permanent monitoring and analysis of all the activities performed by end users interacting with the corporate systems and applications. Having analyzed available security information and event management (SIEM) solutions, the Customer chose IBM Security QRadar SIEM, a leader in Gartner’s 2015 Magic Quadrant for SIEM. The Customer was looking for a reliable technological partner to provide SIEM deployment for their existing IT environment and customize the solution accordingly.
Solution
With 13+ years of SIEM consulting and more than 11 years of experience in delivering solutions for telecom companies, ScienceSoft delivered the solution that answered the Customer’s requirements.
The project consisted of 2 stages. The first 2-week stage was accomplished on the Customer’s premises. ScienceSoft’s experts analyzed the Customer’s existing IT infrastructure and developed a detailed architecture of the future SIEM solution that included 4 components: a console, 2 event processors and 2 flow processors.
IBM Security QRadar SIEM was deployed in the Customer’s virtual environment. All supported log sources transmitting syslog messages were connected to QRadar. After that, ScienceSoft’s consultants analyzed the unsupported log sources in order to configure universal device support modules (uDSMs) and develop custom log source extensions (LSXs).
The second stage of the project was dedicated to customizing the deployed solution and was accomplished remotely. During this stage, ScienceSoft’s team developed uDSMs for 10 unsupported platforms and 13 custom LSXs, delivered together with XML files containing event normalization rules, shell scripts for automatic event mapping, and administrator manuals. The root SSL certificate provided by the Customer was converted and installed on the system.
Additionally, ScienceSoft developed custom software to enable log collection from Microsoft Exchange (which can neither write its events to log files nor send them via the syslog protocol) and a second custom system that uploaded logs in a multiline event format to a third-party file server.
At the final stage of the SIEM deployment and customization project, ScienceSoft’s SIEM experts carried out specialized training sessions for the Customer’s QRadar administrators in order to give them a general overview of the new system and teach them the basic mechanisms of developing LSXs.
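The two custom collectors described above have to solve the same two problems that a QRadar LSX solves with its regex patterns: a multiline record has to be reassembled into one event before it reaches the syslog listener (a UDP syslog receiver treats each datagram as a separate event), and the normalized fields QRadar needs (event name, user, source IP, outcome) have to be extracted with regular expressions. The following Python script is an added illustration of that pipeline; it is not ScienceSoft’s software, not an LSX, and the audit-log format, host names and field names in it are constructed for the example. The QRadar destination host is a placeholder.

```python
import re
import socket
from datetime import datetime

# Constructed sample of a multiline audit log (not taken from the page):
# each event starts with a timestamped header line followed by indented
# key=value continuation lines.
SAMPLE_LOG = """\
2015-11-03 10:15:02 AUDIT id=1001
  user=jdoe
  action=LOGIN
  result=SUCCESS
  src=10.1.2.3
2015-11-03 10:15:07 AUDIT id=1002
  user=jdoe
  action=CHANGE_TARIFF
  result=FAILURE
  src=10.1.2.3
"""

# A line that begins with "YYYY-MM-DD HH:MM:SS " opens a new event.
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")

# Field patterns in the same spirit as an LSX: one regex per normalized field,
# capture group 1 holds the value. Field names are hypothetical.
FIELD_PATTERNS = {
    "event_id": re.compile(r"\bid=(\d+)"),
    "username": re.compile(r"\buser=(\S+)"),
    "event_name": re.compile(r"\baction=(\S+)"),
    "outcome": re.compile(r"\bresult=(\S+)"),
    "source_ip": re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})"),
}


def split_events(text):
    """Reassemble multiline records: continuation lines belong to the
    most recent header line. Orphan lines before any header are dropped."""
    events, current = [], []
    for line in text.splitlines():
        if RECORD_START.match(line):
            if current:
                events.append("\n".join(current))
            current = [line]
        elif current:
            current.append(line.strip())
    if current:
        events.append("\n".join(current))
    return events


def normalize(event):
    """Extract normalized fields; a field missing from the event maps to None
    rather than raising, so one malformed record does not stop the feed."""
    fields = {}
    for name, pattern in FIELD_PATTERNS.items():
        match = pattern.search(event)
        fields[name] = match.group(1) if match else None
    return fields


def to_syslog(event, hostname="app01", appname="auditfwd"):
    """Flatten one multiline event into a single RFC 3164-style syslog line.
    PRI <110> = facility 13 (log audit) * 8 + severity 6 (informational)."""
    header_ts = datetime.strptime(event[:19], "%Y-%m-%d %H:%M:%S")
    stamp = f"{header_ts:%b} {header_ts.day:2d} {header_ts:%H:%M:%S}"
    flat = " ".join(part.strip() for part in event.splitlines())
    return f"<110>{stamp} {hostname} {appname}: {flat}"


def send_udp_syslog(messages, host, port=514):
    """Ship each flattened event as one UDP datagram to the SIEM collector."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for msg in messages:
            sock.sendto(msg.encode("utf-8"), (host, port))


if __name__ == "__main__":
    events = split_events(SAMPLE_LOG)
    for ev in events:
        print(normalize(ev))
        print(to_syslog(ev))
    # send_udp_syslog([to_syslog(ev) for ev in events], "QRADAR_EVENT_PROCESSOR_PLACEHOLDER")
```

The design choice worth noting is that flattening happens at the collector, before transmission, so the event processor never has to guess where one record ends and the next begins. Checking a `normalize()` result for `None` values is also a cheap way to spot a log source whose format has drifted away from the patterns that the extension was written against.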
Results
A full-fledged SIEM solution was implemented on time and on budget. During the SIEM deployment and customization project, ScienceSoft:
- Provided uDSMs for 10 unsupported log sources
- Developed 13 log source extensions
- Ensured the processing of more than 940 unique audit events from unsupported log sources
- Implemented 20 additional normalization fields
- Developed custom software for the systems that were unable to send events to QRadar automatically or that produced events in a multiline format.
The implemented solution now ensures constant monitoring of user activity, consolidates log data coming from a multitude of sources, normalizes events instantly and reveals the connections between them, which allows real offenses to be distinguished from false positives.
Technologies and Tools
IBM Security QRadar SIEM v7.2.6, QRadar API, Python, PowerShell, Regex, PostgreSQL, Oracle, Linux, Windows Server, WinCollect, VMware vSphere.