IBM Security QRadar SIEM Implementation for a Bank in the Gulf Cooperation Council
Customer
The Customer is an international bank headquartered in the Gulf Cooperation Council with operation centers across EMEA. The Customer provides comprehensive banking services to retail and corporate clients through more than 120 branches located in different countries of the region. As of the end of 2015, the bank’s total assets exceeded $11 billion.
Challenge
To protect its IT network from external and internal threats, the Customer acquired IBM Security QRadar SIEM as a proven security information and event management solution and deployed it with its in-house IT specialists.
To verify that the solution functioned properly, the Customer wanted a deployment review by third-party SIEM specialists, as well as QRadar tuning: building a network hierarchy, configuring out-of-the-box features, setting up standard device support modules (DSMs) and developing custom log source extensions (LSXs) to keep the deployment resilient against possible threats.
Solution
For these services, the Customer turned to ScienceSoft’s SIEM experts, who had recently completed a number of successful SIEM deployment and QRadar tuning projects in the field of banking information security.
The experts started their on-site activities by reviewing the QRadar deployment performed by the Customer’s IT department. The review allowed ScienceSoft’s team to identify weaknesses and fix them properly by updating the distributed QRadar installation, compiling the network hierarchy and resolving an issue with auto-updates.
To ensure the solution’s stable operation, ScienceSoft’s SIEM specialists installed a range of patches that fixed security vulnerabilities and scheduled updates for the protocols and DSMs. Internal log sources were grouped for easier management. The team also created custom LSXs (including sample data investigation, event parsing and mapping) to provide visibility into the bank’s specific applications.
ScienceSoft built out the Customer’s network hierarchy, creating 97 hierarchical objects and backing up the entire hierarchy, and prepared a network hierarchy framework that it shared with the Customer.
At the next stage, all the Customer’s appliances were checked for errors and synced with the QRadar Console. ScienceSoft’s team also developed search and dashboard elements to display unrecognized events.
Additionally, the SIEM experts installed and tested QLean (also known as Health Check Framework), a proprietary ScienceSoft tool for periodic monitoring of statistical, performance and behavioral metrics of a live IBM QRadar SIEM deployment.
Upon completing the on-site activities, ScienceSoft’s team continued working with the Customer remotely to finalize the QRadar tuning and to:
- perform troubleshooting
- create additional log source extensions (LSXs) for unsupported devices
- fine-tune the QRadar installation
- document all the procedures and configurations
- provide support to the Customer’s IT and information security departments
Results
The services provided by ScienceSoft’s team met the Customer’s major requirements. The SIEM experts’ thorough analysis of the initial QRadar deployment made it possible to fix errors, tailor out-of-the-box features and create custom log source extensions, ensuring the necessary protection of the Customer’s infrastructure and guaranteeing the safety of its clients’ data.
Technologies and Tools
IBM Security QRadar SIEM, QRadar API, Python, Regex, PostgreSQL, Linux, Shell.