IBM Security QRadar SIEM Implementation for a Bank with $370 Million in Assets
Customer
One of the top 10 Azerbaijani commercial banks, the Customer holds $370+ million in assets. The bank's network extends throughout the country with 30+ branches and 30+ ATM endpoints that provide financial and consulting services to private and corporate clients. For more than ten years, the Customer has held leading positions in the securities and corporate bond markets.
Challenge
Card data security is one of the key factors that determines every client's loyalty to a bank. For the Customer, therefore, compliance with the Payment Card Industry Data Security Standard (PCI DSS) was of crucial importance.
PCI DSS requirement 10 requires tracking and monitoring all access to network resources and cardholder data. Since comprehensive log monitoring is carried out by SIEM systems, the Customer needed a robust SIEM solution that would enhance the overall security of its network. Having consulted ScienceSoft's information security team, the Customer decided to install the IBM® Security QRadar® SIEM solution and then fine-tune it to fit the network environment. Read this case study on the IBM website.
Solution
ScienceSoft’s senior SIEM consultant embarked on a 12-week project, which was divided into several stages.
Stage 1: QRadar design and deployment
The initial stage comprised QRadar solution design based on the Customer's network requirements and deployment of the QRadar SIEM system. Our senior SIEM consultant installed the solution with a 2,500 EPS (events per second) capacity and provided its out-of-the-box configuration.
Stage 2: Out-of-the-box log source connection
During this stage, ScienceSoft’s security consultant connected the following network elements:
- A set of firewalls
- IPS/IDS systems
- Central authentication system
- Remote access control software
- Public services
- Security devices and software (email security appliance, antivirus)
- A number of general purpose servers
Stage 3: QRadar fine-tuning
This stage also involved a number of procedures:
- Populating building blocks with specific values (such as IPs and ports)
- Building network hierarchy
- Auto-update configuration
- Creation of user role security profiles
- Defining data retention periods in compliance with the Customer’s requirements
- Configuring backup and restore
- Custom deployment of unmanaged WinCollect agents
- Deployment and basic configuration of Risk Manager and Vulnerability Manager; these two separately installed appliances help discover and prioritize security risks and vulnerabilities
- User behavior analytics configuration
- External vulnerability scanner integration
- Adaptation of out-of-the-box correlation rules to the Customer's existing network environment
Stage 4: Custom rules development
During this stage, ScienceSoft's senior SIEM consultant developed 50+ custom correlation rules to fully adapt the SIEM system to the network environment.
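To make what a custom correlation rule does concrete, below is an added Python example written for this page; it is not ScienceSoft's, IBM's or the Customer's code, and it is not one of the 50+ QRadar rules, whose content the case study does not disclose. It runs two hypothetical rules over constructed authentication events: a brute-force-then-success rule, and a rule that flags logins to cardholder-data servers from hosts outside an admin building block, the kind of access tracking PCI DSS requirement 10 asks for. The log format, the building-block contents, the hostnames and IP addresses, and the thresholds are all constructed assumptions for illustration.

```python
"""Added example, not code from ScienceSoft, IBM or the Customer.

A minimal correlation engine in the spirit of the custom QRadar rules described
above. It evaluates two hypothetical rules over constructed authentication
events (the log format, hostnames and IP addresses are all made up):

  1. "Brute force then success": at least FAIL_THRESHOLD failed logins from
     one source within WINDOW, followed by a successful login from that source.
  2. "Cardholder data access from non-admin host": a successful login to a host
     in the cardholder-data building block from a source that is not in the
     admin-workstation building block.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed building blocks. In QRadar these hold the Customer's real IPs and
# ports (Stage 3 above); the addresses here are placeholders.
BB_CARDHOLDER_DATA_SERVERS = {"10.10.5.10", "10.10.5.11"}
BB_ADMIN_WORKSTATIONS = {"10.20.1.5"}

FAIL_THRESHOLD = 3          # assumed tuning value
WINDOW = timedelta(seconds=60)

# Constructed log format: "<ISO timestamp> auth <SUCCESS|FAIL> user=.. src=.. dst=.."
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>SUCCESS|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    result: str
    user: str
    src: str
    dst: str


def parse_event(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return Event(datetime.fromisoformat(m["ts"]), m["result"],
                 m["user"], m["src"], m["dst"])


def correlate(lines, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Run both rules over the lines in order.

    Returns a list of offenses as (rule_name, src, dst, user, timestamp).
    """
    offenses = []
    recent_fails = defaultdict(deque)  # src -> timestamps of failures in window

    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # unparseable lines are skipped, not treated as clean

        fails = recent_fails[ev.src]
        # Drop failures that have fallen out of the sliding window.
        while fails and ev.ts - fails[0] > window:
            fails.popleft()

        if ev.result == "FAIL":
            fails.append(ev.ts)
            continue

        # Rule 1: enough recent failures from this source, now followed by a success.
        if len(fails) >= fail_threshold:
            offenses.append(("Brute force then success", ev.src, ev.dst, ev.user, ev.ts))
            fails.clear()  # one offense per burst

        # Rule 2: cardholder-data host reached from outside the admin building block.
        if ev.dst in BB_CARDHOLDER_DATA_SERVERS and ev.src not in BB_ADMIN_WORKSTATIONS:
            offenses.append(("Cardholder data access from non-admin host",
                             ev.src, ev.dst, ev.user, ev.ts))
    return offenses


# Constructed sample events: one brute-force burst against a cardholder-data
# server, one legitimate admin login, one isolated failure, one garbage line.
SAMPLE_LOG = [
    "2024-03-01T09:00:01 auth FAIL user=jdoe src=10.30.7.22 dst=10.10.5.10",
    "2024-03-01T09:00:05 auth FAIL user=jdoe src=10.30.7.22 dst=10.10.5.10",
    "2024-03-01T09:00:09 auth FAIL user=jdoe src=10.30.7.22 dst=10.10.5.10",
    "2024-03-01T09:00:14 auth SUCCESS user=jdoe src=10.30.7.22 dst=10.10.5.10",
    "2024-03-01T09:05:00 auth SUCCESS user=admin src=10.20.1.5 dst=10.10.5.11",
    "2024-03-01T09:10:00 auth FAIL user=bob src=10.30.7.40 dst=10.10.9.1",
    "2024-03-01T09:12:30 auth SUCCESS user=bob src=10.30.7.40 dst=10.10.9.1",
    "this line is not an auth event",
]

if __name__ == "__main__":
    for rule, src, dst, user, ts in correlate(SAMPLE_LOG):
        print(f"{ts.isoformat()} OFFENSE [{rule}] user={user} {src} -> {dst}")
```

On the sample data the fourth line raises both offenses for source 10.30.7.22, the admin login raises none because the source is in the admin building block, and bob's single failure never reaches the threshold. Keeping the building blocks as separate sets is what lets the same rule be re-pointed at a new environment by changing data rather than logic, which is the point of the building-block population step in Stage 3.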
Stage 5: Security team training
The closing stage of the project was a four-day training for the Customer's security team. With the help of ScienceSoft's senior SIEM consultant, they investigated reported offenses on their own production QRadar deployment. This experience allowed the Customer's security team to continue operating the solution and handling new offenses on their own.
Results
The Customer obtained a solution that met the PCI DSS requirements for effective log monitoring. ScienceSoft helped secure the bank's assets by providing a custom SIEM solution for 24/7 real-time APT protection and insider threat detection.
Satisfied with ScienceSoft's service, the Customer proposed another project: integrating business applications with the existing QRadar system, followed by the development and integration of customer-specific threat cases.
Technologies and Tools
IBM® Security QRadar® SIEM v7.2.8, Python, SQL, AQL, Regex, Linux shell, Windows.