IBM Security Solution Implementation for UK Government Agency
Customer
Child Maintenance Enforcement Commission – a UK Government agency.
Challenge
The End Customer needed a SIEM solution to provide log management capabilities, deep data analysis, and comprehensive customizable reports to be compliant with generic regulations of the financial industry and government organizations in the UK. It also needed to achieve a better visibility of internal processes. IBM Security Information and Event Manager (TSIEM) were chosen as the target implementation platform because of its stability, advanced human-understandable General Event Model and compliance reporting capabilities.
The End Customer was brought in by Customer - Eurostaff Group Ltd, a UK-based recruitment consultancies company, suppliers of specialist expertise within the Technology & Financial arenas. The Customer turned to ScienceSoft for expertise in designing, customizing and implementing TSIEM solutions. The Customer selected ScienceSoft because of its strong background in the SIEM area, and particularly, profound expertise in TSIEM.
Solution
ScienceSoft involved a TSIEM consultant to create architecture of the TSIEM solution, customize the data collection and normalization mechanisms. The TSIEM consultant needed to design a set of compliance and general reports and deploy the solution in the development environment. Due to the high level of security in the End Customer environment all the research, design and implementation tasks were performed on-site.
The project was split into several phases common for the SIEM development procedure:
- The Project started with a Requirements Clarification phase. The phase resulted in creation of Business Requirements Document (BRD) describing logging functionality of the environment components and their mapping to TSIEM terms.
- High-level solution architecture, High Level Solution Overview (HLSO) and a High Level Design (HLD) documents were created for all custom and standard Event Sources of the solution. The End Customer business processes, applications log data and databases structure were analyzed to document the recommended TSIEM architecture with reference to requirements, issues, constraints, dependencies, objectives and other considerations.
- Low-level Design Documents (LLD) were created for each custom Event Source and User Information Source, including data collection mechanism description and detailed mapping design describing how to fit every single event into TSIEM native W7 model. TSIEM reporting LLDs were also provided for each custom Event Source.
- ScienceSoft's consultant validated the designated TSIEM solution hardware, installed and configured TSIEM application components on the development environment.
- Dedicated solutions to collect and process data were created during implementation phase.
- ScienceSoft demonstrated the configuration and use of IBM TSIEM, reviewed and demonstrated the use of TSIEM report editor to the End Customer.
- Finally, ScienceSoft provided a Deployment Summary Document (DSD) to the End Customer's technical project team. The DSD summarized deployment services performed, highlighted deviations from the standard product functionality as well as the solution architectural design and detailed tasks and outstanding issues.
Results
The End Customer production environment needed to be monitored by TSIEM consisted of heterogeneous applications, databases and directory services. All the information from resources need to be monitored within environment has been consolidated with TSIEM using 5 standard and 7 custom Event Sources, implementing TDI data manipulation mechanisms to extract the data from secured network segments not accessible directly from the TSIEM server system. User information was obtained from LDAP directory services and integrated into custom Event Sources data structure.
Several sets of reports were created covering all requirements related to information visibility and compliance regulations.
The resulting solution is capable of processing up to 20 Gb of financial transaction events per day. The solution is successfully deployed, tested for performance, stability and data integrity in development environment. All information is successfully transferred to the End Customer's side.
Sizing
- Average Events per Second volume: 2500.
- Total Number of Log Sources: 15.
- Event Sources Developed: 10.
- Threat Cases Created: 35.
Technologies and Tools
TSIEM, DB2, WAS, TDI, VMWare, GSL, GML, GEM, W7, GVS, RegExp, SQL, Batch, Shell, Python.