Implementation of QLean for QRadar for a Major North American Bank
Customer
The Customer is an international company with more than 100 years of history in banking and financial services, headquartered in Canada. One of the largest banks in North America, it serves 15+ million clients through a broad network of branches nationally and globally. The Customer is in the top 100 of the 2016 Forbes Global 2000 list.
Challenge
The bank’s strict information security requirements called for rigorous performance control over the IBM® Security QRadar SIEM it used for real-time offense detection. Given the Customer’s scale and worldwide operations, only an automated tool could perform the required fine-grained health check of the QRadar deployment. The Customer was therefore looking for a solution that could be integrated easily into its broad security environment and carry out QRadar health monitoring automatically.
The bank chose ScienceSoft’s proprietary QLean for QRadar, an off-the-shelf product that monitors QRadar health by alerting administrators to QRadar performance issues and their sources.
QLean in brief
QLean for QRadar summarizes the important QRadar metrics, such as the console summary, EPS and FPI statistics, log source productivity, incoming log data quality, correlation rule performance and more, into configurable health markers. The collected data are then sent to QRadar administrators, who analyze them to evaluate QRadar performance and discover any aberrations. Such an audit shows how well QRadar is tuned and adapted to a given IT network, which is what makes efficient offense detection possible.
Solution
Together with the Customer, ScienceSoft coordinated the installation of QLean for QRadar within the Customer’s IT network, which involved the following:
Initial check of the Customer’s requirements for QRadar health monitoring
ScienceSoft helped the Customer define the requirements for a QRadar health monitoring tool and showed how QLean could meet them. The consulting phase confirmed that the off-the-shelf version of QLean for QRadar covered the functional scope required to monitor the Customer’s security network.
Delivery of QLean
After all initial arrangements were made, ScienceSoft delivered the off-the-shelf product to the bank. Under the guidance of our consultants, the bank’s security specialists installed the tool and configured it for their security environment. As a result, QLean for QRadar was set up to monitor a QRadar deployment with the following characteristics:
- 40+ hosts
- 40,000+ log sources
- 2,500,000+ assets
- 15,000+ average EPS
- 60+ QRadar users
Pre-use audit
After QLean was adapted to the Customer’s environment, ScienceSoft’s consultants and the Customer’s security team ran a pre-use audit of the tool’s performance. The audit results confirmed that QLean for QRadar was properly tuned and would provide efficient QRadar health monitoring. ScienceSoft’s team also gave the bank’s security team thorough consultation on the further support and maintenance of QLean.
Results
The installation of QLean gave the Customer’s security team a regular, comprehensive overview of QRadar performance and allowed them to improve it by eliminating any aberrations in a timely manner. In turn, reliable QRadar performance ensures timely offense detection and prevents unprocessed events from consuming the product license volume and hardware space.
Technologies and Tools
IBM Security QRadar SIEM, Python, Linux, PostgreSQL, QRadar AQL, QRadar API, Shell Scripts, CentOS/RHEL.