Integration of QRadar Disaster Recovery Synchronization Tools
Customer
The Customer is a Michigan-based life insurance company serving retail and institutional investors. The company is among the 10 largest US life insurance companies by total statutory assets, which amount to $200+ billion.
Challenge
The Customer knows firsthand that their clients’ valuable data must be secured 24/7. The adverse impact of data breaches on client loyalty and the company’s overall reputation, coupled with considerable financial losses, were the drivers for the Customer to implement a solution that would ensure uninterrupted operation of their IBM QRadar SIEM system.
Solution
In addition to the primary 18.5K EPS QRadar console, the company purchased a backup Disaster Recovery (DR) console with the same architecture. Located in a different geographic location, the backup QRadar system will take over from the primary console if the latter fails.
The previous multi-stage project, which included out-of-the-box log sources configuration, QRadar fine-tuning, custom DSM development and end-user training, persuaded the Customer to continue collaboration with ScienceSoft. So ScienceSoft’s SIEM consultants embarked on the Disaster Recovery project for the Customer’s QRadar system.
The Customer chose the DR scenario in which only one console is operational at a time. Once the primary console fails, security specialists manually switch to the backup DR console. To enable the backup QRadar console to mirror the primary one, ScienceSoft’s SIEM consultants developed two tools for DR synchronization.
Tool #1: for data transfer
The tool is designed to transfer the configuration backup archive from the primary QRadar console to the backup (DR) console. It runs on the primary QRadar system, and its script is written in Shell. The tool supports local and remote (via SSH) transfer options. The local option applies when the target network drive is mounted via NFS or similar.
Tool #2: for data extraction
The tool extracts security content (correlation rules, custom DSMs, reports, dashboards, etc.) from the primary QRadar console and applies it to the DR console. The tool runs on the DR console, and it is written in Python. Using QRadar console credentials, the tool performs the following operations:
- Executes Content Management Tool (CMT) and waits for import completion.
- Analyzes import log for errors and warnings.
- Transfers export results to a temporary folder.
- Imports security content.
- Performs a full deployment.
- Packs content export to a zip archive and copies it to a specific folder.
- Calculates statistics on imported entries (how many rules, custom properties, searches, etc. are imported).
- Removes the temporary export file.
Both tools also allow administrators to get email notifications with the status of transfer and extraction operations (success/failure), as well as security content import statistics, errors and warnings.
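As an added illustration of the import-log analysis, statistics and notification steps described above (example code, not ScienceSoft’s tool), the following Python snippet parses a constructed CMT-style import log, counts imported entries per content type, collects warnings and errors, and renders the plain-text status body that a notification email would carry. The log line format and the content type names are assumptions for this example; the real Content Management Tool output may differ.

```python
import re
from collections import Counter

# Constructed sample of a CMT import log. The line format is an assumption
# for this example and is not taken from the real QRadar CMT output.
SAMPLE_LOG = """\
INFO Importing custom_rule: Suspicious Login Burst
INFO Importing custom_rule: Outbound DNS Volume
INFO Importing custom_property: Session Token
INFO Importing search: Failed Logins by Source
WARN Importing report: Weekly Summary - referenced search not found
ERROR Importing dashboard: SOC Overview - dependency missing
INFO Import completed
"""

# level, content type, entry name and an optional " - detail" suffix
ENTRY_RE = re.compile(
    r"^(?P<level>INFO|WARN|ERROR)\s+Importing\s+(?P<kind>\w+):\s*"
    r"(?P<name>.+?)(?:\s+-\s+(?P<detail>.+))?$"
)

def analyze_import_log(text):
    """Return per-type import counts plus the collected warnings and errors."""
    stats = Counter()
    warnings, errors = [], []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # progress lines such as "Import completed" carry no entry
        level, kind, name, detail = m.group("level", "kind", "name", "detail")
        if level == "INFO":
            stats[kind] += 1
        elif level == "WARN":
            warnings.append(f"{kind} '{name}': {detail}")
        else:
            errors.append(f"{kind} '{name}': {detail}")
    return {"stats": dict(stats), "warnings": warnings, "errors": errors,
            "success": not errors}

def notification_body(result):
    """Render the analysis as the plain-text body of a status email."""
    status = "SUCCESS" if result["success"] else "FAILURE"
    lines = [f"DR content import status: {status}", "Imported entries:"]
    for kind, n in sorted(result["stats"].items()):
        lines.append(f"  {kind}: {n}")
    for label in ("warnings", "errors"):
        lines.append(f"{label.capitalize()} ({len(result[label])}):")
        lines.extend(f"  {item}" for item in result[label])
    return "\n".join(lines)

if __name__ == "__main__":
    print(notification_body(analyze_import_log(SAMPLE_LOG)))
```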
Results
ScienceSoft SIEM consultants provided the Customer with the disaster recovery synchronization tools and a detailed guide to their configuration. Once integrated, the DR synchronization tools will safeguard the Customer’s QRadar data and configurations to provide seamless network security monitoring.
Technologies and Tools
IBM® Security QRadar® SIEM, Python, Regex, Linux Shell