
QRadar Deployment and Fine-tuning for a European Bank
Customer
The Customer is a commercial bank with over $500 million in assets. Its 30+ branches are located in Central Europe and serve both individual clients and legal entities. Along with its usual banking operations, the Customer provides online services such as Internet and mobile banking, and runs its own Forex trading platform.
Challenge
The Customer’s reputation largely depends on the security of its IT infrastructure, so the bank decided to purchase a SIEM system that could provide comprehensive monitoring of all corporate log sources. The Customer chose to collaborate with ScienceSoft on an end-to-end SIEM project.
Solution
Our security specialists deployed IBM® Security QRadar® SIEM (QRadar), integrated it with a range of corporate services, fine-tuned the solution and provided initial training to the Customer’s security specialists.
The project comprised several stages:
QRadar deployment
ScienceSoft’s SIEM consulting team deployed QRadar sized for 1,000 EPS (events per second) and 25,000 FPM (flows per minute).
Log source connection
Our security consulting team connected a total of 140 log sources to QRadar. Along with the standard ones (Windows and Linux servers, databases and firewalls), QRadar was integrated with custom log sources, which included:
- PACS (Physical Access Control System)
- LDAP (Lightweight Directory Access Protocol)
- AD (Active Directory)
- Mobile and online banking (two integrations, one for individual clients and one for legal entities)
A custom DSM (Device Support Module) was written for each custom log source, so that its events are parsed and normalized into QRadar’s standard fields in the same way as events from the standard sources.
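As an added illustration of what the custom log source stage involves (this is not the Customer’s format or ScienceSoft’s DSM, and the page gives no details of either), the block below normalizes a constructed mobile-banking log line and emits it as a LEEF 1.0 event. LEEF is IBM’s own event format, which QRadar parses with its built-in Universal LEEF support, so it is the route to take for a source whose output you control; for a source whose format you cannot change, a custom DSM performs the same field extraction with regular expressions. The log line, the field names, the severity mapping and the vendor/product strings are all assumptions made for the example.

```python
"""Normalize a custom banking application log line and emit it as a LEEF 1.0 event.

Added example: the application log format, field names, severity mapping and
vendor/product strings are assumptions, not the Customer's or ScienceSoft's.
"""
import re
from datetime import datetime

# Constructed mobile-banking log line (assumption: timestamp, level, app name,
# a pipe, then key=value pairs).
SAMPLE_LINE = ("2023-03-06 09:12:44 INFO mbank-api | event=LOGIN_FAILED "
               "user=j.novak ip=203.0.113.7 reason=bad_otp client=mobile")

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>\w+) "
    r"(?P<app>[\w-]+) \| (?P<body>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Application event name -> QRadar-style severity, 1 (low) to 10 (high). Assumed values.
SEVERITY = {"LOGIN_FAILED": 5, "LOGIN_OK": 2, "TRANSFER": 3}


def parse_line(line):
    """Extract header fields and the key=value body into a flat dict; None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("body")))
    fields["ts"] = m.group("ts")
    fields["level"] = m.group("level")
    fields["app"] = m.group("app")
    return fields


def leef_escape(value):
    """LEEF attributes are tab-delimited, so a tab inside a value must not survive."""
    return str(value).replace("\t", " ")


def to_leef(fields, vendor="ExampleBank", product="MobileBanking", version="1.0"):
    """Build a LEEF 1.0 event: pipe-delimited header, then tab-delimited key=value attributes.

    devTime/devTimeFormat, usrName, src, sev and cat are predefined LEEF keys that
    QRadar maps to its normalized event fields; the remaining keys stay as custom
    attributes that can be picked up as custom event properties.
    """
    event_id = fields.get("event", "UNKNOWN")
    dev_time = datetime.strptime(fields["ts"], "%Y-%m-%d %H:%M:%S")
    attrs = {
        "devTime": dev_time.strftime("%Y-%m-%dT%H:%M:%S"),
        "devTimeFormat": "yyyy-MM-dd'T'HH:mm:ss",  # Java SimpleDateFormat, as LEEF expects
        "usrName": fields.get("user", ""),
        "src": fields.get("ip", ""),
        "sev": SEVERITY.get(event_id, 1),
        "cat": event_id,
    }
    for key in ("reason", "client"):
        if key in fields:
            attrs[key] = fields[key]
    header = f"LEEF:1.0|{vendor}|{product}|{version}|{event_id}|"
    return header + "\t".join(f"{k}={leef_escape(v)}" for k, v in attrs.items())


if __name__ == "__main__":
    print(to_leef(parse_line(SAMPLE_LINE)))
```

The resulting line can be sent to the QRadar event collector over syslog; a parse failure (`parse_line` returning `None`) should be counted and surfaced rather than silently dropped, since unparsed events are exactly what a health check later has to explain.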
Correlation rule creation
In total, ScienceSoft’s SIEM consulting team wrote and implemented 200+ correlation rules, including an anti-fraud rule that proved a particularly effective monitoring tool. The rule detects suspicious transactions in different currencies by comparing the number and volume of an account’s transactions within a period of time against its normal baseline and alerting on deviations.
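The detection principle of that anti-fraud rule, as an added example that is not ScienceSoft’s rule and does not use QRadar’s correlation engine (a QRadar rule would express the same logic as a count and sum over a time window compared with a learned baseline): transactions are bucketed per account and currency into fixed windows, each earlier window serves as history, and the current window is flagged when its count or volume exceeds what that history supports. The one-hour window, the factor of 3, the volume floor for currencies with no history, and the transaction data are all assumptions constructed for the example.

```python
"""Sliding-window baseline check modelled on an anti-fraud correlation rule.

Added example: the window, the factor, the volume floor and the sample
transactions are assumptions, not the Customer's data or ScienceSoft's rule.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

WINDOW = timedelta(hours=1)  # evaluation period (assumption)
FACTOR = 3.0                 # ceiling is max(mean + FACTOR*stdev, FACTOR*mean) (assumption)
MIN_VOLUME = 1000.0          # ignore a currency with no history below this volume (assumption)


def _history():
    """Constructed history: account A1 makes one ~100 EUR payment per hour, 09:00-12:00, on five days."""
    return [(f"2023-03-0{day}T{hour:02d}:15:00", "A1", "EUR", 100.0 + day * 5)
            for day in range(1, 6) for hour in range(9, 13)]


SAMPLE_EVENTS = _history() + [
    # Day 6, 09:00 window: six EUR payments instead of one (count and volume deviation)...
    *[(f"2023-03-06T09:{m:02d}:00", "A1", "EUR", 110.0) for m in range(5, 35, 5)],
    # ...plus three large transfers in USD, a currency A1 has never used (no baseline).
    ("2023-03-06T09:10:00", "A1", "USD", 5000.0),
    ("2023-03-06T09:20:00", "A1", "USD", 5000.0),
    ("2023-03-06T09:30:00", "A1", "USD", 5000.0),
    # Account A2 has no history either, but its activity stays below the volume floor.
    ("2023-03-06T09:40:00", "A2", "EUR", 80.0),
]


def bucket_of(ts, window=WINDOW):
    """Floor an ISO timestamp to the start of its window (window must divide a day evenly)."""
    t = datetime.fromisoformat(ts)
    day_start = t.replace(hour=0, minute=0, second=0, microsecond=0)
    return day_start + ((t - day_start) // window) * window


def aggregate(events, window=WINDOW):
    """(account, currency) -> {window_start: [count, volume]}."""
    agg = defaultdict(lambda: defaultdict(lambda: [0, 0.0]))
    for ts, account, currency, amount in events:
        cell = agg[(account, currency)][bucket_of(ts, window)]
        cell[0] += 1
        cell[1] += amount
    return agg


def upper_limit(values, factor=FACTOR):
    """Ceiling for 'normal': mean + factor*stdev, but at least factor*mean so that a
    perfectly flat history (stdev 0) still tolerates small changes."""
    m = mean(values)
    sd = pstdev(values) if len(values) > 1 else 0.0
    return max(m + factor * sd, factor * m)


def detect(events, now, window=WINDOW, factor=FACTOR, min_volume=MIN_VOLUME):
    """Alerts for the window containing `now`, as (account, currency, reason, count, volume)."""
    current = bucket_of(now, window)
    alerts = []
    for (account, currency), buckets in aggregate(events, window).items():
        if current not in buckets:
            continue
        count, volume = buckets[current]
        history = [buckets[b] for b in buckets if b < current]
        if not history:
            # No baseline for this account/currency pair: alert only above the volume floor.
            if volume >= min_volume:
                alerts.append((account, currency, "no baseline for currency", count, volume))
            continue
        count_limit = upper_limit([c for c, _ in history], factor)
        volume_limit = upper_limit([v for _, v in history], factor)
        reasons = []
        if count > count_limit:
            reasons.append(f"count {count} > {count_limit:.1f}")
        if volume > volume_limit:
            reasons.append(f"volume {volume:.2f} > {volume_limit:.2f}")
        if reasons:
            alerts.append((account, currency, "; ".join(reasons), count, volume))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, "2023-03-06T09:45:00"):
        print(alert)
```

Two choices here are the ones that need tuning in practice and match what the health check stage below is for: the floor in `upper_limit` decides how noisy the rule is on accounts with a steady history, and `MIN_VOLUME` decides whether a first-ever transaction in a new currency is an alert or ordinary customer behaviour.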
QLean integration
The Customer’s QRadar was extended with ScienceSoft’s proprietary SOC automation solution QLean. The tool monitors the health of the SIEM and supports proactive performance tuning and maintenance.
Health check report generation and fine-tuning
After a month of operation in test mode, the SIEM system underwent a comprehensive health check with QLean. On the basis of the health check report, our security consulting team tuned the underperforming correlation rules to the Customer’s network environment.
Acceptance tests and training
The one-year project concluded with a series of acceptance tests, after which the customized QRadar solution was put into full operation. ScienceSoft’s SIEM consultant also conducted a series of training sessions with the Customer’s security department on how QRadar operates.
Results
The fine-tuned QRadar solution gives the Customer a bird’s-eye view of the activity of all end users who interact with the company’s systems and applications. Reliable event and flow collection, their analysis and well-tuned correlation rules give the Customer’s security team timely incident notifications and insightful reports for threat investigation.
Technologies and Tools
IBM® Security QRadar® SIEM v7.2.8, Linux, Windows, Python, Jython, Oracle, SQL.