IBM QRadar SIEM Consulting and Implementation for a US Public University
The Customer is a public university in the US that offers a wide range of undergraduate and graduate programs in numerous fields, from accounting to music and sports.
The Customer needed to improve the performance of their IBM QRadar SIEM. In particular, they were interested in eliminating an enormous number of false-positive offenses they got, as well as in ensuring that their QRadar SIEM covers the company’s security policies. The Customer commissioned ScienceSoft to perform the audit and subsequent tuning of the SIEM solution.
ScienceSoft’s SIEM specialists carried out the audit using QLEAN designed for the quick assessment of the QRadar SIEM solution’s functioning. During the audit of the QRadar SIEM, the SIEM team found the following problems:
- Improper working of several correlation rules.
- Incorrect log source types configuration for 70 log sources.
- Existence of 50 redundant log sources.
- Presence of unnecessary reports.
To resolve the revealed issues, the SIEM specialists took the following steps:
1. Eliminating false-positive offenses and tuning the improperly working correlation rules
In order to fix multiple login failures for a single username correlation rule, ScienceSoft’s SIEM specialists created a reference map for username-workstation name mapping, aiming to eliminate false-positive offenses. Moreover, ScienceSoft’s SIEM specialists installed a user-friendly Reference Data Management application to relieve the Customer from the necessity to fill in this reference map from CLI or API.
The tuning performed by ScienceSoft’s SIEM specialists resulted in eliminating about 50% (14 types) of false-positives. The screenshots below show the significant reduction of the number of events in offenses and the number of certain types of false-positive offenses.
The SIEM specialists created and applied two more correlation rules based on the Customer’s requirements and designed to indicate brute force attacks
2. Fixing log sources configurations and removing redundant log sources
ScienceSoft’s SIEM specialists fixed the configuration of log source types for 70 log sources. They also removed approximately 50 log sources that had not been seen for about two months. The above actions led to decreasing the number of events per day, which significantly improved log data quality characteristics.
3. Disabling unnecessary reports
Scienesoft’s SIEM specialists identified about 20 unnecessary default reports. On the basis of the QLEAN report, they determined four of them to be the most resource-consuming. Upon the agreement with the Customer, ScienceSoft’s SIEM specialists disabled four redundant reports to improve the system performance.
4. Defining further steps to increase QRadar efficiency
ScienceSoft’s SIEM team provided the Customer with a list of recommendations based on the SIEM audit and tuning results. These steps will help to ensure that the QRadar SIEM solution covers the Customer’s security policies and will significantly increase the efficiency of a security operations center (SOC):
- Updating the QRadar version from 7.2.8 to 7.3.1.
- Applying automatic offense assignment.
- Installing and configuring QRadar Vulnerability Manager.
- Building rules covering the Customer’s security policies.
- Tracking fired employees and their access attempts.
- Integrating physical access control, etc.
ScienceSoft’s SIEM specialists successfully performed the audit and tuning of the Customer’s QRadar SIEM solution. The Customer got a fine-tuned system with improved log data quality characteristics, properly configured correlation rules and log sources. The SIEM specialists also provided the Customer with a list of recommendations on how to further increase the efficiency of QRadar SIEM.
Technologies and Tools
QRadar 7.2.8, QLEAN, Linux, RegEx