IBM Security QRadar SIEM Fine-tuning for a Top 30 US Bank

Customer

The Customer is an American bank with more than $100 bn in total assets. The Customer provides banking, insurance, investments, mortgage and commercial financial services to more than 3 million consumer, business and government clients. The bank runs over 500 branches and 1500+ ATMs throughout the United States.

Challenge

The Customer was using an out-of-the-box version of IBM Security QRadar SIEM (QRadar). The out-of-the-box correlation rules and building blocks, as well as the default QRadar configuration settings had to be adapted to the Customer’s network infrastructure and security monitoring requirements. ScienceSoft was requested to perform QRadar fine-tuning according to the Customer’s network topology, data communication flows and regulatory compliance.

Solution

ScienceSoft’s experts carried out QRadar fine-tuning in the following stages:

Initial deployment checkup

During this stage, our SIEM team verified if QRadar’s initial deployment had been carried out correctly, checked schedules of the system backups, reviewed and corrected Network Hierarchy definitions, and helped the Customer to create user roles (Security Administrator, Security Analyst, etc.).

ScienceSoft provided the WinCollect deployment package that enabled auto detecting of all the available Windows logs, as well as Log Source Enhancements (LSEs) to ensure the collection and processing of Windows logs and Linux generic events that were not supported with QRadar out-of-the-box.

ScienceSoft’s team also helped the Customer to define the approach to registering log sources in QRadar, started creating Log Source groups and assign the corresponding Log Sources to the groups so that the Customer’s security team could accomplish the task without assistance.

Server discovery

ScienceSoft’s experts set the Server Discovery function, demonstrated how to perform it and how to approve assets being identified as certain Server Types. Our team successfully verified configuration, schedules and results imported to QRadar Assets database.

Offenses investigation

ScienceSoft’s team guided the Customer on the offense purpose and logic in QRadar. Our team demonstrated how QRadar offenses should be investigated by drilling down to the root cause of an offense and discovering its possible prerequisites. After that the SIEM experts demonstrated how to write correlation rules to create offenses with specific names (along the naming convention) and how to include the required information into the offense.

A detailed investigation of 5+ severe offenses was conducted, including the fine-tuning of appropriate correlation rules. This allowed the Customer to close nearly 200 related offenses that were previously identified as false-positives and to reduce the list of offences from 7 to 3 pages.

False-positives elimination

Our experts showed various techniques of false-positives elimination based on 5 real examples from QRadar. Each of 5 offenses was broken down into the rules that contributed to the offense. Each rule was analyzed and the logic of the rule was updated to reflect the Customer’s current security policy, topology, naming convention within the actual event context to exclude false-positives.

Correlation rules fine-tuning and optimization

Our SIEM team demonstrated how to fine-tune correlation rules by adding/removing rule conditions. Seven rules were fine-tuned using offense analysis. Additionally, our experts showed how correlation rules can be optimized through an advanced filtering technique and by adding or removing additional search conditions, which directly impacts QRadar’s performance.

Event severity update

ScienceSoft demonstrated the technique of updating event severity for critical assets. With the severity being increased within the corresponding offense rule, generated offenses for critical assets now have a higher magnitude.

Custom Properties optimization

The Customer was taught to create and extract Custom Properties to be used in search, rules, and reports. ScienceSoft’s SIEM consultant created 4 Custom Properties by extracting various values from different platform events and explained the importance of the naming convention in creating Custom Properties.

Search and reporting performance improvement

Our team demonstrated how the search and reports can be optimized via an advanced filtering technique that allow security administrators to improve QRadar’s performance. This way, 5 searches were created using the advanced filtering technique and indexed Custom Properties.

Performance checkup

At the end of the project, ScienceSoft installed the HealthCheck framework, ScienceSoft’s proprietary tool providing 60+ performance and behavioral metrics, as well as 25+ Health Markers for quick assessment of the solution’s functioning, to monitor QRadar and generate the report on its operability and performance.

Results

ScienceSoft successfully accomplished the task by fine-tuning IBM Security QRadar SIEM according to the Customer’s requirements. After fine-tuning, the system is now fully adapted to the Customer’s network and is able to detect offences that previously were overlooked or identified as false-positives in the absence of appropriate custom settings.

The Customer’s security team also got a comprehensive training on the solution’s functionality and effective ways of its fine-tuning, so that now the Customer’s security administrators can support the solution without assistance.

Technologies and Tools

IBM Security QRadar SIEM, Python, Regex, Linux Shell.