IBM Security QRadar SIEM Implementation for a Telecom Provider
The Customer is part of one of the leading information technology groups in the UAE and the Middle East and is the leading IT solutions provider in Jordan. As an authorized business partner of IBM, CISCO, Diebold and Lenovo in Jordan, the Customer works with the latest technologies on the market.
The End Customer is a telecommunications provider offering local and international telephone, Internet and data communication services. It employs over 3,000 people.
As a well-known telecommunications company with a mobile subscriber base of almost 3 million and over 3,000 employees, the Customer holds a large volume of sensitive data and is therefore a prime target for fraudulent activity, both internal fraud and external cyber-crime.
Moreover, as the national telecommunications provider, the Customer must pay close attention to the stability of its services.
To meet these challenges, the Customer decided to implement a security information and event management (SIEM) system and commissioned ScienceSoft to deploy IBM Security QRadar SIEM (hereinafter QRadar) and perform high-level tuning of the solution.
QRadar had to be installed across 6 data centers in 2 cities.
A ScienceSoft team of 2 SIEM specialists started work on the project. First, the initial installation of QRadar appliances for each data center was performed (Event Processor, Flow Processor, QFlow Collector, combined Event/Flow Processors, etc.). During the deployment stage, recent QRadar patches were downloaded and applied, QRadar software was installed on the main office appliances, basic system configuration was performed and documented, and the network hierarchy was created.
Our team developed a set of correlation and offense rules for 12 of the Customer's platforms. In addition, threat cases were developed and implemented (for MySQL, Apache HTTP Server, etc.). This enabled automatic, real-time analysis of the collected security events and timely detection of suspicious activity. Thanks to the tuned event correlation, the installed solution separates true threats from false positives.
During the QRadar integration stage, 19 network devices were connected. The ScienceSoft team created 10 custom Log Source Extensions (LSX) to integrate the Customer's applications (e.g. Apache for Windows, FreeRADIUS, SIEBEL Audit Trail, MySQL). An LSX is a set of regular expressions that tells QRadar how to extract the event name, source IP, user name and other fields from a log format it does not parse natively, so that those events can take part in correlation rules like any other log source.
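The two pieces of work described above (LSX-style field extraction with regular expressions, followed by a correlation rule over the extracted events) can be illustrated end to end. The following is an added example written for this page, not ScienceSoft's code or IBM's LSX format: it parses constructed FreeRADIUS syslog lines with the kind of regexes an LSX would carry, then runs a threshold rule over the parsed events (5 or more failed logins for one user within 10 minutes raises an offense; a successful login for that user soon afterwards escalates it). The log lines, host names, user names, the 2015 year assumed for syslog timestamps and the threshold and window values are all assumptions for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: syslog-forwarded FreeRADIUS auth lines (not real customer data).
SAMPLE_LOG = """\
<86>Jan  5 10:15:31 radius01 radiusd[1234]: Auth: Login OK: [asmith] (from client nas01 port 12 cli 00-11-22-33-44-55)
<86>Jan  5 10:15:32 radius01 radiusd[1234]: Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [jdoe] (from client nas01 port 12 cli 00-11-22-33-44-55)
<86>Jan  5 10:15:40 radius01 radiusd[1234]: Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [jdoe] (from client nas01 port 12 cli 00-11-22-33-44-55)
<86>Jan  5 10:15:52 radius01 radiusd[1234]: Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [jdoe] (from client nas01 port 12 cli 00-11-22-33-44-55)
<86>Jan  5 10:16:05 radius01 radiusd[1234]: Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [jdoe] (from client nas01 port 12 cli 00-11-22-33-44-55)
<86>Jan  5 10:16:20 radius01 radiusd[1234]: Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [jdoe] (from client nas01 port 12 cli 00-11-22-33-44-55)
<86>Jan  5 10:20:00 radius01 radiusd[1234]: Auth: Login OK: [jdoe] (from client nas01 port 12 cli 00-11-22-33-44-55)
<86>Jan  5 10:30:01 radius01 radiusd[1234]: garbage line that should not parse
"""

# Patterns of the kind an LSX carries: one for the syslog header, one for the payload.
SYSLOG_HEADER = re.compile(
    r'^<\d+>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'radiusd\[\d+\]: (?P<msg>.*)$')
AUTH_EVENT = re.compile(
    r'^Auth: Login (?P<result>OK|incorrect)(?: \((?P<reason>[^)]*)\))?: '
    r'\[(?P<user>[^\]/]+)(?:/[^\]]*)?\] \(from client (?P<nas>\S+) port (?P<port>\d+)'
    r'(?: cli (?P<cli>\S+))?\)')

THRESHOLD = 5                  # assumed rule parameters for the demo
WINDOW = timedelta(minutes=10)


def parse_line(line, year=2015):
    """Extract the fields an LSX would map. Returns None when the line does not
    match, so unknown events are left unparsed rather than forced into a wrong category."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None
    a = AUTH_EVENT.match(m.group('msg'))
    if not a:
        return None
    # Syslog timestamps carry no year; the year is an assumption for the demo.
    ts = datetime.strptime(f"{year} {' '.join(m.group('ts').split())}", "%Y %b %d %H:%M:%S")
    return {
        'timestamp': ts,
        'host': m.group('host'),
        'event_name': 'Login OK' if a.group('result') == 'OK' else 'Login incorrect',
        'user': a.group('user'),
        'nas': a.group('nas'),
        'port': int(a.group('port')),
        'reason': a.group('reason') or '',
    }


def parse_log(text):
    """Parse every line; return (events, number_of_unparsed_lines)."""
    events, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
        else:
            events.append(ev)
    return events, unparsed


def correlate(events, threshold=THRESHOLD, window=WINDOW):
    """Correlation rule: >= threshold 'Login incorrect' events for one user inside a
    sliding window raise an offense once; a 'Login OK' for that user within the window
    after the offense raises an escalated offense."""
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    flagged = {}                    # user -> time the brute-force offense fired
    offenses = []
    for ev in sorted(events, key=lambda e: e['timestamp']):
        user, ts = ev['user'], ev['timestamp']
        if ev['event_name'] == 'Login incorrect':
            q = failures[user]
            q.append(ts)
            while q and ts - q[0] > window:     # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and user not in flagged:
                flagged[user] = ts
                offenses.append({'rule': 'RADIUS brute force', 'user': user,
                                 'count': len(q), 'first': q[0], 'last': ts,
                                 'nas': ev['nas']})
        elif ev['event_name'] == 'Login OK':
            if user in flagged and ts - flagged[user] <= window:
                offenses.append({'rule': 'Successful login after brute force',
                                 'user': user, 'at': ts, 'nas': ev['nas']})
                del flagged[user]
    return offenses


def run_demo():
    events, unparsed = parse_log(SAMPLE_LOG)
    return correlate(events), unparsed


if __name__ == "__main__":
    found, skipped = run_demo()
    print(f"{skipped} unparsed line(s)")
    for o in found:
        print(o)
```

The parse step deliberately returns None for anything it does not recognise: in QRadar an LSX that over-matches is worse than one that leaves events as "unknown", because mis-parsed fields silently feed wrong values into every rule downstream. The rule keeps per-user state only for the window, which is the same trade-off a real correlation engine makes between memory and detection of slow attacks.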
The active stage of the project lasted 3 months (onsite and offsite). All of the Customer's appliances and applications were connected to QRadar using both out-of-the-box templates and customer-specific ones developed by ScienceSoft. The Customer can now raise its level of information security and investigate incidents in the shortest possible time.
The project is now in the support phase: when new security threats appear or a new system needs to be connected, the system is enriched with further scenarios or new LSXs are developed. In addition, the ScienceSoft team consults the Customer on any arising questions and provides recommendations on security information management.
Technologies and Tools
IBM Security QRadar SIEM 7.2.4; Python, Regex, Linux Shell