Phase 2 QRadar SIEM tuning for a Top 30 US Bank

Customer

The Customer is an American bank with $100+ bn in total assets that provides banking and financial services for both individuals and businesses. For more than 150 years, the bank has developed a wide network of branches and ATMs in several US states.

Challenge

During Phase 1, ScienceSoft’s consultants performed an initial check-up of the Customer’s out-of-the-box IBM® Security QRadar SIEM deployment, investigated offenses, checked performance and started developing basic correlation rules. Phase 1 kicked off QRadar configuration; deep customization was not intended at that stage.

Still, some log sources were not connected to QRadar at all, and others generated events it could not process. Consequently, the Customer's security specialists did not have a comprehensive overview of their security system. To settle this, the Customer requested further QRadar SIEM tuning so that these events could be monitored, and turned to ScienceSoft to proceed with QRadar fine-tuning and align it with the bank’s IT network.

Solution

ScienceSoft's team took the following steps to further adjust QRadar to the Customer’s network environment:

Planning of log source connection to QRadar

First, ScienceSoft’s team consulted the Customer on developing a roadmap of log sources (devices, systems, services), i.e., the strategy for connecting them to QRadar. This included classifying and identifying the log sources, which made it possible to analyze how well each source was connected to QRadar and whether it could report events to it. The team also proposed adjustments to be made in QRadar, including the choice of log sources to connect.

Developing log source enhancements and extensions

With the help of the log source roadmap, ScienceSoft’s team got a comprehensive overview of the platforms that were properly connected to QRadar and those that were not. For the platforms that QRadar did not support, the team created 7 log source extensions (uDSM/LSX). The extensions ensured that these platforms could now be connected to QRadar and send events it could process. In other words, ‘unknown’ and ‘stored’ events were eliminated, and QRadar was provided with high-quality, actionable data.

For the platforms that were properly connected to QRadar but still sent events that QRadar could not process, 5 log source enhancements (uDSM/LSE) were created. After that, QRadar could read these events.

Creating correlation rules

After the required enhancements and extensions were created, ScienceSoft’s team continued with QRadar SIEM tuning and developed 60 correlation rules. Such rules enable event analysis based on custom sets of search conditions, and because additional search conditions were included, they provided much more comprehensive detection of offenses. The correlation rules ScienceSoft developed for the Customer could detect both common types of attacks that can arise in any domain and those specifically geared towards banking.
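To make concrete what the log source extensions and the correlation rules described above do, here is an added example; it is not ScienceSoft’s or the Customer’s code. It is a simplified Python model of a log source extension that normalizes events from a hypothetical in-house banking application and classifies each line the way QRadar reports it (parsed, ‘unknown’ when fields are extracted but the event cannot be named, ‘stored’ when the raw payload cannot be parsed at all), followed by one stateful correlation rule run over the normalized events. The application name, the log format, the sample lines and the rule thresholds are all constructed for this example; real QRadar LSX files are XML and are not reproduced here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed raw events from a hypothetical in-house banking application
# ("coreapp") for which QRadar has no built-in DSM. The format is invented
# for this example and is not any vendor's real log format.
RAW_LOGS = [
    "2024-03-01T09:00:01Z coreapp auth result=FAIL user=jdoe src=203.0.113.10",
    "2024-03-01T09:00:07Z coreapp auth result=FAIL user=jdoe src=203.0.113.10",
    "2024-03-01T09:00:13Z coreapp auth result=FAIL user=jdoe src=203.0.113.10",
    "2024-03-01T09:00:20Z coreapp auth result=OK user=jdoe src=203.0.113.10",
    "2024-03-01T09:01:00Z coreapp auth result=OK user=asmith src=198.51.100.7",
    "2024-03-01T09:02:00Z coreapp auth result=LOCKED user=bwu src=198.51.100.8",
    "Mar  1 09:03:00 coreapp heartbeat ok",
]

# Stand-in for a log source extension: one regex with named groups extracts
# the normalized fields, and a mapping table turns the raw result code into a
# named event. Real QRadar LSX files are XML; this is a simplified model.
AUTH_PATTERN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z coreapp auth "
    r"result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\d+\.\d+\.\d+\.\d+)$"
)
EVENT_MAP = {"FAIL": "Login Failed", "OK": "Login Succeeded"}


def parse_event(line):
    """Normalize one raw line. The 'state' field mirrors how QRadar reports it:
    'parsed'  - fields extracted and event name mapped (actionable),
    'unknown' - fields extracted but the result code is not in EVENT_MAP,
    'stored'  - the regex did not match; only the raw payload is kept."""
    m = AUTH_PATTERN.match(line)
    if not m:
        return {"state": "stored", "payload": line}
    f = m.groupdict()
    event = EVENT_MAP.get(f["result"])
    return {
        "state": "parsed" if event else "unknown",
        "time": datetime.strptime(f["ts"], "%Y-%m-%dT%H:%M:%S"),
        "event": event,
        "user": f["user"],
        "src": f["src"],
        "payload": line,
    }


def parse_all(lines):
    return [parse_event(line) for line in lines]


def brute_force_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Stateful correlation rule: at least `threshold` 'Login Failed' events for
    the same (src, user) within `window`, followed by a 'Login Succeeded' for
    that same pair inside the window. Returns one offense per hit."""
    failures = defaultdict(deque)
    offenses = []
    for ev in events:
        if ev["state"] != "parsed":
            continue  # unknown/stored events carry no usable fields
        key = (ev["src"], ev["user"])
        q = failures[key]
        while q and ev["time"] - q[0] > window:
            q.popleft()  # drop failures that fell outside the window
        if ev["event"] == "Login Failed":
            q.append(ev["time"])
        elif ev["event"] == "Login Succeeded" and len(q) >= threshold:
            offenses.append({"src": ev["src"], "user": ev["user"],
                             "failures": len(q), "time": ev["time"]})
            q.clear()
    return offenses


def summarize(lines):
    """Return (count of events per state, list of offenses) for the raw lines."""
    events = parse_all(lines)
    counts = defaultdict(int)
    for ev in events:
        counts[ev["state"]] += 1
    return dict(counts), brute_force_then_success(events)


if __name__ == "__main__":
    counts, offenses = summarize(RAW_LOGS)
    print("event states:", counts)
    for o in offenses:
        print(f"OFFENSE {o['user']}@{o['src']}: "
              f"{o['failures']} failures then success at {o['time']}")
```

On the sample lines, the heartbeat line is reported as ‘stored’ (nothing extracts it), the LOCKED line as ‘unknown’ (the fields parse, but no event name is mapped), and the remaining five as parsed; the rule then raises one offense for jdoe from 203.0.113.10. In a real deployment, the ‘stored’ and ‘unknown’ counts are exactly what an extension (LSX) or enhancement (LSE) is written to drive to zero, since the correlation rule cannot act on fields it never received.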

Training of the Customer’s SIEM team

The final step of Phase 2 was a training program for the Customer’s SIEM team. During the training, our consultants gave an overview of what had been done during QRadar Phase 2 fine-tuning. They also trained the Customer’s team to support QRadar after the adjustments and advised them on how to perform such fine-tuning without outside help.

Results

ScienceSoft’s consultants helped the Customer with QRadar SIEM tuning, which gave the Customer’s security specialists a proper overview of the bank’s security system. As a result, formerly unsupported log sources could now send events to QRadar for further processing, and QRadar was enabled to convert events that had previously gone unprocessed. After these gaps were closed, the team developed correlation rules in accordance with the Customer’s IT network requirements, which ensured better offense detection. ScienceSoft’s team also conducted training for the bank’s security team to improve their understanding of QRadar functionality and of the data received from QRadar’s analyses.

Phase 2 resulted in higher data quality and in the ability to detect offenses that were previously dropped or dismissed as false positives. ScienceSoft’s consultants, together with the Customer, drew up the plan for Phase 3 of QRadar fine-tuning.

Technologies and Tools

IBM Security QRadar SIEM, AQL, Regex, Python, Linux Shell Scripting, Linux Networking Tools.