QRadar Performance Optimization with QLean for an Electric System Operator
The Customer is a U.S. non-profit electric system operator. The Customer operates the state's bulk electrical grid with 10,000+ miles of high-voltage transmission lines and 500+ electric power generators. The Customer also acts as an advisory body, providing unbiased technical information on energy issues.
Every day the Customer's network processes large volumes of valuable data. To strengthen the security of its extensive network, the Customer purchased two IBM® Security QRadar consoles, each licensed for 8K EPS (events per second). Because the SIEM systems had to ingest data from a large number of log and flow sources, they were at risk of dropping security events, degraded performance and slow, bloated reports. To maximize the ROI of the solution, get the most out of the QRadar systems' operability and performance, and strengthen network protection, the Customer's security department decided to purchase ScienceSoft's QLean for QRadar, an automated, off-the-shelf tool that monitors the operability and performance of a SIEM deployment.
Satisfied with the demonstration of the tool, the Customer requested a license key for a two-week trial. During the trial period, the Customer's security specialists generated a Health Check report that highlighted a number of performance, log quality and tuning issues in the QRadar deployment.
To address the issues promptly, the security team took up the offer to send the Health Check report to ScienceSoft's security consultants. Based on this report, our information security specialists outlined the problems that needed particular attention in order to improve the efficiency of the two QRadar systems:
- Long execution times for certain custom rules, caused by faulty rule logic
- Data integrity issues caused by disabled event log hashing
- Lack of free memory on the QRadar consoles
- Log sources in an error or inactive state
- Insufficient audit configuration: many servers and switches generated too few event types, which indicates that auditing on those devices was not configured adequately
- A large number of uncategorized events arriving via the SIM Generic log source
- EPS spikes of 12–13K that exceeded the license limit
The positive experience with QLean during the trial period persuaded the Customer to purchase two licenses covering 16K EPS in total.
Furthermore, as part of the 12-month support package, ScienceSoft is planning to provide two custom features:
- an additional Health Marker that flags log sources in an inactive or error state
- the ability to set a threshold for the percentage of such log sources (for example, an alert is raised when 10% of the monitored log sources are in an error state).
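The threshold check behind the planned Health Marker, written out as an added example. This is not QLean's or QRadar's code; the log-source inventory below is constructed for illustration, and the `name`/`status` fields and the status values `success`, `error` and `inactive` are assumptions about what a SIEM's log-source listing exposes. The check also handles the edge case of an empty inventory, which would otherwise divide by zero.

```python
"""Threshold-based health marker for log sources in an error/inactive state.

Added example, not QLean's or QRadar's own code. The record layout
(name, status) and the status values are assumptions.
"""
from dataclasses import dataclass

# Status values treated as unhealthy (assumed naming)
UNHEALTHY_STATES = {"error", "inactive"}


@dataclass(frozen=True)
class LogSource:
    name: str
    status: str  # assumed values: "success", "error", "inactive"


# Constructed sample inventory: 10 log sources, 3 of them unhealthy
SAMPLE_LOG_SOURCES = [
    LogSource("core-sw-01", "success"),
    LogSource("core-sw-02", "error"),
    LogSource("dc-ad-01", "success"),
    LogSource("dc-ad-02", "inactive"),
    LogSource("scada-hist-01", "success"),
    LogSource("fw-edge-01", "success"),
    LogSource("fw-edge-02", "error"),
    LogSource("web-proxy-01", "success"),
    LogSource("vpn-gw-01", "success"),
    LogSource("ups-mon-01", "success"),
]


def unhealthy_share(sources):
    """Return (percentage, names) of sources whose status is error/inactive.

    An empty inventory yields 0.0 and no names instead of a ZeroDivisionError,
    so a marker evaluated before any log source is configured stays green.
    """
    if not sources:
        return 0.0, []
    bad = [s.name for s in sources if s.status.lower() in UNHEALTHY_STATES]
    return 100.0 * len(bad) / len(sources), bad


def evaluate_health_marker(sources, threshold_pct=10.0):
    """Evaluate the marker: alert when the unhealthy share reaches threshold_pct."""
    if not 0.0 <= threshold_pct <= 100.0:
        raise ValueError("threshold_pct must be between 0 and 100")
    pct, bad = unhealthy_share(sources)
    return {
        "unhealthy_pct": round(pct, 1),
        "unhealthy_sources": bad,
        "threshold_pct": threshold_pct,
        "alert": pct >= threshold_pct,
    }


if __name__ == "__main__":
    result = evaluate_health_marker(SAMPLE_LOG_SOURCES, threshold_pct=10.0)
    state = "ALERT" if result["alert"] else "OK"
    print(f"{state}: {result['unhealthy_pct']}% of log sources unhealthy "
          f"(threshold {result['threshold_pct']}%): {result['unhealthy_sources']}")
```

Run against the constructed inventory, 3 of 10 sources (30%) are in an error or inactive state, so the marker raises an alert at the 10% threshold described above and stays quiet if the threshold is raised to 40%. In practice the same function would be fed the live log-source listing, and the threshold would be tuned per device class, since a single failed switch matters less in a fleet of hundreds than one failed domain controller in a pair.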
Technologies and Tools
QLean for IBM® Security QRadar® SIEM system.