The Customer is one of the biggest petroleum and chemicals enterprises. The Company operates across the globe and is involved in exploration, production, refining, distribution, shipping and marketing.
A malicious virus that originated from external sources spread throughout the Company's network and infected many workstations. Having recovered from the incident and realizing the danger of such malicious activity, the Customer decided to determine what had gone wrong and what changes should be implemented to avoid massive damage from future attacks. The Customer chose Juniper STRM as a SIEM solution to collect, log, correlate and analyze security events within its vast enterprise networks. Information security experts brought in by the Customer turned to ScienceSoft, an expert in SIEM consulting with a strong background in the QRadar SIEM / Juniper STRM area and a provider of custom security solutions for SIEM architecture enhancement.
After a thorough analysis, the ScienceSoft team identified a number of vulnerabilities in the system's architecture. The initial deployment of the system had produced a number of invalid and useless correlation rules and had damaged the correlation rules editor. Therefore, there was a need to adjust the SIEM product and to design correlation rules capable of detecting threats in the behavior of the network infrastructure. There was also a need to connect all log sources, including unsupported ones, in order to realize the full potential of the SIEM solution.
For SIEM architecture enhancement, ScienceSoft consultants recommended extending the security policy to allow better coverage of the company infrastructure. They also assessed the incident management process, analyzed the correlation rules and provided relevant recommendations for SIEM product customization. These conclusions were presented to the Customer for approval.
During the second phase of the project, ScienceSoft consultants designed advanced threat cases for the Unix and Linux platforms, including an audit baseline for each platform.
Along with many other automation tools, a tool for importing and exporting the asset database was developed to allow the Customer to perform bulk updates to the assets identified in the network infrastructure with ease.
The extended enterprise-wide security policy was converted into a set of correlation rules, which were successfully implemented. For a better response to malicious activities, the consultants developed and connected new Log Sources. Security events from these sources were parsed, normalized and mapped.
In addition, a dedicated framework was created for integration with Vulnerability Scanners not supported out of the box.
The SIEM solution was customized with a number of scripts and tools.
Finally, ScienceSoft provided the Customer with recommendations for audit configuration as part of the knowledge transfer.
The Customer was presented with a set of detailed reports covering the company infrastructure, business processes and dependencies, as well as recommendations for SIEM architecture enhancement. ScienceSoft's consultants successfully carried out the SIEM product customization. The Customer was provided with a set of connected Log Sources, including those which were not previously supported. New correlation rules were developed and implemented. The consultants made valuable recommendations about audit configuration and operating system configuration.
The project lasted 9 months and was performed mostly on the Customer's side.
- Average Events per Second volume: 11000
- Total Number of Log Sources: 1200
- Log Sources Developed: 25
- Threat Cases Created: 250
Technologies and Tools
RegExp, Python, Perl, SQL, Shell, Batch