The end customer is the government of one of the US states that comprises 70+ state agencies.
The end customer was looking to create a centralized SIEM solution that would replace scattered security systems operating at the state agencies and connect them to the unified security operation center (SOC) in order to provide all the agencies with the needed level of security monitoring stipulated by the state administration. Since 5 agencies had already been using IBM Security QRadar SIEM, the Customer decided to develop the future solution using the same platform. Taking into consideration the scope of the project, the Customer was looking for a highly professional SIEM team that could implement the system according to the provided requirements.
ScienceSoft was selected to participate in the project as one of the IBM Advanced Partners worldwide holding a Gold Accreditation in IBM Security QRadar SIEM, with more than 13 years of expertise in SIEM solution development and customization for companies in banking and finance, telecommunications, healthcare and the public sector.
The 6-month project was completed entirely on the Customer’s site. It started with the deployment of IBM QRadar SIEM according to the architecture provided by the Customer. The deployment included configuration of the existing and newly acquired appliances, as well as software upgrades and patching to ensure the stable functioning of the platform.
Once the platform was deployed, ScienceSoft’s experts proceeded to the analysis, configuration and connection of log sources to IBM QRadar SIEM. This stage was the most complicated, since event and flow collectors had to be installed and configured at more than 70 independent agencies, and the transmission of all events to the event processor clusters in the SOC then had to be ensured.
During this stage, ScienceSoft’s team configured over 5,000 log sources in total and developed 30+ log source extensions (uDSMs/LSXs) for unsupported log sources, as well as 20+ log source enhancements (LSEs) that normalized the data coming into IBM QRadar SIEM. All the log sources that had previously been sending log events to the agencies’ local systems were reconfigured, and all the data was migrated to the new system.
To facilitate the connection of the state agencies to the SOC and improve event transmission, ScienceSoft’s SIEM specialists developed a range of custom tools. Among them are:
ScienceSoft’s experts additionally delivered 10 user guides that included recommendations on the developed custom solutions and IBM QRadar SIEM usage and customization.
ScienceSoft’s SIEM team successfully completed the IBM Security QRadar SIEM deployment and configuration in accordance with the Customer’s architecture. More than 70 state agencies were connected to the unified security operation center, which gathers and analyzes events from thousands of supported log sources and from dozens of previously unsupported ones through the developed log source extensions. The delivered solution now allows the Customer to process about 10,000 events per second and more than 300,000 flows per minute.
IBM Security QRadar SIEM, QRadar API/AQL, Python, SQL, Regex, Shell, Batch, Linux network tools.