SIEM Solution for 70+ US State Agencies

Customer

The end customer is the government of one of the US states that comprises 70+ state agencies.

Challenge

The end customer was looking to create a centralized SIEM solution that would replace scattered security systems operating at the state agencies and connect them to the unified security operation center (SOC) in order to provide all the agencies with the needed level of security monitoring stipulated by the state administration. Since 5 agencies had already been using IBM Security QRadar SIEM, the Customer decided to develop the future solution using the same platform. Taking into consideration the scope of the project, the Customer was looking for a highly professional SIEM team that could implement the system according to the provided requirements.

Solution

ScienceSoft was selected to participate in the project as one of IBM Advanced Partners holding a Gold Accreditation in IBM Security QRadar SIEM in the world and having more than 13 years of expertise in SIEM solutions development and customization for companies in Banking and Finance, Telecommunication, Healthcare and Public Sector.

The 6-month project was completed fully on the Customer’s site. The project started with the deployment of IBM QRadar SIEM according to the architecture provided by the Customer. The deployment included configuration of the existing and newly acquired appliances, software upgrading and patching in order to ensure the stable functioning of the platform.

Once the platform was deployed, ScienceSoft’s experts passed to the analysis, configuration and connection of log sources to IBM QRadar SIEM. This stage was the most complicated since it was required to install and configure event and flow collectors at more than 70 independent agencies and then to ensure the transmission of all events to the event processors’ clusters in the SOC.

During this stage, ScienceSoft’s team configured in total over 5,000 log sources and developed 30+ log source extensions (uDSMs/LSXs) for unsupported log sources as well as 20+ log source enhancements (LSEs) that allowed to normalize data coming to IBM QRadar SIEM. All the log sources that previously had been sending log events to agencies’ local systems were reconfigured, all the data was migrated to the new system.

To facilitate the connection of the state agencies to the SOC and improve event transmission, ScienceSoft’s SIEM specialists developed the whole range of custom tools. Among them, there are:

  • A tool that automatically mounts and runs patches, checks and configures NTP settings, enables routing for the event collector and iptables configuration for both event collector and flow collector
  • An FPI Reporter that automatically scans all the servers and builds up charts of server load
  • A tool that enabled a simultaneous patching of all QRadar supported systems in just several hours (versus native consecutive patching that took up to one week)
  • WinCollect stand-alone deployment script and toolbox that allowed to automatically detect and connect all the log sources running on Windows servers to QRadar including Windows Event Logs, MS ISS, MS SQL, DHCP logs, debug DNS logs and any number of logs from unsupported applications (with pre-configured log paths in configuration file)
  • A syslog-ng daemon configuration checker
  • A tool to upload a Log Source list to an Excel spreadsheet (to easier sort and filter log sources) with search and renaming suggestions, as well as a log source extension (LSX) misconfiguration checker, working remotely through HTTPS
  • Tools for massive log source renaming and deletion working remotely through HTTPS
  • A server-side tool to verify Event Collectors’ availability and notify immediately if any of them went offline
  • Various tools enabling remote information queries from IBM QRadar SIEM (e.g. Custom Properties, WinCollect plugins versions, etc.)

ScienceSoft’s experts additionally delivered 10 user guides that included recommendations on the developed custom solutions and IBM QRadar SIEM usage and customization.

Results

ScienceSoft’s SIEM team successfully completed IBM Security QRadar SIEM deployment and configuration in accordance with the Customer’s architecture. More than 70 state agencies were connected to the unified security operation center that gathers and analyzes events from thousands of supported log sources and tens of unsupported ones due to log extensions. The provided solution now allows the Customer to process about 10,000 events per second and more than 300,000 flows per minute.

Technologies and Tools

IBM Security QRadar SIEM, QRadar API/AQL, Python, SQL, Regex, Shell, Batch, Linux network tools.