Professional SIEM Services
Security Information and Event Management (SIEM) is a set of tools and services to monitor all system and network activity across all users, devices, and applications to help timely detect targeted cybersecurity attacks and data breaches. ScienceSoft offers end-to-end SIEM services to protect our clients and their sensitive data.
Over the past 16 years, ScienceSoft has built solid expertise with IBM QRadar SIEM and SOAR solutions. ScienceSoft SIEM team has performed more than a 100+ SIEM projects for the clients in banking, finance, government, energy, automotive, education, healthcare and telecom industry sectors worldwide (the US, Europe, the Gulf Cooperation Council, Africa, Japan).
Many SIEM deployments, while serving a good cause, do not realize the full value of a SIEM solution for the client and fail to address advanced targeted threats. Most typical issues with SIEM deployments include misconfiguration of the SIEM system; missing critical log sources of vulnerable business applications and other assets not supported out-of-the box; incorrect audit settings for connected devices that lead to missed security context; lack of correlation rules that address the right type of assets and/or the business context. As a result, many potential security threats relevant to client’s business pass unnoticed. This does not help mitigate security risks and leaves the SIEM ROI below its potential level.
Why Choose ScienceSoft SIEM/SOAR Services?
|
ScienceSoft has the right experience, skillset and commitment and is perfectly suited to successfully launch and lay the foundation for a successful project completion.
|
|
ScienceSoft engineers bring about two decades of expertise in SIEM/SOAR solutions development, deployment, integration, and consulting. |
|
ScienceSoft was involved in the development of IBM TSIEM/TSOM in 2006-2011. More recently (2011 – 2023), ScienceSoft has become one of the leading global implementation partners for the QRadar Security Intelligence platform. Our certified QRadar consultants carry out assessments, deployments, fine-tuning, customization, and maintenance of SIEM and SOAR solutions. |
|
Technical skills: ScienceSoft consultants have all mandatory technical skills that might be required for any kind of security consulting and development, including:
|
|
Products: ScienceSoft SIEM team has developed more than 20 unique extensions (free and commercial) for QRadar, including:
More ScienceSoft applications available at: |
SIEM Projects with ScienceSoft Stage by Stage
Turnkey SIEM projects may encompass seven core stages:
To enjoy the SIEM capabilities to the fullest, clients are strongly advised to invest in fine-tuning and training. ScienceSoft SIEM consultants are familiar with the challenges that clients face at each stage of a SIEM delivery project and know how to address them.
Commitment: Our team will work with you hand in hand to ensure that all expectations are not just met but exceeded. We will be available every day, all the way, and provide all the tools and guidance to ensure a successful implementation of your project.
1
Requirements processing
After analyzing initial requirements and network infrastructure of a client, ScienceSoft security consultants estimate project efforts and offer an optimal set of requirements depending on the scope and the client’s security policy.
2
Solution design
Together with creating solution system design documentation, ScienceSoft security consultants define project acceptance criteria and confirm them with the client to ensure full requirements coverage.
3
Implementation
During implementation phase ScienceSoft consultants perform initial solution deployment and basic system configuration:
- Deploy a SIEM solution in the client’s network environment or in the cloud (e.g., Amazon AWS)
- Perform initial SIEM system configuration
- Develop audit baseline documentation for target systems
- Connect out-of-the-box log sources
4
Customization and development
ScienceSoft ensures that a deployment is optimally configured to address the client needs. Our engineers develop custom SIEM integrations, extensions, and tools to address all possible security and SIEM functionality gaps.
The first task in typical customization roadmap is connecting log sources that are not supported by SIEM solution out-of-the-box. We will develop a preprocessing tool to get the log data from any source system, reformat data when required, and apply custom parsing and categorization on SIEM side to ensure total visibility for any type of log data.
Having practical hands-on experience based on a lot of SIEM projects, ScienceSoft security consultants have compiled a list of best practices for monitoring various IT environments. These best practices are implemented as set of correlation rules, or threat cases, for locking down the environments and controlling typical incidents by proper response workflow. ScienceSoft will also implement the highly customized use cases for specific client infrastructure and business applications within the target environment to address specific business needs. Clients may also be interested in MITRE ATT&CK tactics and techniques coverage within SIEM solution, and our team will be happy to assist: take a look on our MITRE Linux and MITRE Windows applications on IBM AppExchange – they are including a free limited set of correlation rules and instructions for configuration.
Unlike other integration teams, ScienceSoft consultants are also software developers with wide experience with different software development platforms, languages, APIs and frameworks. While our main development tools are Python for backend and JavaScript for frontend, depending on situation we can use any other toolchain available: update your legacy ancient Perl script, develop modern Java native interfaces, or build classical C++ libraries. When any third-party software requires an integration with SIEM – we will be able to help.
5
Fine-tuning and delivery
To maximize a SIEM system ability to detect intruders and to save time of an administrator, ScienceSoft security consultants analyze the operation of the SIEM system within the client’s network, perform a health check, and fine tune the system. Please refer to SIEM Health Check chapter for more details.
Depending on the client’s requirements and existing infrastructure, ScienceSoft can design and propose the most suitable solution in incident response workflow such that every possible incident gets properly registered in SIEM solution and gets the right attention from the right response teams, i.e. security analysts, security architects, security engineers, etc. No more uncontrolled or uninvestigated offenses!
ScienceSoft security professionals have earned their reputation for delivering SIEM services that satisfy client needs. SIEM delivery includes the following stages:
- Final check of the SIEM solution performance
- Acceptance testing by the client
- Physical handover of all the source code, access keys and other artefacts
- Detailed project documentation
6
Training
ScienceSoft SIEM consultants are ready to share their knowledge with the client’s security team about SIEM system management with a series of hands-on training sessions. Understanding the importance of the face-to-face contact between trainers and trainees, ScienceSoft offers on-site and remote training sessions using the client’s SIEM solution or our lab system.
Depending on the level of the client’s security staff experience in SIEM system management, ScienceSoft certified SIEM consultants organize and conduct tailored SIEM training sessions: Fundamentals and/or Advanced.
The Fundamentals training module includes the following highlights:
- Introduction into IBM Security QRadar SIEM
- Security data
- QRadar user interface
- Log Sources and Network Flows
- Advanced searching
- Rules and Building Blocks
- Advanced reporting
- Basic configuration and administration
The Advanced training module, targeted at more QRadar-savvy specialists features the following topics:
- Introduction to QRadar Administration features and functionality
- Security events normalization model
- Regular expressions
- Custom DSM (device support modules) development
- Building Blocks (BB) overview and specifics
- QRadar rules processing pipeline
- Creating custom correlation rules
- Tuning correlation rules
- Removing false positives
- Solution fine-tuning and optimization
- Offenses deep-dive: log data analysis and investigations
7
Support and maintenance
Please refer to Ongoing L3 Support for SIEM Solutions chapter.
SIEM-Based Specific Services
SIEM health check
ScienceSoft helps address SIEM deployment issues and identify ways to increase QRadar SIEM ROI by carrying out a Health Check of existing deployments and various other services. The Health Check includes:
- Assessment of QRadar SIEM configuration against best practices for various platforms
- Review of the coverage of network assets and business applications by QRadar SIEM
- Implementation of audit configuration best practices for various platforms
- Review of implemented threat cases and correlation rules for the client environment
- Fine-tuning of the solution (enhance data quality, decrease false positives)
- Quick troubleshooting and performance improvement recommendations
- A written report of the Health Check results and recommendations for improvement
When configured and fine-tuned properly, QRadar correlation rules allow minimizing the possibility of advanced targeted threats to be missed by security professionals. QRadar SIEM will help its users to identify high-risk threats with near real-time correlation and behavioral anomaly detection, detect vulnerabilities and high-priority incidents among billions of data points and gain full visibility into network, application, and user activity.
A standard Health Check procedure is designed to be carried out for five (5) business days and can be performed onsite as well as offsite. Some of the steps following the Health Check may include (as a separate contract):
- Threat cases design and correlation rules implementation for the specific client environment
- Custom DSM development for business systems or network assets
- Automation solutions design and development of automation tools
- Security monitoring services
- Yearly support for any kind of security services (fixed number of hours can be used for any related task)
- Onsite or offsite trainings for security specialists working with QRadar SIEM
Ongoing L3 support for SIEM solutions
Our expert team is ready to help with continuous SIEM / SOAR solution support, providing an extended SLA for all your operational needs. We are not limited with specific task list for support, but instead we are proposing to utilize support hours for any possible task, related to client security: security policy adjusting or creating from scratch, in-deep analysis for complex offenses, development of a new threat cases, SIEM and SOAR customization, software development, operational support, OS/network troubleshooting, solution upgrade and all other related tasks. We are offering a fixed number of hours per year.
SIEM-based SOC/SOAR services
For the clients, who wish to have their own SOC and a dedicated team of security operators and analysts, ScienceSoft can assist in providing the best expertise in creating such SOC based on client’s existing IBM Security QRadar SIEM solution. If required, ScienceSoft will design, deploy, and integrate SIEM solution in client’s environment. Along with that, ScienceSoft will implement all necessary correlation rules and appropriate incident response workflows for every applicable threat case. Additionally, ScienceSoft provides hands-on experience training by IBM Security certified SIEM Consultants for security operators and analysts on IBM Security QRadar as well as on how to create and investigate offenses. Within just a reasonable amount of time, client’s team will be ready to control all security incidents and take appropriate actions for reducing possible risks for client’s assets.
For the clients, who wish to use an external team of SOC security operators, ScienceSoft can provide remote SOC monitoring services, acting as MSSP for security data analysis. Our team of security operators, with secure VPN access to client’s SIEM solution, accesses client’s environment and monitors security incidents on a negotiated SLA basis. Based on the drill-down incidents’ analysis, ScienceSoft will provide guidelines for the client to lock down the cause of registered security incidents. Each incident will be handled in accordance with the designed incident response workflow.
All offenses, however, still must be followed up and processed by the client’s team of system and network administrators, to perform a last-mile operations (like disabling users or blocking activity on firewall).
SIEM-based ATM security
As ATM network attacks are becoming more and more sophisticated, SIEM-based ATM security solutions come into play. ScienceSoft information security consultants respond to the growing ATM security threat by conducting an ATM network audit, incident data collection and analysis, security assurance of ATM network design and creating custom correlation rules for the client’s SIEM system. This comprehensive approach enables security administrators to cover all the ATM threat types.
SIEM-based APT protection
ScienceSoft SIEM consultants will build up a deeply personalized security environment to ensure SIEM-based Advanced Persistent Threat protection. Our security professionals will fine-tune your SIEM solution to transform it into a handy tool for discovering APT attacks at early stages.