Case Study: QRadar SIEM Implementation | Cybersecurity
Reducing Cybersecurity Risk through the Expert Use of QRadar SIEM
Evolver’s large government client provides over 20,000 nodes including five states and were feeling the brunt of many consistent cyber attacks. The QRadar SIEM architecture was the ideal implementation for this enormous federal organization. Many large organizations will compare QRadar vs Splunk for enterprise security information and event management. In this case, Evolver and the client identified ways that QRadar was the best decision.
The Cybersecurity Problem
Due to the Federal agency client’s enormous IT infrastructure and workforce, they were experiencing cyber attacks. They wanted to reduce their cybersecurity risk.
The client has:
- a geographically distributed workforce with its primary operational site comprised of ten interconnected buildings
- one of the largest and most geographically diverse tele-workforce programs in the civilian portion of the federal government
- a system that currently provides connectivity to over 20,000 permanent nodes including five sites
- to operate multiple domestic and international wide-area networks (WAN), VPNs, and other external connections
The Cybersecurity Solution
Evolver implements IBM QRadar SIEM for their enterprise security information and event management.
Available on premises or in a cloud environment, IBM QRadar SIEM detects anomalies, uncovers advanced threats, and removes false positives.
Some QRadar features include:
- With near real-time visibility, QRadar captures log event and network flow data and applies advanced analytics to reveal security offenses.
- It reduces and prioritizes alerts by focusing security analyst investigations on a short, manageable list of suspected, high probability incidents.
- Optimizes threat detection.
- Easily manages compliance with internal organizational policies and external regulations
QRadar SIEM Benefits to Client
Fewer malicious attacks on users from foreign countries from QRadar’s:
»» advanced reporting practices
»»monitoring system settings and rules
»» data analysis
Highlights of the Evolver Implementation of QRadar SIEM Solution
QRadar Reporting and Monitoring
1. Configure QRadar reports to run after hours to reduce impact on the network resources
2. Integrated QRadar alerts to function with monitoring system, this was an ongoing project for 3 months of tuning and identifying workflow procedures:
»» The team has successfully aggregated 98% of all security events to be managed via infrastructure monitoring system for applications and devices.
»» Previously only 68% of alerts came to the team via the monitoring system, the alerts came in many formats i.e. multiple email inboxes, request from customers, different support groups.
»» Alerts are received via a single source, this improves security incident handling significantly and increases operation readiness efficiency. Email, phone, or multiple system request was an antiquated means to triage, track, and respond to security threat notifications.
»» The team has aggregated 98% of all security events, this has incurred a 129% increase in security alerts. Even though there was an increase in security alerts, the Network Analyst staff shared 38% of the Cyber Analyst workload and along with our security best practices approach to handling security incidents, the staff was still able to meet the require SLA of 95%
»» Monitoring system and QRadar are redundant to eliminate a single point of failure. This increased the CIO’s confidence that any particular security threat was minimal to the customer infrastructure
Security Incident Analysis
»» To assist our client, Evolver re-analyzed and categorized all security incidents originating from foreign countries. The security incidents that were hosted in QRadar were investigated for all possible attacks originating from foreign countries.
»» The purpose of the action was due to a false claim about client sites blocking traffic to specific foreign countries.
»» Cyber Analysts investigated the source of the addresses and the email headers to trace the traffic path which took place from a malicious proxy site from within the US, another from a foreign country, and later a valid Google proxy which was being spoofed from a translation site.
QRadar Rule Creation
»» Cyber Analysts created new QRadar rules to log an offense for users executing known, potentially malicious, and/or unauthorized files on their workstations in real time.
»» The rule will trigger an alert when users attempt to execute applications specified in the rule and another rule will trigger alerts when the users attempt to launch applications that our team has blocked via the Hostbased IDS.
»» Cyber Analysts created new QRadar rules to log an offense for failed logins, this was necessary to increase visibility into user and server failed logins throughout the infrastructure. Thresholds were set to reduce false positives based on anomalous network behavior.
User Authentication and Analysis
»» User authentication based on their geographical location type events can be co-related with users travelling outside of the country. On the other hand, detecting such events could mean un-authorized access due to password harvesting attacks or other social engineering attacks.
»» Analyzing QRadar flows for different types of user agents utilized by attackers which can result in creating customized IDP/IPS signatures in the future to prevent reconnaissance scans.
»» Creating actionable alerts based on malicious behavior detected by network appliances such IDS/IPS systems.
»» Examining QRadar Netflows for basic http traffic or decrypted https traffic for content viewed or submitted by end user, i.e., on several occasions cyber analysts detected users visiting password harvesting sites and noticed that they had actually submitted their company username and password to attackers on these sites.
Other Engineering/Administrative QRadar Tasks:
»» Create security offense rules
»» Software patches/updates
»» Log analysis
»» Multipoint system integration
»» Incorporating to DSMs (Devices Support Modules) for new technologies such as Cylance to properly categorized events in QRadar
»» Reviewing system logs for failures and/or process crashes
As their trusted information security and information technology provider, this large Federal client turned to Evolver. Evolver’s expertise in implementation of IBM QRadar SIEM improved their cybersecurity posture.
Read the entire case study about the successful implementation of the expert use of QRadar SIEM.