Monitoring the telecom operator system for IS incidents in real time and managing them; monitoring compliance with SOX requirements.
Belarusian Telecommunications Network (“BeST”, trademark “life:)”) is the mobile operator with the third highest number of service users in the Republic of Belarus. In addition to the services that relate to the brand life:), the company offers digital services, including TV+ television service, fizy music service, Apps Club (a gaming application), BiP messenger, Lifebox cloud storage and others.
In 2008, the high-profile Turkish telecom operator Turkcell became the principal shareholder in BeST. Since its capital is listed on the New York Stock Exchange (NYSE), Turkcell conducts an annual audit in accordance with the American Sarbanes-Oxley Act (SOX). This audit is mandatory for subsidiary companies such as JSC BeST.
To ensure the required level of information security (IS) at the company, IS events from a wide range of critical systems and telecom equipment from a variety of vendors need to be captured and processed. It is also important to identify, investigate, and react to IS incidents as quickly as possible. The company used a SIEM for these purposes, but the discontinuation of manufacturer support in 2015 prompted a replacement.
To select and implement a new SIEM system, JSC BeST turned to LLC Lifetech, its subsidiary organization that provides services in the fields of IT and information security. The key requirements for choosing a new system were: performance and scalability; guaranteed event source capture, including critical applications, systems and telecommunications equipment; ease of implementation and maintenance; the ability to search for event correlations to identify IS incidents; provision of reporting and dashboards with all the necessary information for monitoring and SOX audits. The implementation had to be carried out in a short time – no more than 6 months.
The products HPE ArcSight Express Virtual Appliance, IBM QRadar, and the open-source software Elasticsearch in conjunction with Kibana were considered during the selection process. ArcSight was chosen following comparison of these solutions and evaluation of how they comply with the key requirements for the new SIEM system.
“One of its main advantages was the ability to capture events from a large number of systems: more than 400 standard connectors (Smart connectors) and a configurable connector (Flex connector), whose configurable design ensures that events are captured from most systems. Using ArcSight we were able to process events from all the large-scale critical systems and telecommunications equipment at our company,” says Aleksandr Turlo, Head of IT and IS at LLC Lifetech. “Another important aspect is that the rival products could not provide sufficient performance at a significant load (2,500 events per second). This could result in the loss of individual events, which is absolutely unacceptable. To effectively secure IS and breeze through SOX audits we need to monitor even minor changes in the systems responsible for financial reporting. Turkcell and its subsidiary companies must be transparent for shareholders and auditors.”
JSC BeST has a suite of applications, systems and equipment at its disposal: billing system, CRM, ERP, DBMS, virtualization platform, various network and telecommunications equipment.
Aleksandr Turlo explains the basic requirements of the IT process. One of the key requirements is the need to monitor not only IS incidents but also changes made to the configuration of systems. For example, it is necessary to check that a particular change has been approved and that it was carried out in compliance with the procedures defined by the company’s operating processes.
IT processes at JSC BeST are based on ITIL recommendations, which fully comply with SOX audit requirements.
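The change-control check described above, as an added illustration that is not code from the page, from Lifetech or from ArcSight: normalized configuration-change events (constructed sample lines, hypothetical hosts and accounts) are matched against approved change requests from the Service Desk (constructed, hypothetical RFC identifiers), and every change without an approval covering that host, account and time window is reported so it can be raised as an incident.

```python
import re
from datetime import datetime
# Constructed sample of normalized change events as a SIEM report export might
# look: "timestamp host account change". Hosts and accounts are hypothetical.
CHANGE_EVENTS = """\
2017-01-12T02:14:05 billing-db01 dba_ivanov ALTER TABLE invoices ADD COLUMN discount
2017-01-12T02:31:40 billing-db01 dba_ivanov UPDATE tariff SET rate=0.09 WHERE id=7
2017-01-12T11:05:12 erp-app02 app_admin Modified ledger export schedule
2017-01-13T09:45:00 billing-db01 svc_backup GRANT ALL ON invoices TO svc_backup
"""
# Constructed sample of approved change requests from the Service Desk:
# (rfc_id, host, account, window_start, window_end). Identifiers are hypothetical.
APPROVED_CHANGES = [
    ("RFC-1031", "billing-db01", "dba_ivanov", "2017-01-12T02:00:00", "2017-01-12T03:00:00"),
    ("RFC-1040", "erp-app02", "app_admin", "2017-01-13T10:00:00", "2017-01-13T12:00:00"),
]
EVENT_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")
def parse_events(text):
    """Parse export lines into (timestamp, host, account, change); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            ts, host, user, change = m.groups()
            events.append((datetime.fromisoformat(ts), host, user, change))
    return events

def check_change(event, approvals):
    """Return (rfc_id, reason); reason is None when an approved RFC covers the change."""
    ts, host, user, _ = event
    candidate = None
    for rfc, a_host, a_user, start, end in approvals:
        if host != a_host or user != a_user:
            continue
        if datetime.fromisoformat(start) <= ts <= datetime.fromisoformat(end):
            return rfc, None
        candidate = rfc  # right host and account, but outside the approved window
    if candidate:
        return candidate, "outside approved window"
    return None, "no approved RFC for this host and account"

def unapproved_changes(text, approvals):
    """Changes failing the control, as (time, host, account, rfc, reason) for the Service Desk."""
    findings = []
    for ev in parse_events(text):
        rfc, reason = check_change(ev, approvals)
        if reason is not None:
            findings.append((ev[0].isoformat(), ev[1], ev[2], rfc, reason))
    return findings
```

Distinguishing "outside approved window" from "no RFC at all" matters for the auditor: the first points to a scheduling deviation, the second to an account making changes with no change record whatsoever.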
Lifetech implemented all the ArcSight modules. It took less than four months to build the system in the existing IT landscape and configure all the necessary settings. The licenses were obtained in August 2016 and project implementation started at the end of September and completed in January 2017.
Prior to starting the ArcSight deployment, Lifetech specialists developed an architecture for the new SIEM system: they determined which of the systems, applications, and telecom equipment would be monitored and in what sequence they should be connected. Recommendations from Micro Focus experts were considered when making these decisions.
ArcSight was rolled out in the virtual environment, and no additional equipment or software was required. First, integration with the company’s Active Directory catalog, email server, and SMS centers was set up so that regular reports could be sent and incident notifications received. Then, work began on setting up monitoring of the systems, applications, and telecom equipment at JSC BeST. More than 26 types of Flex connectors were developed for unique event sources during the main integration work, which enabled IP addresses to be added automatically to the quarantine list and network attacks to be blocked. The specialists then began to ‘fine-tune’ the connectors and exclude from the stream events that are not significant in terms of IS or SOX audit controls but that create an additional load on the SIEM system. The following steps were to configure the reports and dashboards and to integrate ArcSight with the corporate Service Desk system.
In the final stages of the project, integration with a third-party security operations center (SOC) was achieved by rolling out additional ArcSight modules. “Because JSC BeST is small and in order to optimize its processes, Lifetech has carried out integration with the SOC. The stream of events that enters our SIEM system is duplicated in the SOC center. Its analysts perform the primary processing of IS incidents and report on critical incidents, providing the information discovered during the investigation. This allows us to decide on effective solutions and actions to eliminate identified incidents,” according to Aleksandr Turlo.
Before the new SIEM system based on ArcSight was launched into production, the old and new systems worked in parallel. Once Lifetech specialists were confident the new system was functioning accurately and reliably, the previous system was retired.
The new SIEM system based on ArcSight provides the required performance and data throughput. Lifetech specialists were able to ensure the guaranteed real-time collection, aggregation and normalization of all events, despite the variety of systems, their distribution across data centers, and the industry-specific logging protocols of telecom equipment. Events are stored in the SIEM system for 90 days with instant access. Beyond that, events are backed up daily and retained for 13 months without modification.
ArcSight is also integrated with the company’s existing IT systems (IPS, FW, antivirus, IAM), and automated response has been implemented for certain incidents, which has greatly increased the level of security of the information systems. In addition, events feed more than 40 reports that have been created and are scheduled to be generated regularly (daily, weekly, monthly) to ensure the implementation of SOX audit controls.
In 2017 BeST updated its existing ArcSight implementation from a virtual edition to the high-performance and scalable ArcSight Enterprise Security Manager (ArcSight ESM). Lifetech specialists updated ArcSight ESM to the latest version (version 7), which further expanded the functionality of the SIEM system.
Today, ArcSight ESM collects and analyzes events in critical systems, applications, and telecommunications equipment involved in supporting JSC BeST’s business processes.
Aleksandr Turlo – HEAD OF IT AND INFORMATION SECURITY
LLC Lifetech, subsidiary company of Belarusian Telecommunications Network
Integration of ArcSight ESM with Service Desk systems: incidents contained in the scheduled exports of SIEM reports are automatically registered in the Service Desk. This substantially increases the effectiveness of internal control processes.
Lifetech specialists are continuing to develop the JSC BeST SIEM system. All new event sources are integrated in ArcSight ESM. Looking ahead, there are plans to use the Interset User and Entity Behavioral Analytics functionality from Micro Focus for behavioral analysis of users to identify abnormal activities.
The Lifetech team is also reviewing the possibility of acquiring other Micro Focus products. In particular, ArcSight Transformation Hub enables data to be quickly distributed from sources not only to the SIEM system but also to other centers where it can be processed and analyzed.