The SIEM System for Information Security
In 2008, the high-profile Turkish telecom operator Turkcell became the principal shareholder in BeST. Since its capital is listed on the New York Stock Exchange (NYSE), Turkcell conducts an annual audit in accordance with the American Sarbanes-Oxley Act (SOX). This audit is mandatory for subsidiary companies such as ZAO BeST.
To ensure the required level of information security (IS) at the company, IS events from a wide range of critical systems and telecom equipment from a variety of vendors need to be captured and processed. It is also important to identify, investigate, and react to IS incidents as quickly as possible. The company used a SIEM to this end, but the discontinuation of manufacturer support in 2015 prompted a replacement.
To select and implement a new SIEM system, ZAO BeST turned to OOO Lifetech, a subsidiary organization that provides IT and IS services. The key requirements for the new system were: performance and scalability; guaranteed capture of events from all required sources, including critical applications, systems and telecommunications equipment; ease of implementation and maintenance; the ability to correlate events in order to identify IS incidents; and reporting and dashboards containing all the information needed for monitoring and SOX audits. The project was completed in a short time, less than 6 months.
The products Micro Focus ArcSight Enterprise Security Manager (ArcSight ESM), IBM QRadar, and the open source software Elasticsearch in conjunction with Kibana were considered during the selection process. ArcSight ESM was chosen following comparison of these solutions and evaluation of how they comply with the key requirements for the new SIEM system.
“One of its main advantages was the ability to capture events from a large number of systems: more than 400 standard connectors (Smart connectors) and a dedicated connector (Flex connector), the configuration of which ensures that events are captured from most systems. Using ArcSight ESM we were able to process events from all the large-scale critical systems and telecommunications equipment at our company,” says Aleksandr Turlo, Head of IT and IS at OOO Lifetech. “Another important aspect is that the rival products could not provide sufficient performance at a significant load (2,500 events per second). This could result in the loss of individual events, which is absolutely unacceptable. To effectively secure IS and breeze through SOX audits we need to monitor even minor changes in the systems responsible for financial reporting. Turkcell and its subsidiary companies must be transparent for shareholders and auditors.”
Typical IT Landscape for a Telecom Operator
ZAO BeST has a suite of applications, systems and equipment at its disposal: billing system, CRM, ERP, DBMS, virtualization platform, various network and telecommunications equipment.
Aleksandr Turlo explains the basic requirements of the IT process. One of the key requirements is the need to monitor not only IS incidents but also configuration changes. For example, it is necessary to check that a particular change has been approved and that it was carried out in compliance with the procedures defined by the company’s operating processes.
IT processes at ZAO BeST are based on ITIL recommendations, which fully comply with SOX audit requirements.
ArcSight: Full Functionality, Integration Capabilities, and Performance
Lifetech implemented all the ArcSight modules. It took less than four months to build the system in the existing IT landscape and configure all the necessary settings. The licenses were obtained in August 2016 and project implementation started at the end of September and completed in January 2017.
Prior to starting the ArcSight ESM rollout, Lifetech specialists developed an architecture for the new SIEM system: they determined which systems, applications, and telecom equipment would be monitored and in what sequence they should be connected. Recommendations from Micro Focus experts were taken into account when making these decisions.
ArcSight was rolled out in the virtual environment, and no additional equipment or software was required. First, integration with the company’s Active Directory catalog, email server, and SMS centers was set up to send regular reports and deliver incident notifications. Then, work began on setting up monitoring of the systems, applications, and telecom equipment at ZAO BeST. More than 26 types of Flex connector were developed for unique event sources during the main integration work, which enabled IP addresses to be added automatically to the quarantine list and network attacks to be blocked. The specialists then began to ‘fine-tune’ the connectors and exclude from the stream events that are not significant in terms of IS or SOX audit controls but that create additional load on the SIEM system. The following steps were to configure the reports and dashboards and to integrate ArcSight with the corporate Service Desk system.
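The three things the connector work above boils down to (normalizing a vendor-specific log format, dropping events with no IS or SOX value before they load the SIEM, and correlating what remains into the change-approval check described earlier and the quarantine-list decision) can be shown in a small pipeline. The following is an added example, not code from Lifetech or from ArcSight: the key=value log format, the event types, the noise list, the approved-ticket register and the failed-login threshold are all constructed for illustration, and the sample log lines are made up.

```python
"""Toy normalize -> filter -> correlate pipeline over constructed log lines.

Added example; not Lifetech's or ArcSight's code. The log format, event
types, NOISE_TYPES, APPROVED_TICKETS and the threshold are assumptions.
"""
import re
from collections import Counter

# Constructed sample events in a made-up key=value syslog-like format.
SAMPLE_LOGS = """\
2017-01-10T08:00:01 host=core-rtr-01 type=keepalive
2017-01-10T08:00:05 host=core-rtr-01 type=config_change user=netops1 ticket=CHG-1042 detail="interface Gi0/1 shutdown"
2017-01-10T08:01:00 host=bill-db-01 type=config_change user=dba2 detail="ALTER TABLE invoices ADD COLUMN note"
2017-01-10T08:01:07 host=core-rtr-01 type=link_flap detail="Gi0/3"
2017-01-10T08:02:10 host=bill-db-01 type=login_failed user=admin src=10.9.8.7
2017-01-10T08:02:11 host=bill-db-01 type=login_failed user=admin src=10.9.8.7
2017-01-10T08:02:12 host=bill-db-01 type=login_failed user=admin src=10.9.8.7
2017-01-10T08:02:13 host=bill-db-01 type=login_failed user=admin src=10.9.8.7
2017-01-10T08:02:14 host=bill-db-01 type=login_failed user=admin src=10.9.8.7
2017-01-10T08:03:00 host=bill-db-01 type=login_ok user=dba2 src=10.1.1.5
"""

# Event types with no IS or SOX-control value that only add load (assumption).
NOISE_TYPES = {"keepalive", "link_flap"}

# Tickets approved in a hypothetical change-management system.
APPROVED_TICKETS = {"CHG-1042"}

# Failed logins from one source before it is proposed for quarantine (assumption).
FAILED_LOGIN_THRESHOLD = 5

# key=value pairs; values may be double-quoted and contain spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Normalize one raw line into a dict of fields; None if unparseable."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return None
    event = {"ts": parts[0]}
    for key, val in KV_RE.findall(parts[1]):
        event[key] = val[1:-1] if val.startswith('"') else val
    if "host" not in event or "type" not in event:
        return None
    return event


def normalize(raw):
    """Parse every line and drop noise types before correlation."""
    events = [e for e in map(parse_line, raw.splitlines()) if e]
    return [e for e in events if e["type"] not in NOISE_TYPES]


def unapproved_changes(events):
    """SOX-style control: each config change must cite an approved ticket."""
    return [e for e in events
            if e["type"] == "config_change"
            and e.get("ticket") not in APPROVED_TICKETS]


def quarantine_candidates(events):
    """Sources that reached the failed-login threshold, sorted for stable output."""
    counts = Counter(e["src"] for e in events
                     if e["type"] == "login_failed" and "src" in e)
    return sorted(src for src, n in counts.items() if n >= FAILED_LOGIN_THRESHOLD)


def run_pipeline(raw=SAMPLE_LOGS):
    """Run all stages and return what a report or dashboard would show."""
    events = normalize(raw)
    return {
        "kept": len(events),
        "unapproved_changes": [(e["host"], e["user"], e["detail"])
                               for e in unapproved_changes(events)],
        "quarantine": quarantine_candidates(events),
    }


if __name__ == "__main__":
    for key, value in run_pipeline().items():
        print(key, value)
```

On the sample input the two noise events are dropped before correlation, the billing-database schema change is flagged because it carries no approved ticket, and the source with five failed logins is proposed for the quarantine list. In a real deployment the ticket register would be looked up in the change-management system rather than a constant, and the quarantine decision would feed the firewall or IPS integration rather than a returned list.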
In the final stages of the project, integration with a third-party SOC was achieved by rolling out additional ArcSight modules. “To optimize its processes, Lifetech has carried out integration with the monitoring and incident response center (SOC). The stream of events that enters our SIEM system is duplicated in the SOC center. Its analysts perform the primary processing of IS incidents and report on critical incidents, providing the information discovered during the investigation. This allows us to decide on effective solutions and actions to eliminate identified incidents,” according to Aleksandr Turlo.
Before the new SIEM system based on ArcSight ESM was launched into production, the old and new systems worked in parallel. Once Lifetech specialists were confident the new system was functioning accurately and reliably, the previous system was retired.
The new SIEM system based on ArcSight provides the required performance and data throughput. Lifetech specialists were able to ensure guaranteed real-time collection of all events, with aggregation and normalization, despite the variety of systems, their distribution across data centers, and the industry-specific log formats and protocols of the telecom equipment. Events are stored in the SIEM system for 90 days with instant access. After that, events are backed up daily and retained for 13 months without modification.
ArcSight ESM is also integrated with the company’s existing IT systems (IPS, FW, antivirus, IAM), and automated response has been implemented for certain incidents, which has greatly increased the level of security of the information systems. In addition, events feed more than 40 reports that have been created and are scheduled to be generated regularly (daily, weekly, monthly) to support the SOX audit controls.
ArcSight ESM: Everything under Control
Today, ArcSight ESM collects and analyzes events in critical systems, applications, and telecommunications equipment involved in supporting ZAO BeST’s business processes.
As Aleksandr Turlo has noted, an important achievement of implementing the SIEM system based on ArcSight ESM is that the share of successfully passed SOX audit controls has nearly doubled, from 46% to 86%.
Broad Integration Capability with ArcSight ESM
“We were particularly impressed by ArcSight ESM’s extensive integration capability, flexible settings, high level of performance, and potential to scale in the event of an increased event flow and system load,” Aleksandr continues. ArcSight ESM is also integrated with the Service Desk system: incidents contained in the scheduled exports of SIEM reports are registered automatically in the Service Desk. This substantially increases the effectiveness of internal control processes.
Looking Ahead: Mastering New Opportunities with ArcSight ESM
Lifetech specialists are continuing to develop the ZAO BeST SIEM system. All new event sources are integrated in ArcSight ESM. Looking ahead, there are plans to use the Interset User and Entity Behavioral Analytics functionality from Micro Focus for behavioral analysis of users to identify abnormal activities.
The Lifetech team is also reviewing the possibility of acquiring other Micro Focus products. In particular, ArcSight Transformation Hub enables data to be distributed quickly from sources not only to the SIEM system but also to other processing and analysis centers.