2017/12/11 16:08:59

What is a SIEM system useful for, and how is it implemented?

Pirit, a Russian system integrator and supplier of corporate IT solutions, has begun actively developing its information security (IS) practice.

It is no secret that the number of threats and attacks against corporate infrastructure keeps growing. The cost of a mistake can be very high, so it is critical for companies to identify weak points in time and respond to threats quickly.

How to analyze information security threats

A key element for analyzing a company's information security posture is a SIEM system (Security Information and Event Management). Like a radar, it can detect attacks and weak points in the protective perimeter of the information infrastructure early, which is essential for prompt response to critical incidents.

For its projects Pirit has chosen IBM QRadar as its SIEM solution. According to the research company Gartner, it is one of the leaders among systems of this class.

IBM QRadar collects logs and other data from the different components of the IT infrastructure: user devices, servers, network equipment, and also information security tools such as antivirus, firewalls and intrusion prevention systems. The system analyzes the collected data centrally in order to identify anomalies and respond to them quickly.

QRadar can reveal correlations between events received from different sources, and trace and analyze the progress of attacks against the company's network. Detailed information about an attack helps information security specialists decide quickly on the actions required.

Which companies SIEM systems are intended for

Historically, the main consumers of SIEM systems were the financial sector and telecommunications companies, primarily because those industries have well-developed information security compliance standards. Recently, however, demand for such solutions has been growing in other sectors as well.

One important point deserves attention here. For a SIEM system to be implemented and used successfully, the customer company needs a certain level of maturity in cybersecurity: a dedicated security department and an understanding of the threat model characteristic of its field of activity.

Can the system be tried out before implementation?

Pirit offers customers the opportunity to simulate various information security event scenarios and to configure the system themselves on a QRadar demo stand. If the customer identifies a priority, for example comprehensive risk assessment, the demo stand can easily be configured for that task.

The modularity of the solution also allows extensions from IBM partners to be deployed: Cisco, Palo Alto Networks, Fortinet, Trend Micro, Check Point and many others.

Pirit offers customers the chance to simulate various information security event scenarios on the QRadar demo stand

The principle of the demo stand is simple. The customer's information systems and hardware constantly generate information security events. This whole flow is fed into QRadar, so the customer can see what actions are possible, what correlations and triggers can be configured, and what useful information can be obtained.

In addition, Pirit specialists carry out pilot implementations in which the customer can see the system at work on elements of its own infrastructure, understand what cybersecurity events reach the system, and decide on its further use.

How long does implementation take, and how much can it cost?

Implementation time depends substantially on the scale of the project, more precisely on the number of sources, the topology and the set of functionality required. A simple installation, with sources connected and a set of basic rules, can be done by a trained professional in a few days. Large projects with a mandatory design stage that involves refining the threat model can take several months.

As for cost, it is calculated from the number of information security events per second and the cost of the basic licenses.

The table below gives the approximate number of events per second from standard elements of an IT infrastructure (the values already include a 20% margin).

| Source or device type | Events per second (EPS) |
|---|---|
| Basic Windows server | 2 |
| Standard workstation | 0.5 |
| Unix/Linux server | 0.5 |
| Active Directory | 15 |
| IIS or Exchange | 10 |
| DNS or DHCP | 15 |
| Antivirus server | 20 |
| Database | 1 |
| Proxy server | 25 |
| VPN | 5 |
| Perimeter firewall | 150 |
| Branch office firewall | 20 |
| IPS, IDS or DAM | 5 |
| Routers and switches | 0.25 |

Approximately this many events per second is delivered by each such component in the customer's IT infrastructure. To determine the total number of events, multiply these values by the number of corresponding elements and add everything up.

The following table can then be used for a budget estimate:

| Description | Cost |
|---|---|
| Basic license: includes 100 EPS and 15,000 network flows, with technical support for hardware and software for 12 months | $11,128.00 |
| Expansion by 100 EPS, with support for 12 months | $9,309.00 |
| Option to deploy as a virtual server, with support for 12 months | $1,017.00 |

Then, based on the number of events obtained in the first stage, we calculate the number of licenses required.

For example, for a core infrastructure of 100 workstations, 1 Active Directory server, 1 Exchange server, 5 Windows servers, 1 antivirus server, 2 switches and 1 proxy server, we get:

100 × 0.5 + 1 × 15 + 1 × 10 + 5 × 2 + 1 × 20 + 2 × 0.25 + 1 × 25 = 130.5 EPS

The basic license covers 100 EPS, so one basic server license plus one expansion license is required, which will cost $20,437.
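The sizing procedure above (per-source EPS times count, summed, then rounded up into 100 EPS license blocks) is easy to get wrong by hand, so here it is as a small calculator. This is an added example written for this article, not code from Pirit or IBM; the EPS table and the prices are the ones quoted on this page (2017 list prices), and the source-type keys are assumed names.

```python
import math

# Approximate EPS per source type, taken from the table above (the values
# already include the 20% margin the article mentions). Key names are assumed.
EPS_PER_SOURCE = {
    "windows_server": 2.0,
    "workstation": 0.5,
    "unix_linux_server": 0.5,
    "active_directory": 15.0,
    "iis_or_exchange": 10.0,
    "dns_or_dhcp": 15.0,
    "antivirus_server": 20.0,
    "database": 1.0,
    "proxy_server": 25.0,
    "vpn": 5.0,
    "perimeter_firewall": 150.0,
    "branch_firewall": 20.0,
    "ips_ids_dam": 5.0,
    "router_or_switch": 0.25,
}

# Price list as given on this page (2017 list prices, USD).
BASE_LICENSE_USD = 11128.00   # includes 100 EPS and 15,000 flows, 12 months support
BASE_LICENSE_EPS = 100
EXPANSION_USD = 9309.00       # +100 EPS, 12 months support
EXPANSION_EPS = 100
VIRTUAL_SERVER_USD = 1017.00  # optional: deploy as a virtual server


def total_eps(inventory):
    """Sum EPS over an inventory of {source_type: count}."""
    unknown = set(inventory) - set(EPS_PER_SOURCE)
    if unknown:
        raise KeyError(f"no EPS estimate for: {sorted(unknown)}")
    return sum(EPS_PER_SOURCE[src] * count for src, count in inventory.items())


def expansions_needed(eps):
    """Number of +100 EPS expansion licenses on top of the basic license.

    The basic license covers 100 EPS; anything above that is bought in
    blocks of 100, rounded up: 100.0 EPS needs 0 expansions, 100.5 needs 1.
    """
    over = eps - BASE_LICENSE_EPS
    return 0 if over <= 0 else math.ceil(over / EXPANSION_EPS)


def license_cost(eps, virtual=False):
    """Annual license cost in USD for a given EPS load."""
    cost = BASE_LICENSE_USD + expansions_needed(eps) * EXPANSION_USD
    if virtual:
        cost += VIRTUAL_SERVER_USD
    return round(cost, 2)


def size_deployment(inventory, virtual=False):
    """EPS, expansion count, licensed EPS ceiling and cost for an inventory."""
    eps = total_eps(inventory)
    n = expansions_needed(eps)
    return {
        "eps": eps,
        "expansions": n,
        "licensed_eps": BASE_LICENSE_EPS + n * EXPANSION_EPS,
        "cost_usd": license_cost(eps, virtual),
    }


# The article's worked example: 100 workstations, 1 AD, 1 Exchange,
# 5 Windows servers, 1 antivirus server, 2 switches, 1 proxy server.
ARTICLE_EXAMPLE = {
    "workstation": 100,
    "active_directory": 1,
    "iis_or_exchange": 1,
    "windows_server": 5,
    "antivirus_server": 1,
    "router_or_switch": 2,
    "proxy_server": 1,
}

if __name__ == "__main__":
    print(size_deployment(ARTICLE_EXAMPLE))
```

The "licensed_eps" field is worth watching: the example lands at 130.5 EPS against a 200 EPS ceiling, so adding a perimeter firewall (150 EPS) alone would push it into a second expansion block.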

In any case, for exact calculations it is better to contact authorized IBM partners such as Pirit. They will help estimate costs precisely, suggest opportunities for optimization and scope the work required.

Is integrator support required after implementation?

The system does not require special knowledge or programming experience for its development and support. The customer can resolve most operational issues independently through the user-friendly graphical interface.

Of course, managing the event processing rules, which are based on regular expressions, does require some skill, but in general the system is very user-friendly and the knowledge needed to work with it can be acquired quickly.

In addition, user and administrator documentation is prepared during implementation, covering the configuration of data collection, the options for modifying events, and their further processing.
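Two things the article mentions, normalizing events from different sources with regular expressions and correlating them into a single picture of an attack, can be shown together in a short piece of code. This is an added example written for this article; it is not QRadar's rule language, a QRadar DSM, or any code from Pirit. The log lines are constructed for the example, and the source names, field names, event IDs used as success/failure markers and the thresholds are assumptions, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real logs): a VPN concentrator and a
# Windows domain controller reporting on the same user within one minute.
SAMPLE_LOGS = [
    "2017-12-11T16:00:01Z vpn01 VPN: LOGIN_FAIL user=jdoe src=203.0.113.5",
    "2017-12-11T16:00:04Z vpn01 VPN: LOGIN_FAIL user=jdoe src=203.0.113.5",
    "2017-12-11T16:00:07Z vpn01 VPN: LOGIN_FAIL user=jdoe src=203.0.113.5",
    "2017-12-11T16:00:15Z dc01 Microsoft-Windows-Security-Auditing: EventID=4625 TargetUserName=jdoe IpAddress=203.0.113.5",
    "2017-12-11T16:00:40Z dc01 Microsoft-Windows-Security-Auditing: EventID=4624 TargetUserName=jdoe IpAddress=203.0.113.5",
    "2017-12-11T16:05:00Z vpn01 VPN: LOGIN_OK user=asmith src=198.51.100.7",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# One regex per log source. Both expose the same named groups (ts, host,
# user, src) so the correlation rule can treat events uniformly.
PARSERS = [
    ("vpn", re.compile(
        r"^(?P<ts>\S+) (?P<host>\S+) VPN: LOGIN_(?P<result>FAIL|OK) "
        r"user=(?P<user>\S+) src=(?P<src>" + IPV4 + r")$")),
    ("windows", re.compile(
        r"^(?P<ts>\S+) (?P<host>\S+) Microsoft-Windows-Security-Auditing: "
        r"EventID=(?P<eid>4624|4625) TargetUserName=(?P<user>\S+) "
        r"IpAddress=(?P<src>" + IPV4 + r")$")),
]


def parse_event(line):
    """Normalize one raw line into a dict, or return None if no parser matches."""
    for source, rx in PARSERS:
        m = rx.match(line)
        if not m:
            continue
        d = m.groupdict()
        if source == "vpn":
            success = d["result"] == "OK"
        else:
            success = d["eid"] == "4624"   # 4624 = logon succeeded, 4625 = logon failed
        return {
            "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "source": source,
            "host": d["host"],
            "user": d["user"],
            "src": d["src"],
            "success": success,
        }
    return None


def brute_force_then_success(events, min_failures=3, window=timedelta(seconds=60)):
    """Cross-source correlation rule.

    Fire when one (user, src) pair accumulates >= min_failures failed logins
    within `window` and then logs in successfully before the window expires.
    Failures reported by the VPN and by Windows count together.
    """
    failures = defaultdict(list)   # (user, src) -> [(timestamp, source), ...]
    offenses = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        # Drop failures that have aged out of the window.
        failures[key] = [(t, s) for t, s in failures[key] if ev["ts"] - t <= window]
        if not ev["success"]:
            failures[key].append((ev["ts"], ev["source"]))
            continue
        if len(failures[key]) >= min_failures:
            offenses.append({
                "user": ev["user"],
                "src": ev["src"],
                "failures": len(failures[key]),
                "sources": sorted({s for _, s in failures[key]}),
                "success_at": ev["ts"].isoformat(),
            })
            failures[key].clear()
    return offenses


def run(lines):
    """Parse all lines, then apply the correlation rule to what parsed."""
    events = [e for e in (parse_event(line) for line in lines) if e]
    return events, brute_force_then_success(events)


if __name__ == "__main__":
    parsed, found = run(SAMPLE_LOGS)
    print(f"parsed {len(parsed)} of {len(SAMPLE_LOGS)} lines")
    for offense in found:
        print("OFFENSE:", offense)
```

The point of the shared field names is that the rule never needs to know which device produced a failure; that is also why a bad regex in a single parser silently blinds the rule to one source, which is the skill the article says rule management demands.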
