Customer: Customs Card
Contractors: without involvement of a consultant, or no data
Product: MaxPatrol SIEM
Project date: 2018/04 - 2018/06
On July 26, 2018 Positive Technologies announced that the payment system Customs Card tracks security events and detects incidents with MaxPatrol SIEM LE. As a result, the company's information security service can obtain complete information about its infrastructure at any time and automatically identify problem assets, anomalies and suspicious activity in the infrastructure. This helps the company maintain business continuity in accordance with its SLA: all types of financial transactions can be carried out at any customs authority in Russia 24/7.
Background and project objective
Business continuity and the reliability of financial transactions are of paramount importance to Customs Card, including from the information security standpoint. Before the SIEM system was implemented, security events at Customs Card were analysed manually, which did not allow the company to react quickly to detected threats. The configuration of network nodes changes regularly, and the lack of up-to-date knowledge of the infrastructure hindered incident detection. The company therefore decided to implement a SIEM system to automate the analysis of information security events and the detection of attacks, anomalies and suspicious actions in the infrastructure.
Project Progress
The company's information security department evaluated three systems: IBM QRadar, ArcSight and MaxPatrol SIEM. The comparison covered integration capabilities and interaction with the existing infrastructure, as well as pricing. Based on the test results, Customs Card selected the LE edition of the Positive Technologies SIEM system as the one best matching the stated requirements:
- a ready-made boxed solution for small infrastructures (Customs Card has about 200 network nodes in total);
- additional event sources are connected free of charge as part of technical support;
- affordable price;
- inclusion in the register of domestic (Russian) software.
The information security division implemented and configured MaxPatrol SIEM LE on its own. The whole project took three months. During this time, workstations and the sources generating the largest number of events (domain controllers, proxy servers and the firewall, about 100 nodes in total) were connected to the SIEM system. Infrastructure servers, security systems, a business system and critical file servers were also added as event sources. From the incoming events MaxPatrol SIEM LE builds an asset base of the data sources and detects incidents by applying correlation rules.
Project Results
Based on the results of the pilot, Customs Card received a fully working tool ready for production operation.
"In three months, with consultations from Positive Technologies specialists, we managed to implement the system and configure the necessary sources on our own. Thanks to this, we now have a detailed picture of the IT infrastructure and track information security incidents. Our further plans include connecting the servers of our own certification authority as event sources."