Customer: MPSC Kursk region
Product: MaxPatrol SIEM
Project date: 2022/02 - 2022/07
2022: Implementation of MaxPatrol SIEM
On July 13, 2022, Axoft announced that the MPSC of the Kursk Region had decided to deploy the MaxPatrol SIEM system, with the help of Axoft engineers, in order to strengthen its cyber defense and detect attacks in real time. SHIELD-SB LLC was the project partner.
According to the company, the MPSC faced the task of quickly raising its level of information security and of detecting and responding to possible attacks on its information resources in a timely manner. The institution had previously used standalone vulnerability-control tools that did not give a complete picture of the security state of the infrastructure.
To organize centralized collection, storage and management of events, the administration chose MaxPatrol SIEM from Positive Technologies. The solution is registered in the Unified Register of Russian Software and complies with the regulatory requirements that apply to the customer. The system makes it possible to manage information security events effectively, to analyze and detect anomalous behavior, to work with large volumes of data, and to automate processing using advanced filtering and correlation tools.
The system was implemented and deployed by the Axoft engineering team. The work took place in three stages. In the first stage, the engineers developed an integration plan for the SIEM. To do this, they compiled a list of the sources in the infrastructure that needed to be connected:
- Endpoint Security System
- Operating systems
- Directory Service
- VPN system
- Database Management Systems
- Virtualization system
- Application Protection System
- Network Monitoring System
- Intrusion Detection System
- Information Leakage Prevention System
Documentation was also sent to the technical specialists of the MPSC. It is important that the sources are configured correctly by the specialists who operate them, since the future effectiveness of the entire system depends on this. In parallel, the component base sized for medium-load systems was deployed.
The second stage involves connecting the event sources and correlating and controlling the incoming incidents. Audit tasks are also configured and, based on the data received, static and dynamic asset groups and widgets are built to give online access to critical information. This block is the most voluminous and takes up to 90% of the implementation time, since there are many nuances in working with sources that must be taken into account. For example, network devices mostly transmit information via Syslog, which can carry data in almost any form. They therefore have to be watched, and the engineers need to track which events have been normalized and which have not.
After all the sources were connected, the engineers moved on to setting up correlation rules. Out of the box, MaxPatrol SIEM ships with a fairly wide set of rules, so it was necessary to prioritize and enable only those that were really needed. When the rules were first run against live events there were false positives, but this is a natural process, since a rule does not yet "know" the infrastructure; such cases were caught in time and the rules were refined.
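The normalization check described above, as an added illustration that is not part of the original article and not MaxPatrol SIEM's own parser: a small normalizer that recognizes the two common syslog dialects (RFC 5424 and the older BSD/RFC 3164 form), derives facility and severity from the PRI field (PRI = facility * 8 + severity), and reports how many lines of a batch did not normalize so that those can be examined before a source is declared "connected". The sample syslog lines, host names and addresses are constructed for the example.

```python
"""Added example: measuring syslog normalization coverage during source onboarding.

A SIEM can only correlate what it can normalize, so when a new network device
is connected it is worth counting how many of its lines parse and inspecting
the remainder. This is a stand-alone illustration, not MaxPatrol SIEM's
normalization logic. All sample lines below are constructed.
"""
import re
from collections import Counter

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)
# RFC 3164 (BSD syslog): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^:\[\s]+)(?:\[(?P<procid>\d+)\])?: ?(?P<msg>.*)$"
)


def normalize(line: str):
    """Return a normalized event dict, or None if no known format matches."""
    for fmt, rx in (("rfc5424", RFC5424), ("rfc3164", RFC3164)):
        m = rx.match(line)
        if m:
            pri = int(m.group("pri"))
            if pri > 191:  # valid PRI range is 0..191 (facility 0..23, severity 0..7)
                return None
            return {
                "format": fmt,
                "facility": pri // 8,
                "severity": pri % 8,
                "host": m.group("host"),
                "app": m.group("app"),
                "msg": m.group("msg"),
            }
    return None


def coverage(lines):
    """Normalize every line; return per-format counts and the raw lines that failed."""
    stats = Counter()
    unparsed = []
    for line in lines:
        event = normalize(line)
        if event is None:
            stats["unparsed"] += 1
            unparsed.append(line)
        else:
            stats[event["format"]] += 1
    return stats, unparsed


# Constructed sample batch: two well-formed dialects, a line with no PRI header
# (a relay that stripped it), and a line with an out-of-range PRI.
SAMPLE = [
    "<34>1 2022-05-10T12:00:01Z fw-core01 vpnd 2134 ID47 - VPN tunnel to 10.0.0.5 down",
    "<85>May 10 12:00:02 sw-edge07 sshd[1122]: Failed password for admin from 10.1.2.3 port 50222 ssh2",
    "<134>May 10 12:00:03 rtr-01 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.9.8.7(4444) -> 10.0.0.1(445), 1 packet",
    "May 10 12:00:04 ids-01 snort: [1:2008] ET SCAN Nmap",
    "<999>1 2022-05-10T12:00:05Z bad pri - - - -",
]

if __name__ == "__main__":
    stats, unparsed = coverage(SAMPLE)
    total = sum(stats.values())
    print(f"normalized {total - stats['unparsed']}/{total} lines: {dict(stats)}")
    for line in unparsed:
        print("UNPARSED:", line)
```

Running the block on the constructed batch normalizes three of five lines and lists the two that need attention: one lost its PRI header on the way (a relay or device misconfiguration to fix at the source, as the article stresses) and one carries an impossible PRI value. In a real onboarding the same loop would be run over a capture from each device class rather than a hand-built list.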
At the final stage, the system was put into operation: the engineers verified that everything worked correctly and trained the MPSC specialists to work with the system.
Deploying a certified version of the SIEM made it possible, in addition to the standard tasks of collecting logs and auditing nodes, to collect information about "cyber failures." For example, vulnerabilities that could lead to infection by the WannaCry malware were found on several critical nodes. To monitor them in a timely manner, the engineer set up a dedicated widget.
It is worth noting that the system was deployed on the VIPNet network. The peculiarities of the VIPNet address pool, as well as the procedure for accessing the storage databases, did not allow the default settings to be used. However, together with the vendor's team of technical specialists, this problem was solved quickly.
"Overall, the introduction of the Russian MaxPatrol SIEM went normally. Axoft's engineering team carried out the plan development and the subsequent deployment. We both consulted on building the correct event management process and made the necessary settings on the SIEM side. There were some nuances in network addressing, but together with the technical support of the vendor, Positive Technologies, we managed to solve them," noted Denis Fokin, Head of Consulting and Engineering Support at Axoft.
As a result, the deployment of the SIEM system took about two months; 19 branches of the MPSC in the Kursk region were connected, and events were collected from about 1000 nodes in total.
"The Axoft team implemented the product on time, connected all the declared event sources and ensured interaction with the customer. An engineer was assigned to the project who helped set up the system to the proper level. We plan to continue cooperating with Axoft in the future," said Denis Gavrilenko, General Director of SHIELD-SB LLC.