Case Study: A UK Blue Chip Energy Organisation
Introduction
A UK Blue Chip Energy organisation with global reach had a requirement to deliver security information internally which would drive better management decisions and help the company achieve its objectives of providing world class IT systems and processes to underpin its business and support functions.
In achieving this goal the organisation would also be able to effectively support its corporate governance and compliance standards with a real security awareness and full picture reporting capability.
The organisation enlisted the services of Zepko because of our proven knowledge and hands on expertise in Security Information and Event Management systems and process transformation to provide them with an end to end centralised solution across their global infrastructure.
The Challenge
The organisation operated a mature framework of security policies and standards which governed how information security should be managed in order to reduce IT security risk.
However, measures were needed to gauge and benchmark IT systems to check whether they complied with these standards. Without such measures, there may have been systems exposed to security weaknesses which, if exploited, could impact the company’s business.
Management needed to satisfy themselves, regulators and auditors that policies and standards were implemented effectively and were adhered to.
A solution was required that not only provided a centralised mechanism for collecting security data from many different devices, but also one which would afford a comprehensive and clear picture of the security posture across the whole of the organisation.
The ability to provide quality management information tailored to cover different business groups and areas of responsibility was a vital requirement.
The organisation had numerous point solutions in place for security monitoring, such as Intrusion Detection Systems, but these were outsourced to a number of different Managed Security Service Providers, with no platform in place to bring these disparate monitoring solutions together and provide the complete end-to-end understanding that was necessary.
This is a common issue with many organisations. Whilst point solutions address their own specific part of the security landscape, ultimately the approach has to be an integrated one in order to achieve proper co-ordinated success.
The Zepko Solution
In response to these needs and objectives and after due attention to capturing all of the requirements, a globally deployed SIEM solution was designated to be implemented.
Given the scale and complexity of the deployment, involving multiple instances of the SIEM to be deployed into different major data centres around the world, the organisation decided that a software based SIEM solution would be chosen for its flexibility and proven enterprise capabilities.
At this stage, Zepko acted in an advisory capacity, assisting the organisation in making the most of this fundamental yet crucial decision. As independent SIEM solution providers, Zepko were able to ensure that the choice made by the organisation would be implemented in the most appropriate way to meet their specific requirements.
The implementation involved separate instances of the SIEM system being deployed into each of the three major data centres that the organisation operated, covering the vast majority of their digital assets. Each SIEM instance would handle data for all of the assets within the coverage of its data centre deployment. The ultimate goal was to create a global picture of security by forwarding security events from the major data centre deployments to a ‘meta system’, in what is termed a ‘global rollup’ configuration.
This provides a very comprehensive and robust approach, with each data centre instance being essentially self-sufficient while also able to act as a source of security data for the meta SIEM instance.
Thus local teams responsible for security within the local data centres into which the SIEM was deployed were able to manage their own estate very effectively and ensure their own areas of direct responsibility were provided for by the SIEM.
Zepko’s full solution began by scoping the deployments to go into each major data centre. Zepko provided the project management and implementation team which interfaced with the key stakeholders and local technical teams in order to implement the SIEM within each major data centre.
Hardware and software were procured and uniform system build specifications determined. Local teams and third party suppliers built the base systems to existing platform standards.
Once all SIEM components were fully installed, Zepko tailored each system to meet specific incident handling and reporting requirements. Zepko followed this by ensuring that the company’s own staff were able to operate the SIEM effectively and in line with existing and new processes and procedures.
Zepko delivered benefits
The Z-SIEM solution delivered by Zepko supports centralised notification, tracking, workflow and problem resolution for key security event data across this global organisation.
It facilitates the collection of security metrics and provides management trend information and statistics, affording true security situational awareness. This improves the ability to demonstrate compliance with regulatory and best practice requirements, including Sarbanes-Oxley, the DPA and ISO 17799, as well as other security and privacy regulations and internal policies and standards, effectively managing risk to help present a single enterprise risk management framework.
The SIEM product provided mainstream support for regulatory compliance requirements out of the box with report templates designed specifically to extract the relevant data from the entire data set held by the SIEM.
Zepko further defined these reports to ensure all of the systems that needed to comply with these regulations were effectively included in the reporting configuration.
As well as tailored reporting capabilities, Zepko also configured appropriate security ‘dashboards’ to suit different requirements. Crucially for Sarbanes-Oxley, this was the 404 audit requirement.
Both primary data feeds (including but not limited to application logs, OS logs and VA data) and secondary data feeds (including but not limited to firewall, IDS and router logs) were integrated into the SIEM.
Correlation rules, reports and dashboards were configured to highlight activities such as: log on/off; account privilege changes; administration activity; vulnerability status; attack profiles involving identified SOX assets.
Additionally, real-time alerts would be generated for severe vulnerabilities found during VA scans, brute force login attempts and suspicious activity relating to audit logs on SOX assets. This ensures the organisation focuses its resources on the most critical systems first.
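The correlation rules described above, as an added example that is not the page’s or Zepko’s code: a minimal correlator that only evaluates SOX-tagged assets, raises a brute force alert when repeated failed logons arrive from one source within a sliding window, and flags any account privilege change. The asset names, the "SOX" tag, the log line format and the sample log lines are constructed assumptions for illustration.

```python
# Added example, not Zepko's or the SIEM product's code: a minimal correlation
# engine of the kind the case study describes, run over constructed sample log
# lines. Asset names, the "SOX" tag and the log format are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

ASSET_TAGS = {"fin-db-01": {"SOX"}, "erp-app-02": {"SOX"}, "dev-box-09": set()}
BRUTE_FORCE_THRESHOLD = 3                  # failed logons from one source
BRUTE_FORCE_WINDOW = timedelta(minutes=2)  # within this sliding window

def parse(line):
    # Constructed format: "<ISO timestamp> <host> <event> <user> <source IP>"
    ts, host, event, user, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "event": event, "user": user, "src": src}

def correlate(lines):
    """Return alerts for brute force and privilege-change activity on SOX assets."""
    alerts, failures = [], defaultdict(list)  # (host, src) -> failure times
    for rec in map(parse, lines):
        if "SOX" not in ASSET_TAGS.get(rec["host"], set()):
            continue  # not a SOX-scoped asset: no alert, resources stay focused
        if rec["event"] == "LOGON_FAIL":
            key = (rec["host"], rec["src"])
            # drop failures that have aged out of the window, then add this one
            recent = [t for t in failures[key] if rec["ts"] - t <= BRUTE_FORCE_WINDOW]
            recent.append(rec["ts"])
            if len(recent) >= BRUTE_FORCE_THRESHOLD:
                alerts.append(("BRUTE_FORCE", rec["host"], rec["src"]))
                recent = []  # one alert per burst, then start counting again
            failures[key] = recent
        elif rec["event"] == "PRIV_CHANGE":
            alerts.append(("PRIV_CHANGE", rec["host"], rec["user"]))
    return alerts

# Constructed sample log lines (not real data)
SAMPLE_LOGS = [
    "2024-05-01T09:00:00 fin-db-01 LOGON_FAIL svc_backup 10.0.0.5",
    "2024-05-01T09:00:20 fin-db-01 LOGON_FAIL svc_backup 10.0.0.5",
    "2024-05-01T09:01:10 fin-db-01 LOGON_FAIL svc_backup 10.0.0.5",
    "2024-05-01T09:01:30 fin-db-01 LOGON_OK   svc_backup 10.0.0.5",
    "2024-05-01T09:02:00 dev-box-09 LOGON_FAIL alice 10.0.0.7",
    "2024-05-01T09:02:05 dev-box-09 LOGON_FAIL alice 10.0.0.7",
    "2024-05-01T09:02:10 dev-box-09 LOGON_FAIL alice 10.0.0.7",
    "2024-05-01T09:05:00 erp-app-02 PRIV_CHANGE bob 10.0.0.9",
]
if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

The burst against dev-box-09 produces no alert because that host is outside SOX scope, which is the prioritisation the text describes.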
Zepko provided support for the global SIEM implementation, including vital performance tuning, security device integrations, break fixes and updates.
Zepko also provided training for the organisation’s in-house staff whilst the project moved towards a more fully managed internal/co-sourced operation.
The organisation now has a clear global picture of their security posture and is able to react in a co-ordinated manner to real time threats and vulnerabilities within its estate.
Managers have a better understanding of the risk profile at any given time and technical teams are much better able to track and remediate security issues with particular regard to systems required to adhere to both internal and external policies and regulations.
Overall the organisation has much more confidence in its visibility, understanding and management of group wide information security and was able to more effectively support its SOX program and achieve its compliance goal.