In 2011 it was decided to purchase HPE ArcSight, a tool from the world leader in SIEM technologies, within the framework of building an ISMS in the Bank. Over the years of operation, more than 1500 event sources have been connected to the ArcSight system. These sources are of widely varying types and span many operating systems and open-source solutions. According to the internal security policies, the Bank needs to control the actions of OS, DBMS and application administrators immediately. For various reasons and complications, this had not been implemented to an adequate level. Also, the Bank is audited regularly, and having mechanisms that detect interruptions in the event flow from critical sources is one of the compliance requirements. The number of personnel for full monitoring and analysis of SIEM Health had not increased, and administration of the ArcSight system became one more responsibility of the already overburdened IS officers.
The development of internal regulations, policies and procedures continually poses new challenges for the Bank. These include:
- Timely detection and response to incidents;
- Permanent operation of the ArcSight infrastructure;
- Detection of errors in the ArcSight configuration and in event sources.
SOC Prime provides a powerful platform to monitor the “health” of a SIEM environment. Customers benefit directly from the work SOC Prime puts into its security monitoring services. Because SOC Prime automates the handling of many issues, the number of manual administrative tasks is reduced and Motiv specialists can spend more time on in-depth analysis and continuous improvement.
Predictive Maintenance evaluates SIEM Health in real-time and helps to detect the most problematic areas in the installation.
Previously, once an issue was detected our administrators would perform about 15 manual actions, while PM reduced them to 3, which in turn saves up to 80% of the working time for each daily task of SIEM administration. The platform automatically builds trends and predicts an increase in consumption of SIEM resources. Access to SIEM raw logs becomes much easier. PM detects errors related to ArcSight components and identifies ‘problematic’ event sources in various areas: disruption of event flows, parsing errors on sources, etc. Previously, additional time and resources were required for their detection.
Maxim Yashchenko, Head of Infrastructure Security and Training Control Unit
of Information Systems Security Department at UkrSibbank
In the short time Predictive Maintenance has been in use, almost all critical problems related to ArcSight SIEM have been solved. Currently, proactive monitoring of SIEM Health makes it possible to plan system administrators’ work and maintain the ArcSight system in advance. Constant monitoring of parsing errors guarantees that all event logs are handled correctly, and the probability of missing IS incidents is greatly reduced.
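The two SIEM Health checks this case study keeps returning to, detecting an interrupted event flow from a critical source (the compliance requirement mentioned at the start) and counting parsing errors per source, can be illustrated with a small script. The example below is added here and is not SOC Prime's, Motiv's or the Bank's code: it reads a constructed sample feed in an assumed collector format (ISO timestamp, source name, then a CEF payload; the line layout and the source names are invented for the example, and escaped pipes inside CEF headers are not handled), records the last event time per source, flags critical sources that have been silent longer than a threshold, and counts records that are not well-formed CEF.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed collector line layout (not ArcSight's own): "<ISO timestamp> <source> <payload>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\S+)\s+(?P<payload>.*)$")

# Constructed sample feed. app-srv sends one non-CEF line and one truncated CEF header;
# db-prod goes quiet after 10:00:30; hr-ldap never reports at all.
SAMPLE_FEED = """\
2024-05-01T10:00:00Z fw-core CEF:0|Vendor|FW|1.0|100|accept|3|src=10.0.0.5 dst=10.0.1.9
2024-05-01T10:00:30Z db-prod CEF:0|Vendor|DB|2.1|200|login|5|suser=dba1 outcome=success
2024-05-01T10:01:00Z fw-core CEF:0|Vendor|FW|1.0|100|drop|6|src=10.0.0.7 dst=10.0.1.9
2024-05-01T10:01:10Z app-srv THIS IS NOT CEF AT ALL
2024-05-01T10:08:00Z fw-core CEF:0|Vendor|FW|1.0|100|accept|3|src=10.0.0.8 dst=10.0.1.9
2024-05-01T10:09:00Z app-srv CEF:0|Vendor|App|3|300|error
"""

# Hypothetical list of sources whose flow must be monitored for compliance.
CRITICAL_SOURCES = {"fw-core", "db-prod", "app-srv", "hr-ldap"}

CEF_HEADER_KEYS = ["version", "vendor", "product", "dev_version",
                   "signature", "name", "severity"]


def parse_cef(payload: str) -> Optional[dict]:
    """Split a CEF record into its seven header fields plus the extension.
    Returns None when the record is not well-formed CEF (wrong prefix or too few header fields)."""
    if not payload.startswith("CEF:"):
        return None
    parts = payload.split("|", 7)
    if len(parts) < 7:
        return None
    record = dict(zip(CEF_HEADER_KEYS, parts[:7]))
    record["extension"] = parts[7] if len(parts) > 7 else ""
    return record


def analyze(feed: str, critical_sources, now: datetime, max_silence: timedelta) -> dict:
    """Return last-seen time per source, parse-error counts per source, and the
    critical sources whose event flow is interrupted (silent longer than max_silence)."""
    last_seen: dict = {}
    parse_errors: dict = {}
    for raw in feed.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not even a collector line; nothing to attribute
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        src = m["source"]
        # An event that arrives but fails CEF parsing still proves the flow is alive,
        # so last_seen is updated before the parse check.
        last_seen[src] = max(ts, last_seen.get(src, ts))
        if parse_cef(m["payload"]) is None:
            parse_errors[src] = parse_errors.get(src, 0) + 1

    silent: dict = {}
    for src in critical_sources:
        seen = last_seen.get(src)
        if seen is None:
            silent[src] = "never reported"
        elif now - seen > max_silence:
            minutes = int((now - seen).total_seconds() // 60)
            silent[src] = f"last event {minutes} min ago"
    return {"last_seen": last_seen, "parse_errors": parse_errors, "silent": silent}


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 10, 10, tzinfo=timezone.utc)  # constructed "current time"
    report = analyze(SAMPLE_FEED, CRITICAL_SOURCES, now, timedelta(minutes=5))
    for src, why in sorted(report["silent"].items()):
        print(f"FLOW INTERRUPTED  {src}: {why}")
    for src, count in sorted(report["parse_errors"].items()):
        print(f"PARSE ERRORS      {src}: {count}")
```

The silence threshold should be set per source from its normal event rate: a firewall that logs every second can be flagged after a minute, while a quarterly batch job needs a far longer window, otherwise the check produces constant false alarms and gets ignored.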