The Security Information and Event Management (SIEM) system of Raiffeisen Bank Aval is one of the first and one of the most complex projects in the financial sector of Ukraine. By now, Raiffeisen Bank Aval has extensive experience in the use of ArcSight technologies. The system solves the tasks of the information security, information technology, network management, and risk management teams. Many talented professionals who are currently developing SIEM projects in other companies started in the ArcSight administration team at Raiffeisen Bank Aval. One of the most developed infrastructures, a huge stream and a wide variety of data to be processed, a large number of event sources, many self-developed parsers, active lists with millions of entries, hundreds of correlation rules, and tested resilience and recovery processes: these are the features of the SIEM project at Raiffeisen Bank Aval. The requirements and requests of the serviced divisions grow, the importance of the SIEM system increases, errors or failures become unacceptable, and the number of experts remains the same. Such a complex infrastructure needs constant monitoring and maintenance.
PM demonstrates its advantages particularly well in large and complex installations with many components and event sources, or in SIEM projects with a long history of development, when the team of SIEM administrators and analysts has rotated, possibly more than once. Establishing full visibility of each component in such a SIEM infrastructure is a serious challenge to the information security team, and without PM this task is almost impossible.
Vladimir Garaschenko, Senior TAM, SOC Prime.
During its PoC, Predictive Maintenance (hereinafter PM) proved its efficiency even at the stage of deploying the monitoring agents: the installer revealed that the service of one of the connectors had not been added to autorun. In practice, this seemingly small issue easily leads to unresolved questions that need to be addressed when a free moment occurs, in this case the question of why this connector hadn’t turned on after the server was restarted as scheduled. Within 5 minutes of launching the PM console, the resources of the Manager and the main consumers of memory, active lists and session lists, became visible. We found a few excess lists which consumed a lot of RAM but were no longer used. About 20 minutes after the launch of PM, several thousand parsing errors were found at one of the Flex Connectors, which greatly affected the performance of the connector and the server as a whole. Minor changes in the parser significantly reduced the load on the connector. Using PM over a long period made it possible to analyze the behavior of each connector in the infrastructure, a task for which we often had no time previously. In addition, we were able to prioritize work to improve the productivity and quality of the processed data. Total Health of the entire SIEM installation increased from 70% to 90% over 2 weeks of operation, and we spent 10 person-days of resources on troubleshooting and remediation. Without PM, just audit and prioritization of … whole 2 weeks.
We can recommend Predictive Maintenance for both single but complex installations and geo-distributed installations of ArcSight, especially for international and global companies that need to ensure security in each country of operation. PM also offers the possibility of obtaining a single point of monitoring for your SOC and SIEM operations…
Alexander Tymoshyk, CISO, Raiffeisen Bank Aval.