Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (13)
Similar to Qradar as a SOC core
Similar to Qradar as a SOC core (20)
Recently uploaded
Recently uploaded (20)
Qradar as a SOC core
- 1. Qradar as a SOC core: QIWI experience Svetlana Arkhipova Head of infrastructure monitoring and IT security incident response team QIWI
- 2. #WHOAMI • Head of SOC and OPS monitoring at QIWI group • Past: Security analyst at GE Capital, independent security consultant at fintech start-ups, *nix systems and network administrator • a.k.a. Mona
- 4. SOC STATISTICS Get ready for (over)size S I E M M E T R I C S 2862 log sources >11 000 events per second > 700 000 flows per minute D A I LY S TAT S 67-145 Gb raw event logs per day 37-53 Gb network communication events Q R A D A R C O R E 45 virtual servers 2 hardware servers(QFlow) 1 archive server
- 6. SIZING DEPLOYMENT 140 vCPU 232 vCPU 272 Gb vRAM 563 Gb vRAM 15 TB vHDD 103 TB vHDD
- 8. LOGGING CHALLENGES S Y S L O G Standard syslog message size (RFC 5424) W I N D O W S Security logs permissions on W7/2008+ D ATA B A S E S What to log? L O G S AT F S IIS, Exchange and so on I N - H O U S E D E V E L O P M E N T N O N - S TA D A R D L O G S Arista, 1C, Wallarm…
- 9. STANDARD SOURCES W I N D O W S * N I X - L I K E D A T A B A S E S N E T W O R K • Event collectors vs. agents • Extended system audit • Non-English logs
- 10. STANDARD SOURCES W I N D O W S * N I X - L I K E D A T A B A S E S N E T W O R K • Syslog as a standard • TCP syslog+network issues=pain (google: “TCP is not reliable”) • UDP syslog message size • Auditd – what to log?
- 11. STANDARD SOURCES W I N D O W S * N I X - L I K E D A T A B A S E S N E T W O R K Is login history enough? Syslog vs DB connection IBM Guardium alerts
- 12. STANDARD SOURCES W I N D O W S * N I X - L I K E D A T A B A S E S N E T W O R K Syslog for device-level events Qflow, Vflow, Netflow/Jflow
- 13. NON-STANDARD SOURCES N E T W O R K Exotic network devices I N T E R N A L In-house development – business applications logs C O U N T R Y- S P E C I F I C 1C and so on S E C U R I T Y S Y S T E M S DBFW, NGFW, DLP, WAF, honeypots…
- 14. INTERNAL SECURITY SCANNERS “Normal paranormal” activity inside and outside • A lot of SIEM tuning • Log or drop events? • Custom rules set for scanner nodes • Credentials monitoring • Balancers NAT/SNAThttps://f5.com/resources/white- papers/load-balancing-101-nuts-and-bolts
- 15. COMPLIANCE AUTOMATION QIWI information security is compliant to the most of standards in IT/Financial sector P C I / PA - D S S All processing systems are PCIDSS certified. QIWI ATM is PADSS certified S O X As the member of NASDAQ our company is audited every year for SOX compliance N AT I O N A L S TA N D A R D S QIWI has successfully passed audit for 152FZ and Central Bank audit for 382-P
- 18. QUESTIONS? Svetlana Arkhipova Head of infrastructure monitoring and IT security incident response team M O N A @ Q I W I . C O M Q I W I . C O M / S E C U R I T Y. A C T I O N/ M O N A A R K H I P O VA