
Cilasoft & IBM Security QRadar SIEM®

SmartYou brings together companies specializing in multiple information system competencies with one common goal: "Successfully implement your company's digital transformation." Our founders have served customers in the Swiss market for nearly 30 years, developing an important relational network. Abiding by ethical values and standards, we make the satisfaction of our clients and collaborators our foundational principle. This forward-looking vision makes it possible to build a successful global strategy that meets all current and future business challenges for our customers.

SmartYou Managed Services is a business line managed by SR Operations SA (SRO), based in Gland, Switzerland. With a focus on ease and agility, SmartYou Managed Services offers expert advice in the design, customization, optimization and management of our customers' IT applications. With Swiss precision we keep your IT services ready and functional.

Up until 2013, a client of SRO within the financial sector had used a solution that provided security and auditing control for its IBM i partitions and also included a SIEM console. The choice of this solution initially made sense for several reasons and it provided adequate functionality, but it did not sufficiently cover the organization's basic IBM i security needs: for instance, the configuration of IBM i security rules was rudimentary, as was the information sent to the SIEM console. Because of this, the SRO engineer in charge of managing security for this client became overwhelmed by too many alerts that were neither well correlated nor sufficiently contextualized.

Due to these limitations, by the end of 2013 it was decided to replace the SIEM with a more robust solution. After evaluating the leading options on the market, IBM Security QRadar SIEM® was selected. Once implemented, the limitations associated with the previous SIEM were quickly eliminated. In addition, the SRO engineer overseeing the implementation of QRadar had expected significant configuration complexity, yet was surprised to find that many security rules were already pre-configured and that a majority of the devices came with standard agents. In the end, the replacement effort turned out to be a modest one, and after 3 months all devices except the IBM i were being monitored by QRadar.

After the implementation of QRadar, it was natural that SRO initially used the DSM AJLIB to manage the audit journal portion of IBM i security within QRadar, as this tool is provided free of charge by IBM. However, it was soon discovered that implementing AJLIB was quite laborious since little documentation was provided, requiring the consultant to rely on support from IBM, which also struggled with the implementation. In the end, the IBM i audit journal information was sent to QRadar, but the gaps and weaknesses associated with the previous SIEM were soon found to persist.

Furthermore, because the banking group's guidelines on security and auditing for its most critical applications were strengthened, SRO was compelled to look for an alternative solution that covered IBM i security, particularly one with close integration with QRadar.

At the end of 2015, Cilasoft was chosen by SRO as it fulfilled both the customer's auditing requirements and the integration requirements with QRadar. As a bonus, it was discovered that Cilasoft also provided additional functionality that would be useful in anticipation of the future requirements of the customer's banking group.

«... the Cilasoft processes are very stable, with no degradation on performance, and up to now there haven’t been any technical incidents.»

«The combined QRadar/Cilasoft solution now enables SRO’s customer to go well beyond the initial needs»

CASE STUDY

After some configuration adjustments, the transactions were cleaned of "noise" and sent to QRadar with a level of detail sufficient to interpret events, which also made it much easier to create security rules. In addition, the transmission delay experienced with the previous SIEM, between the occurrence of an event on the IBM i and its arrival in QRadar, was considerably reduced.

At the beginning of 2017, approximately 150 devices were being controlled by the QRadar SIEM, including network equipment (router, firewall, appliances, proxy, VPN, etc.) and servers (Windows, AIX, IBM i, and Exchange). SRO has even developed its own parsers to better integrate its client’s critical banking application events with QRadar. The combined QRadar/Cilasoft solution now enables SRO’s customer to go well beyond the initial needs of its banking group; for example, it can now monitor specific tasks carried out by SRO in connection with their help desk. SRO has also benefitted because its consultants now have expert knowledge of both QRadar and Cilasoft, which gives SRO a competitive advantage with its other customers. According to the SRO engineer in charge of the IBM i partitions: "... the Cilasoft processes are very stable, with no degradation on performance, and up to now there haven’t been any technical incidents."

Improvement projects are continuing in 2017, which will serve new needs of SRO’s financial services customer: a Cilasoft upgrade that will allow for better categorization of QRadar events, support for LEEF2, and possibilities to further enrich the payload sent to QRadar.

QJRN/400 offers the following features on the IBM i for QRadar integration:

- Powerful filtering of IBM i transactions
- Multiple message formats available: LEEF, CEF, RFC3164, RFC5424
- Data transmission via Syslog or LFP
- Secure transmission with SSL, TLS
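As an added example (not code from Cilasoft, IBM QRadar or this case study), the following Python shows what the feature list above amounts to on the wire: it builds a LEEF 1.0 and a LEEF 2.0 event, frames each in an RFC 5424 syslog header, parses the lines back the way a collector would, drops a high-volume entry type as the kind of "noise" filtering the case study describes, and prepares a TLS client context with certificate verification on. Only the vendor and product names come from the page; the version string, attribute names, the IBM i audit entry types used as event IDs (PW, AF, JS), hostnames, and the choice of which entry type counts as noise are constructed assumptions.

```python
"""Added example: LEEF over RFC 5424 syslog, as an IBM i log source might send to QRadar.
Vendor/product names come from the case study; everything else (version string, attribute
names, audit entry types used as event IDs, hostnames, the noise rule) is constructed."""
import re
import ssl
from datetime import datetime, timezone

PRODUCT_VERSION = "VERSION-PLACEHOLDER"   # hypothetical; the page gives no version
NOISY_EVENT_IDS = {"JS"}                  # illustrative: job-start entries flood a SIEM

def _escape(value):
    # Attribute values may not contain the attribute delimiter or line breaks.
    return re.sub(r"[\t\r\n]+", " ", str(value))

def build_leef(vendor, product, version, event_id, attrs, leef_version="1.0", delim="\t"):
    """Return a LEEF 1.0 (tab-delimited) or LEEF 2.0 (declared delimiter) payload.
    Header fields themselves must not contain '|'."""
    if leef_version != "2.0":
        delim = "\t"                      # LEEF 1.0 always uses a tab
    header = f"LEEF:{leef_version}|{vendor}|{product}|{version}|{event_id}|"
    if leef_version == "2.0":
        # 2.0 carries the delimiter in the header; a tab is written as x09.
        header += ("x%02x" % ord(delim) if delim == "\t" else delim) + "|"
    return header + delim.join(f"{k}={_escape(v)}" for k, v in attrs.items())

def frame_rfc5424(payload, hostname, app_name, facility=13, severity=6, ts=None):
    """Prefix an RFC 5424 header (PRI = facility*8 + severity; no structured data)."""
    ts = ts or datetime.now(timezone.utc)
    stamp = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{facility * 8 + severity}>1 {stamp} {hostname} {app_name} - - - {payload}"

_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ "
    r"(?:-|\[.*?\]) (?P<msg>.*)$", re.S)

def parse_leef_syslog(line):
    """Collector side: split syslog header, LEEF header and key=value attributes."""
    m = _SYSLOG_RE.match(line)
    if not m or not m.group("msg").startswith("LEEF:"):
        raise ValueError("not an RFC 5424 line carrying LEEF")
    pri = int(m.group("pri"))
    parts = m.group("msg").split("|")
    leef_version = parts[0][len("LEEF:"):]
    vendor, product, version, event_id = parts[1:5]
    if leef_version == "2.0":
        d = parts[5]
        delim = chr(int(d[1:], 16)) if re.fullmatch(r"x[0-9a-fA-F]{2}", d) else d
        body = "|".join(parts[6:])      # re-join: values may legitimately contain '|'
    else:
        delim, body = "\t", "|".join(parts[5:])
    attrs = dict(kv.split("=", 1) for kv in body.split(delim) if "=" in kv)
    return {"facility": pri // 8, "severity": pri % 8, "host": m.group("host"),
            "app": m.group("app"), "leef_version": leef_version, "vendor": vendor,
            "product": product, "version": version, "event_id": event_id, "attrs": attrs}

def filter_noise(events, drop=NOISY_EVENT_IDS):
    """Drop high-volume, low-signal entry types before they reach the SIEM."""
    return [e for e in events if e["event_id"] not in drop]

def tls_context():
    """Client context for the 'secure transmission' item: certificate and hostname
    verification on, nothing below TLS 1.2."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def sample_pipeline():
    """Constructed sample: three events as the sender emits them, parsed back as the
    collector would, with job-start noise dropped."""
    ts = datetime(2017, 3, 1, 9, 12, 44, tzinfo=timezone.utc)
    sender = [
        ("PW", {"usrName": "JSMITH", "src": "10.0.0.5", "reason": "invalid password"}, "2.0"),
        ("JS", {"jobName": "QZDASOINIT", "usrName": "QUSER"}, "1.0"),
        ("AF", {"usrName": "JSMITH", "object": "QSYS/BANKLIB", "reason": "not authorized"}, "2.0"),
    ]
    raw = [frame_rfc5424(build_leef("Cilasoft", "QJRN/400", PRODUCT_VERSION, eid, a, v),
                         "IBMI01", "QJRN400", ts=ts) for eid, a, v in sender]
    return filter_noise(parse_leef_syslog(line) for line in raw)

if __name__ == "__main__":
    for ev in sample_pipeline():
        print(ev["event_id"], ev["attrs"])
```

The parser re-joins everything after the LEEF header on `|`, because attribute values (object names, reasons) may contain that character while the header fields may not; the filter runs after parsing so that the drop decision can use the event ID rather than the raw line. The TLS context is deliberately the verifying, TLS 1.2-or-better default: a collector that accepts any certificate gives an attacker on the path a way to read or alter the audit feed.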

www.cilasoft.com


2017 Copyright © Cilasoft