NAFTA A.S. IS AN INTERNATIONAL COMPANY WITH EXTENSIVE EXPERIENCE IN UNDERGROUND NATURAL GAS STORAGE AND A SLOVAK LEADER IN HYDROCARBON EXTRACTION. IN 2020, THE COMPANY DECIDED TO ESTABLISH ONE OF ITS IMPORTANT SECURITY PILLARS – SECURITY MONITORING.
The deployment of the IBM QRadar SIEM (Security Information and Event Management) tool enabled the organization to significantly increase the visibility of security events within its infrastructure operations in a relatively short time and to strengthen security oversight. The solution was designed and implemented by Alanata.
KEY OBJECTIVES OF THE PROJECT
The key objective was to protect the customer from information leaks, safeguard investments and business operations, and reduce the risk of reputational damage by ensuring:
- Centralized collection and storage of audit data
- Monitoring of network and information system security
- Analysis and resolution of security events and incidents
At the same time, the implementation of IBM QRadar also fulfilled legislative requirements for dealing with cybersecurity incidents and measures related to monitoring, security testing, and security audits.
*Legislation: Act No. 69/2018 on Cybersecurity and the Decree of the National Security Authority No. 362/2018, which establishes the content of security measures, the content and structure of security documentation, and the scope of general security measures.
REQUIREMENTS
- Retention of events from predefined log sources, applications, operating systems, and network hardware
- Monitoring of security-relevant events within the operated infrastructure and information systems
- Correlation of security-relevant events
- Evaluation of security-relevant events
- Detection and resolution of security incidents
- Fulfillment of the requirements of Act No. 69/2018 on Cybersecurity and the related Decree No. 362/2018, §§ 14, 15
SOLUTION DESCRIPTION
The IBM QRadar technology, along with our competencies and services, provided a solution that met the project’s goals and legislative requirements. The solution’s architecture was based on centralized data processing and collection at multiple locations. In each location, we placed a separate data collector that gathers data and optimizes its transmission for centralized processing. SIEM was deployed on-premises at the customer’s site.
To achieve the required level of security oversight, it was essential to ensure the availability of data for event evaluation. We consider this data from two perspectives: the devices and systems from which the data is obtained and the content of logs defined by the logging level settings. Both perspectives must account for the architecture and topology of the operational infrastructure and the legislative requirements the solution must fulfill. To ensure that SIEM provided the required functionality in the shortest time possible, log sources were prioritized based on the categorization of networks and information systems.
The logging level on connected systems was set according to the customer’s security requirements and the requirements of the Cybersecurity Act. During analysis, logs were grouped into the following categories, recording for each event whether it succeeded or failed and whether the audit record itself was modified:
- Authorization events
- Authentication
- Privileged operations
- Access to logs
- Access to system resources
- Modification of authentication data
- Modification of authorization data
- System configuration changes
- Activation/deactivation of security mechanisms
- Process start/stop
- System start/shutdown
EVENT EVALUATION
We achieved effective data utilization by configuring and tuning the parameters involved in the event evaluation logic. We maximized the use of predefined rules, corresponding datasets, and thresholds to “activate” the analysis of processed events in a short time. The clear display of parameter status and trends via dashboards improves understanding of the current state of monitored events and findings. Dashboards were tailored to display events and activities related to the findings identified during the analysis and primarily focus on the requirements of the Cybersecurity Act.
BENEFITS OF SIEM DEPLOYMENT
The deployment of SIEM enabled NAFTA A.S. to:
- Obtain a unified, centralized view of the existing security infrastructure
- Quickly and effectively evaluate large volumes of security-relevant events in real time
- Take appropriate action with minimal delay
The deployed solution also enabled the creation of a unified platform for storing normalized log/audit records, their compression, and indexing. The company thus gained a comprehensive view of the security of its IT infrastructure. NAFTA A.S. recognizes that SIEM is not just about deploying a tool, but also about setting up processes and ensuring oversight.
PROJECT EVALUATION
“Our project has met all the set objectives. We have significantly increased the level of cybersecurity automation in our company and ensured full compliance with the legislation. At the same time, we protect our customers’ operations and shareholders’ investments at an even higher level. We appreciate the effective cooperation and valuable knowledge from Alanata,” says Ivan Mazáň, Head of IT at NAFTA a.s.
“Cybersecurity is a very sensitive topic, and we are all the more grateful to the customer for their trust. To address the needs of NAFTA and current legislative requirements, we chose IBM’s QRadar technology. We have had excellent experience with it. Alanata has competent experts in almost all areas of cybersecurity,” commented Attila Fintor and Richard Beňo from Alanata a. s.