Recently a large regional healthcare organization hired VioPoint to help them optimize their QRadar Security Information and Event Management (SIEM) investment after their initial deployment push. Like many organizations that balance multiple projects, the deployment stalled as internal resources were pulled to support other critical projects, ultimately leaving a gap in the HIPAA-mandated coverage for monitoring critical system logs.
When organizations decide to invest in a SIEM, it takes a lot of time and resources to complete the initial implementation. One of the greatest challenges faced by most organizations is how to continue driving value from a SIEM investment after the initial implementation push fades.
Recognizing the ongoing challenges of supporting the QRadar deployment, the regional healthcare organization contacted VioPoint to quantify the implementation gaps and develop a plan to address them. After conducting a health check on the SIEM deployment, VioPoint identified a number of key issues that were prioritized into action plans. One of the more critical challenges focused on the limited resources that could be applied to monitoring and tuning QRadar. When environments are not consistently tuned and monitored, changes in the infrastructure can disrupt the data that is collected and prioritized by the SIEM. These gaps in data make it difficult to identify a potential breach and leave organizations non-compliant with HIPAA standards.
The main function of a SIEM is to take centralized log data and put it in security context so it is easier for the company to spot anomalies and see potential threats. When an organization is fully optimizing their SIEM investment, QRadar should be doing the following:
- Collecting logs from servers and network devices on a recurring basis
  - Log sources: the devices from which logs are collected (Windows, network gear, anti-virus, etc.)
- Alerting on suspicious behavior by invoking pre-defined rules
  - Rules: the criteria that describe when an alert needs to be raised
  - Flows: a description of network traffic such as source, destination and port
- Providing a "dashboard" quick view of network activity and suspicious behavior
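As an added illustration of how rule criteria turn log-source events into alerts (this is example code written for this page, not VioPoint's or QRadar's own logic; the log line format, event IDs and thresholds are constructed), a small correlation rule run over sample Windows logon events:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one Windows logon event per line, as a log
# source might forward them (4625 = failed logon, 4624 = successful logon).
SAMPLE_EVENTS = """\
2024-03-01T10:00:01 host=DC01 event=4625 user=jdoe src=10.0.5.23
2024-03-01T10:00:04 host=DC01 event=4625 user=jdoe src=10.0.5.23
2024-03-01T10:00:07 host=DC01 event=4625 user=jdoe src=10.0.5.23
2024-03-01T10:00:09 host=DC01 event=4625 user=jdoe src=10.0.5.23
2024-03-01T10:00:12 host=DC01 event=4625 user=jdoe src=10.0.5.23
2024-03-01T10:00:20 host=DC01 event=4624 user=jdoe src=10.0.5.23
2024-03-01T10:05:00 host=DC01 event=4625 user=asmith src=10.0.7.8
2024-03-01T10:09:00 host=DC01 event=4624 user=asmith src=10.0.7.8
"""

LINE_RE = re.compile(r"(\S+) host=(\S+) event=(\d+) user=(\S+) src=(\S+)")

def parse_events(text):
    """Normalize raw log lines into event dicts (the log-source parsing step)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsed lines are exactly what tuning sessions chase down
        ts, host, event_id, user, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event": int(event_id), "user": user, "src": src})
    return events

def brute_force_rule(events, threshold=5, window=timedelta(minutes=2)):
    """Rule criteria: at least `threshold` failed logons for the same user from
    the same source inside `window`, followed by a successful logon from that
    source. Returns one alert per (user, src) pair that matches."""
    failures = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["event"] == 4625:
            failures[key].append(ev["ts"])
            # keep only failures still inside the sliding window
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= window]
        elif ev["event"] == 4624 and len(failures[key]) >= threshold:
            alerts.append({"user": ev["user"], "src": ev["src"],
                           "failures": len(failures[key]), "success_at": ev["ts"]})
            failures[key] = []  # reset so one burst produces one alert
    return alerts
```

The single failure by `asmith` falls below the threshold, so only the `jdoe` burst produces an alert; raising or lowering `threshold` and `window` is the kind of tuning that separates signal from false positives.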
After conducting a brief assessment to learn about the healthcare provider’s critical gaps, VioPoint developed a customized action plan. Key areas that required additional focus included adding log sources, enabling Netflow, and developing custom rules.
After receiving approval for the plan, VioPoint pointed the in-scope internal IT systems at the QRadar log collector. Once the logs were successfully aggregated, VioPoint shifted focus to defining and applying the correlation rules that would generate alerts. These tasks were completed during a series of ongoing configuration and tuning sessions to improve the capabilities of QRadar. Customized dashboards and standardized reporting were also defined to highlight ongoing HIPAA compliance details.
The main focus of the SIEM project was to help the healthcare organization effectively leverage QRadar and comply with the HIPAA-mandated coverage for monitoring critical system logs. To accomplish this goal, VioPoint followed a structured approach that included the following:
- Create enhanced visibility in the network by increasing log source tracking by 150%
- Tune out false positives so their internal resources could be accurately assigned
- Upgrade QRadar to a newer version that simplified ongoing support
- Integrate Anti-Virus feeds for increased visibility on desktops and servers
- Create customized dashboards to highlight specific security and compliance information
Ultimately, the VioPoint services helped the regional healthcare provider improve visibility while reducing the number of resources required to address monitoring requirements. If you have a QRadar SIEM that is not driving the expected value, please feel free to contact VioPoint directly for more information on the services and programs we offer for this technology: