To meet New York State compliance deadlines for its new security regulation and rapidly achieve operational sophistication, this property and casualty insurer engaged IBM Business Partner Sirius to architect, install and remotely manage an enterprise-wide IBM® QRadar® SIEM solution.
With the introduction of a comprehensive new security regulation, the insurer needed a fast path to implementing security information and event management (SIEM) across the enterprise.
With help from Sirius, the insurer was able to address a critical component of the overall security regulation’s requirements without a significant investment in hard-to-find security staff.
When the New York state Department of Financial Services (NYDFS) announced 23 New York Code Rules and Regulations 500 (23 NYCRR 500), a cybersecurity regulation for all financial institutions doing business in New York, it gave covered organizations a staggered set of implementation deadlines to meet.
Addressing the regulation’s requirements fit within the plans of this property and casualty insurance company that does business in New York and several other states. It had determined that security management is a strategic business function for the company—only now it had a firm deadline with a short runway for addressing compliance.
A critical component of the compliance effort was to get an organization-wide security information and event management (SIEM) system in place and fully operational prior to the September 2018 implementation deadline for 23 NYCRR 500. The company did have SIEM tools deployed in different parts of its infrastructure, but that left devices and entities uncovered. Moreover, even with those gaps, the tools were generating more events than the current staff could handle effectively. Company leadership was not getting the detailed view it needed across the entire enterprise.
Rather than tackling the task of choosing and implementing an enterprise-wide SIEM solution on its own, the insurance company turned to IBM Platinum Business Partner Sirius (link resides outside of ibm.com) for help. The company had an existing relationship with Sirius, and Sirius was already approved to work within its IT environment—both factors that positioned the IT solutions provider to help address the company’s need for speed.
“Step one was selecting the SIEM tool that would meet this client’s current needs and, more importantly, provide a strategic platform for taking the company into the future,” says Brian Reichart, Sirius Managed Services Solutions Sales Specialist, who led the engagement. Sirius recommended IBM QRadar SIEM, which was one of the tools already in use at the company.
“The newly appointed CISO did grill us very intensively as to why we thought QRadar was the product to go with. We also had a long discussion about the value of an on-premises deployment versus the cloud. After working through their strategic imperatives around security, and considering the company’s expected 10% to 15% year-over-year growth, we really felt that a dedicated on-premises QRadar solution was correct for this client.”
Among the differentiating features that contributed to the selection of QRadar over other SIEM platforms under consideration is the extensive set of standard reports included as well as the flexibility of reporting. That means little customization was required to set up the security software. The log manager platform provides fast access to data for operational review and enables analysis of activity in subsets of the environment.
The insurance company’s CISO also appreciated the opportunity to add functionality through the IBM Security App Exchange, an ecosystem of developers offering apps and add-ons for QRadar and other security solutions.
With just over six months until the company’s “go live” target date, Sirius went to work architecting the scalable QRadar solution and installing collectors and consoles across the insurer’s three major data centers plus several remote locations. The Sirius solution includes correlation rules that filter out false positives and are critical to the efficiency of any SIEM solution, notes Reichart: “In addition to the correlation rules recommended by IBM, Sirius has developed its own set of correlations that we add. This tuning helps to significantly reduce the number of alerts that the system generates.”
Today the insurance company’s QRadar SIEM installation covers more than 5,100 devices, with new log sources being added continuously as the business grows. The solution supports the company’s current workload at 24,000 events per second (EPS) with the capability to scale up to 40,000 EPS.
Monitoring and ongoing management are provided by Sirius via the Business Partner’s SOC, which enabled the insurer to meet its tight deadline for achieving operational sophistication without having to build and staff its own operations center. This positioned the company to avoid potential fines and penalties from 23 NYCRR 500 while giving the insurer time it needs to staff up and equip their own SOC in the future.
“Right now, we are 24x7x365 eyes on glass and hands on keyboards supporting QRadar,” says Reichart. Ongoing support includes adding new correlation rules to fine tune the system, meeting with the client weekly and continuing to implement new log sources as the company adds new resources to its IT environment.
“This company has not slowed down their growth,” says Reichart. “They are continuing to deploy new tools, new hardware and new servers in the environment. Those are all new log sources that we are pulling for them as we go.”
This property and casualty insurance company is headquartered in the southeast US and is licensed in multiple states across the country.
Sirius (link resides outside of ibm.com), an IBM Platinum Business Partner, is a national integrator of technology-based business solutions that span the enterprise, including the data center and lines of business. Since its founding in 1980, Sirius has grown to be one of the largest IT solutions integrators in North America. Today, Sirius offers integrated, multivendor technology solutions that meet the requirements of the full range of organizations, from small businesses with fewer than 500 employees to large enterprises with thousands of employees and hundreds of locations. To learn more about Sirius, visit: https://www.cdw.com/content/cdw/en/solutions.html (link resides outside of ibm.com).
Legal
© Copyright IBM Corporation 2018, IBM Corporation, IBM Security, 75 Binney Street, Cambridge, MA 02142.
Produced in the United States of America, December 2018.
IBM, the IBM logo, ibm.com and QRadar are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/trademark.
This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.
The performance data and client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions. THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.
The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.