Large IBM Qradar deployment and SOC Build out

ST

Project Description

Large IBM Qradar deployment and SOC Build out. Deployed 160+ QRadar appliances over multiple countries. The Qradar components deployed were:

Qradar Console, QRIF, QVM, QRIF, AppNodes, Flow Collectors (Cu & Fi), Log Collectors and Processors

IBM Resilient (SOAR).

At the end we had over 9000 log sources from enterprise infra such Servers, Routers, Switches, Firewalls, Mainframes, Mcafee EPO, SWIFT systems and many other. In addition we were rolling out logging from end points as well. The daily influx of logs was over 2 billion events distilling down to around ~100 offences (after tuning).

Lessons Learned

Ensure that sufficient engineering resources were available with Qradar experience to not only deploy, maintain and update the appliances but also create/tune use cases.

Highlights

Received a promotion
Support from colleagues
scalability

Difficulties

Management had to be convinced
Equipment incompatibility
Steep learning curve
Hard to meet schedule

Products Used

IBM Security QRadar
RSA Archer
Atlassian Confluence
McAfee ePolicy Orchestrator
Recorded Future
CrowdStrike Falcon
IBM Resilient
IBM Watson for Cyber Security
ServiceNow Security Operations
  • London (ENG-GB)51.5085-0.12574
  • Helsinki (FI)60.169524.9354
  • Paris (A8-FR)48.85342.3488
  • Brussels (BRU-BE)50.85044.34878