
Using SIEM tools for Fraud Detection

01-21-2009

Some time ago I was assigned to a project at a telecom in South America to design, build and deploy a SOC infrastructure.

The customer's objective was to monitor the network against attacks (vulnerable devices, brute force attacks, etc.), to correlate events in order to identify hidden threats (DDoS, scanning, worms), and to identify business and operational frauds.

I met the audit team and was then able to understand where their main frauds happened; some examples were:

  • ADSL and dial-up users sharing username/password;
  • ADSL subscribers connecting at higher speeds than they had contracted for;
  • Operators accessing the system outside of their working hours.

We decided to use the same SIEM tool acquired for the network security event correlation instead of a dedicated fraud detection system, for several reasons:

  • Saves investment;
  • Improves ROI;
  • More freedom to create behavioral rules than with a statistical fraud system.

All the logs needed for these correlations were available but were scattered among several existing systems (electronic turnstiles, access control systems, RADIUS and LDAP databases, provisioning system, CRM, etc.), so the first task was to create the proper collectors and appropriate parsers.

After that, we started developing the correlation rules to identify the "suspicious fraud events" and restricted the event views, reports and alarms to the audit team only.

This task took several months, but in the end the audit team obtained a powerful tool that allowed them to easily identify hundreds of violations (operational and business) and also to easily change or add new rules.

For companies that have difficulty justifying the acquisition of a SIEM tool, I believe this is a strong argument to convince upper management. Just be careful when studying the available SIEM tools, because not all of them can be adapted in such a way.

Best Regards and a Happy New Year
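The three fraud patterns listed in the post, as an added example that is not part of the original post: minimal correlation logic in Python run over constructed RADIUS-style accounting, provisioning and operator access records. Field names, the 10% speed tolerance and the 08:00 to 18:00 working window are assumptions.

```python
from datetime import datetime, time

# Constructed sample records (not from the post). Field names, the 10%
# speed tolerance and the 08:00-18:00 working window are assumptions.
SESSIONS = [  # (user, start, stop, nas_ip, peak_kbps) from RADIUS accounting
    ("alice", "2009-01-20 08:00", "2009-01-20 12:00", "10.0.0.1", 1024),
    ("alice", "2009-01-20 09:30", "2009-01-20 10:00", "10.0.0.7", 512),
    ("bob",   "2009-01-20 13:00", "2009-01-20 14:00", "10.0.0.1", 4096),
    ("carol", "2009-01-20 15:00", "2009-01-20 16:00", "10.0.0.2", 2048),
]
PLANS = {"alice": 1024, "bob": 2048, "carol": 2048}  # contracted kbps (provisioning)
OPERATOR_ACCESS = [  # (operator, login time) from the access-control system
    ("op1", "2009-01-20 10:15"),
    ("op2", "2009-01-20 23:40"),
    ("op3", "2009-01-21 07:59"),
]
WORK_HOURS = (time(8, 0), time(18, 0))


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def shared_credentials(sessions):
    """Users with overlapping sessions from different NAS addresses: one
    subscriber cannot be in two places at once, so the account is shared."""
    by_user, hits = {}, set()
    for user, start, stop, nas, _ in sessions:
        by_user.setdefault(user, []).append((_ts(start), _ts(stop), nas))
    for user, items in by_user.items():
        for i, (s1, e1, n1) in enumerate(items):
            for s2, e2, n2 in items[i + 1:]:
                if n1 != n2 and s1 < e2 and s2 < e1:  # intervals overlap
                    hits.add(user)
    return sorted(hits)


def over_speed(sessions, plans, tolerance=1.1):
    """Subscribers whose observed peak rate exceeds the contracted plan."""
    return sorted({u for u, _, _, _, kbps in sessions
                   if kbps > plans.get(u, 0) * tolerance})


def after_hours_access(access_log, hours=WORK_HOURS):
    """Operators logging in outside the defined working window."""
    lo, hi = hours
    return sorted({op for op, ts in access_log
                   if not (lo <= _ts(ts).time() < hi)})
```

Each function returns the list of accounts the audit team would see as an alarm; in a SIEM these would be the output of one correlation rule each, fed by the corresponding collector.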