Overview
Apto Solutions was engaged by a client in the Critical National Infrastructure (CNI) sector to perform a comprehensive audit of its SIEM (Security Information and Event Management) system, in this instance a Splunk deployment running Enterprise Security. The client’s security team wanted to validate its security posture and confirm it was adequately covered for compliance requirements and future audits. The business also needed to independently verify that its outsourced Security Operations Centre (SOC) was making effective use of the SIEM, a platform the client itself owned and operated.
The engagement involved a 360-degree review of the Splunk deployment, focusing on use case review, threat intelligence integration, MITRE ATT&CK mapping and data quality analysis, and concluding with a gap analysis and an optimisation report.
The Client’s Challenge
For a business in the CNI sector, security and compliance are critical. The client required assurance that its SIEM was operating optimally and that all critical threats and risks were being adequately monitored. It also wanted to confirm that the SOC’s operations were aligned with its security objectives and that Splunk was configured appropriately for present and future compliance audits.
In particular, the client was concerned that:
- The data within their SIEM was mapped accurately to security use cases and alerts.
- Their SOC was using the system effectively.
- They were prepared for any upcoming compliance inspections.
- Potential gaps in security coverage could be identified and addressed.
Our Approach
Our team conducted an exhaustive review of the SIEM. We began with a use case review, using Apto Solutions’ in-house tooling to scan several hundred active use cases and flag those producing false positives or false negatives and those whose search logic needed review. We then validated search logic and filtering manually, paying particular attention to critical use cases such as “break glass” account monitoring.
We also assessed the threat intelligence platform and mapped the use cases to MITRE ATT&CK to confirm that the organisation’s detection coverage was aligned with the framework. The data quality review revealed numerous overwritten source types that could have prevented Splunk from correctly parsing and using security data from key vendor sources such as CrowdStrike.
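An overwritten source type is usually a vendor add-on’s props.conf stanza that a higher-precedence layer (the app’s local/ directory or system/local) redefines, so the vendor’s parsing no longer applies and later vendor updates to that attribute never take effect. The following script is an added illustration of how to find these, not Apto Solutions’ in-house tooling: it models Splunk’s attribute-by-attribute precedence for props.conf and reports every vendor-shipped setting whose effective value comes from a higher layer. The layer names, the sourcetype acme:edr:json and all conf contents are constructed for the example.

```python
"""Audit props.conf overrides across Splunk configuration layers.

Added example, not the audited client's configuration or Apto's tooling.
Splunk resolves a props.conf attribute by taking the value from the
highest-precedence layer that defines it; this script reproduces that merge
and reports vendor add-on settings that a higher layer has overridden.
The sourcetype acme:edr:json and all conf text below are constructed.
"""
from dataclasses import dataclass

# Global-context precedence, lowest to highest, as Splunk applies it to props.conf.
LAYER_ORDER = ["system/default", "app/default", "app/local", "system/local"]
VENDOR_LAYER = "app/default"  # where a vendor add-on ships its stanzas


def parse_conf(text: str) -> dict:
    """Minimal Splunk .conf parser: [stanza] headers and key = value lines.
    Keys stay case-sensitive, which configparser would not preserve by default."""
    stanzas: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def merge_layers(layers: dict) -> dict:
    """Effective configuration: the same winner-per-attribute view that
    `splunk btool props list` prints on a live instance."""
    merged: dict = {}
    for layer in LAYER_ORDER:  # later (higher-precedence) layers overwrite
        for stanza, attrs in layers.get(layer, {}).items():
            merged.setdefault(stanza, {}).update(attrs)
    return merged


@dataclass(frozen=True)
class Override:
    stanza: str
    key: str
    vendor_value: str
    effective_value: str
    layer: str  # layer that supplies the effective value


def audit_overrides(layers: dict) -> list:
    """Every attribute the vendor layer defines whose effective value is
    supplied by a higher-precedence layer. Re-declarations with an unchanged
    value are reported too: they still pin the value against vendor updates."""
    vendor = layers.get(VENDOR_LAYER, {})
    higher = LAYER_ORDER[LAYER_ORDER.index(VENDOR_LAYER) + 1:]
    found = []
    for stanza, attrs in vendor.items():
        for key, vendor_value in attrs.items():
            winner, value = VENDOR_LAYER, vendor_value
            for layer in higher:
                if key in layers.get(layer, {}).get(stanza, {}):
                    winner, value = layer, layers[layer][stanza][key]
            if winner != VENDOR_LAYER:
                found.append(Override(stanza, key, vendor_value, value, winner))
    return found


# Constructed sample: a vendor EDR add-on's shipped stanza plus two local edits.
# app/local switches off the JSON extraction the vendor relies on, and
# system/local replaces the vendor's CIM field aliases with a partial set.
SAMPLE_LAYERS = {
    "app/default": parse_conf(r"""
[acme:edr:json]
KV_MODE = json
TIME_PREFIX = "timestamp":
MAX_TIMESTAMP_LOOKAHEAD = 30
FIELDALIAS-acme_cim = src_ip AS src dest_ip AS dest
"""),
    "app/local": parse_conf(r"""
[acme:edr:json]
KV_MODE = none
EXTRACT-legacy_host = ^(?<host>\S+)
"""),
    "system/local": parse_conf(r"""
[acme:edr:json]
FIELDALIAS-acme_cim = source_ip AS src
"""),
}


def report(layers: dict = SAMPLE_LAYERS) -> list:
    """Print and return the overrides found in the given layers."""
    overrides = audit_overrides(layers)
    for o in overrides:
        print(f"[{o.stanza}] {o.key}: vendor={o.vendor_value!r} "
              f"effective={o.effective_value!r} from {o.layer}")
    return overrides


if __name__ == "__main__":
    report()
```

On a real deployment the layer contents come from the add-on’s default/props.conf and local/props.conf under $SPLUNK_HOME/etc/apps and from $SPLUNK_HOME/etc/system/local/props.conf, and `splunk btool props list <stanza> --debug` shows the same winner-per-attribute view with the file each value came from. Edits made directly inside an add-on’s default/ directory are the complementary failure mode: they are invisible to this merge and are silently lost on the next add-on upgrade, so the installed default/ should also be diffed against the packaged release.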
Finally, we completed a gap analysis and delivered an optimisation report, providing the client with actionable insights to improve their system’s overall performance.
Key Outcomes
The results of our SIEM audit provided the client with:
- Optimised Use Case Management: By identifying and correcting issues in their use case configurations, the client was able to reduce false positives, allowing the security team to allocate analyst time more effectively and improve response times.
- Improved Data Quality: Our data quality review uncovered over 20 overwritten source types, leading to a remediation plan that restored correct parsing of the affected data and ensured future vendor add-on updates would take effect rather than being missed.
- Confidence in Threat Intelligence: The client was reassured that their threat intelligence platform was fully operational, bridging a knowledge gap within their security team.
- Better Licence Management: The review of licence usage and search load balancing resulted in a recommendation to adopt risk-based alerting (RBA), relieving pressure on key Splunk components, avoiding skipped searches and improving security coverage.
- Enhanced Compliance Readiness: The audit gave the client confidence that it would meet future compliance inspections and provided evidence of the value its security investment delivers.
The client has since moved on to scope further security measures, including a cloud access security broker (CASB), risk-based alerting, and the integration of Qualys vulnerability data into that risk-based alerting.
Business Impact
The engagement provided the client’s leadership team with a clear view of their security posture, helping them quantify the value of their SIEM platform to the CISO. The audit’s recommendations have led to better operational efficiency within the SOC, a reduction in security risks, and improved alignment with compliance standards.
For similar businesses, a SIEM audit of this kind delivers value by mapping security capabilities to compliance and operational requirements. Identifying data quality issues, and data that is ingested but never used by any detection, can be just as important to improving a company’s overall security posture.