A large public university needed proven expertise to implement Google Security Operations SIEM (Security Information and Event Management) to improve their security monitoring and alerting capabilities.

Recognizing that their existing solution no longer met the university’s operational requirements, given the increasing complexity of attacks and the analysis needed to handle them, the IT team sought Dito’s expertise to design and implement a more efficient and robust security operations solution.

Challenge

During the discovery phase, Dito identified several critical issues with the university’s legacy Splunk system:

  1. Frequent false positives and failure to detect important security events
  2. Accumulation of technical debt
  3. Excessive time investment from IT staff to create workarounds
  4. Parsing failures for Shibboleth logs
  5. Underperforming API for legacy stream detection alerts

These challenges led them to seek a new SIEM solution that could integrate seamlessly with their existing Cisco XDR system while addressing the shortcomings of their current setup.

Solution

Dito developed a comprehensive technical design solution leveraging Google Security Operations SIEM (formerly known as “Chronicle” and now part of the unified Google SecOps platform). Google Security Operations SIEM is a cloud-based security solution that ingests, normalizes, and analyzes massive volumes of security and network telemetry.

The platform provides instant analysis and context for potential security risks, allowing for comprehensive historical searches across all enterprise assets, domains, and IP addresses. This enables efficient threat detection, investigation, and response over extended time periods.

Key components of the implementation included:

  1. Optimizing Unified Data Models to create incident-specific rules rather than log-event-specific rules
  2. Developing custom parsers and extensions to resolve mapping issues
  3. Converting and optimizing Splunk rules for the Google SecOps SIEM alerting system
  4. Creating API code to proactively monitor alerts and send notifications to external systems (chat, email)
  5. Developing a custom module based on the SearchRulesAlerts API to implement a polling framework for querying alerts

This solution provided a pull-based alternative for users who preferred not to maintain a push events handler from StreamDetectionAlerts. The framework was then utilized to send notifications to external systems such as XDR, chat, and email.

Throughout the engagement, Dito conducted regular knowledge-sharing sessions with the university staff, enabling them to build expertise in Google Security Operations.

Results

The implementation of Google Security Operations SIEM yielded significant improvements for the university’s security operations:

  1. Streamlined triage operations, minimizing false positives and optimizing IT team efficiency in incident detection and prevention
  2. Increased proficiency in Google SecOps among IT staff, evidenced by the ability to delegate rules creation within the team
  3. Reduction in consulting session duration from 1.5 hours to 20 minutes by the final project phase
  4. Google SecOps SIEM became the primary tool for incident detection, prevention, and log aggregation in the customer’s production environment, replacing Splunk

The most significant indicator of success was the adoption of Google Security Operations SIEM as the primary security platform over the university’s legacy system, demonstrating the project’s overall effectiveness in enhancing the university’s security posture and operational efficiency.
