SIEM Modernisation

An overview of a strategic initiative to modernize security operations by migrating from legacy on-premises infrastructure to a high-performance, AI-driven SaaS SIEM platform.

Tags: cybersecurity, siem, cortex xsiam, cribl, soc transformation, cloud migration

Problem Statement

The existing on-premises QRadar solution faced significant hurdles that hindered the Security Operations Centre (SOC). Key challenges included:

  • Limited scalability: The aging 31-appliance infrastructure struggled with high log volumes, leading to ingestion backlogs.
  • High operational costs: Maintaining the on-premises hardware required frequent, expensive tech refreshes, with costs projected to exceed S$8.46 million over five years if the system remained unchanged.
  • Vendor strategy shift: In late 2024, IBM sold its QRadar SaaS assets to Palo Alto Networks and ceased adding features to the on-premises version, effectively making it a legacy solution.
  • Alert fatigue: The old model was alert-centric, overwhelmed by a high noise-to-signal ratio and a lack of modern automated parsers.

High-Level Architecture

The new architecture introduces a streamlined data pipeline designed for flexibility and depth:

[Figure: Logical architecture diagram for SOC modernization]

  1. Sources: Logs are collected from push-based sources such as firewalls and Linux systems, pull-based sources such as Oracle RDBMS, and Windows servers via Cribl Edge.
  2. Observability pipeline: Cribl Stream serves as the central control plane, where Cribl Workers process, filter, and route data.
  3. Destinations: Logs are concurrently routed to Cortex XSIAM for analytics, on-premises storage for long-term network log retention, and temporarily back to legacy QRadar during the transition.
  4. Automation: The platform integrates with Cortex XSOAR to automate incident response and triage.
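The fan-out in steps 2 and 3 (one inbound stream, a short chain of processing functions, several destinations fed in parallel) is easier to reason about with a small model. The Python below is an added example written for this page; it is not Cribl Stream configuration and not code from the project. Event samples, destination names and the route model (a match expression, a destination list and an optional final flag) are constructed approximations; the 90-day and three-year retention values mirror the data tiering decision described later on the page, while the 30-day figure for the legacy QRadar overlap is invented.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Event:
    source_type: str                  # "firewall", "linux", "oracle", "windows"
    host: str
    message: str
    fields: Dict[str, str] = field(default_factory=dict)


@dataclass
class Destination:
    name: str
    retention_days: int               # how long this tier keeps data searchable
    received: List[Event] = field(default_factory=list)


@dataclass
class Route:
    name: str
    match: Callable[[Event], bool]    # filter expression evaluated per event
    destinations: List[str]
    final: bool = False               # True: stop evaluating later routes


def drop_noise(ev: Event) -> Optional[Event]:
    """Pipeline function: return None to drop chatty, low-value events (constructed rules)."""
    if ev.source_type == "firewall" and "keepalive" in ev.message:
        return None
    if ev.source_type == "windows" and ev.fields.get("event_id") == "4634":
        return None                   # logoff events add little detection value
    return ev


def mask_secrets(ev: Event) -> Optional[Event]:
    """Pipeline function: redact credentials before the event leaves the site."""
    ev.message = re.sub(r"(?i)password=\S+", "password=<redacted>", ev.message)
    return ev


class Router:
    """Minimal stand-in for the worker's route table: functions first, then fan-out."""

    def __init__(self, functions, routes, destinations):
        self.functions = functions
        self.routes = routes
        self.destinations = {d.name: d for d in destinations}
        self.dropped = 0

    def process(self, ev: Event) -> List[str]:
        """Run the function chain, then deliver to every matching route's destinations."""
        for fn in self.functions:
            ev = fn(ev)
            if ev is None:
                self.dropped += 1
                return []
        delivered: List[str] = []
        for route in self.routes:
            if not route.match(ev):
                continue
            for name in route.destinations:
                self.destinations[name].received.append(ev)
                delivered.append(name)
            if route.final:
                break
        return delivered

    def searchable_in(self, source_type: str, age_days: int) -> List[str]:
        """Which tiers can still answer a search for an event of this type and age."""
        hits = set()
        for route in self.routes:
            if route.match(Event(source_type, "", "")):
                hits.update(route.destinations)
                if route.final:
                    break
        return sorted(n for n in hits if self.destinations[n].retention_days >= age_days)


def build_router() -> Router:
    return Router(
        functions=[drop_noise, mask_secrets],
        routes=[
            # network logs additionally go to on-prem storage for long-term retention
            Route("network_to_archive", lambda e: e.source_type == "firewall", ["onprem_archive"]),
            # everything surviving the filters goes to analytics and, during the
            # transition, back to the legacy SIEM
            Route("all_to_analytics", lambda e: True, ["xsiam", "legacy_qradar"]),
        ],
        destinations=[
            Destination("xsiam", retention_days=90),
            Destination("onprem_archive", retention_days=3 * 365),
            Destination("legacy_qradar", retention_days=30),   # transitional overlap, constructed
        ],
    )


def sample_events() -> List[Event]:
    """Constructed sample traffic covering each source class in the architecture."""
    return [
        Event("firewall", "fw1", "deny tcp 10.0.0.5 -> 203.0.113.7:445"),
        Event("firewall", "fw1", "keepalive from peer"),
        Event("linux", "web01", "app login password=hunter2 user=bob"),
        Event("oracle", "db01", "ORA-01017: invalid username/password; logon denied"),
        Event("windows", "dc01", "logoff", {"event_id": "4634"}),
        Event("windows", "dc01", "logon failure", {"event_id": "4625"}),
    ]


def run_demo() -> Dict[str, int]:
    router = build_router()
    for ev in sample_events():
        router.process(ev)
    counts = {name: len(d.received) for name, d in router.destinations.items()}
    counts["dropped"] = router.dropped
    return counts


if __name__ == "__main__":
    print(run_demo())
```

Two points the model makes visible: because the archive route is not final, a firewall event lands in all three tiers rather than being diverted, and `searchable_in` shows that after the 90-day XSIAM window only network logs remain searchable, which is exactly the retention gap an analyst needs to know about when scoping a historical investigation.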

Implementation Approach

To ensure business continuity, the project utilizes an EC-by-EC sequential replacement approach. Each legacy QRadar Event Collector is replaced one by one with a Cribl Worker node. The migration follows a strict timeline:

  • Pilot phase: Focused on initial ingestion validation and user acceptance testing for priority log sources.
  • Execution phase: A staged rollout across Singapore, Malaysia, and Indonesia, prioritizing collectors with the most common log sources first to achieve broad coverage early.
  • Post go-live: Includes decommissioning legacy hardware and establishing automated threat intelligence sharing via a TAXII server.
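The execution-phase rule (replace collectors hosting the most common log sources first so coverage climbs early) is a greedy coverage ordering. The Python below is an added example for this page, not the project's planning tool: the collector inventory, site prefixes and source counts are invented, and the tie-break rules (larger collector first, then name) are the author of this example's choice.

```python
from typing import Dict, List, Tuple

# Constructed inventory: collector name -> {log source type: number of log sources}.
COLLECTORS: Dict[str, Dict[str, int]] = {
    "sg-ec-01": {"firewall": 120, "windows": 300, "linux": 80},
    "sg-ec-02": {"oracle": 12, "windows": 200},
    "my-ec-01": {"firewall": 60, "linux": 40, "proxy": 10},
    "id-ec-01": {"windows": 150, "proxy": 8},
    "my-ec-02": {"waf": 4},
}


def type_weights(collectors: Dict[str, Dict[str, int]]) -> Dict[str, int]:
    """How common each log source type is across the whole estate."""
    weights: Dict[str, int] = {}
    for sources in collectors.values():
        for stype, n in sources.items():
            weights[stype] = weights.get(stype, 0) + n
    return weights


def plan_rollout(collectors: Dict[str, Dict[str, int]]) -> List[Tuple[str, int]]:
    """Greedy EC-by-EC order.

    Each step picks the collector whose not-yet-covered source types carry the
    most log sources estate-wide; ties go to the collector with more sources,
    then to the alphabetically first name. Returns (collector, cumulative
    weight of source types covered so far).
    """
    weights = type_weights(collectors)
    covered: set = set()
    remaining = dict(collectors)
    plan: List[Tuple[str, int]] = []
    cumulative = 0
    while remaining:
        def key(name: str):
            gain = sum(weights[t] for t in remaining[name] if t not in covered)
            size = sum(remaining[name].values())
            return (-gain, -size, name)

        pick = sorted(remaining, key=key)[0]
        new_types = set(remaining[pick]) - covered
        cumulative += sum(weights[t] for t in new_types)
        covered |= new_types
        plan.append((pick, cumulative))
        del remaining[pick]
    return plan


def coverage_curve(collectors: Dict[str, Dict[str, int]]) -> List[Tuple[str, float]]:
    """Same plan expressed as the fraction of estate-wide sources covered after each cutover."""
    total = sum(type_weights(collectors).values())
    return [(name, round(cum / total, 3)) for name, cum in plan_rollout(collectors)]


if __name__ == "__main__":
    for name, frac in coverage_curve(COLLECTORS):
        print(f"{name}: {frac:.1%} of source types (by volume) covered")
```

With the constructed inventory the first cutover already covers about 97% of the estate's log sources by type, which is the "broad coverage early" effect the execution phase aims for; a collector with a single rare type (here `my-ec-02`) still jumps ahead of a larger one that adds nothing new, so the plan should be reviewed against site-level constraints before it is locked in.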

Key Design Decisions

  • IP swapping: To minimize configuration changes on thousands of log sources, the project replicates the legacy collector’s IP address and hostname onto the new Cribl Worker nodes.
  • Centralized management: The Cribl Leader node is placed in the Central Management Zone to oversee all regional workers.
  • Data tiering: Searchable data is retained in XSIAM for 90 days, while network logs are kept for three years on-premises to meet forensic and regulatory requirements.
  • Secure connectivity: All outbound traffic to the cloud-based XSIAM is routed via Tier 2 proxies at each site with specific DLP inspection exceptions to prevent breaking encrypted telemetry.

Outcome

The re-platforming project is expected to transform the SOC into a signal- and case-driven model. Key benefits include:

  • Massive cost avoidance: Reducing annual running costs from over S$2 million to less than S$1 million, with a total five-year cost avoidance of S$6.47 million.
  • Enhanced efficiency: Leveraging AI and machine learning to reduce false positives and automate the triaging of security incidents.
  • Simplified tech stack: Consolidating SIEM, threat intelligence, and automation capabilities into a unified, scalable ecosystem.