


Samira Sarraf
Regional Editor for Australia and New Zealand

How Imdex got control of its logs

Oct 24, 2021 | 5 mins
Mining, Oil, and Gas | Security Information and Event Management Software

The Australian mining-tech firm wanted to look at its logs collectively rather than try to correlate instances manually. So it turned to SIEM.


Headquartered in Western Australia, Imdex is a global mining-technology company with about 700 employees. The publicly listed organisation needed to ensure not only that its internal systems were protected but also that the systems it develops, which are used by its customers, are safe and always available.

With Australia being a playground for cyberattacks, where it is often an external party or law-enforcement organisation that informs the affected party that its data has been found somewhere in a public forum, organisations must be alert and in control of their systems.


“I strongly believe that if any company thinks that they are immune to a cybersecurity attack, they’re delusional,” says Sameera Bandara, Imdex’s general manager of cybersecurity and enterprise architecture. “I think it’s very important being able to detect anything unusual, and then being able to respond quickly. For me, just correlating all the logs from the different sources, and just setting it up in a way so that we get an alert if there’s any suspicious activity, instead of us having to manually go into all of these different systems, has been a big advantage as well.”

Imdex was looking for one customisable application for log analysis

Having an alerts system in place and connected to all its systems ensures that Imdex can meet its customers’ expectations of uptime. Drilling explorations and mining operations require systems to be available 24/7. If a system were to go down on the weekend and not trigger any alerts, this would result in serious problems for Imdex’s users.

Thus for Imdex, it was critical to be able to detect what was happening in its systems. With different systems across the organisation, all of which collect logs, Imdex needed one application that could look at all instances collectively, Bandara tells CSO Australia. For an organisation that runs software from multiple technology vendors as well as its in-house ones, this is not something that can be done manually.

Also, in a company with 700 employees, looking at incidents separately may not be effective. For example, if two unsuccessful logins to the VPN are reported, that alone does not trigger an alert, but if there is a mass copy of files at the same time, that indicates that something bad has likely happened.
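The correlation described above, sketched as an added example (not Imdex's or Splunk's own configuration): failed VPN logins or a large file copy alone stay silent, and an alert fires only when both occur close together. The log format, field names, thresholds and the choice to group by user are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real logs): "timestamp source user action [key=value]"
SAMPLE_LOGS = [
    "2021-10-01T09:00:05 vpn alice login_failed",
    "2021-10-01T09:00:40 vpn alice login_failed",
    "2021-10-01T09:03:00 fileserver alice file_copy count=450",
    "2021-10-01T10:15:00 vpn bob login_failed",
    "2021-10-01T10:15:30 vpn bob login_failed",
    "2021-10-01T11:00:00 fileserver carol file_copy count=600",
]

def parse(line):
    """Split one constructed log line into a normalised event dict."""
    ts, source, user, action, *extra = line.split()
    fields = dict(kv.split("=", 1) for kv in extra)
    return {"ts": datetime.fromisoformat(ts), "source": source, "user": user,
            "action": action, "count": int(fields.get("count", 0))}

def correlate(lines, window_s=600, min_failures=2, min_files=100):
    """Alert only when a mass file copy and failed VPN logins by the same
    user fall within window_s seconds of each other (assumed thresholds)."""
    events = [parse(l) for l in lines if l.strip()]
    failures = defaultdict(list)          # user -> failed VPN login times
    for ev in events:
        if ev["source"] == "vpn" and ev["action"] == "login_failed":
            failures[ev["user"]].append(ev["ts"])
    alerts = []
    for ev in events:
        if ev["action"] != "file_copy" or ev["count"] < min_files:
            continue
        near = [t for t in failures.get(ev["user"], [])
                if abs((ev["ts"] - t).total_seconds()) <= window_s]
        if len(near) >= min_failures:
            alerts.append({"user": ev["user"], "copy_at": ev["ts"].isoformat(),
                           "files": ev["count"], "failed_logins": len(near)})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Tightening `window_s` or raising `min_failures` trades missed detections against alert volume, which is the tuning work a SIEM rollout involves.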

Imdex was using logs from multiple systems individually. Bandara says that Microsoft Azure, for example, has done a good job in the last five years in providing “decent” logs in one place where information about the Azure environment can be found. But when, like many organisations, Imdex has part of its environment in the (Microsoft) cloud and half on premises using SaaS offerings not from Microsoft, it becomes a challenge to figure out what is going on across all the systems.

How Imdex found the right SIEM product

The Imdex security team used the Center for Internet Security’s list of security controls to see what capabilities were recommended for a SIEM (security information and event management) product and compiled a MoSCoW (must-have, should-have, could-have, and won’t-have) list to identify Imdex’s specific needs.

The list of vendors that met its requirements came down to Splunk and LogRhythm. Imdex decided to go with Splunk because of its custom applications.

With the support of a consultant from Data#3, Imdex did the installation, and its security engineer built the infrastructure to host the Splunk service. “My security engineer would make sure that the systems are forwarding the logs to Splunk, and then professional services and Data#3 made sure that they did what’s called an index, and then the logs are being consumed by Splunk,” Bandara says.

The challenges of implementing SIEM

One of the first things Bandara realised he underestimated was how many logs would be generated. “For example, a firewall these days, what we call a Layer 7 firewall, generates an enormous amount of logs just when a user accesses a website. When you multiply that by 700 [users], you have a considerable amount of logs,” he says. That led Imdex, which generates 35 gigabytes of logs per day, to buy additional capacity during the installation process.

As a mining-technology company, Imdex develops niche software, so it had to build its own indexers for those applications. That was one of the reasons the organization went with Splunk, which lets customers build those bespoke indexers within Splunk.

Another issue that organisations will likely run into when using a SIEM product is the initial amount of alerts. “If you get too much noise, what that means is you’re not really looking at any of it. We’ve spent a considerable amount of time just tweaking the alerts and setting the thresholds right, so that you only get a manageable amount of alerts, and that they’re meaningful and not a waste of time,” Bandara says.

Next security priorities for the mining-tech company

There are plenty of projects on the horizon for the cybersecurity team at Imdex. The next two big projects will focus on data loss prevention and data classification. With their data classified, the company will find it easier to work on access controls for its 700 staff. Following that, Imdex plans to implement a cloud access security broker.

Bandara will also continue to focus on an ongoing project to build a devsecops program. “I’ve been working pretty hard with our software development team to build a devsecops program. Instead of fixing security vulnerabilities after the code is deployed, [we will be] training the developers and providing them the tools so an incident doesn’t occur in the first place,” Bandara says.