BlueScope.
BlueScope is a global leader in the steel industry and the third-largest steel manufacturer in the world — with 14,000+ employees across 100+ facilities in 18 countries. A challenge that large and complex demanded an all-inclusive, flexible SIEM.
The challenge
BlueScope’s Group Manager for Information Services and Cyber Security, David Johnston, had long wanted to build a centralized Security Operations Centre — but found the commercial security-intelligence options “expensive and over-prescriptive.” He shared the problem with the small team of professional hackers running BlueScope’s regular penetration tests. Among them were the co-founders of SIEMonster, and the idea of an affordable, infinitely scalable SIEM was born.
The newly founded SIEMonster team then worked closely with BlueScope’s security team for two years, building a SIEM that could monitor servers, routers and firewalls — as well as complex SCADA systems like blast furnaces and automated heavy equipment. BlueScope needed continuous monitoring and alerting but couldn’t justify the cost: “Looking at the marketplace, software costs are in the hundreds of thousands,” Johnston explained. “By the time you get a project team in to do the integration, it’s usually $1 million plus.”
To curb unnecessary cost, SIEMonster CISO Chris Rock turned to open-source components including the Elastic stack, Kafka and Wazuh. Combined, these tools gave the security team real-time visibility of BlueScope’s entire network, with configurable thresholds and alerts. “It was beyond our expectations in terms of just how well and how smoothly the trial went,” Johnston says.
The solution
The solution was first implemented in April 2015 and continues to this day. BlueScope runs SIEMonster’s AWS Cloud Edition, and its SOC has processed over 350,000 events per second from across the worldwide network. “Given the way the threat landscape looks these days, it really is important to have that real-time view of what’s going on.”
Data is filtered and made available to users in real time, with around 10TB of processed data archived every month. The production environment is built on Kubernetes and leverages Amazon EC2 and S3 to scale virtual-server and data-storage infrastructure with demand — storing roughly 12 months of data onsite, a further 12 months archived, and more offloaded to Amazon Glacier for later recall.
Because the solution is open by design, the team integrated a diverse range of systems with ease — essential in BlueScope’s heavily industrialized environment. The SOC oversees far more than standard payroll systems and networked devices; it monitors industry-specific control systems attached to steel furnaces and paint guns. SIEMonster’s affordability, scalability and easy visualization made it the perfect fit for BlueScope’s unique security problem.
Blue Team security, by Red Team professionals.
With more than 30 years in penetration testing and whitehat hacking, SIEMonster’s founders are better equipped than most to build an affordable, customizable and infinitely scalable SIEM — the most proactive defense on the market.
Could SIEMonster fit your environment?
However large or unusual your estate, SIEMonster scales to meet it. Start a proof of concept today.