.. include:: global.rst
======================================================================
Regional Insurance Group: Secure Remote Access & SIEM Implementation
======================================================================
Overview
========
This project represents the final phase of a multi-part network redesign for a fictional organization, *Regional Insurance Group*. Building on prior work in network architecture redesign and infrastructure planning, this phase focuses on implementing secure remote access and centralized security monitoring.
The primary objectives of this project include:
- Deploying a secure and scalable VPN solution for remote employees
- Implementing a Security Information and Event Management (SIEM) system
- Enhancing threat detection, monitoring, and incident response capabilities
- Supporting compliance and long-term security scalability
.. note::

   This project builds on previous portfolio entries:

   - :doc:`lab_five`
VPN Implementation
==================
To support a distributed workforce, an **SSL/TLS-based VPN solution** was selected as the primary remote access method.
**Key Features:**
- Browser-based access (no client installation required)
- Strong encryption using TLS protocols
- High compatibility with firewalls (HTTPS-based communication)
- Granular access control to limit exposure of internal resources
- Scalable design to accommodate organizational growth
**Security Enhancements:**
- Multi-Factor Authentication (MFA)
- Zero Trust Network Access (ZTNA) principles
- Endpoint compliance validation (patching, antivirus)
This approach ensures secure, flexible access for remote users while minimizing administrative overhead and security risks.
VPN Writeup
=============
SIEM Implementation
===================
To improve visibility and incident response, **Splunk Enterprise Security** was selected as the SIEM platform.
**Rationale for Selection:**
- Strong log aggregation and real-time analysis capabilities
- Advanced correlation engine for threat detection
- Compatibility with diverse log sources (VPN, firewall, servers)
- Integration with MITRE ATT&CK framework
- Scalable and well-documented platform
**Security Objectives Supported:**
- Centralized log management
- Threat detection and response
- Monitoring of remote access activity
- Incident investigation and forensic analysis
- Reduced response time through automated alerts
Data Sources Integrated
=======================
The SIEM aggregates logs from multiple sources to provide comprehensive visibility:
- Firewall logs
- VPN logs
- Server logs
- Endpoint security tools
- Network devices (routers and switches)
- Active Directory logs
- Web server logs
This centralized approach enables correlation across systems and improves detection accuracy.
Detection Rules and Alerting
============================
Custom detection rules were developed to identify suspicious activity across multiple domains:
**Authentication Monitoring:**
- Multiple failed login attempts (brute force detection)
- Logins outside normal working hours
- Privileged account misuse
**Network Activity Monitoring:**
- Unusual outbound traffic patterns
- Communication with malicious IP addresses
- Port scanning behavior
**VPN-Specific Monitoring:**
- Repeated failed VPN login attempts
- Simultaneous logins from different geographic locations
- Connections from suspicious or blacklisted IPs
**Data Exfiltration Detection:**
- Large or abnormal data transfers
- Unusual file access patterns
Alert Severity Levels
=====================
Alerts are categorized to prioritize response efforts:
- **Critical:** Confirmed intrusions, malware, unauthorized privileged access
- **High:** Brute force attempts, suspicious VPN activity
- **Medium:** Policy violations, unusual traffic patterns
- **Low:** Informational or audit-related events
Alert delivery methods include email notifications, system alerts, and SMS for critical incidents.
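The two VPN-specific rules above (repeated failed logins, simultaneous logins from different geographic locations) and the severity scheme in this section can be expressed as plain detection logic. The following is an added example, not code from the project and not a Splunk search: it runs over constructed VPN gateway log lines whose key=value format, the five-failures-in-five-minutes threshold and the one-hour travel window are all assumptions made here, and it tags each hit with the **High** tier the page assigns to brute force and suspicious VPN activity.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN gateway log lines (not from the project); the key=value format is an assumption.
VPN_LOGS = """\
2024-03-04T08:15:02Z vpn-gw user=jdoe src=203.0.113.10 geo=US result=FAIL
2024-03-04T08:15:09Z vpn-gw user=jdoe src=203.0.113.10 geo=US result=FAIL
2024-03-04T08:15:17Z vpn-gw user=jdoe src=203.0.113.10 geo=US result=FAIL
2024-03-04T08:15:24Z vpn-gw user=jdoe src=203.0.113.10 geo=US result=FAIL
2024-03-04T08:15:31Z vpn-gw user=jdoe src=203.0.113.10 geo=US result=FAIL
2024-03-04T08:20:00Z vpn-gw user=asmith src=198.51.100.7 geo=US result=SUCCESS
2024-03-04T08:41:00Z vpn-gw user=asmith src=192.0.2.55 geo=DE result=SUCCESS
2024-03-04T09:00:00Z vpn-gw user=bchen src=198.51.100.9 geo=US result=SUCCESS
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) vpn-gw user=(?P<user>\S+) src=(?P<src>\S+) "
                     r"geo=(?P<geo>\S+) result=(?P<result>\S+)$")

def parse(log_text):
    """Turn matching lines into dicts with a datetime 'ts'; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def detect_vpn_alerts(events, fail_threshold=5, fail_window=timedelta(minutes=5),
                      travel_window=timedelta(hours=1)):
    """Return (severity, rule, user) tuples; thresholds are assumed, not stated on the page.
    Both rules map to the page's 'High' tier (brute force, suspicious VPN activity)."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        # Rule 1: fail_threshold failures inside any fail_window-long span (sliding window).
        fails = [e["ts"] for e in evs if e["result"] == "FAIL"]
        if any(fails[i + fail_threshold - 1] - fails[i] <= fail_window
               for i in range(len(fails) - fail_threshold + 1)):
            alerts.append(("High", "vpn_repeated_failed_login", user))
        # Rule 2: consecutive successful logins from different geos closer than travel_window.
        succ = [e for e in evs if e["result"] == "SUCCESS"]
        if any(a["geo"] != b["geo"] and b["ts"] - a["ts"] <= travel_window
               for a, b in zip(succ, succ[1:])):
            alerts.append(("High", "vpn_geo_mismatch", user))
    return alerts
```

The sample input yields one alert for ``jdoe`` (five failures in under a minute) and one for ``asmith`` (US and DE logins 21 minutes apart), while ``bchen`` produces none.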
Results and Impact
==================
The implementation significantly improves the organization's security posture by:
- Increasing visibility across the entire network
- Enabling faster detection and response to threats
- Securing remote workforce access
- Supporting compliance and audit readiness
- Providing a scalable foundation for future security enhancements
Conclusion
==========
This project demonstrates the integration of secure remote access with advanced monitoring capabilities. By combining an SSL/TLS VPN with a robust SIEM platform, Regional Insurance Group achieves a layered security approach aligned with modern cybersecurity best practices.
The solution is designed to scale with organizational growth while maintaining strong protection against evolving threats.