Regional Insurance Group: Secure Remote Access & SIEM Implementation

Overview

This project represents the final phase of a multi-part network redesign for a fictional organization, Regional Insurance Group. Building on prior work in network architecture redesign and infrastructure planning, this phase focuses on implementing secure remote access and centralized security monitoring.

The primary objectives of this project include:

  • Deploying a secure and scalable VPN solution for remote employees

  • Implementing a Security Information and Event Management (SIEM) system

  • Enhancing threat detection, monitoring, and incident response capabilities

  • Supporting compliance and long-term security scalability

Note

This project builds on previous portfolio entries:

VPN Implementation

To support a distributed workforce, an SSL/TLS-based VPN solution was selected as the primary remote access method.

Key Features:

  • Browser-based (clientless) access through an HTTPS portal, so no VPN client has to be installed on the endpoint

  • Strong encryption using current TLS versions (TLS 1.2 or later, with legacy SSL versions disabled)

  • High compatibility with firewalls and proxies, since all traffic travels over HTTPS (TCP/443)

  • Granular access control that exposes only the specific internal applications a user needs, rather than the whole internal network

  • Scalable design to accommodate organizational growth

Security Enhancements:

  • Multi-Factor Authentication (MFA) on every VPN login, so a stolen password alone is not enough

  • Zero Trust Network Access (ZTNA) principles: access is granted per application after the user and device are verified, not by placing the remote endpoint on the internal network

  • Endpoint compliance validation (patch level, antivirus status) before a session is allowed; note that posture checks of this kind normally need an agent or a browser host-checker component on the endpoint, which is the one exception to the clientless model

This approach provides secure, flexible access for remote users while keeping administrative overhead and the exposed attack surface small.

VPN Writeup

SIEM Implementation

To improve visibility and incident response, Splunk Enterprise Security was selected as the SIEM platform.

Rationale for Selection:

  • Strong log aggregation and real-time analysis capabilities

  • Advanced correlation engine for threat detection

  • Compatibility with diverse log sources (VPN, firewall, servers)

  • Integration with MITRE ATT&CK framework

  • Scalable and well-documented platform

Security Objectives Supported:

  • Centralized log management

  • Threat detection and response

  • Monitoring of remote access activity

  • Incident investigation and forensic analysis

  • Reduced response time through automated alerts

Data Sources Integrated

The SIEM aggregates logs from multiple sources to provide comprehensive visibility:

  • Firewall logs

  • VPN logs

  • Server logs

  • Endpoint security tools

  • Network devices (routers and switches)

  • Active Directory logs

  • Web server logs

This centralized approach enables correlation across systems and improves detection accuracy.

Detection Rules and Alerting

Custom detection rules were developed to identify suspicious activity across multiple domains:

Authentication Monitoring:

  • Multiple failed login attempts for one account from one source within a short window (brute force detection)

  • Successful logins outside normal working hours

  • Privileged account misuse, such as administrative logins from unexpected hosts or outside approved maintenance windows

Network Activity Monitoring:

  • Unusual outbound traffic patterns (volume, destination or protocol compared with the host's baseline)

  • Communication with IP addresses listed in threat-intelligence feeds as malicious

  • Port scanning behavior

VPN-Specific Monitoring:

  • Repeated failed VPN login attempts against one account or from one source address

  • Near-simultaneous sessions for one account from geographically distant locations (impossible travel)

  • Connections from suspicious or blacklisted IPs

Data Exfiltration Detection:

  • Large or abnormal outbound data transfers relative to the user's or host's usual volume

  • Unusual file access patterns

Alert Severity Levels

Alerts are categorized to prioritize response efforts:

  • Critical: Confirmed intrusions, malware, unauthorized privileged access

  • High: Brute force attempts, suspicious VPN activity

  • Medium: Policy violations, unusual traffic patterns

  • Low: Informational or audit-related events

Alert delivery methods include email notifications, system alerts, and SMS for critical incidents.
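The rules above are listed only by name. As an added example that is not part of the original project (which implemented its rules inside Splunk Enterprise Security), the Python below re-implements three of them over constructed VPN authentication log lines: brute force, off-hours login, and near-simultaneous logins from distant locations (impossible travel), each tagged with a level from the severity table above. The log format, the thresholds, the business hours, the coordinates and the Medium severity given to off-hours logins are assumptions made for the example.

```python
"""Three of the detection rules listed above, re-implemented in plain Python over
constructed VPN authentication log lines.  Added example, not the project's own
Splunk content: log format, thresholds, business hours, coordinates and the
severity assigned to off-hours logins are all assumptions for the example."""
from collections import defaultdict, namedtuple
from datetime import datetime, time
from math import asin, cos, radians, sin, sqrt

BRUTE_FORCE_THRESHOLD = 5                   # failures from one user+source ...
BRUTE_FORCE_WINDOW_S = 600                  # ... inside a 10 minute window
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # log timestamps treated as local time
MAX_TRAVEL_SPEED_KMH = 900.0                # faster than this between logins = impossible
SEVERITY = {"brute_force": "High",          # levels from the severity table above
            "impossible_travel": "High",    # the page's "suspicious VPN activity"
            "off_hours_login": "Medium"}    # treated here as a policy violation

Event = namedtuple("Event", "ts user result src lat lon")   # result: success|failure
Alert = namedtuple("Alert", "rule severity user detail")

def parse_line(line):
    """Parse one '<ts> key=value ...' record in the constructed log format."""
    ts_text, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    lat, lon = (float(x) for x in kv["geo"].split(","))
    return Event(datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
                 kv["user"], kv["result"], kv["src"], lat, lon)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def detect_brute_force(events):
    """BRUTE_FORCE_THRESHOLD or more failures for one user from one source inside the window."""
    failures = defaultdict(list)
    for e in events:
        if e.result == "failure":
            failures[(e.user, e.src)].append(e.ts)
    alerts = []
    for (user, src), stamps in failures.items():
        stamps.sort()
        for i, start in enumerate(stamps):   # window anchored on each failure in turn
            n = sum(1 for t in stamps[i:] if (t - start).total_seconds() <= BRUTE_FORCE_WINDOW_S)
            if n >= BRUTE_FORCE_THRESHOLD:
                alerts.append(Alert("brute_force", SEVERITY["brute_force"], user,
                                    f"{n} failures from {src} within {BRUTE_FORCE_WINDOW_S // 60} min"))
                break                         # one alert per user+source, not one per failure
    return alerts

def detect_off_hours(events):
    """Successful logins on weekends or outside BUSINESS_HOURS."""
    start, end = BUSINESS_HOURS
    return [Alert("off_hours_login", SEVERITY["off_hours_login"], e.user,
                  f"login at {e.ts:%Y-%m-%d %H:%M} from {e.src}")
            for e in events
            if e.result == "success" and (e.ts.weekday() >= 5 or not start <= e.ts.time() < end)]

def detect_impossible_travel(events):
    """Consecutive successful logins for one user that would need travel faster than an airliner."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.result == "success":
            by_user[e.user].append(e)
    alerts = []
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            # Floor the interval at one minute so same-second logins cannot divide by zero.
            if km > MAX_TRAVEL_SPEED_KMH * max(hours, 1 / 60):
                alerts.append(Alert("impossible_travel", SEVERITY["impossible_travel"], user,
                                    f"{km:.0f} km from {prev.src} to {cur.src} in {hours * 60:.0f} min"))
    return alerts

def run_detections(log_text):
    """Parse raw log text, run every rule and return alerts ordered by severity."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = detect_brute_force(events) + detect_off_hours(events) + detect_impossible_travel(events)
    rank = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    return sorted(alerts, key=lambda a: rank[a.severity])

# Constructed sample: alice "travels" Chicago -> London in 20 minutes, bob logs in
# at 02:30 and is then brute-forced from one address, carol has one benign failure.
SAMPLE_LOGS = """\
2024-03-04T09:00:12Z user=alice result=success src=198.51.100.10 geo=41.88,-87.63
2024-03-04T09:20:45Z user=alice result=success src=203.0.113.77 geo=51.51,-0.13
2024-03-04T02:30:00Z user=bob result=success src=198.51.100.20 geo=41.88,-87.63
2024-03-04T03:00:00Z user=bob result=failure src=203.0.113.9 geo=48.86,2.35
2024-03-04T03:00:15Z user=bob result=failure src=203.0.113.9 geo=48.86,2.35
2024-03-04T03:00:40Z user=bob result=failure src=203.0.113.9 geo=48.86,2.35
2024-03-04T03:01:05Z user=bob result=failure src=203.0.113.9 geo=48.86,2.35
2024-03-04T03:01:30Z user=bob result=failure src=203.0.113.9 geo=48.86,2.35
2024-03-04T10:15:00Z user=carol result=failure src=198.51.100.30 geo=41.88,-87.63
2024-03-04T10:16:00Z user=carol result=success src=198.51.100.30 geo=41.88,-87.63
"""

if __name__ == "__main__":
    for a in run_detections(SAMPLE_LOGS):
        print(f"[{a.severity}] {a.rule} {a.user}: {a.detail}")
```

Running the script prints two High alerts (bob's five failures from one address, alice's Chicago-to-London hop) followed by one Medium alert (bob's 02:30 login); carol's single failure stays below the threshold and produces nothing. In Splunk the same brute-force rule is a `stats count by user, src` over a 10-minute `bin _time span=10m` with a `where count >= 5` filter, and the impossible-travel rule needs the `iplocation` lookup to turn source addresses into coordinates before the distance and time between consecutive sessions can be compared.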

Results and Impact

The implementation significantly improves the organization’s security posture by:

  • Increasing visibility across the entire network

  • Enabling faster detection and response to threats

  • Securing remote workforce access

  • Supporting compliance and audit readiness

  • Providing a scalable foundation for future security enhancements

Conclusion

This project demonstrates the integration of secure remote access with advanced monitoring capabilities. By combining an SSL/TLS VPN with a robust SIEM platform, Regional Insurance Group achieves a layered security approach aligned with modern cybersecurity best practices.

The solution is designed to scale with organizational growth while maintaining strong protection against evolving threats.