
September 18, 2019
Not all security information and event management (SIEM) use cases are equally important. Depending on the nature of your business, some will be more useful than others. How do you know which ones are crucial for your business? Read on to find out.
In this article, we will learn:
SIEM is a powerful tool, able to spot even the smallest threats, provided those threats are accurately defined and searched for in the right place. At its core, a use case should tell you whether something is happening or has happened.
Building an effective SIEM security use case should focus on three elements: insight, data and analytics. Cloud architects and security directors should actually frame use cases as insights, powered by analytics and fueled with data. The relationship between these three elements is illustrated below in Fig. 1.
You should always start off by defining the required data points for your cloud security use case, which for the most part will be the logs from your organization’s infrastructure. Flat files detailing the organization context or HR documents about users may be useful as well. Do keep in mind that managing data for SIEM consumption is expensive, so ensure you only provide the data that is actually needed.
We’d like to note here that bringing some of the data points to your SIEM solution is relatively easy, while others may be difficult. Consult the below diagram to understand more:
Once you have set up all the crucial data sources, applying the right analytics will help you identify anomalies across your entire organization. These days, one machine learning model can often replace dozens (or more) of correlation rules, but such advanced solutions are rarely available in commercial off-the-shelf tools.
Nonetheless, simple analytics (such as simple correlations, thresholds or pattern matching) continue to provide valuable insights that translate to excellent performance and ROI. Their additional advantage is that they are much easier to comprehend and fine-tune if needed.
Analytics methods aren’t mutually exclusive, so it’s possible to achieve in-depth analytics by layering several simple methods. The golden rule? Choose the simplest analytic method possible for a given use case.
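The layering described above, as an added example that is not code from the original article or from Sumo Logic: three simple analytics (pattern matching, a threshold, and a correlation) stacked on a handful of constructed SSH authentication log lines. The log format, host names, IP addresses and the thresholds (five failures within one minute, a success within five minutes afterwards) are assumptions chosen for illustration, not values from the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (hypothetical hosts, documentation-range IPs).
SAMPLE_LOGS = """\
2019-09-18T10:00:01Z host1 sshd: Failed password for admin from 203.0.113.5 port 51000
2019-09-18T10:00:03Z host1 sshd: Failed password for admin from 203.0.113.5 port 51001
2019-09-18T10:00:05Z host1 sshd: Failed password for admin from 203.0.113.5 port 51002
2019-09-18T10:00:07Z host1 sshd: Failed password for admin from 203.0.113.5 port 51003
2019-09-18T10:00:09Z host1 sshd: Failed password for admin from 203.0.113.5 port 51004
2019-09-18T10:00:12Z host1 sshd: Accepted password for admin from 203.0.113.5 port 51005
2019-09-18T10:05:00Z host2 sshd: Failed password for bob from 198.51.100.7 port 40000
2019-09-18T10:05:30Z host2 sshd: Accepted password for bob from 198.51.100.7 port 40001
"""

# Assumed line layout: "<timestamp> <host> sshd: <Failed|Accepted> password for <user> from <src> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse(text):
    """Turn raw log text into a list of event dicts; lines that do not match are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def failed_logins(events):
    """Layer 1, pattern matching: keep only failed authentication events."""
    return [e for e in events if e["result"] == "Failed"]


def threshold_alerts(events, limit=5, window=timedelta(minutes=1)):
    """Layer 2, threshold: raise one alert when a source accumulates `limit`
    failures inside a sliding `window`. The burst is cleared after alerting so
    the same run of failures does not fire repeatedly."""
    alerts = []
    recent = defaultdict(list)  # src -> timestamps of failures still inside the window
    for e in sorted(failed_logins(events), key=lambda ev: ev["ts"]):
        q = recent[e["src"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.pop(0)
        if len(q) >= limit:
            alerts.append({"src": e["src"], "user": e["user"],
                           "first": q[0], "last": e["ts"], "count": len(q)})
            q.clear()
    return alerts


def correlated_alerts(events, limit=5, window=timedelta(minutes=1),
                      follow=timedelta(minutes=5)):
    """Layer 3, correlation: a failure burst followed by an accepted login from
    the same source within `follow` is escalated, since it is the pattern a
    defender would want to investigate first (possible successful guessing)."""
    escalated = []
    for a in threshold_alerts(events, limit, window):
        for e in events:
            if (e["result"] == "Accepted" and e["src"] == a["src"]
                    and a["last"] <= e["ts"] <= a["last"] + follow):
                escalated.append({**a, "success_user": e["user"], "success_at": e["ts"]})
                break
    return escalated


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    print(f"{len(failed_logins(evs))} failed logins")
    for a in threshold_alerts(evs):
        print("threshold:", a["src"], a["count"], "failures")
    for a in correlated_alerts(evs):
        print("escalated:", a["src"], "then accepted login for", a["success_user"])
```

Note how the layers narrow the output: eight events become six failures, one threshold alert for 203.0.113.5, and one escalated alert, while the single failure followed by a success for bob on host2 never reaches the threshold and produces nothing. Each layer is simple enough to explain and tune on its own, which is the point the article makes about preferring the simplest analytic method that fits the use case.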
In addition, there is a set of guiding principles that should be followed from the outset in order to ensure SIEM use cases offer maximum efficiency. See the table below:
Every use case has its lifecycle, which is why it's necessary to catalog, review and optimize them. If you don’t do this, you may end up with duplicate use cases covering one area while leaving other areas uncovered. This can also lead to generating false positives or negatives on the part of the SIEM solution.
A given use case will typically follow the cycle outlined below. Each of these phases will require a different level of effort, depending on the size and maturity of your organization.
Once a use case retires from your SIEM solution, you will have to clean it up and update your use case catalog accordingly.
Use cases can be easily categorized into hierarchical families for compliance and threat detection, as well as business-level applications. Figure 4 below illustrates Gartner’s approach to organizing SIEM use cases, rooted in its CARTA (Continuous Adaptive Risk and Trust Assessment) framework.
When it comes to use cases, quality exceeds quantity. Having just a few strong use cases will be more effective than deploying many use cases that have not been built properly for your business needs. The drivers that may help you determine which use cases to prioritize are outlined in Table 2 below.
As we’ve mentioned earlier, some security use cases are more valuable than others, depending on the size and nature of your organization. At Sumo Logic, we concentrate on helping businesses set up their security analytics tool quickly and in accordance with the industry’s best practices. Prioritize SIEM monitoring for the following list of security use cases and you’ll quickly see value from the solution.
Smart businesses can easily identify, prevent and dispatch known threats using a signature-based tool, but they must complement this technique with behavior-based solutions in order to catch the unknown threats a signature-based solution may miss.