Not all security information and event management (SIEM) use cases are equally important. Depending on the nature of your business, some will be more useful than others. How to know which ones are crucial for your business? Read on to find out.
In this article, we will learn:
- The right approach to building SIEM use cases
- How to organize and prioritize use cases effectively
- The top 10 use cases you cannot afford to miss
Building SIEM use cases the right way
SIEM is a powerful tool, able to spot the smallest threats, provided that they are accurately defined and searched for in the right place. These should essentially inform whether something is happening or has happened.
Building an effective SIEM security use case should focus on three elements: insight, data and analytics. Cloud architects and security directors should actually frame use cases as insights, powered by analytics and fueled with data. The relationship between these three elements is illustrated below in Fig. 1.
Identifying data sources for the right insights
You should always start off by defining the required data points, which for the most part will be the logs from your organization’s infrastructure. Flat files detailing the organization context or HR documents about users may be useful as well. Do keep in mind that managing data for SIEM consumption is expensive, so ensure you only provide the data that is actually needed.
We’d like to note here that bringing some of the data points to your SIEM solution is relatively easy, while others may be difficult. Consult the below diagram to understand more:
Choosing the right analytics for your data
Once you set all the crucial data sources, applying the right analytics will help you identify anomalies across your entire organization. These days, one machine learning model can often replace dozens (or more) correlation rules, but such advanced solutions are rarely available in commercial off-the-shelf tools.
Nonetheless, simple analytics (such as simple correlations, thresholds or pattern matching) continue to provide valuable insights that translate to excellent performance and ROI. Their additional advantage is that they are much easier to comprehend and fine-tune if needed.
Analytics methods aren’t mutually exclusive, so it’s possible to achieve in-depth analytics by layering several simple methods. The golden rule? Choose the simplest analytic method possible for a given use case.
The guiding principles to maximize use case efficiency
In addition, there is a set of guiding principles that should be followed right from the onset in order to ensure SIEM use cases offer maximum efficiency. See the table below:
Organizing and prioritizing your use cases
Every use case has its lifecycle, which is why it's necessary to catalog, review and optimize them. If you don’t do this, you may end up with duplicate use cases covering one area while leaving other areas uncovered. This can also lead to generating false positives or negatives on the part of the SIEM solution.
A given use case will typically follow the cycle outlined below. Each of these phases will require a different level of effort, depending on the size and maturity of your organization.
Once a use case retires from your SIEM solution, you will have to clean it up and update your use case catalog accordingly.
Use cases can be easily categorised into hierarchical families for compliance and threat detection, as well as business-level applications. Figure 4 below illustrates Gartner’s approach to organizing SIEM use cases, rooted in their CARTA (Continuous Adaptive Risk and Trust Assessment).
When it comes to use cases, quality exceeds quantity. Having just a few strong use cases will be more effective than deploying many use cases that have not been built properly for your business needs. The drivers that may help you determine which use cases to prioritize are outlined in Table 2 below.
Top 10 use cases you need to have
As we’ve mentioned earlier, some use cases are more valuable than others, depending on the size and nature of your organization. At Sumo Logic, we concentrate on helping businesses set up their security analytics tool quickly and in accordance with the industry’s best practices. Prioritize SIEM monitoring for the following use cases and you’ll quickly see value from the solution.
- (Attempts to) compromise user credentials
Ensure you have a use case in place to detect any attempts to compromise user credentials through Brute Force, Pass The Hash, Golden Ticket, or any other methods. In the event of a successful compromise, it’s crucial to identify the entities affected in order to investigate the impact and prevent further damage.
- Unwarranted escalation of privilege
Once an adversary obtains a higher level of permission, the risk of damage rises, indicating there is a weakness in your system. Sumo Logic uses a wide variety of machine learning techniques to detect anomalies in accounts that escalate privileges, including self escalation, short-lived accounts, lateral movement, etc.
- Misuse of an account
Dormant and inactive accounts are often an easy target for attackers because there is little visibility on these accounts. Full visibility is critical to avoid misuse of any account. Make sure your use cases cover your organization to the maximum extent.
- Unusual behavior on privileged accounts
Privileged users, such as system or database administrators, have escalated access rights, which is why they are particularly attractive for hackers. We use special analytics for privileged and shared accounts that can flag unusual behavior within both types.
- Traffic to malicious domains
Visits to high entropy domains may suggest a Domain Generation Algorithm is in operation. With DGAs, attackers can hide your command and control to avoid detection by security tools and thus give instructions or receive information from malware.
- Protection against data loss
It’s critical to protect all the sensitive information within your organization and prevent users from sharing this data outside of your infrastructure. You must monitor all endpoints for an abnormal volume of data egress (also across channels) and set alerts on any anomalies based on past behavior. Don’t forget about critical endpoints, watchlisted accounts, flight risk users and employees who have recently been, or are about to be terminated.
- System changes
Set appropriate rules for flagging any critical events, such as unauthorized changes to configs or deletion of audit trails. These should be escalated immediately to stop the damage and minimize further risks. Tampering with audit logs is always a red flag!
- Instances of Denial of Service
Denial of Service (DoS) is a cyberattack that prevents legitimate users from accessing data. There are many types of DoS attacks, with some directly targeting the underlying server infrastructure. Sumo Logic monitors network traffic logs to give alerts for malicious traffic spikes or deviations from the normal traffic baseline, such as an abnormal number of requests from multiple ports or the same IP address.
- Detection of malware
Threats continue to proliferate, so it’s important to expect malware to break through the network monitoring tools and enterprise threat detection solutions you have in place. Sumo Logic uses machine learning capabilities to give alerts from the moment malware enters your infrastructure, providing the most reliable alert system.
- Phishing efforts.
Phishing is an attempt to lure you into giving sensitive information that is subsequently used in criminal behavior. This will include attempts to obtain personal information, such as social security numbers, bank account numbers, addresses, etc. as well as PIN numbers and passwords. Make sure these types of data are protected across your entire organization.
Smart businesses can easily identify, prevent and dispatch known threats using a signature-based tool, but they must complement this technique with behavior-based solutions in order to catch the unknown threats a signature-based solution may miss.
- Frame use cases as insights, powered by analytics and fueled by data.
- Organize your use cases into families and subfamilies.
- Determine which use cases take priority before deploying them.
- Follow the use case lifecycle.
- Implement the top 10 best practices for maximum efficiency.
Complete visibility for DevSecOps
Reduce downtime and move from reactive to proactive monitoring.