In recent years, Security Information and Event Management (SIEM) technologies have become one of the most adopted and essential components of a company’s infrastructure. This can be attributed to many factors, such as strict compliance regulations, the evolution of cyberattacks, and the importance of maintaining unhindered day-to-day operations. Unfortunately, without the use of magic, a SIEM cannot be deployed and alert on what is essential. This problem is resolved through the development and implementation of use cases. A use case, in this context, is a pattern of activity that serves as the basis of SIEM content, such as alerts and reports. A defined use case development process is critical in getting the most use and value from a SIEM solution, and this article provides the essentials of what you need to know.
Essentials of a SIEM Use Case
1. Create a Scope for Use Case Identification
- Identify and break down areas of interest: Generally, the first step in the development process is to identify high-level areas of interest that serve as the foundation for use case creation. This step typically requires the most collaboration among upper management to determine the primary concerns of the business from all angles. The goal is to create a high-level overview of these areas, which may include items such as preventing cyberattacks, reducing the risk for information leakage, and maintaining compliance. These can then be broken down into more narrow, actionable sub-areas, tuning out those that are beyond the scope of SIEM use cases. For example, sub-concepts of a broad topic, like “maintaining compliance”, might include items like “maintain 3 months of logs for systems in scope for compliance” and “conduct quarterly vulnerability scans”.
- Associate types of activity with the areas of interest: Once areas of interest have been identified and broken down, they must be associated with patterns of activity that can be captured by a SIEM. For example, if the intention were to be alerted on the potential compromise of endpoints, possible types of activity that can be associated might include authentication anomalies, malware infections, and network intrusions.
2. Create Use Cases Relevant to Scope
- Break down general patterns of activity until left with refined use cases: The goal in this step is to continue to break down activity identified in the previous step until we are left with specific events and patterns that will serve as the basis of SIEM content. This task will generally fall to the SIEM administration team, and may require collaboration with those who possess a technical understanding of the activity we are trying to isolate. Without the proper level of knowledge and understanding of “what” we want to alert or report on, it can be difficult to create effective rules later on.
- Identify applicable data sources: As use cases are identified, it is important for administrators to identify data sources that are relevant to each, and to ensure that the SIEM is collecting logs from each data source. As an example, for use cases related to perimeter intrusions, logs from firewalls, IDS/IPS, web gateways, and other perimeter log sources should be collected and utilized. Depending on the architecture in place, it may not be possible to implement certain use cases.
- Establish priority levels and appropriate response procedure: One of the more difficult steps in use case development is determining what the appropriate level of response is to certain activity. A common approach will normally involve consulting the department responsible for investigating/remediating the activity targeted by the use case. A server shutdown, for instance, might normally be responded to by the Server Administration team, making them an authority in determining the incident response procedure and priority of the use case.
- Create pseudo-rules: Once a use case is defined, relevant log collection is confirmed, and an appropriate response is identified, pseudo-rules can be created. These rules ideally will be technical, containing the alert criteria and thresholds that will be used in SIEM content. Some rules might be based on a single log, such as “1 Windows shutdown event from specific node list”, or may be more complex, such as “3 malware detections on 3 separate hosts within 15 minutes”. Each pseudo-rule may also contain a priority (High, Critical, etc.) and the appropriate escalation procedure, which can be incorporated in the alert once translated to the SIEM.
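The two pseudo-rules quoted above can be prototyped outside the SIEM before they are translated into vendor-specific content. The following is an added example, not code from the original article: the event tuples, host names, node list, rule names, and priority assignments are all constructed assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, host, event_type)
EVENTS = [
    ("2024-01-01T10:00:00", "ws-01", "malware_detected"),
    ("2024-01-01T10:02:00", "ws-01", "malware_detected"),  # same host again
    ("2024-01-01T10:05:00", "ws-02", "malware_detected"),
    ("2024-01-01T10:06:00", "srv-db1", "windows_shutdown"),
    ("2024-01-01T10:14:00", "ws-03", "malware_detected"),
    ("2024-01-01T11:00:00", "ws-04", "malware_detected"),
    ("2024-01-01T11:30:00", "ws-09", "windows_shutdown"),
]

CRITICAL_NODES = {"srv-db1", "srv-dc1"}  # hypothetical "specific node list"


def shutdown_alerts(events, nodes=CRITICAL_NODES):
    """Single-log rule: 1 Windows shutdown event from a specific node list."""
    return [{"rule": "shutdown_on_listed_node", "priority": "High",
             "time": ts, "hosts": [host]}
            for ts, host, etype in events
            if etype == "windows_shutdown" and host in nodes]


def malware_spread_alerts(events, min_hosts=3, window=timedelta(minutes=15)):
    """Correlation rule: detections on min_hosts separate hosts within window."""
    recent = deque()  # (time, host) of detections still inside the window
    alerts = []
    for ts, host, etype in sorted(events):  # ISO timestamps sort by time
        if etype != "malware_detected":
            continue
        now = datetime.fromisoformat(ts)
        recent.append((now, host))
        while now - recent[0][0] > window:  # drop detections that aged out
            recent.popleft()
        hosts = sorted({h for _, h in recent})  # distinct hosts, not raw count
        if len(hosts) >= min_hosts:
            alerts.append({"rule": "malware_on_multiple_hosts",
                           "priority": "Critical", "time": ts, "hosts": hosts})
            recent.clear()  # suppress repeat alerts for the same burst
    return alerts
```

Counting distinct hosts rather than raw detections keeps repeated hits on one endpoint from satisfying the threshold, and clearing the window after an alert keeps one burst from firing repeatedly.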
3. Translate Use Cases into SIEM Rules
- Create SIEM rules based on pseudo-rules: Using the pseudo-rules, a SIEM engineer will normally be responsible for identifying the logs that can be used to create the corresponding SIEM content. This task requires a varying amount of analysis and testing, along with a significant amount of SIEM-specific knowledge. An effective way to begin involves searching relevant log sources, and slowly narrowing the search results until we are left with logs that are related to the use case. Isolating the logs that SIEM content is designed to capture ahead of time helps to ensure proper correlation, as the content can be modeled directly from the refined search results.
- Tune to reduce false positives: In most cases, newly created content may alert or report on false positives until it has gone through a tuning process. The tuning process itself is worthy of an article of its own, but simply put, the goal is to reduce the possibility an alert will fire on activity that does not match what the rule was intended to capture. False positives can flood responders with notifications, potentially causing true positives to be missed, and prompt unnecessary responses to activity that may not actually warrant escalation.
- Evaluate effectiveness: One of the final stages in the development process is to routinely evaluate the use cases that are currently implemented. As an enterprise evolves, priorities change, log sources are added, and different types of activity must be considered to ensure current content is still applicable, and that new use cases are developed to adapt to the changing environment.
SIEM solutions and use cases are critical components within an organization’s security environment and operations. Use cases and other content creation allow organizations to become consumers of more intelligent security alerts, anomalies, and better detection of possible threats. Having the skills and knowledge to manage and maintain a SIEM is also critical to getting the most out of the tool.
Mason Vensland graduated from Old Dominion University with a degree in Criminal Justice and Computer Science. He began his IT career working in Systems Administration and Support, then transitioned to Information Security in 2014. He moved from Virginia to Florida to join ReliaQuest in 2015 with a background in Security Operations and Digital Forensics.
Published in: Blog