Most organizations have multiple security controls to detect suspicious behavior and identify security threats. But these mechanisms often work in isolation, making it difficult to get a comprehensive view of the network environment. As cyber-attacks become more sophisticated, isolated security controls will prove inadequate for monitoring and protecting a distributed network.
Security information and event management (SIEM) aggregates and analyzes various types of data from multiple sources across the IT environment, creating a centralized platform for real-time analysis of security events and compliance support.
An effective SIEM deployment starts with business-relevant use cases that help find the threats and vulnerabilities that matter to the organization. Your use cases define what your SIEM actually detects, and building them correctly is what delivers the greatest benefit from the investment.
How to Build Security Use Cases for Your SIEM
Good use cases align with the security priorities of your company. The first step to building security use cases is analysis.
Analysis
Analyze your environment to find the organizational problems best solved by SIEM. Consider the threats that are likely to affect your business such as phishing and ransomware attacks. Good places to start are risk and threat assessment guidance and business unit requirements. Create use cases based on findings from threat hunts and reports on recent attacks.
Compliance documents and policy mandates are easy to convert to use cases since the rules are already defined. Simple analytics can also help. Think of the questions you need to ask to get the right answers from your use cases.
Organize your use cases
Without proper organization, use case management can get out of hand, negating the benefits of SIEM. Depending on the size of your business, you might need to manage hundreds or thousands of use cases. Proper organization helps your team create unambiguous use cases and avoid duplicates.
Name and catalog all use cases, then group them by category, such as threat detection and compliance, and according to their natural hierarchy. For example, break down compliance use cases into separate categories for PCI DSS, HIPAA, SOX, and ISO 27001.
Prioritize your use cases
Give priority to use cases that directly relate to business threats and risks such as incidents that could cause loss of finances, data, or reputation. Imagine all your worst-case scenarios.
Next, consider use cases that reduce risk through basic security hygiene and those directly tied to business problems or requirements. Use cases built on data sets that are already easily accessible, and analytical use cases that are simple to run, should also be among the first created.
Engage in a use-case life cycle
The use case life cycle gives you a process for cataloging, reviewing, optimizing, and retiring use cases and looks like the following:
- Build the use case
- Name and organize it
- Prioritize it based on business relevance and threat level
- Deploy it in the SIEM solution
- Measure its performance and its impact on assets, workflows, and processes to discover gaps
- Fine-tune – after analyzing performance, the cycle can return to any of the previous four steps for fine-tuning
- Deprecate the use case when it is no longer needed
- Clean up – update the use case catalog and retire the use case from the SIEM
Top 5 SIEM Use Cases to Implement
Now that we’ve gone through the process of how to build a use case, let’s look at some of the top SIEM use cases a business should implement.
1. Authentication activities
Security use cases should ensure that only legitimate users have access to the network. Implement use cases to detect attacks such as brute-force attacks that target user credentials. Monitor the frequency of failed and successful logins to critical systems and report failed login attempts above a set threshold.
Other activities to monitor include logins attempted at unusual hours, multiple logins from the same IP address, and modifications to system files.
Raise alerts and generate reports as soon as suspicious authentication activity is detected. Having timely and detailed information about the attack helps security officers determine the impact of a compromised account and prevent additional damage.
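The failed-login threshold and off-hours checks described above, as an added example that is not part of the original post or Cyber Sainik's product. The log format, the sample events, the five-failures-in-five-minutes threshold and the 07:00–19:00 working window are all constructed assumptions; a real SIEM rule would read the equivalent fields from its parsed auth events.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth events (not from a real system): time, outcome, user, source IP, host.
SAMPLE_LOG = """\
2024-05-01T02:13:04Z FAIL user=alice src=203.0.113.7 host=db01
2024-05-01T02:13:09Z FAIL user=alice src=203.0.113.7 host=db01
2024-05-01T02:13:15Z FAIL user=alice src=203.0.113.7 host=db01
2024-05-01T02:13:21Z FAIL user=alice src=203.0.113.7 host=db01
2024-05-01T02:13:27Z FAIL user=alice src=203.0.113.7 host=db01
2024-05-01T02:13:40Z OK user=alice src=203.0.113.7 host=db01
2024-05-01T09:02:11Z FAIL user=bob src=198.51.100.9 host=web01
2024-05-01T09:45:00Z OK user=bob src=198.51.100.9 host=web01
"""
LINE_RE = re.compile(r"(\S+) (OK|FAIL) user=(\S+) src=(\S+) host=(\S+)")

def parse(log):
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # malformed lines are skipped rather than aborting the run
            ts, outcome, user, src, host = m.groups()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), outcome, user, src, host))
    return sorted(events)

def detect(events, threshold=5, window=timedelta(minutes=5), work_hours=(7, 19)):
    """Alerts: failure burst per (user, src) inside a sliding window, a success that
    follows such a burst (likely guessed password), and successful off-hours logins."""
    recent_fail = defaultdict(deque)  # (user, src) -> timestamps of failures still in window
    burst = set()                      # keys that have already tripped the threshold
    alerts = []
    for ts, outcome, user, src, host in events:
        key = (user, src)
        q = recent_fail[key]
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if outcome == "FAIL":
            q.append(ts)
            if len(q) == threshold:  # alert once per burst, not on every extra failure
                burst.add(key)
                alerts.append(("brute_force", user, src, host))
        else:
            if key in burst and q:  # success while the failure burst is still in window
                alerts.append(("success_after_brute_force", user, src, host))
            if not (work_hours[0] <= ts.hour < work_hours[1]):
                alerts.append(("off_hours_login", user, src, host))
            q.clear()
            burst.discard(key)
    return alerts
```

Running `detect(parse(SAMPLE_LOG))` yields a brute-force alert for alice, a success-after-burst alert for the same source, and an off-hours alert for that 02:13 login; bob's single failure followed by a daytime success produces nothing.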
2. Account management
Attackers know that privileged user credentials will give them greater access to sensitive data and important corporate resources. Account management security use cases should provide full visibility on privileged accounts and detect activities that indicate account misuse.
Monitor user account creation and deletion, and activities related to system and resource access. Keep an eye out for sudden activity on dormant accounts and increased activity around sensitive data.
Use cases should also flag the unusual escalation of privileges, unauthorized access to shared folders, and any unusual behavior that points to stolen user credentials like employees trying to access data or systems they rarely use.
3. Connection activities
As remote work environments become the norm, it’s crucial to pay closer attention to connection activities related to routers, ports, wireless access points, etc. across the company network.
Your use cases should verify that remote connections come from expected locations and raise alerts for suspicious locations or concurrent VPN connections by the same user. Identify and report on connections, both allowed and denied, and record details of each connection attempt such as hostname, source country, destination country, and direction.
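The expected-location and concurrent-VPN-session checks above, as an added example that is not part of the original post or Cyber Sainik's product. The session records, the source IPs and countries, and the assumption that staff connect only from the US or Canada are constructed for the example; in practice the country would come from the SIEM's GeoIP enrichment of the VPN concentrator logs.

```python
from collections import defaultdict
from datetime import datetime

# Constructed VPN session records (not real data): user, source IP, GeoIP country, start, end.
SAMPLE_SESSIONS = [
    ("carol", "198.51.100.23", "US", "2024-05-02T08:00:00Z", "2024-05-02T12:00:00Z"),
    ("carol", "203.0.113.88", "RO", "2024-05-02T10:30:00Z", "2024-05-02T11:15:00Z"),
    ("dave", "192.0.2.45", "US", "2024-05-02T09:00:00Z", "2024-05-02T17:00:00Z"),
    ("dave", "192.0.2.45", "US", "2024-05-02T18:00:00Z", "2024-05-02T19:00:00Z"),
    ("erin", "203.0.113.200", "BR", "2024-05-02T03:00:00Z", "2024-05-02T04:00:00Z"),
]
EXPECTED_COUNTRIES = {"US", "CA"}  # assumption: countries this company's staff work from

def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_vpn_anomalies(sessions, expected=EXPECTED_COUNTRIES):
    """Alerts for sessions from outside the expected countries and for one user holding
    two time-overlapping sessions from different source addresses."""
    alerts = []
    by_user = defaultdict(list)
    for user, ip, country, start, end in sessions:
        if country not in expected:
            alerts.append(("unexpected_location", user, ip, country))
        by_user[user].append((ip, country, _t(start), _t(end)))
    for user, sess in by_user.items():
        sess.sort(key=lambda s: s[2])  # order by start time
        for i, a in enumerate(sess):
            for b in sess[i + 1:]:
                # b starts before a ends, and from a different source: concurrent sessions.
                # Same-IP overlap (reconnect before the old session timed out) is ignored.
                if b[2] < a[3] and a[0] != b[0]:
                    alerts.append(("concurrent_sessions", user, a[0], b[0]))
    return alerts
```

Carol's two sessions overlap between 10:30 and 11:15 from different countries, so she produces both alert types; Dave's back-to-back sessions from one address produce none.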
4. Policy-related activities
Regulations and standards such as HIPAA, GDPR, and PCI DSS require specific procedures related to data integrity and confidentiality. These procedures are usually well documented, making it easy to create use cases based on the rules they set out.
Create use cases that monitor the underlying security controls that enforce compliance. Monitor log files, changes to credentials, events involving personal data, and policy changes related to audits, authentication, authorization, and the like. Flag unauthorized changes to configuration files and any deletion of audit trails.
5. Threat, malware, and vulnerability detection
SIEM is a vital part of threat detection. Use cases should detect indicators of compromise, malware infections, and system vulnerabilities. Look for activity that suggests malware, such as unusual spikes in network traffic and connections or DNS queries to known malicious domains and IP addresses.
Forensic analysis of historical data, combined with threat intelligence feeds, can also reveal patterns that expose past or ongoing threat activity. SIEM use cases can likewise check aggregated data from the SIEM against known risks.
Keep Your Network Safe with Cyber Sainik SIEM
Cyber Sainik’s Security Information and Event Management (SIEM) solutions use integrated security analytics architecture and modern machine analytics to provide greater visibility into the activities of your network environment. Let us help you implement the right SIEM security use cases to keep your network safe. Contact us to learn more about our SIEM solutions.