SIEM 201 Use Case Overview - VisibleRisk

This document outlines a framework for defining use cases for security information and event management (SIEM) systems. It provides guidance on documenting general information about a use case, the associated business justification and technical requirements, how to assess relevant data collection, the proposed solution, testing the solution, and ongoing operations. The goal is to help SIEM customers maximize the value of their investment by fully leveraging the system's functionality through well-defined use cases aligned with business and technical needs.


SIEM 201 Use Case Overview VisibleRisk

http://www.visiblerisk.com/blog/2009/8/30/siem-201-use-case-overview...

VISIBILITY AND DEFENSIBILITY THROUGH ANALYTICS

Part 2 of Decurity's Back to School Series:
SIEM 201: SIEM Use Case Definition

Course Prerequisites: A while back I published a diagram and associated text illustrating the benefits of a combined SIEM and Log Management architecture. This diagram/post did a good job of explaining the features and functionality of Log Management and SIEM at a very high level. If you haven't seen that post, or if you haven't read Decurity's SIEM 101 previously, I would encourage you to go back and take a look. Basic concepts from those resources will help in understanding Use Cases and how they apply to SIEM.

Introduction:
In my experience I've noticed that SIEM customers use something like 30% or less of the functionality of the tool they bought. That number is actually probably pretty high when you consider the fact that a very high percentage of customers are only using the

2/20/2015 1:44 AM

advanced users out there, no doubt, and this post will help them as well, but it is really focused on providing a framework to advance the majority of SIEM users so they can gain a better appreciation for how to maximize the value of their SIEM investment.

The process (and diagram) that follows outlines how Decurity looks at use cases related to SIEM. We are providing this information in the hope that you'll internalize it as part of your SIEM operations. Decurity will also be announcing in the very near future an online solution using this methodology so that you can track/update/share your use cases/solutions; contact us if you're interested in learning more about that solution.

Use Case Requirement:
The most simplistic advice I can give is that you should try to focus on the output first. What is the point of the work effort? What is the problem we are trying to solve? What is the intended action/output? Who benefits from this and, more importantly, why do they benefit from this solution? Then you can move into questions like: what information is required to solve the problem?

The information provided in this article will help to guide you through the process. Implementing solutions in your SIEM in an ad hoc manner will result in failure or, at best, very temporary and minimalistic gains. If you don't believe me you can ask any of the hundreds of organizations who tried it before you.

Use Case Illustration:

General:
This is the most basic logistical information related to the use case and related solution. It provides a documentation framework.
Author: Who was involved in the creation/authoring of the solution?
ID, Version and Date: What is the current version and ID, and the last date of update?
Objects, Artifacts: Link to objects (externalized or within the solution) used within the solution, for example the configuration objects like reports, rules, dashboards, etc.
Solution Description: Quick reference to the solution, using categorization that makes sense for your organization.
References: Corporate or external documents that act as reference material for your use case and/or solution.

Business Justification: This is the problem being addressed from a corporate perspective. One or more business problems may apply, but each should be documented in some fashion.
Business Problem Description: What are the specific problems that need to be addressed?
Business Owner(s): Who owns the actions for output of the system? Who owns the relevant Systems, Applications and Data? Who is
Compliance, Risk, Audit, Fraud, Legal, HR, Other?
Current Solution: Today, how is this problem addressed? How can it be improved?
Expectations: What is it that the business owners expect from the solution?
Priority: What is the value of solving this issue, or conversely, what is the cost of not solving this issue?

Technical Requirements:
Need: Active statements. "The system shall...", "We have to *(DO SOMETHING)*". Define that something.
Action: Action(s) and/or output(s) required from the system.
Actor: Relative to a *(PERSON/TEAM)*.
Event: Specific scenario(s) to be evaluated.
Context: Relevant environmental conditions. How does our knowledge of this environment affect how we can refine the analysis and output? Some examples of context that should be considered are: Organizational Structure, Business Units, Application and/or Data Categorizations, Network Segmentation, System Configurations, Users, Hot Lists, Vulnerability Data, Data/System/User Criticality, and other environment-specific information.
Timing: Within, before, at, during, after.
Logic: Boolean logic statements (T/F) using AND, OR, IF, THEN, NOT as conditions.

Collection:

Data Accessibility: Are there physical, logical, business, technical or political barriers to having the relevant data?
Data Format: Is the data readily comprehended by our solution? Is customization of the data necessary or possible? Do we need to update logging standards?
Data Relevance:
  o Content: What elements of the data provide us the necessary context? Which exact fields are relevant?
  o Timing: Do we receive it often enough to be relevant to our proposed solution?
Data Location: Does the data reside in a centralized, easily accessed location? Is it already aggregated, normalized or filtered in a way that would adversely affect our proposed solution?
Note: You can and should use these questions and related answers as justification for your enterprise visibility project. Logging standards, data access and reliable access to the information are very often the proverbial long pole.

Proposed Solution:
Technology/Process: Does SIEM make sense to solve this problem, given the data we have, our environment and the proposed solution? Can we solve this using other technology or processes in a more efficient/effective manner? SIEM is great, but not always the answer.
Configuration: What SIEM configuration(s) provide us with the most efficient and effective solution? Is it simply a report or do

variables/obstacles. Knowing the capabilities of your product will help you to understand how to configure it. Advanced use cases, custom applications, fraud detection, etc. require a non-traditional data set and logic approach, well, at least non-traditional from the security administrator's perspective. Having the flexibility to compare against user-defined fields is key to solving those use cases. If you find yourself unable to solve a number of core use cases, then it might be time to consider training, external advice or, as a last resort, a new solution.
Expected Outcome: What is it that we expect to see from the system? For example: "Within n minutes, we should see x when y occurs."
Known False Positives: How are false positives differentiated from known bad activities, and how can we tune our systems/data/environment to reduce the number of valid activities we respond to?
Known Gaps: Relative to the problem set described, what do we expect that this solution will miss? How can we close those gaps?
Alternative Methods: Within the SIEM or external to the SIEM, what are alternative ways to address some subset of this problem? Do related solutions already exist?
QA:
Performance: Is the solution efficient? Does it cause significant system degradation? Have you built content to monitor for efficiency?
Functionality: Is this providing an acceptable solution for the users and owners? Are refinements required?

Lab Validation: Were lab tests meaningful and successful?
Note: You might get the sense from my wording that QA is an ongoing activity; you'd be correct. If your lab has irrelevant data/systems, your tests are meaningless. Testing new correlation scenarios against an existing data set is invaluable. Knowing how the system is going to respond before you implement into production saves time, effort and headaches.
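Putting the Technical Requirements fields (Need, Event, Context, Timing, Logic) and the Expected Outcome statement "within n minutes we should see x when y occurs" into code, and then testing that correlation scenario against a lab data set as the QA note recommends: this is an added example, not code from the article or from Decurity/VisibleRisk. The log line format, host names, IP addresses, hot list and five-failure threshold are all assumed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The use case written in the article's fields; hosts, IPs and threshold are constructed.
USE_CASE = {
    "Need": "The system shall alert when a logon brute force succeeds on a critical host",
    "Event": "5+ failed logons from one source, then a successful logon, same target",
    "Context": {"critical_hosts": {"fin-db01"}, "hot_list": {"10.0.9.5"}},
    "Timing": "failures within 5 minutes before the success",
    "Logic": "IF failures >= 5 AND success AND target critical AND NOT source on hot list THEN alert",
    "Expected Outcome": "Within 5 minutes we should see one alert when the pattern occurs",
}
THRESHOLD, WINDOW = 5, timedelta(minutes=5)

def parse(line):
    """Constructed log format: '<ISO time> <src-ip> <target-host> <SUCCESS|FAILURE>'."""
    ts, src, target, status = line.split()
    return datetime.fromisoformat(ts), src, target, status == "SUCCESS"

def evaluate(lines, ctx=USE_CASE["Context"]):
    """Apply the Logic/Timing/Context fields; return (src, target, time) alerts."""
    failures = defaultdict(list)  # (src, target) -> failure timestamps
    alerts = []
    for ts, src, target, ok in sorted(parse(l) for l in lines):
        if not ok:
            failures[src, target].append(ts)
            continue
        # Timing: count only failures inside the window before this success.
        recent = [t for t in failures[src, target] if ts - t <= WINDOW]
        # Logic: threshold AND critical target AND NOT a hot-listed (approved) source.
        if (len(recent) >= THRESHOLD and target in ctx["critical_hosts"]
                and src not in ctx["hot_list"]):
            alerts.append((src, target, ts))
        failures[src, target].clear()  # a success closes the sequence either way
    return alerts

def seq(src, target, start, n_fail, success_after_min):
    """Constructed lab data: n_fail FAILURE lines 10 s apart, then one SUCCESS."""
    t0 = datetime.fromisoformat(start)
    fails = [f"{(t0 + timedelta(seconds=10 * i)).isoformat()} {src} {target} FAILURE"
             for i in range(n_fail)]
    return fails + [f"{(t0 + timedelta(minutes=success_after_min)).isoformat()} {src} {target} SUCCESS"]

# Lab data set: a true positive, a stale sequence (outside the window), an approved
# scanner on the hot list (known false positive) and a non-critical target.
SAMPLE = (seq("10.0.1.7", "fin-db01", "2024-01-01T09:00:00", 5, 2)
          + seq("10.0.2.3", "fin-db01", "2024-01-01T08:00:00", 5, 10)
          + seq("10.0.9.5", "fin-db01", "2024-01-01T09:30:00", 5, 1)
          + seq("10.0.1.7", "web-kiosk", "2024-01-01T10:00:00", 5, 1))
```

Running `evaluate(SAMPLE)` yields exactly one alert, for 10.0.1.7 against fin-db01; the other three sequences exercise the Timing, Known False Positive and Context conditions and produce none.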
Operations:
Feedback: You need a periodic feedback loop to ensure you are in touch with their needs and are updating/planning around upcoming requirements.
Monitor: Changes are inevitable, from process, people and environment to threats and data sets; you will need to stay in touch with how your SIEM is supporting the evolving requirements.
Refine: Simple refinements may be applied daily/weekly/monthly.
Enhance: Do we need to add more/better data sets? Is there better logic that can be applied? Do new or related use cases offer better insight?
Validations: What does normal operation of this use case look like, and how would you know abnormal behavior of your solution?

Course Summary:
So it should be clear by now that we think SIEM is a great tool, with tons of potential to identify new activities you couldn't previously consider and to automate definable activities and facilitate workflow.

your organization. This guide and related articles/posts will go a long way to assist you with your efforts. If not, reach out and we'll find other ways to help you!
Remember that SIEM is a process, not just a tool. If you aren't making changes to your SIEM on a daily basis (or having someone make changes for you) you are not getting the most from your SIEM. Threats constantly evolve, your networks/systems/data/users are always being modified, your understanding of your environment is always changing; shouldn't your detection techniques also be enhanced on a daily basis? The more time you spend on use cases as identified in this post, the more value you'll receive out of your SIEM.
Disclaimer: Not every vendor solves problems in the same manner. Due to technological differences, wildly varying skills of consultants and comprehension of the actual problem and/or data, your mileage will vary. That said, the approach we are documenting here will work with any SIEM and should be used every time you think about solving new problems using your SIEM. It does mean effort has to be applied, but it also means you will have objective measurements of success when it comes to the value your SIEM is providing.
