Gartner Blog Network


Detailed SIEM Use Case Example

by Anton Chuvakin  |  September 24, 2013

During inquiries, I handle a lot of questions about SIEM use cases: what they are, where to get them, how to create them, how to document them, how to evolve them, how to map them to particular SIEM features, and so on. I often walk through a complete example to explain it, in painful detail; here is that example for everybody to enjoy:

Baby’s first SIEM use case: tracking user authentications | logins/logons

Step: Use-case selection
Details: The selected use case is tracking authentication information across systems [what] in order to detect unauthorized access [why].

Step: Data collection needed
Details: Prepare a list of the systems whose logins must be tracked, such as servers, VPN concentrators, network devices, directory servers and others.

Step: Log source configuration needed
Details: Contact the team that operates those systems and have them change the logging configuration so that the relevant events (both successful and failed logins, with the account name and source address) are generated and collected by the SIEM.

Step: SIEM content creation, preparation and selection
Details: Review the vendor's content that deals with the problem, such as authentication reports, relevant correlation rules and other "canned" analytics, and check it for suitability; modify the reports and rules until satisfied.

Step: Definition of operational processes required
Details: Review the operational processes related to the security use case and check whether additional processes are needed. For example, a process for suspending or disabling user accounts once an alert fires might have to be created.

Step: Refinement of the content and processes loop
Details: After the reports and correlation rules are deployed and the data is flowing in, review the reports and dashboards, and test the correlation rules against the collected data to see whether incidents would be detected. Simulate password guessing against a monitored system and verify that the SIEM detects it and sends an alert.
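To make the last three steps concrete, here is an added example of what the "content" for this use case boils down to, written as a small script rather than in any particular SIEM's rule language; it is not code from the original post or from any vendor. It normalizes two constructed log formats (Linux sshd syslog lines and Windows Security events 4624/4625 flattened to one line by a hypothetical forwarder) into a common authentication event, then applies a correlation rule: five or more failures from one source address within 60 seconds raises a password-guessing alert, and a successful login from that source shortly afterwards raises a second, higher-priority alert. All hosts, users, addresses and log lines are constructed for the example; the thresholds are assumptions to be tuned against your own data.

```python
"""Minimal cross-system login correlation for the SIEM use case above.

All log lines, hosts, users and addresses below are constructed for this
example. Windows events are assumed to arrive as one line per event from a
hypothetical forwarder; the field names mirror the Security log but the
layout is not any real product's format.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone

SAMPLE_LOGS = [
    # Linux sshd via syslog (constructed)
    "2013-09-24T10:00:01Z web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "2013-09-24T10:00:03Z web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51123 ssh2",
    "2013-09-24T10:00:05Z web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51124 ssh2",
    "2013-09-24T10:00:08Z web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51125 ssh2",
    "2013-09-24T10:00:10Z web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51126 ssh2",
    "2013-09-24T10:00:14Z web01 sshd[2201]: Accepted password for root from 203.0.113.7 port 51127 ssh2",
    # Windows Security log, flattened by a hypothetical forwarder (constructed)
    "2013-09-24T10:05:00Z dc01 EventID=4625 TargetUserName=jsmith IpAddress=198.51.100.9",
    "2013-09-24T10:05:02Z dc01 EventID=4625 TargetUserName=jsmith IpAddress=198.51.100.9",
    "2013-09-24T10:06:00Z dc01 EventID=4634 TargetUserName=jsmith LogonType=3",  # logoff: not an auth event
    "2013-09-24T10:30:00Z web01 sshd[2301]: Accepted publickey for deploy from 192.0.2.44 port 40000 ssh2",
]

THRESHOLD = 5   # failures from one source address ...
WINDOW = 60     # ... within this many seconds (assumed values; tune to your data)


@dataclass
class AuthEvent:
    ts: datetime
    host: str
    user: str
    src: str
    success: bool


@dataclass
class Alert:
    rule: str
    src: str
    user: str
    host: str
    ts: datetime
    count: int


SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)
WIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>4624|4625) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)$"
)


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Normalize one raw line into an AuthEvent; return None for non-auth lines."""
    m = SSHD_RE.match(line)
    if m:
        return AuthEvent(_ts(m["ts"]), m["host"], m["user"], m["src"], m["outcome"] == "Accepted")
    m = WIN_RE.match(line)
    if m:
        # 4624 = successful logon, 4625 = failed logon
        return AuthEvent(_ts(m["ts"]), m["host"], m["user"], m["src"], m["eid"] == "4624")
    return None


def parse_lines(lines):
    return [ev for ev in map(parse_line, lines) if ev is not None]


def correlate(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window correlation keyed on source address.

    Rule 1: >= threshold failures from one source within `window` seconds.
    Rule 2: a successful login from that source within `window` seconds of
            rule 1 firing (the case an analyst most wants to see first).
    """
    failures = defaultdict(deque)   # src -> timestamps of failures in the window
    flagged = {}                    # src -> time rule 1 last fired
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        q = failures[ev.src]
        while q and (ev.ts - q[0]).total_seconds() > window:
            q.popleft()             # expire failures outside the window
        if not ev.success:
            q.append(ev.ts)
            last = flagged.get(ev.src)
            if len(q) >= threshold and (last is None or (ev.ts - last).total_seconds() > window):
                flagged[ev.src] = ev.ts
                alerts.append(Alert("password_guessing", ev.src, ev.user, ev.host, ev.ts, len(q)))
        else:
            last = flagged.get(ev.src)
            if last is not None and (ev.ts - last).total_seconds() <= window:
                alerts.append(Alert("success_after_guessing", ev.src, ev.user, ev.host, ev.ts, len(q)))
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_lines(SAMPLE_LOGS)):
        print(f"{a.ts:%H:%M:%S} {a.rule:<24} src={a.src} user={a.user} host={a.host} failures={a.count}")
```

Run against the constructed lines, the script raises one password_guessing alert for 203.0.113.7 on the fifth failure and one success_after_guessing alert when root logs in from the same address four seconds later; the two Windows failures stay below the threshold and the logoff line is ignored by the parser. This is exactly the check the refinement step calls for: replay a simulated guessing burst through the rule and confirm an alert comes out the other end. Note that keying on source address alone misses guessing spread across many sources (password spraying), which would need a second rule keyed on target account.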

Another reason to be this specific with your SIEM use cases is that well-defined use cases give you a practical way to measure the ongoing effectiveness of your SIEM program and, ultimately, your SIEM capability maturity.

Enjoy!

Category: logging  monitoring  policy  security  siem  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…





Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.