Time to touch the main challenge: the SIEM use case implementation / refinement process [also applicable to other monitoring technologies, like UBA / UEBA]. In our seminal paper on the topic, “Security Information and Event Management Architecture and Operational Processes” (did I mention that it exudes pure awesomeness – from each of its 61 pages!), we described a process similar to this:
1. Define a particular problem to be solved by a SIEM tool in clear, unambiguous terms.
2. Review the SIEM functionality (rules, algorithms, reports and dashboards) that is needed to solve the problem.
3. Look at the available and potentially available log data that is useful for solving the problem.
4. If a correlation rule is the chosen piece of content to be created, analyze what sequence of logged events needs to be tracked and how these events are represented in the SIEM tool; using normalized events and taxonomy categories is highly recommended because they make the rule easier to modify, maintain and apply to additional log sources.
5. If using a statistical detection method, review its logic to confirm that it will deliver the result needed.
6. Draft correlation rules on paper, and review the logic flow.
7. Implement the correlation rule using the SIEM rule interface; some products allow one to click on events and define a rule straight from the observed sequence of events.
8. If the product has functionality to test the rule or algorithm on historical data, execute this functionality to determine how often this rule would have fired in the past if it had been enabled.
9. Review any alerting process that this rule will trigger, and set up alerts to go to the people who know how to triage them.
10. Enable the rule to run on the real-time data flow in the production environment.
11. Review alerts generated by this rule, review the cases where the rule matches only partially (if the SIEM product has such functionality), and refine the rule when needed.
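To make steps 4, 8 and 11 concrete, here is an added example (not from the paper or from any SIEM product) of one correlation rule expressed over normalized events and run against a constructed batch of historical events to count past firings and partial matches. The use case is the classic "N authentication failures for the same source and user followed by a success within a window"; the taxonomy labels `auth.failure` / `auth.success`, the `Event` and `Alert` shapes, the sample events and the `backtest` helper are all hypothetical.

```python
"""Hypothetical correlation rule plus a historical-data backtest (added example; not from the post)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    """A normalized event: 'category' is a taxonomy label, not a raw log string (hypothetical schema)."""
    ts: datetime
    category: str   # "auth.failure" or "auth.success" in this example
    src: str        # source address as seen by the log source
    user: str


@dataclass
class Alert:
    src: str
    user: str
    failures: int
    first_failure: datetime
    success: datetime


class FailuresThenSuccessRule:
    """Use case (step 1, stated plainly): fire when `threshold` or more auth failures for the
    same (src, user) pair are followed by an auth success within `window`.
    Tracks the sequence per (src, user); does not care which log source produced the events,
    only that they were normalized into the two taxonomy categories (step 4)."""

    def __init__(self, threshold: int = 5, window: timedelta = timedelta(minutes=10)):
        self.threshold = threshold
        self.window = window
        self._failures: Dict[Tuple[str, str], List[datetime]] = {}  # per-pair failure timestamps
        self.alerts: List[Alert] = []
        self.partial_matches = 0  # success preceded by 1..threshold-1 recent failures (step 11 review)

    def _recent(self, key: Tuple[str, str], now: datetime) -> List[datetime]:
        """Failure timestamps for this pair still inside the sliding window."""
        return [t for t in self._failures.get(key, []) if now - t <= self.window]

    def process(self, ev: Event) -> Optional[Alert]:
        key = (ev.src, ev.user)
        if ev.category == "auth.failure":
            # Keep only in-window failures so state cannot grow without bound.
            self._failures[key] = self._recent(key, ev.ts) + [ev.ts]
            return None
        if ev.category == "auth.success":
            recent = self._recent(key, ev.ts)
            self._failures.pop(key, None)  # the sequence is consumed whether or not it fires
            if len(recent) >= self.threshold:
                alert = Alert(ev.src, ev.user, len(recent), recent[0], ev.ts)
                self.alerts.append(alert)
                return alert
            if recent:
                self.partial_matches += 1  # worth reviewing when tuning the threshold
        return None


def backtest(events: List[Event], threshold: int = 5,
             window: timedelta = timedelta(minutes=10)) -> dict:
    """Step 8: replay historical events through a fresh rule instance and report how often
    it would have fired, plus how many partial matches it saw."""
    rule = FailuresThenSuccessRule(threshold, window)
    for ev in sorted(events, key=lambda e: e.ts):
        rule.process(ev)
    return {"fired": len(rule.alerts), "partial": rule.partial_matches, "alerts": rule.alerts}


def _t(hh: int, mm: int, ss: int = 0) -> datetime:
    return datetime(2024, 1, 1, hh, mm, ss)


# Constructed sample history: four (src, user) pairs with different behaviour.
HISTORICAL_EVENTS: List[Event] = (
    # alice: six rapid failures then a success -> should fire
    [Event(_t(9, 0, s), "auth.failure", "10.0.0.5", "alice") for s in (0, 10, 20, 30, 40, 50)]
    + [Event(_t(9, 1, 0), "auth.success", "10.0.0.5", "alice")]
    # bob: two failures then a success -> partial match only
    + [Event(_t(9, 5, 0), "auth.failure", "10.0.0.7", "bob"),
       Event(_t(9, 5, 30), "auth.failure", "10.0.0.7", "bob"),
       Event(_t(9, 6, 0), "auth.success", "10.0.0.7", "bob")]
    # carol: a plain success with no failures -> nothing
    + [Event(_t(9, 10, 0), "auth.success", "10.0.0.9", "carol")]
    # dave: five failures spread over 30 minutes, only two fall inside the window -> partial
    + [Event(_t(8, m, 0), "auth.failure", "10.0.0.11", "dave") for m in (0, 7, 14, 21, 28)]
    + [Event(_t(8, 30, 0), "auth.success", "10.0.0.11", "dave")]
)


if __name__ == "__main__":
    result = backtest(HISTORICAL_EVENTS)
    print(f"would have fired {result['fired']} time(s), {result['partial']} partial match(es)")
    for a in result["alerts"]:
        print(f"  {a.user}@{a.src}: {a.failures} failures between {a.first_failure.time()} and {a.success.time()}")
```

Running the backtest with the default threshold shows one firing (alice) and two partial matches (bob and dave); rerunning it with `threshold=2` turns all three into firings, which is exactly the kind of before-and-after count a reviewer wants when deciding where to set the threshold before enabling the rule on live data.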
What stages do you think need additional details? Examples? Specific guidance? Any changes?
Selected recent blog posts related to SIEM:
- Fun Challenges with SIEM Use Cases
- SIEM Use Case Discovery
- Discovering New Monitoring Use Cases
- SIEM Use Cases – And Other Security Monitoring Use Cases Too!
- Co-Managed SIEM Rising
- Research on Security Monitoring Use Cases Coming Up
- My “Evaluation Criteria for Security Information and Event Management” 2015 Update Publishes
- Do You Want “Security Analytics” Or Do You Just Hate Your SIEM?
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.