We’ve been thinking about the multiple processes around monitoring use cases for our next research project. This week, the focus was on the use case discovery process. So you have the ability and the technology to implement use cases; but how do you find out which ones to implement?
As Anton explained in his post, the process is a mix of mining compliance regulations, threat and risk assessments, etc. The resulting use cases are then assessed and prioritized from a relevance and “doability” point of view. But exploring this a bit further, what kinds of use cases can we get? It seems that they fall into three big buckets:
- Control-Oriented Use Cases: those required as a control by a framework or other regulatory document, such as PCI DSS. The use case can be the control itself (such as “investigate all unauthorized access attempts”) or a way to demonstrate that a control is present and effective (denied events, antivirus signature update events, etc.).
- Threat-Oriented Use Cases: the UCs implemented to identify a specific threat or threat actor. These are the use cases where you look for activity related to specific sources and destinations (the content you are getting from your Threat Intelligence provider?) or for specific activity related to Tactics, Techniques and Procedures (TTPs). There is lots of interesting stuff to look for here: network events that resemble C&C activity, executables running from user profile folders, DLL injection attempts, crazy stuff detected by the malware sandbox, etc.
- Asset-Oriented Use Cases: we know a lot of malicious activity we want to detect, but you also want to know about activity touching specific data assets, payment card data for example. These are the UCs looking at events from DLP systems, File Integrity or Activity Monitoring, or even business applications.
It is expected that you will have use cases from all three buckets; it doesn’t make sense to “select” one of them as the right one. If all your UCs come from only one bucket, it might be time to stop and think about whether you really shouldn’t be doing something related to the other two.
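To make the three buckets and the coverage check concrete, here is an added example (not code from the original post or from Gartner) of a tiny use-case catalogue in which each UC is tagged with its bucket and carries its detection logic, run over a handful of constructed log events. The event field names (type, image, user, result, data_class) are assumptions in a simplified Sysmon/DLP-like shape, and the three detections are illustrative only: a threat-oriented UC for executables launched from user profile folders, a control-oriented UC for unauthorized access attempts, and an asset-oriented UC for payment card data seen by DLP. The coverage check flags any bucket the catalogue does not populate.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

# Constructed sample events (not real logs); field names are an assumption
# roughly modelled on Sysmon process creation, auth logs and a DLP product.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"type": "process_create", "image": r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe", "user": r"CORP\jdoe"},
    {"type": "process_create", "image": r"C:\Users\jdoe\Downloads\setup.exe", "user": r"CORP\jdoe"},
    {"type": "process_create", "image": r"C:\Program Files\Vendor\app.exe", "user": r"CORP\jdoe"},
    {"type": "auth", "result": "failure", "user": r"CORP\admin", "src_ip": "10.1.2.3"},
    {"type": "auth", "result": "failure", "user": r"CORP\admin", "src_ip": "10.1.2.3"},
    {"type": "auth", "result": "success", "user": r"CORP\jdoe", "src_ip": "10.1.2.9"},
    {"type": "dlp", "action": "blocked", "data_class": "PAN", "user": r"CORP\jdoe"},
]

BUCKETS = ("control", "threat", "asset")


@dataclass
class UseCase:
    name: str
    bucket: str                     # one of BUCKETS
    origin: str                     # where the requirement came from (control, TTP, data asset)
    detect: Callable[[dict], bool]  # returns True when an event matches the use case


# Threat-oriented: an executable image living under a user profile directory
# (hypothetical rule; real rules would also whitelist known-good installers).
USER_PROFILE_EXE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\.*\.(exe|dll|scr|bat|ps1)$", re.IGNORECASE
)


def exe_from_user_profile(event: dict) -> bool:
    return event.get("type") == "process_create" and bool(
        USER_PROFILE_EXE.match(event.get("image", ""))
    )


# Control-oriented: "investigate all unauthorized access attempts".
def unauthorized_access_attempt(event: dict) -> bool:
    return event.get("type") == "auth" and event.get("result") == "failure"


# Asset-oriented: anything the DLP system tags as payment card data.
def card_data_touched(event: dict) -> bool:
    return event.get("type") == "dlp" and event.get("data_class") == "PAN"


CATALOGUE = [
    UseCase("Executable launched from user profile folder", "threat",
            "TTP: execution from user-writable path", exe_from_user_profile),
    UseCase("Unauthorized access attempt", "control",
            "PCI DSS style access-control requirement", unauthorized_access_attempt),
    UseCase("Payment card data seen by DLP", "asset",
            "Data asset: cardholder data", card_data_touched),
]


def run_catalogue(events: Iterable[dict], catalogue: List[UseCase] = CATALOGUE) -> Dict[str, List[dict]]:
    """Evaluate every use case against every event; return matches per use case."""
    hits: Dict[str, List[dict]] = {uc.name: [] for uc in catalogue}
    for event in events:
        for uc in catalogue:
            if uc.detect(event):
                hits[uc.name].append(event)
    return hits


def bucket_coverage(catalogue: List[UseCase] = CATALOGUE) -> Dict[str, int]:
    """How many use cases sit in each of the three buckets."""
    counts = Counter(uc.bucket for uc in catalogue)
    return {bucket: counts.get(bucket, 0) for bucket in BUCKETS}


def missing_buckets(catalogue: List[UseCase] = CATALOGUE) -> List[str]:
    """Buckets with no use case at all: the 'stop and think' signal from the post."""
    return [bucket for bucket, n in bucket_coverage(catalogue).items() if n == 0]


if __name__ == "__main__":
    for name, matches in run_catalogue(SAMPLE_EVENTS).items():
        print(f"{name}: {len(matches)} match(es)")
    print("coverage:", bucket_coverage())
    print("missing buckets:", missing_buckets() or "none")
```

Running it over the constructed events gives two hits for the threat UC (the Temp and Downloads executables, not the Program Files one), two for the control UC and one for the asset UC, with no empty bucket; drop the control and asset entries from the catalogue and `missing_buckets()` reports exactly those two, which is the situation the paragraph above warns about.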
We are having a lot of fun finding ways to “slice and dice” use cases and use case selection and development processes. As usual, another call to action: Let us know how you select (and classify) monitoring use cases!
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.