by Anton Chuvakin | September 24, 2013 | Comments Off on Detailed SIEM Use Case Example
During inquiries, I am handling a lot of questions about SIEM use cases, what they are, where to get them, how to create them, how to document them, evolve them, map them to particular SIEM features, etc, etc. I often walk through a complete example to explain it, with a painful level of details; here is that example for everybody to enjoy:
Baby’s first SIEM use case: tracking user authentications | logins/logons
|Use-case Selection||Selected use case is tracking authentication information across systems [what] to detect unauthorized access. [why]|
|Data Collection Needed||Prepare a list of systems such as servers, VPN concentrators, network devices, and others.|
|Log Source Configuration Needed||Contact the team that operates the systems and make them modify the logging configurations in order for the logs to be collected by SIEM.|
|SIEM Content Creation, Preparation and Selection||Review vendor’s content — such as their authentication reports and relevant correlation rules or other “canned” analytics — that deals with the problem and check it for suitability; modify the reports and rules until satisfied.|
|Definition of Operational Processes Required||Review operational processes related to the security use case and check whether additional processes are needed. A process for suspending or disabling user accounts might have to be created.|
|Refinement of the Content and Processes Loop||After reports and correlation rules are deployed and the data is flowing in, review reports, dashboards, and perform the testing of correlation rules on the collected data to see whether incidents will be detected. Simulate password guessing and check whether SIEM detected and sent an alert.|
Another reason why you want to be that specific with your SIEM use cases is that they provide a nice way to measure your ongoing SIEM program effectiveness and, ultimately, your SIEM capability maturity….
My SIEM research papers (GTP subscriber access):
- “Security Information and Event Management Architecture and Operational Processes”
- “SIEM Market Trends, Solutions, Assessment and Select Product Profiles”
- “Security Information and Event Management Futures”
Blog posts related to SIEM:
- On “Output-driven” SIEM
- Services: A MUST for SIEM!
- On SIEM Maturity Scale and Maybe On CMM Too
- My SIEM Workshop / SAS Day
- On SIEM Deployment Evolution
- On People Running SIEM
- On SIEM Processes/Practices
- On Large-scale SIEM Architecture
- Some of the Big SIEM Questions
- All posts tagged SIEM
Read Complimentary Relevant Research
Security Monitoring and Operations Primer for 2017
Security monitoring and operations excellence is a key component of any effective security program. Gartner's 2017 research will guide...
View Relevant Webinars
Equip Your IAM Risk-Based Planning With a Comprehensive Risk Model
Assessment of more than 50 large IAM deployments have shown suboptimal IAM solutions with arbitrary priorities, missing time and budget...
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.