Short answer: YES, as long as you START there, rather than FINISH there.
Longer answer: Indeed, many organizations have successfully implemented their monitoring capabilities (whether SIEM-centric or focused on other monitoring and security analytics tools) starting from canned content delivered with their SIEM or other tool. Better SIEM vendors spent 15+ years serving customers, even if for some of them they served primarily their compliance needs (a useful reminder: SIEM tech predates The Compliance Years of Infosec, which are roughly 2003-2008 in my estimation) and a lot of great content got developed. Some of it, BTW, is pretty “evergreen”; after all, a pattern of login failures followed by a successful login was relevant in 1999 and is relevant in 2015.
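The “login failures followed by a successful login” pattern is a good test of what canned content looks like once it is actually implemented. The block below is an added example, not code from this post or from any SIEM vendor: it runs that rule over constructed sshd-style log lines with a per-(user, source) failure count and a time window, and it shows why the window matters (a success long after the failures should not fire).

```python
"""Added example: the evergreen 'N failures then a success' correlation rule.

Log lines below are constructed for illustration; the format, threshold
and window are assumptions, not any product's defaults.
"""
from collections import defaultdict, deque
from datetime import datetime
import re

# Constructed sample log (not real data). Events are in time order.
SAMPLE_LOG = """\
2015-06-01T10:00:01 sshd Failed password for alice from 203.0.113.7
2015-06-01T10:00:03 sshd Failed password for alice from 203.0.113.7
2015-06-01T10:00:05 sshd Failed password for alice from 203.0.113.7
2015-06-01T10:00:06 sshd Failed password for alice from 203.0.113.7
2015-06-01T10:00:09 sshd Accepted password for alice from 203.0.113.7
2015-06-01T10:05:00 sshd Failed password for bob from 198.51.100.4
2015-06-01T10:05:02 sshd Accepted password for bob from 198.51.100.4
2015-06-01T11:00:00 sshd Failed password for carol from 192.0.2.9
2015-06-01T11:00:01 sshd Failed password for carol from 192.0.2.9
2015-06-01T11:00:02 sshd Failed password for carol from 192.0.2.9
2015-06-01T11:00:03 sshd Failed password for carol from 192.0.2.9
2015-06-01T11:30:00 sshd Accepted password for carol from 192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse(line):
    """Parse one line into a dict, or return None for lines the rule ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "outcome": m["outcome"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_failures_then_success(lines, threshold=3, window_seconds=300):
    """Alert when a (user, source) pair has >= threshold failures within
    window_seconds immediately before a successful login."""
    # (user, src) -> timestamps of failures still inside the window
    failures = defaultdict(deque)
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        recent = failures[key]
        # Evict failures that are older than the window relative to this event.
        while recent and (ev["ts"] - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
            continue
        # Successful login: fire only if the streak is long enough, then reset.
        if len(recent) >= threshold:
            alerts.append({
                "user": ev["user"],
                "src": ev["src"],
                "failures": len(recent),
                "success_at": ev["ts"].isoformat(),
            })
        recent.clear()
    return alerts


if __name__ == "__main__":
    # alice fires (4 failures in 8 seconds, then success); bob has too few
    # failures; carol's success comes 30 minutes later, outside the window.
    for alert in detect_failures_then_success(SAMPLE_LOG.splitlines()):
        print(alert)
```

The window is the knob most people forget when they take a vendor rule as-is: widen it to an hour and carol's login becomes an alert too, which may or may not be what your triage process wants to see.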
However, WIN happens if you start there, while FAIL (or at least a failure to realize the full value of SIEM technology) happens when you assume that vendor content is all you will ever need with a SIEM. Most mature SIEM users report that their most valuable use cases were site-specific, custom, or at least heavily customized. If “SIEM saved your bacon” too, think about those situations: was it canned vendor content that did it, or something you put together in a coffee-fueled haze? 🙂
Now, think about these two EXTREME approaches to use case development:
- PRIORITY-CENTRIC: we will do first what is of TOP PRIORITY. This leads to people starting with, say, SAP logs and learning FAIL first-hand because it is so damn hard to start there. And then questioning SIEM value.
- FEASIBILITY-CENTRIC: we will do first what is EASY, does not require any changes to the tool, log sources etc. This leads to people solving problems they don’t really care to solve, and then questioning SIEM value.
If both extremes are bad, what works? This:
So, yes, START from vendor use case content, but DO rank it by your risk/threat assessment, compliance requirements, etc. – see this for details! Also, link the use cases you keep to your security operations processes, such as alert triage and, ultimately, incident response (IR). Decide which ones you will actually act on, and keep (and refine) those. Next, as you learn the tool, move to juicier problems that require more content authoring. And, no, not all of them will need a SIEM – you may need UBA / UEBA, EDR / ETDR, etc. Ahem.. even DLP… maybe.
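To make the “neither extreme” approach concrete, here is an added example (my own illustration, not anything from this post or from a SIEM product) of ranking a small constructed use case catalog. Risk comes from the risk/threat assessment or compliance driver, feasibility is derived from whether the log source is already onboarded and parsed and whether custom content is needed, and anything nobody has committed to triage or IR is dropped before ranking. The use case names, weights and scoring scale are assumptions.

```python
"""Added example: blend risk and feasibility when ordering SIEM use cases,
and keep only those tied to an operational process. All values are
constructed for illustration."""
from dataclasses import dataclass


@dataclass
class UseCase:
    name: str
    risk: int               # 1-5, from risk/threat assessment or compliance need
    source_onboarded: bool  # log source already flowing into the SIEM
    parser_ready: bool      # the tool already parses this source
    custom_content: bool    # needs rules written in-house rather than canned
    response_process: str   # "triage", "ir", or "" if nobody will act on it


def feasibility(uc):
    """Effort score 1-5: 5 means it runs today with vendor content as-is."""
    score = 5
    if not uc.source_onboarded:
        score -= 2            # onboarding a new source is the biggest cost
    if not uc.parser_ready:
        score -= 1            # writing a parser
    if uc.custom_content:
        score -= 1            # authoring and tuning rules
    return max(score, 1)


def score(uc, risk_weight):
    """risk_weight=1.0 is the PRIORITY-CENTRIC extreme, 0.0 the FEASIBILITY-CENTRIC one."""
    return risk_weight * uc.risk + (1 - risk_weight) * feasibility(uc)


def rank(use_cases, risk_weight=0.6):
    """Drop use cases with no owner process, then order the rest by blended score."""
    kept = [uc for uc in use_cases if uc.response_process]
    return sorted(kept, key=lambda uc: score(uc, risk_weight), reverse=True)


# Constructed catalog (hypothetical use cases, not a recommendation list).
CATALOG = [
    UseCase("SAP privileged transaction abuse", 5, False, False, True, "ir"),
    UseCase("Login failures followed by success", 4, True, True, False, "triage"),
    UseCase("Antivirus signature update failed", 1, True, True, False, "triage"),
    UseCase("Firewall change outside change window", 3, True, True, True, ""),
    UseCase("VPN login from a new country", 4, True, True, True, "triage"),
]


if __name__ == "__main__":
    for label, w in (("priority-centric", 1.0), ("feasibility-centric", 0.0), ("blended", 0.6)):
        order = [uc.name for uc in rank(CATALOG, risk_weight=w)]
        print(f"{label:20s} {order}")
```

With the pure priority weighting the SAP use case lands on top and you start with the hardest thing in the building; with pure feasibility the antivirus update failure ranks alongside the login rule; the blend puts the canned login rule first, the custom VPN rule second, and SAP third, which is the order in which most shops can actually deliver them.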
Select recent blog posts related to SIEM:
- SIEM Use Case Implementation and Tuning Process
- Base Rates And Security Monitoring Use Cases
- Fun Challenges with SIEM Use Cases
- SIEM Use Case Discovery
- Discovering New Monitoring Use Cases
- SIEM Use Cases – And Other Security Monitoring Use Cases Too!
- Co-Managed SIEM Rising
- Research on Security Monitoring Use Cases Coming Up
- My “Evaluation Criteria for Security Information and Event Management” 2015 Update Publishes
- Do You Want “Security Analytics” Or Do You Just Hate Your SIEM?
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.