I’m very happy to announce that our paper on “How to Develop and Maintain Security Monitoring Use Cases” has just been published! This is the result of our work to provide a structured approach for organizations that need to operate their security monitoring infrastructure in an integrated and coordinated way, aligning their monitoring activities with the overall security planning efforts.
Some interesting pieces from the paper:
“Use cases can be created from three different sources: compliance, threat detection and asset oriented.”
“Monitoring use cases are generally seen as SIEM content, but also can be implemented with other technologies, including user and entity behavior analytics (UEBA), data loss prevention (DLP) and others.”
“An organization can have too much process overhead in this area — agility and predictability are both needed.”
“Many organizations focus on implementing canned vendor UC content, and that approach is workable, as long as the content is tuned and further steps are taken.”
“Given all those security problems to solve, which ones should the organization do first? For example, some security architects claim that SIEM use cases must always be selected by order of importance, but that is a big mistake. Gartner research indicates that organizations should not undertake a complex and hard-to-develop use case as a first phase, unless absolutely necessary and unless all precautions (such as moving in small steps) are taken. On the other hand, “do only what is easy” will not yield the desired results either. A much better order is a balance of importance with “feasibility” (that is, ease of implementation).”
“The organization beginning its journey into security monitoring and use-case development should start implementing use cases one by one, using the experience to improve the processes and putting together the basic technology components that will form the core of the security monitoring infrastructure. In a “walk, then run” way, it can expand the cycles to implement multiple use cases simultaneously later, especially when the use cases share similarities on chosen technology, data sources and objectives.”
“Use cases almost never operate under static conditions; the IT and threat environments are very dynamic and could affect the use-case value, relevance and performance. Situations not identified by change management or security intelligence processes, or cases of undetected slow changes, could be identified during a periodic review of the use cases. These reviews can be built as general periodic cycles where all existing use cases are reviewed, or based on a “use-case schedule” where each has its own review date based on when it was originally implemented or last reviewed. This approach requires more work on maintaining the review schedule, but also avoids accumulating too much review work on a single task. It also requires just a few reviews happening frequently instead of a big batch of work that ends up creating an audit-like “use-case review season.””
Now, as mentioned before, we’re full speed ahead with EDR. Stay tuned!