Posting about updated documents is often boring, but this time I’m talking about my favorite Gartner document, as usual, co-authored with Anton: “How to Develop and Maintain Security Monitoring Use Cases”!
This document describes an approach to identify, prioritize, implement and manage security monitoring use cases. Of course, it has a lot on SIEM, as that is usually the tool chosen to implement those use cases, but we revised it to ensure we also cover technologies such as UEBA, EDR and even SOAR. If we consider that detection is often implemented as a multi-stage process spanning several of these tools, that's a natural evolution!
The major changes are:
- Revamping the main graphic of the document to better illustrate how the process works (below)
- Putting more emphasis on some of the artifacts generated by the process, such as use case lists
- Evolving the language about treating use case development as software development to say "doing it as AGILE software development"
- Reinforcing the types of use cases that are usually managed by this process: threat-oriented, control-oriented and asset-oriented
- Including tips for use case management when working with an MSSP (we are writing more about this in our upcoming MSSP doc, BTW)
The summary diagram for the framework can be seen below:
Again, we are always looking for feedback on our research. If you have anything to say about this document, please use this page to do it.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.