Posting about updated documents is often boring, but this time I’m talking about my favorite Gartner document, as usual, co-authored with Anton: “How to Develop and Maintain Security Monitoring Use Cases”!
This document describes an approach to identify, prioritize, implement and manage security monitoring use cases. Of course, it has a lot on SIEM, as it’s usually the chosen tool for implementing those use cases, but we revised it to ensure we are also covering technologies such as UEBA, EDR and even SOAR. If we consider that detection can often be implemented as a multi-stage process, that’s a natural evolution!
The major changes are:
- Revamping the main graphic of the document to better illustrate how the process works (below)
- Putting more emphasis on some of the artifacts generated by the process, such as use case lists
- Evolving the language about doing use case development as software development to say “doing it as AGILE software development”
- Reinforcing the types of use cases that are usually managed by this process: threat, controls and asset oriented
- Including tips for use case management when working with an MSSP (we are writing more about this in our upcoming MSSP doc, BTW)
The summary diagram for the framework can be seen below:
Again, we are always looking for feedback on our research. If you have anything to say about this document, please use this page to do it.