Posting about updated documents is often boring, but this time I’m talking about my favorite Gartner document, as usual, co-authored with Anton: “How to Develop and Maintain Security Monitoring Use Cases”!
This document describes an approach to identify, prioritize, implement and manage security monitoring use cases. Of course, it has a lot on SIEM, as it’s usually the chosen tool for implementation of those use cases, but we revised it to ensure we are also covering technologies such as UEBA, EDR and even SOAR. If we consider that detection can often be implemented as a multi-stage process, that’s a natural evolution!
The major changes are:
- Revamping the main graphic of the document to better illustrate how the process works (below)
- Putting more emphasis on some of the artifacts generated by the process, such as use case lists
- Evolving the language about doing use case development as software development to say “doing it as AGILE software development”
- Reinforcing the types of use cases that are usually managed by this process: threat, controls and asset oriented
- Including tips for use case management when working with an MSSP (we are writing more about this in our upcoming MSSP doc, BTW)
The summary diagram for the framework can be seen below:
Again, we are always looking for feedback on our research. If you have anything to say about this document, please use this page to do it.