Security Monitoring Use Cases, the UPDATE!

By Augusto Barros | January 17, 2018 | 1 Comment

threat detection | siem and log management

Posting about updated documents is often boring, but this time I’m talking about my favorite Gartner document, as usual co-authored with Anton: “How to Develop and Maintain Security Monitoring Use Cases”!

This document describes an approach to identify, prioritize, implement and manage security monitoring use cases. Of course, it has a lot on SIEM, as it’s usually the chosen tool for implementation of those use cases, but we revised it to ensure we are also covering technologies such as UEBA, EDR and even SOAR. If we consider that detection can often be implemented as a multi-stage process, that’s a natural evolution!

The major changes are:

  • Revamping the main graphic of the document to better illustrate how the process works (below)
  • Putting more emphasis on some of the artifacts generated by the process, such as use case lists
  • Evolving the language about doing use case development as software development to say “doing it as AGILE software development”
  • Reinforcing the types of use cases that are usually managed by this process: threat, controls and asset oriented
  • Including tips for use case management when working with an MSSP (we are writing more about this in our upcoming MSSP doc, BTW)

The summary diagram for the framework can be seen below:

Again, we are always looking for feedback on our research. If you have anything to say about this document, please use this page to do it.

1 Comment

  • Andrii says:

    Hi Augusto, thank you for covering this challenge, it’s been chasing me since I first saw a SIEM 10+ years ago and is still a huge task to manage. I try to look at this workflow in 2 combined phases as Identify + Prioritize + Sprint task that requires SIEM (soon SOAR!) engineering resources that most organizations don’t have. And Review + Tune / Remove + Measure as the core process to any SOC and SIEM implementation. The latter will stay a huge work in itself for a while. The former should ideally be simplified to 1 word “Select!” (the needed use cases). A big roadblock to this is that every SIEM uses their own language for content blocks (and a big pain is documenting the use cases and keeping those pages updated). So if one would find a use case at Splunkbase there may be no corresponding one in QRadar or ArcSight marketplace. It gets even harder with threat-centric use cases as there are usually huge time constraints to create them. One of the huge advancements I’ve discovered in that regard is the SIGMA rules open source standard https://github.com/Neo23x0 by Florian Roth and Thomas Patzke. Sigma is like SNORT in IDS world or YARA in malware analysis. To make the authoring and distribution of SIGMA rules we’ve added a UI on top https://ucl.socprime.com/sigma/ , meaning one can create a working query for most common SIEM / VM tools available, including a good ol’ regex for Grep 😉 Though SIGMA is still in early stages I can see it being a huge resource saver even for mature SIEM engineering experts.