How to define complex use cases and implement them in your SIEM/SOC project

In our first two contributions, we presented the overall structure for a SIEM/SOC project and derived best practices for building the technical infrastructure of a SIEM. In this article, we introduce you to the complexity of use case development and its challenges, and  propose some best practices.

The struggle about SIEM use cases

Use cases form the basis for log data analysis in every SIEM. They define which log data are analyzed, the type of analysis performed on the log data, as well as the reactions to a possible event. Without tangible use cases, the data in any SIEM would only be stored in a structured manner, enabling ex-post investigation if necessary – but near real-time monitoring of security-relevant parameters is a long way off. Thus, it can be said that use cases make up the core of every SIEM and deliver the functionality that most organizations want, and many authorities require: efficient, near real-time monitoring of security-relevant events!

However, many projects face problems when creating use cases in an efficient and effective way. We have identified three key challenges:

1. Lack of focus
2. Lack of structure during use case creation
3. Lack of control over stakeholders involved

The broad and heterogenous IT landscape of large organizations can create a loose track of SIEM use cases – focusing on key risks, related systems and most likely attack paths is necessary.

Although the ideal goal of every SIEM is to have every single application connected, your SIEM project should initially focus on quick-wins and high-risk applications. The question that arises is simple but non-trivial: What applications shall we link to our SIEM first?

As the IT landscape is often very heterogeneous, there are common standards that you should base your scoping on:

• Apply a risk-based approach when deciding on what applications you will connect to your SIEM first. In doing so, rely on what you already have in place, e.g. protection requirements analysis.
• Include business requirements in your decision. Focus on the applications that are most critical to your business.
• Assess benefits and costs related to the use case implementation.
• Realize scaling effects by onboarding common and widespread, used technical platforms, such as the operating systems, to quickly achieve a baseline coverage.

A well-structured approach to use case definition and application expertise are needed to ensure efficiency during this stage.

If you start with the use case formulation without a concrete plan, you’ll quickly reach your limits.

Use case formulation is a complex process and requires detailed specification in various dimensions. First, the use case’s objective needs to be specified functionally, i.e. the exact correlation rule and the steps for resolving a possible event. Secondly, the use case needs to be specified technically, i.e. the exact log where the information is drawn from, the type of log and the storage location. Also, readability of logfiles and the logfile volume should be considered.

These factors call for the following:

• A structured and pre-defined approach towards use case development in order to cover all relevant aspects.
• A standardized template that covers all relevant information to ensure that all aspects are properly documented and use cases can be compared.
• Involvement of critical stakeholders (e.g. the application owners) to ensure their buy-in and make the use cases effective.

A central instance is required to steer the stakeholders involved in use case creation and to ensure a common standard.

Each SIEM use case unites a wide set of interests and goals. The CISO requires the use cases to tackle security-relevant goals. These goals, however, can only be implemented with deep knowledge of the applications. Hence, the application owners need to be involved. The worker’s council wants to avert employee monitoring, while the management’s interest is on monetary aspects mostly. You must consider the following during use case creation:

• Install a central steering instance which is responsible for driving the use case formulation process.
• The central steering instance must have a deep understanding of the stakeholders’ interests and their expertise in order to tackle their concerns individually.
• In-depth preparation of workshops with the stakeholders is required to use the time they provide to the project most efficiently.

Contact us now to learn more about  SIEM use cases!

Based on diverse project experiences, Capgemini Invent has developed a framework for use case formulation that tackles relevant obstacles. We’re more than happy to share our experience with you and help you define and implement the right use cases in your SIEM.