My previous post “Adopting SIEM – What you need to know” would give a better starting point if you are new to SIEM and want to implement it in your organization. If you already use/manage/implement a SIEM, then read on.
To start with, SIEM tools take a lot of effort to implement. Once implemented, they need to be taken care of like babies. If care is not given, within a few months you would be staring at a million-dollar museum artifact. Now there are two parts of care:
- Making sure that the systems are updated regularly, not only for patches and configurations but also the content put in them.
- Second and the most important part is making the SIEM relevant to the current Threat Landscape.
Anyone who has worked on SIEM for some time would agree with me that Administration is generally easier than making the system relevant to the Threat Landscape. Before people hit me with “Administration is also a pain”, I would like to offer a defense: almost all SIEM products come with documentation that gives a fair amount of information on how to install, update, upgrade and operate these systems. However, translating Threat Landscapes to nuts and bolts for SIEM purposes is the biggest challenge, and there are no guides that can help do that.
In this blog post, my attempt is to make this translation as easy as possible. In SIEM parlance, we call this translation a Use Case. If Use Cases are well defined, implementing them, responding to them and managing them becomes easier. Such Use Cases would eventually become the cornerstone on which a SOC (Security Operations Center) is built. As usual, I would like to start with defining a Use Case, running through its stages and then finally wrapping it up with an example. So here we go.
Use Case Definition: A Use Case by definition is nothing but a Logical, Actionable and Reportable component of an Event Management system (SIEM). It can be either a Rule, Report, Alert or Dashboard which solves a set of needs or requirements.
A Use Case is actually “developed” and this development is a complete process and not just a simple task. Like a mini project it has several stages. The various Stages involved in Use Case Development are as follows:
- First stage is the “Requirements” Definition. It can be any of the following high level requirements and is unique to every company:
  - Business
  - Compliance
  - Regulatory
  - Security
- Once the requirements are finalized, the next stage would be to “Define the scope” of the requirement. This would typically mean the IT Infrastructure that needs to be protected and is a high priority for the specific requirement.
- Once the scope is finalized, we can sit down and list the “Event Sources” that would be required to implement the Use Case. These would be Log Data, Configuration Data, Alert Data etc coming out of IT Systems under the above Requirements Scope.
- The next stage would be to ensure that the Event Sources are going through “Validation Phase” before use. Many times, we would have an Event source but the required data to trigger an Event may not be available. This needs to be fixed before we proceed with the Use Case development.
- Post validation, we need to “Define the Logic”. This is where we exactly define what and how much data is needed to alert along with the Attack Vector we would like to detect.
- Use Case “Implementation and Testing” is the next stage. This is where we actually configure the SIEM to do what it does best – Correlation and Alerting. During Implementation the definition of the desired output can also be done. The output can be one of the following:
  - Report
  - Real Time Notification
  - Historical Notification
- Once implementation is done, we need to “Define Use Case Response” procedures. These procedures help you to make the Use Case Operational.
- Finally, Use Case “Maintenance” is an ongoing process to keep the Use Case relevant by appropriate tuning.
Now that we have defined in detail the Use Case Development methodology, it is time to take an example and see how this actually looks in Real Life Implementation terms.
- IDS/IPS at Network and Host – Signature Based Detection
- Mail Hygiene or Mail Filtering Tools – Signature Based Detection
- Events from Network Devices – Traffic Anomaly Based Detection
- Events from End User Detection tools – Signature and Traffic Anomaly Based Detection
The Event Validation: The devices logging to SIEM should be normalized and parsed properly. Typically, SIEM products would allow Content development based on their native Field Mappings (Through Parsing). If the fields are not mapped, then the SIEM does a poor job of Event Triggering and Alerting. The required fields for the above Use Case would typically be Source IP, Source user ID, Email Addresses, Target IP, Host information of Source and Target, Event Names for SPAM detection, Port and Protocol for SMTP based traffic detection etc.
- One machine doing Port 25 Outbound connections at the rate of 10 in a minute
- SPAM Signatures originating from the same source from IDS/IPS, Mail Filter etc having the same destination Public domain
- SYN Scans on port 25 constantly from a single source etc
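
As an added example (not part of the original post and not tied to any SIEM product), the first rule above can be written in Python over constructed, already-normalized events. The field names, the `10.` internal range and the mail relay exclusion list are assumptions; the code also applies the Event Validation step by setting aside events whose required fields were never mapped.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Normalized fields the rule needs (a subset of the fields the post lists).
REQUIRED = ("ts", "src_ip", "dst_ip", "dst_port", "proto")
INTERNAL_PREFIX = "10."        # assumption: internal address space
MAIL_RELAYS = {"10.0.0.25"}    # assumption: sanctioned SMTP senders

def validate(event):
    """Event Validation: every required field was parsed and mapped."""
    return all(event.get(f) not in (None, "") for f in REQUIRED)

def detect_smtp_bursts(events, threshold=10, window=timedelta(seconds=60)):
    """Return (alerts, rejected); one alert per source per burst."""
    rejected = [e for e in events if not validate(e)]
    recent, alerting, alerts = defaultdict(deque), set(), []
    for ev in sorted(filter(validate, events), key=lambda e: e["ts"]):
        src = ev["src_ip"]
        outbound = (src.startswith(INTERNAL_PREFIX)
                    and not ev["dst_ip"].startswith(INTERNAL_PREFIX))
        smtp = ev["dst_port"] == 25 and ev["proto"] == "tcp"
        if not (outbound and smtp) or src in MAIL_RELAYS:
            continue
        q = recent[src]
        q.append(ev["ts"])
        while ev["ts"] - q[0] >= window:   # drop connections older than the window
            q.popleft()
        if len(q) < threshold:
            alerting.discard(src)          # burst over, re-arm this source
        elif src not in alerting:
            alerting.add(src)              # suppress repeats while burst continues
            alerts.append({"src_ip": src, "first_seen": q[0], "count": len(q)})
    return alerts, rejected

def sample_events():
    """Constructed, already-normalized events (not real log data)."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    def ev(sec, src, dst):
        return {"ts": t0 + timedelta(seconds=sec), "src_ip": src,
                "dst_ip": dst, "dst_port": 25, "proto": "tcp"}
    events = [ev(i * 5, "10.1.1.50", f"203.0.113.{i + 1}") for i in range(12)]
    events += [ev(i * 30, "10.1.1.60", "198.51.100.7") for i in range(12)]
    events += [ev(i, "10.0.0.25", "203.0.113.9") for i in range(20)]  # relay
    events.append(ev(0, "", "203.0.113.1"))  # source IP was never mapped
    return events

if __name__ == "__main__":
    alerts, rejected = detect_smtp_bursts(sample_events())
    print(alerts, len(rejected))
```

The `threshold` and `window` parameters are the values that get adjusted during the tuning iterations of Implementation and Testing.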
Implementation and Testing: Once the logic is defined, Configuration of SIEM and tuning the implementation to trigger more accurately is the next phase. After Implementation of the Use Case, we would need several iterations of Incident Analysis along with data collection to ensure that the Use Case is doing what it is intended to do. This is done at the SIEM level and may involve aggregation, threshold adjustments, logic tightening etc.
Use Case Response: After implementation, the Use Case needs to be made a valuable resource by defining a Use Case Response. This is the stage where you would define “What action needs to be taken and how it needs to be taken”. You can look at Episode 4 of my Security Investigation series to get an idea of how to investigate SPAM cases. Other Security Investigation Series articles are located here – Security Investigation Series.
SIEM Use Cases are really the starting point for good Incident detection. If you want to run a SOC, having well-defined SIEM Use Cases would ease management and increase efficiency of Operations. This post is my humble attempt to simplify and regularize Use Case development for SIEM implementations.
As always, I would love to hear comments and thoughts on this topic.
Great post and awareness of the importance of targeted use of SIEM. Defining the end result is important when starting to develop intelligence. One thing that I want to note that I feel is important as well is building a base set of layered intelligence. Many times organizations will attempt to create the perfect set or “Top 10” correlation rules, often forgetting that next generation APTs will be discovered or appear as normal operation. This type of APT is disguised, doesn’t trip any alarms, but found through systematical and programmatic approach to event review. What I mean by this is a layered approach to reviewing logins matching users inside a specific OU for example. For instance, a report is sent to the group itself, security management, and IAM team. A multi review system is set up to catch any abnormal behavior or privilege compromise. Just a common thing I see overlooked when attempting to define the perfect correlation rule or use case. Anyways, hope the best for you and keep up the great blogging!
Hi, I really liked this post. Can you point me to some resource wherein I can find a good list of standard SIEM use cases along with their details? Any assistance would be appreciated..
Thanks for your comments Sandeep. Unfortunately, there is no guide for USE Cases. It differs from organization to organization.
Thanks for this wonderful blog post.. Worth reading!
SIEM Use-Cases Linkedin group.
http://www.linkedin.com/groups/SIEM-UseCases-6704216?gid=6704216&mostPopular=&trk=tyah&trkInfo=tarId%3A1401478276267%2Ctas%3Asiem%20use-cases%2Cidx%3A1-1-1
Excellent lines to feed oneself with some good knowledge on building use cases.
Are use cases synonymous with run books? That is, what to do if event X occurs?
Use Cases encompass run books. So the “Response” part of the Use case covers the “what to do”.
Great post and more globally high quality website!
One practical question: how do you store your Use cases catalog/library?
Thanks for your kind words.
The use cases are a combination of both the process documentation along with the actual SIEM content.
A TWiki Server or a SharePoint portal is a good place to store this data. We have also seen this stored in Shared Drives for the Ops team to access