In many organisations today, a Security Information and Event Management (SIEM) solution is like a “white elephant,” expensive to maintain and adding very little value to the overall security posture of the organization. Many organizations do not even reap 50% of the true potential of a SIEM solution, reducing it to a tool used for generating reports to satisfy auditors and to comply with regulatory requirements.
One of the main reasons for this scenario is a lack of effective use cases, which makes a SIEM solution just a box that generates a huge number of false positives or alerts with no actionable steps to take. These non-actionable alerts have a huge impact on how people perceive SIEM alerts, and ultimately the solution becomes similar to a noisy Intrusion Detection System (IDS), whose alerts no one takes seriously. Even the team monitoring the solution starts taking the alerts lightly, or worse, ignores them completely. Just as tuning signatures is essential to make an IDS effective, use cases are paramount to an effective SIEM solution.
SIEM implementation should be driven by use cases, but we generally see that use cases receive the least attention during SIEM implementation. Organizations mostly take a product-centric approach, evaluating and selecting a SIEM solution first, and realizing later that the use cases are difficult to implement due to product limitations or cannot be implemented in the way the organization wants. Because of this reversed approach, many organizations are unable to utilize the true potential of a SIEM solution in incident detection, incident handling and even in general troubleshooting.
Ideally, you should have all of the use cases documented before the implementation of SIEM begins, or even before the SIEM product is selected. Having effective use cases beforehand will ensure that you are not just clogging the SIEM solution with every possible kind of log and then trying to make sense of it (though logging everything might be an important requirement for forensics or to fulfil regulatory requirements). If you have use cases designed well in advance, they will help you tremendously in effectively utilizing the collected logs. Use cases will also help you in evaluating which SIEM solution is best suited to your needs.
The Advantage of Having Use Cases Ready before SIEM Implementation
A major advantage of having the use cases ready before SIEM implementation is that use cases will drive the process to:
- Identify all required data sources for logging
Different log sources will provide different perspectives of the same event. You need to identify all log sources which can add value or provide context to the use case that you have defined.
Organizations often do not integrate application logs into the SIEM solution. Applications are usually the ultimate target of attacks, and their logs provide crucial pieces of information.
- Ensure all required logging levels are enabled on each data source and that logs are parsed by the SIEM solution
Logging at the default level might not be enough. You should carefully study what logs are available for each device, server and application, and then decide which ones need to be enabled for a particular use case.
- Customize the default use cases offered by SIEM solution
This is another important step. Default rules might create a lot of false positives or generate alerts which do not require any action. Customizing these default rules is very important, and you may even find you have to disable the default rules if they don’t generate meaningful alerts for your environment.
- Define a process for taking action on alerts/reports generated by each use case
As part of a use case, the process for handling the alerts or reports it generates should be defined, and all stakeholders who are part of the process should be made aware of their roles and the timelines within which they have to respond.
These four processes form a strong foundation for an effective SIEM solution and can be easily driven by a use case-centric SIEM implementation.
Designing the use case
When designing use cases, the IT team and other business stakeholders should be involved. Ideally, a workshop should be held where all team members become familiar with which security risks or operational events IT and the business consider critical, and the use cases should then be designed with this input in mind. In this way, business and IT will find value in the SIEM solution, resulting in a deployment that is effective and linked to business needs.
Another advantage in designing the use cases in consultation with IT is that there will be greater involvement of IT in incident handling and resolution, and they will perceive SIEM as something that is there to aid them instead of something that is there to monitor them.
It’s a good idea to test all of the use cases by generating the required events and performing the whole lifecycle of incident handling as per the defined process. This will ensure that the use cases have been correctly implemented and will actually trigger the expected alert when a real event happens. Also, each team will know what is expected from them and how they have to respond. Milestones of the SIEM project can be linked to successful testing and signoff of the use cases.
An important aspect to consider while designing a use case is to think about higher-level security goals like detecting attacks, signs of compromise, data leakage, DDoS, insider attacks, malicious events, etc., instead of detecting individual system-level events, like a login failure, which in isolation might not bring a lot of value in detecting an actionable security incident.
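The two points above, testing each use case by replaying the events it should catch, and correlating low-value single events into one actionable alert, can be illustrated with a small example. The following is added here and is not code from the original article or from any SIEM product: a minimal correlation rule that turns individual logon events into a single "sign of compromise" alert carrying the response process, plus a self-test that replays constructed events through it. The log format, hostnames, user names, IP addresses, the use-case record and the threshold values are all assumptions constructed for the example.

```python
"""Added example: a use-case-driven correlation rule with a replay test.

Everything here is constructed for illustration; it is not the article's
or any vendor's code. Log lines are "timestamp,host,user,src_ip,outcome".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (invented hosts, users and addresses).
# alice: 5 failures then success within seconds   -> should alert
# bob:   1 failure then success                   -> normal typo, no alert
# carol: 6 failures, success 20 minutes later      -> outside window, no alert
SAMPLE_LOGS = """\
2024-03-01T09:00:01,srv-app01,alice,10.0.0.5,FAILURE
2024-03-01T09:00:03,srv-app01,alice,10.0.0.5,FAILURE
2024-03-01T09:00:04,srv-app01,alice,10.0.0.5,FAILURE
2024-03-01T09:00:06,srv-app01,alice,10.0.0.5,FAILURE
2024-03-01T09:00:07,srv-app01,alice,10.0.0.5,FAILURE
2024-03-01T09:00:09,srv-app01,alice,10.0.0.5,SUCCESS
2024-03-01T09:10:00,srv-app01,bob,10.0.0.9,FAILURE
2024-03-01T09:10:20,srv-app01,bob,10.0.0.9,SUCCESS
2024-03-01T09:20:00,srv-db01,carol,10.0.0.7,FAILURE
2024-03-01T09:20:01,srv-db01,carol,10.0.0.7,FAILURE
2024-03-01T09:20:02,srv-db01,carol,10.0.0.7,FAILURE
2024-03-01T09:20:03,srv-db01,carol,10.0.0.7,FAILURE
2024-03-01T09:20:04,srv-db01,carol,10.0.0.7,FAILURE
2024-03-01T09:20:05,srv-db01,carol,10.0.0.7,FAILURE
2024-03-01T09:40:00,srv-db01,carol,10.0.0.7,SUCCESS
"""

# The use-case record (assumed structure): the goal, the data sources and
# logging it needs, the detection parameters, and who acts on the alert.
USE_CASE = {
    "name": "Password guessing followed by a successful logon",
    "goal": "Sign of compromise, not a single failed logon",
    "data_sources": ["OS authentication logs", "application authentication logs"],
    "logging_requirement": "logon success AND failure must be audited",
    "failure_threshold": 5,
    "window": timedelta(minutes=5),
    "response": {
        "owner": "SOC tier 1, then the server owner",
        "first_action": "disable the account and confirm with the user",
        "respond_within_minutes": 30,
    },
}


def parse_events(text):
    """Parse the constructed CSV-style lines into event dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, src_ip, outcome = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "src_ip": src_ip, "outcome": outcome})
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, use_case=USE_CASE):
    """Emit one alert per (src_ip, user) whose successful logon was preceded by
    at least failure_threshold failures inside the sliding window. The alert
    carries context and the response process, so it is actionable on arrival."""
    threshold, window = use_case["failure_threshold"], use_case["window"]
    failures = defaultdict(deque)  # (src_ip, user) -> timestamps of recent failures
    alerts = []
    for ev in events:
        q = failures[(ev["src_ip"], ev["user"])]
        while q and ev["ts"] - q[0] > window:  # expire failures outside the window
            q.popleft()
        if ev["outcome"] == "FAILURE":
            q.append(ev["ts"])
        elif ev["outcome"] == "SUCCESS" and len(q) >= threshold:
            alerts.append({
                "use_case": use_case["name"],
                "user": ev["user"], "src_ip": ev["src_ip"], "host": ev["host"],
                "failed_attempts": len(q),
                "first_failure": q[0].isoformat(),
                "success_at": ev["ts"].isoformat(),
                "response": use_case["response"],
            })
            q.clear()  # one alert per burst, not one per later success
    return alerts


def run_use_case_test():
    """Replay the constructed events through the rule, as a use-case sign-off
    test would, and return the alerts. Exactly one alert (alice) is expected."""
    alerts = correlate(parse_events(SAMPLE_LOGS))
    assert [a["user"] for a in alerts] == ["alice"], alerts
    return alerts


if __name__ == "__main__":
    for alert in run_use_case_test():
        print(alert)
```

The point of the example is the shape of the output rather than the rule itself: a single failed logon is noise, but five failures followed by a success from the same source within five minutes is a sign of compromise, and the alert that reaches the analyst already names the owner, the first action and the response timeline defined for the use case. The same replay function is what you would run during the workshop sign-off described above, so that a rule that silently stops firing (for instance because failure auditing was disabled on a server) is caught before a real event happens.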
Use cases are the heart of a SIEM solution, and a use case-centric SIEM deployment will ensure you have a healthy SIEM solution, which will greatly improve the overall security posture of your organisation.