19 December 2013

Use Cases, used well   Security Information and Event Management (SIEM) can be a massively useful tool in helping organisations discover Spam bots on their networks, identify malpractice by staff, detect Advanced Persistent Threats (APTs) and much more.  However, SIEM can also drown IT staff in a sea of data where events go unnoticed and hard disks are filled with information that no one will ever look at.  The secret to success with SIEM lies in appropriate use of Use Cases.   Deployments of SIEM are steadily increasingly, in part due to the publication of the Government’s Good Practice Guide 13 (GPG13), a set of guidelines recommending protective monitoring as a means of securing sensitive data but more importantly, to improve visibility into the company network and usage.  GPG13 compliance is now recommended for suppliers to the MoD and many councils too are deploying SIEM on government advice.   The strength of SIEM lies in its ability to correlate data from a multitude of sources and compare relevant events together.  Intrusion Detection Systems (IDS) are notorious for the false positives they generate, but if the data from IDS can be linked with database access logs or information from firewalls, then it is possible to improve the reliability of alerts being generated.  The issue is that each organisation has different sources and different events, and the skill is in looking at the right combination of events.  These combinations are termed Use Cases, and it is absolutely vital to the success of any SIEM project that the Use Cases for a company are defined before SIEM is even bought, let alone deployed.   Selecting the right Use Cases is a skilled job that cannot be covered in detail in a short article of this nature.  However, the intention of this article is to raise awareness of the necessary planning that is required prior to purchase or deployment.  If this is carried out, organisations are less likely to waste money buying and deploying a solution that they cannot make effective use of.   The first step is look for where Use Cases can be drawn from.  Internal company procedures will give good guidance as to expected behaviour.  If any audits have been carried out, then the report will have recommendations of what needs to be addressed.  Another important starting point is workshops: working with stakeholders to find out the Use Cases that most affect the company.   The stakeholders should be asked what is important to maintain a profitable business model and how to reduce the risk to that model.  Use Cases will generally fall into one of the following three categories:  

  • Confidentiality – a data breach for instance
  • Integrity – data being modified by unauthorised sources
  • Availability – an outage of a website or service that breaches the SLA

  This “CIA” three letter acronym will be familiar to any Certified Information Systems Security Professional (CISSP)!   As an example consider a real life example of  an employee who was allowed to work from home and had a virtual private network (VPN) so that he could access the relevant resources to do his work.  The questions that should have been asked to protect the integrity of the system might have been:  

  • How many VPNs are authorised? – multiple VPNs by one person might indicate a compromise
  • Users who are ostensibly logged in – both name and IP address are useful to correlate a valid login
  • Is a user is logged in anywhere else – a user logged in on site should not need remote access
  • Where the VPN originates from – certain countries may be taboo
  • Time of login – Are there hours when access is not permitted or unusual times of day that might indicate a different time zone.
  • Quantity of data – large downloads above company policy should be a warning.

  Had the organisation used these Use Cases, and implemented them through a SIEM system to correlate different data, it would certainly have detected the inappropriate Chinese VPN much sooner.  The same Use Cases might also alert the company to further insider misuse which could affect Confidentiality or Integrity or another breach of the VPN credentials.   IT security company Verzion has published details of this incident that occurred during 2012.  During an investigation, an unauthorised VPN connection was detected on an organisation’s network and, eventually, an employee was found to be outsourcing his work to a third party developer in China.  (http://securityblog.verizonbusiness.com/2013/01/14/case-study-pro-active-log-review-might-be-a-good-idea/).   No IT manager is going to know the most appropriate Use Cases straight away; it takes time to build up this knowledge and it will be different for different organisations.  IT managers need to talk to department heads, understand the company procedures and prioritise Use Cases relating to sensitive data.  Only with this thorough preparation and planning can Use Cases be used well, as part of a successful SIEM deployment.

back to all posts