A well-implemented SIEM platform is key to maintaining a robust cyber security posture.
However, SIEM requires the effective application of use cases or threat detection rules to achieve its full potential.
In the first of this two-part series, we outline the importance of SIEM use cases (or rules) and the limitations of relying upon those provided out of the box with SIEM platforms.
What is SIEM?
Security Information and Event Management (SIEM) is a set of integrated log management and monitoring tools that help organisations detect and respond to cyber-attacks.
SIEM systems aggregate, normalise and correlate log event information from endpoints, infrastructure, and applications in order to detect potentially malicious activity. When anomalous behaviour is identified, an alert is generated for investigation.
Used effectively, SIEM can help organisations to detect threats on their networks, identify potential Indicators of Compromise (IOCs), and much more.
The value of SIEM use cases
The impact of SIEM lies in its capacity to ingest data from a multitude of log sources and correlate relevant events. With each organisation having different sources and events, it is important to focus on correlations most likely to indicate a cyber-attack. This type of analysis results in a use case or threat detection rule – a set of logical conditions used to identify potentially malicious behaviour.
SIEM platforms typically include a standard set of out of the box, pre-defined use cases. Each rule evaluates the data ingested and raises an alert when a potentially malicious pattern of events is identified. Alerts are reviewed by an organisation’s in-house or outsourced security team and, in some cases, are used to trigger automated responses.
Use cases generally fall into one of the three categories of the traditional CIA triad – confidentiality, integrity, and availability. This helps security teams to determine which element(s) are the most important for their organisation in its security posture and informs the consequent prioritisation of security tasks.
Learn more about best practices for creating customised SIEM use cases from a recent Kroll and Redscan webinar.
MITRE ATT&CK and SIEM use cases
To achieve comprehensive detection capability, organisations must consider how to implement coverage of behaviours across the MITRE ATT&CK framework. However, while many security professionals are aware of the general Enterprise matrix related to traditional IT environments, the specialised matrices which cover aspects such as Cloud, Network and Containers are often overlooked. Out of the box use cases often fail to address contemporary threat actor tactics and focus heavily on requirements such as retention and compliance.
Types of use cases that rules can be set up for include:
- Malware – Targeted rules ensure that threats from common malware types are promptly contained and eliminated.
- Lateral movement – Authentication-based use cases support the detection of the lateral movement of attackers through systems and accounts.
- Data modification and exfiltration – File monitoring and network egress use cases defend against sensitive data being modified, stolen, or erased.
- Phishing – Email-based use cases support action to identify and defend against suspicious activity associated with phishing attacks.
- Cloud-focused threats – With the ongoing trend of cyber security threats specifically targeting assets and data in the cloud, rules can be designed to help monitor specific cloud and hybrid environments.
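As an added example (not code from this post or from Kroll/Redscan), the Python below sketches the kind of correlation rule described above and the authentication-based lateral movement use case listed: a set of logical conditions evaluated over normalised logon events, with an allowlist parameter showing where tuning suppresses a known false-positive source. The event records, field names and threshold values are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): normalised interactive logon
# records as a SIEM might hold them after parsing endpoint authentication logs.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "svc-backup", "src": "10.0.0.5", "dst": "fs01"},
    {"ts": "2024-05-01T09:00:40", "user": "svc-backup", "src": "10.0.0.5", "dst": "fs02"},
    {"ts": "2024-05-01T09:01:10", "user": "svc-backup", "src": "10.0.0.5", "dst": "fs03"},
    {"ts": "2024-05-01T09:00:05", "user": "alice", "src": "10.0.1.7", "dst": "ws17"},
    {"ts": "2024-05-01T09:02:00", "user": "alice", "src": "10.0.1.7", "dst": "ws22"},
    {"ts": "2024-05-01T09:03:30", "user": "alice", "src": "10.0.1.7", "dst": "srv-hr"},
    {"ts": "2024-05-01T09:04:00", "user": "alice", "src": "10.0.1.7", "dst": "srv-fin"},
    {"ts": "2024-05-01T11:00:00", "user": "bob", "src": "10.0.2.9", "dst": "ws30"},
]


def lateral_movement_alerts(events, window_minutes=5, min_hosts=3, allowlist=()):
    """Correlation rule: raise one alert when a single account logs on to at
    least `min_hosts` distinct hosts within a sliding `window_minutes` window.
    `allowlist` is the tuning knob: accounts known to fan out legitimately
    (backup or scanning service accounts) are excluded to cut false positives."""
    by_user = defaultdict(list)
    for e in events:
        if e["user"] in allowlist:
            continue
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["dst"]))

    alerts = []
    window = timedelta(minutes=window_minutes)
    for user, logons in by_user.items():
        logons.sort()  # chronological order so the window slides forward
        for i, (start, _) in enumerate(logons):
            hosts = {dst for ts, dst in logons[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "hosts": sorted(hosts),
                               "window_start": start.isoformat()})
                break  # one alert per account per burst, not one per logon
    return alerts


if __name__ == "__main__":
    # Untuned: the backup service account fires too; tuned: only the analyst case.
    for a in lateral_movement_alerts(EVENTS):
        print("untuned:", a)
    for a in lateral_movement_alerts(EVENTS, allowlist=("svc-backup",)):
        print("tuned:  ", a)
```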
The limitations of out of the box use cases
Even when out of the box use cases are focused on threat detection, they may quickly become stale and fail to adapt to the latest threats. Implementing a process of ongoing detection creation and tuning provides protection against emerging security risks.
It’s all too easy to assume that investing in an out of the box SIEM means that the use cases it comes with are set up to work immediately. However, the reality is that a great deal of tuning and reconfiguration is required to ensure that they perform effectively.
Out of the box use cases can trigger many false positives, while simultaneously failing to provide appropriate coverage for the specific technologies deployed within the environment.
Added to this, out of the box use cases are often geared toward the detection of compliance issues or improving IT operational effectiveness, but are not external-threat or adversary-orientated, which can create significant gaps in an organisation’s security coverage.
Maximising the value of SIEM
While pre-defined SIEM rules provide a basic level of performance, businesses need to be able to develop their own bespoke rules in order to expand threat coverage and visibility across their environments. By doing so, they are less likely to waste money buying and deploying a solution which does not fully meet all of their security priorities, particularly around detection of novel and emerging threats.
Developing a set of bespoke use cases will enable you to minimise the risk of cyber-attacks going undetected and impacting your organisation’s finances, reputation and compliance status. We’ll explore what’s involved with achieving this in the second part of this blog series.