Cloud SIEM Use Cases - Part 1

One of the challenges with the legacy SIEM is that those use correlation rules. The organisation needs deep technical expertise and continuous investment to keep up with the new threat and know what type of attack must be detected. On the other hand, a modern SIEM uses behaviour-based analytics (UEBA), which helps address unknown attacks, insider threats, and different types of complex attacks. With the entry of IoT and increased cloud adoption, threat actors will have the edge to create newer types of threats and device unique ways to penetrate enterprise systems. So, SIEM should continue to polish its capabilities across users, networks, devices, applications, and cloud environments.

1 ) Building SIEM use cases.

SIEM is a powerful tool, able to spot threats, provided that they are accurately defined and searched for in the right place. These should essentially inform whether something is happening or has happened. Building a practical SIEM security use case should focus on three elements: insight, data, and analytics. Cloud architects and security directors should frame use cases as insights, powered by analytics and fuelled with data.

2) Organising and prioritising your SIEM use cases

Every use case has its lifecycle, which is why it's necessary to catalogue, review and optimize them. If you don't do this, you may have the same use cases covering one area while leaving other areas uncovered. This situation can also lead to generating false positives or negatives on the part of the SIEM solution. A given use case will typically follow the cycle outlined below. Each phase will require a different level of effort, depending on the size and maturity of your organization.  Once a use case retires from your SIEM solution, you will have to clean it up and update your use case catalogue accordingly. Use cases can be easily categorized into hierarchical families for compliance and threat detection and business-level applications.

3) Use Case Framework

There are multiple frameworks available you can use to build SIEM use cases. For this example, let's look at the most effective frameworks, MITRE ATT&CK and Lockheed Martin Cyber Kill Chain. Both frameworks have two sections: pre-and post-attack. Pre-attack includes all use cases/rules that relate to target selection and finding vulnerabilities. Meanwhile, post-attack involves use cases/regulations related to delivery, execution, connection, and extraction.  SIEM use cases are an essential part of making sure your SOC functions at its best. They can determine whether an attack within your network will be detected or missed and at what stage you can detect incoming threats. SOC analyst proficiency will also vary based on defined use cases. The more tuned and refined the use cases are, the better detection and analysis will be.