Cloud SIEM Use Cases - Part 2

SIEM use cases examples in Modern Threat Landscape

In the previous post, we highlighted that some security use cases are more valuable than others, depending on the size and nature of your organisation. We focus on helping businesses set up their security analytics tool and per the industry's best practices faster.
Prioritise SIEM monitoring for the following list of security use cases, and you'll quickly see value from the solution.


1) Insider Threat :

Insider threats are detected with User Behaviour Analytics (UBA) is a model that assists in tracking the suspicious or malicious intent of cyber attackers. It uses an advanced machine learning technique that monitors system logs, data flow, report generation, and other related information.

  • Insider threat detection is challenging

    Behaviour doesn't set off alerts in most security tools because the threat actor appears to be a legitimate user. However, a SIEM can help discover insider threat indicators via behavioural analysis, enabling security teams to identify and mitigate attacks.

  • File Integrity Monitoring

    The FIM application monitors access to privileged file share systems and provide information on the type of access and the actions performed in the file.

  • Detecting compromised user credentials

    SIEM can use behavioural analysis to see anomalous behaviour by users, indicating a compromise. For example, logins at unusual hours, at unexpected frequency, or accessing random data or systems.

  • Anomalous privilege escalation

    SIEM can detect users changing or escalating privileges for critical systems.

  • Command and control communication

    SIEM can correlate network traffic with threat intelligence to discover malware communicating with external attackers. This is a sign of a compromised user account.

  • Information Leak

    Leakage of information from the company's trusted partner's external to the organization


2) Threat Hunting:

Threat hunting is the process of actively searching for and responding to cyber security threats before they breach your networks or environments. A threat hunt can be conducted on the heels of a security incident and proactively discover new and unknown attacks or breaches.

  • Providing context for security events

    Delivering actionable alerts that provide context and data to help investigate a potential incident.

  • Anomaly detection

    Identifying anomalies across your network and assets using correlations and behavioral analytics.

  • Vulnerability Data and Surfing

    Organizing data around a new vulnerability—timeline and systems, data and users affected, and correlating with historical data for attack patterns or signatures similar to known attacks.

  • Threat intelligence

    Combining threat intelligence with security data to intelligently detect attacks in IT systems.

  • Hypotheses based on known risks

    Helping analysts frame a view and test it by exploring security data in the SIEM.

  • Similar incidents

    checking if "this happened before"—searching security data for patterns identical to a current or previous security incident.


3) IoT Security:

One of the most challenging issues facing enterprises today involves IoT devices. While a considerable benefit to workflows, IoT devices rarely receive any built-in security, and they may suffer from serious vulnerabilities.   So SIEM works to identify unusual traffic patterns connecting to IoT devices and to manage IT vulnerabilities. Additionally, SIEM solutions can detect unpatched or outdated systems.

  • Denial of Service (DoS) attacks

    Identifying unusual traffic from organization-owned IoT devices, which an attacker might leverage to perform an attack.

  • IT Vulnerability management

    Detecting old operating systems, access to sensitive data or critical functions, unpatched vulnerabilities, and insecure protocols on IoT devices.

  • Access control

    Monitoring who is accessing IoT devices and connecting to and alerting when the source or target is unknown or suspicious.

  • Data flow monitoring

    IoT devices communicate over unencrypted protocols and can be used as a vehicle to transfer sensitive data. A SIEM can monitor unusual data flows to and from IoT devices and alert security staff.

  • Compromised devices

    Identifying anomalous or suspicious behaviour of IoT devices and alerting security staff that a device or fleet of compromised devices.

  • Threat Intelligence

    Identifying devices communicating to C&C based on threat intelligence IOCs  


4) Data Exfiltration:

Data exfiltration is the unauthorised copying, transfer, or retrieval of data from a computer or other device, typically by cybercriminals over the Internet or other networks. Data exfiltration can be challenging to detect, and as it involves the transfer or moving of data within and outside a company's network, to reliably detect data exfiltration, organisations need to distinguish between unauthorised and authorised data transfer.

  • Backdoors, rootkits, and botnets

    Monitoring network traffic communication (HTTP/s/DNS) towards command-and-control [C&C] server and identifying infected systems transmitting data to unauthorised parties.

  • FTP/ SFTP/RDP/ HTTP/S

    Monitoring network traffic over protocols that facilitate large data transfer and alerting when unusual quantities or file types are transferred or when the target is unknown or malicious.

  • Cloud Storage

    A rapidly emerging vector for exfiltration, which attackers are occasionally using for C&C and exfiltration.

  • Web applications

    Monitoring usage of organizational web applications by outsiders or inside the use of external web applications, which might involve downloads or browser access to sensitive data.

  • Email forwarding

    Monitoring emails (SMTP traffic) forwarded or sent to entities other than trusted.

  • Lateral movement

    Data exfiltration typically involves attackers attempting to escalate privileges or accessing other IT systems on their way to a lucrative target. SIEMs can detect lateral movement by correlating data from multiple IT systems.

  • Mobile data security

    a SIEM can monitor data from the mobile workforce and identify anomalies that might indicate information leakage via a mobile device

  • Rapid Encryption

    It can detect the encryption of the data on the user systems. These bizarre incidents on the user data can be ransomware attacks.


5) GDPR Compliance:

The General Data Protection Regulation (GDPR) is Europe's new framework for protecting security and privacy for Personally Identifiable Information (PII). It states that the institutions must obtain explicit consent from individuals before collecting their data and keep it confidential. GDPR applies to any legal entity which stores, controls, or processes personal data for EU citizens and focuses on two categories: personal data, such as an IP address or username, and sensitive personal data, such as biometric or genetic data.

  • GDPR logging and auditing

    Monitoring critical changes to credentials, security groups, auditing databases and servers are storing PII and automatically tracking assets that hold sensitive data.

  • Breach notification

    Detecting data breaches, alerting security staff, analysing the incident to uncover full impact, and quickly generate detailed reports required by GDPR.

  • Record of data processing

    Identifying events related to personal data, auditing any changes to the data, and generating reports as required by GDPR.

SIEM use cases examples in Modern Threat Landscape

As we've mentioned earlier, some security use cases are more valuable than others, depending on the size and nature of your organization. We concentrate on helping businesses swiftly set up their security analytics tool and per the industry's best practices. Prioritize SIEM monitoring for the following list of security use cases, and you'll quickly see value from the solution.

1) Insider Threat :

Insider threats are detected with User Behavior Analytics (UBA) is a model that assists in tracking the suspicious or malicious intent of cyber attackers. It uses an advanced machine learning technique that monitors system logs, data flow, report generation, and other related information.

◼ Insider threat detection is challenging

behavior doesn't set off alerts in most security tools because the threat actor appears to be a legitimate user. However, a SIEM can help discover insider threat indicators via behavioral analysis, helping security teams identify and mitigate attacks.20:04

◼ File Integrity Monitoring

The FIM application monitors access to privileged file share systems and provides information on the type of access and the actions performed in the file.

◼ Detecting compromised user credentials

SIEM can use behavioral analysis to see anomalous behavior by users, indicating a compromise. For example, logins at unusual hours, at unexpected frequency, or accessing unexpected data or systems.

◼ Anomalous privilege escalation

SIEM can detect users changing or escalating privileges for critical systems.

◼ Command and control communication

SIEM can correlate network traffic with threat intelligence to discover malware communicating with external attackers. This is a sign of a compromised user account.

◼ Information Leak

Leakage of information from the company's trusted partner's external to the organization

2) Threat Hunting:

Threat hunting is the process of actively searching for and responding to cyber security threats before they breach your networks or environments. A threat hunt can be conducted on the heels of a security incident and proactively discover new and unknown attacks or breaches.

◼ Providing context for security events

Delivering actionable alerts that provide context and data to help investigate a potential incident.

◼ Anomaly detection

Identifying anomalies across your network and assets using correlations and behavioral analytics.

◼ Vulnerability Data and Surfing

Organizing data around a new vulnerability—timeline and systems, data and users affected, and correlating with historical data for attack patterns or signatures similar to known attacks.

◼ Threat intelligence

Combining threat intelligence with security data to intelligently detect attacks in IT systems.

◼ Hypotheses based on known risks

Helping analysts frame a view and test it by exploring security data in the SIEM.

◼ Similar incidents

checking if "this happened before"—searching security data for patterns identical to a current or previous security incident.

3) IoT Security:

One of the most challenging issues facing enterprises today involves IoT devices. While a considerable benefit to workflows, IoT devices rarely receive any built-in security, and they may suffer from serious vulnerabilities.   So SIEM works to identify unusual traffic patterns connecting to IoT devices and to manage IT vulnerabilities. Additionally, SIEM solutions can detect unpatched or outdated systems.

◼ Denial of Service (DoS) attacks

Identifying unusual traffic from organization-owned IoT devices, which an attacker might leverage to perform an attack.

◼ IT Vulnerability management

Detecting old operating systems, access to sensitive data or critical functions, unpatched vulnerabilities, and insecure protocols on IoT devices.

◼ Access control

Monitoring who is accessing IoT devices and where they connect to and alerting when source or target is unknown or suspicious.

◼ Data flow monitoring

IoT devices communicate over unencrypted protocols and can be used as a vehicle to transfer sensitive data. A SIEM can monitor unusual data flows to and from IoT devices and alert security staff.

◼ Compromised devices

Identifying anomalous or suspicious behavior of IoT devices and alerting security staff that a device or fleet of devices has been compromised.

◼ Threat Intelligence

Identifying devices communicating to C&C based on threat intelligence IOCs  

4) Data Exfiltration

Data exfiltration is the unauthorized copying, transfer, or retrieval of data from a computer or other device, typically by cybercriminals over the Internet or other network. Data exfiltration can be challenging to detect, and as it involves the transfer or moving of data within and outside a company's network, to reliably detect data exfiltration, organizations need to distinguish between unauthorized and authorized data transfer.20:04

◼ Backdoors, rootkits, and botnets

Monitoring network traffic communication (HTTP/s/DNS) towards command-and-control [C&C] server and identifying infected systems transmitting data to unauthorized parties.

◼ FTP/ SFTP/RDP/ HTTP/S

Monitoring network traffic over protocols that facilitate large data transfer and alerting when unusual quantities or file types are being transferred or when the target is unknown or malicious.

◼ Cloud Storage

A rapidly emerging vector for exfiltration, which attackers are occasionally using for C&C and exfiltration.

◼ Web applications

Monitoring usage of organizational web applications by outsiders or inside the use of external web applications, which might involve downloads or browser access to sensitive data.

◼ Email forwarding

Monitoring emails (SMTP traffic) forwarded or sent to entities other than trusted.

◼ Lateral movement

Data exfiltration typically involves attackers attempting to escalate privileges or accessing other IT systems on their way to a lucrative target. SIEMs can detect lateral movement by correlating data from multiple IT systems.

◼ Mobile data security

a SIEM can monitor data from the mobile workforce and identify anomalies that might indicate information leakage via a mobile device.

◼ Rapid Encryption

It can detect the encryption of the data on the user systems. These bizarre incidents on the user data can be ransomware attacks.

5) GDPR Compliance:

The General Data Protection Regulation (GDPR) is Europe's new framework for protecting security and privacy for Personally Identifiable Information (PII). It states that the institutions must obtain explicit consent from individuals before collecting their data and keep it confidential. GDPR applies to any legal entity which stores, controls, or processes personal data for EU citizens and focuses on two categories: personal data, such as an IP address or username, and sensitive personal data, such as biometric or genetic data

◼ GDPR logging and auditing

Monitoring critical changes to credentials, security groups, auditing databases and servers storing PII and automatically tracking assets that store sensitive data.

◼ Breach notification

Detecting data breaches, alerting security staff, analyzing the incident to uncover full impact, and quickly generating detailed reports required by GDPR.

◼ Record of data processing

Identifying events related to personal data, auditing any changes to the data, and generating reports as required by GDPR.

ACCESS OUR PUBLICATIONS