SIEM use cases examples in Modern Threat Landscape
In the previous post, we highlighted that some security use cases are more valuable than others, depending on the size and nature of your organisation. We focus on helping businesses set up their security analytics tool and per the industry's best practices faster.
Prioritise SIEM monitoring for the following list of security use cases, and you'll quickly see value from the solution.
1) Insider Threat :
Insider threats are detected with User Behaviour Analytics (UBA) is a model that assists in tracking the suspicious or malicious intent of cyber attackers. It uses an advanced machine learning technique that monitors system logs, data flow, report generation, and other related information.
Insider threat detection is challenging
Behaviour doesn't set off alerts in most security tools because the threat actor appears to be a legitimate user. However, a SIEM can help discover insider threat indicators via behavioural analysis, enabling security teams to identify and mitigate attacks.
File Integrity Monitoring
The FIM application monitors access to privileged file share systems and provide information on the type of access and the actions performed in the file.
Detecting compromised user credentials
SIEM can use behavioural analysis to see anomalous behaviour by users, indicating a compromise. For example, logins at unusual hours, at unexpected frequency, or accessing random data or systems.
Anomalous privilege escalation
SIEM can detect users changing or escalating privileges for critical systems.
Command and control communication
SIEM can correlate network traffic with threat intelligence to discover malware communicating with external attackers. This is a sign of a compromised user account.
Information Leak
Leakage of information from the company's trusted partner's external to the organization
2) Threat Hunting:
Threat hunting is the process of actively searching for and responding to cyber security threats before they breach your networks or environments. A threat hunt can be conducted on the heels of a security incident and proactively discover new and unknown attacks or breaches.
Providing context for security events
Delivering actionable alerts that provide context and data to help investigate a potential incident.
Anomaly detection
Identifying anomalies across your network and assets using correlations and behavioral analytics.
Vulnerability Data and Surfing
Organizing data around a new vulnerability—timeline and systems, data and users affected, and correlating with historical data for attack patterns or signatures similar to known attacks.
Threat intelligence
Combining threat intelligence with security data to intelligently detect attacks in IT systems.
Hypotheses based on known risks
Helping analysts frame a view and test it by exploring security data in the SIEM.
Similar incidents
checking if "this happened before"—searching security data for patterns identical to a current or previous security incident.
3) IoT Security:
One of the most challenging issues facing enterprises today involves IoT devices. While a considerable benefit to workflows, IoT devices rarely receive any built-in security, and they may suffer from serious vulnerabilities. So SIEM works to identify unusual traffic patterns connecting to IoT devices and to manage IT vulnerabilities. Additionally, SIEM solutions can detect unpatched or outdated systems.
Denial of Service (DoS) attacks
Identifying unusual traffic from organization-owned IoT devices, which an attacker might leverage to perform an attack.
IT Vulnerability management
Detecting old operating systems, access to sensitive data or critical functions, unpatched vulnerabilities, and insecure protocols on IoT devices.
Access control
Monitoring who is accessing IoT devices and connecting to and alerting when the source or target is unknown or suspicious.
Data flow monitoring
IoT devices communicate over unencrypted protocols and can be used as a vehicle to transfer sensitive data. A SIEM can monitor unusual data flows to and from IoT devices and alert security staff.
Compromised devices
Identifying anomalous or suspicious behaviour of IoT devices and alerting security staff that a device or fleet of compromised devices.
Threat Intelligence
Identifying devices communicating to C&C based on threat intelligence IOCs
4) Data Exfiltration:
Data exfiltration is the unauthorised copying, transfer, or retrieval of data from a computer or other device, typically by cybercriminals over the Internet or other networks. Data exfiltration can be challenging to detect, and as it involves the transfer or moving of data within and outside a company's network, to reliably detect data exfiltration, organisations need to distinguish between unauthorised and authorised data transfer.
Backdoors, rootkits, and botnets
Monitoring network traffic communication (HTTP/s/DNS) towards command-and-control [C&C] server and identifying infected systems transmitting data to unauthorised parties.
FTP/ SFTP/RDP/ HTTP/S
Monitoring network traffic over protocols that facilitate large data transfer and alerting when unusual quantities or file types are transferred or when the target is unknown or malicious.
Cloud Storage
A rapidly emerging vector for exfiltration, which attackers are occasionally using for C&C and exfiltration.
Web applications
Monitoring usage of organizational web applications by outsiders or inside the use of external web applications, which might involve downloads or browser access to sensitive data.
Email forwarding
Monitoring emails (SMTP traffic) forwarded or sent to entities other than trusted.
Lateral movement
Data exfiltration typically involves attackers attempting to escalate privileges or accessing other IT systems on their way to a lucrative target. SIEMs can detect lateral movement by correlating data from multiple IT systems.
Mobile data security
a SIEM can monitor data from the mobile workforce and identify anomalies that might indicate information leakage via a mobile device
Rapid Encryption
It can detect the encryption of the data on the user systems. These bizarre incidents on the user data can be ransomware attacks.
5) GDPR Compliance:
The General Data Protection Regulation (GDPR) is Europe's new framework for protecting security and privacy for Personally Identifiable Information (PII). It states that the institutions must obtain explicit consent from individuals before collecting their data and keep it confidential. GDPR applies to any legal entity which stores, controls, or processes personal data for EU citizens and focuses on two categories: personal data, such as an IP address or username, and sensitive personal data, such as biometric or genetic data.
GDPR logging and auditing
Monitoring critical changes to credentials, security groups, auditing databases and servers are storing PII and automatically tracking assets that hold sensitive data.
Breach notification
Detecting data breaches, alerting security staff, analysing the incident to uncover full impact, and quickly generate detailed reports required by GDPR.
Record of data processing
Identifying events related to personal data, auditing any changes to the data, and generating reports as required by GDPR.
.webp)
