
SIEM 201 Use Case Overview VisibleRisk

1 of 9

http://www.visiblerisk.com/blog/2009/8/30/siem-201-use-case-overview...

VISIBILITY AND DEFENSIBILITY THROUGH ANALYTICS

Part 2 of Decurity's Back to School Series:

SIEM 201: SIEM Use Case Definition

Course Prerequisites: A while back I published a diagram and associated text illustrating the benefits of a combined SIEM and Log Management architecture. This diagram/post did a good job of explaining the features and functionality of Log Management and SIEM at a very high level. If you haven't seen that post or if you haven't read Decurity's SIEM 101 previously, I would encourage you to go back and take a look. Basic concepts from those resources will help in understanding Use Cases and how they apply to SIEM.

Introduction:

In my experience I've noticed that SIEM customers use something like 30% or less of the functionality of the tool they bought. That number is actually probably pretty high when you consider the fact that a very high percentage of customers are only using the

2/20/2015 1:44 AM

advanced users out there, no doubt, and this post will help them as well, but it is really focused on providing a framework to advance the majority of SIEM users so they can gain a better appreciation for how to maximize the value of their SIEM investment.

The process (and diagram) that follows outlines how Decurity looks at use cases related to SIEM. We are providing this information in the hope that you'll internalize it as part of your SIEM operations. Decurity will also be announcing in the very near future an online solution using this methodology so that you can track/update/share your use cases/solutions; contact us if you're interested in learning more about that solution.

Use Case Requirement:

The most simplistic advice I can give is that you should try to focus on the output first. What is the point of the work effort? What is the problem we are trying to solve? What is the intended action/output? Who benefits from this and, more importantly, why do they benefit from this solution? Then you can move into questions like: what information is required to solve the problem?

The information provided in this article will help to guide you through the process. Implementing solutions in your SIEM in an ad hoc manner will result in failure or at best very temporary and minimalistic gains. If you don't believe me you can ask any of the hundreds of organizations who tried it before you.

Use Case Illustration:

General:

This is the most basic logistical information related to the use case and related solution. It provides a documentation framework.

Author: Who was involved in the creation/authoring of the solution?
ID, Version and Date: What is the current version and ID, and the last date of update?
Objects, Artifacts: Links to objects (externalized or within the solution) used within the solution, for example the configuration objects like reports, rules, dashboards, etc.
Solution Description: Quick reference to the solution, using categorization that makes sense for your organization.
References: Corporate or external documents that act as reference material for your use case and/or solution.

Business Justification:

This is the problem being addressed from a corporate perspective. One or more business problems may apply, but each should be documented in some fashion.

Business Problem Description: What are the specific problems that need to be addressed?
Business Owner(s): Who owns the actions for output of the system? Who owns relevant Systems, Applications and Data? Who is Compliance, Risk, Audit, Fraud, Legal, HR, Other?
Current Solution: Today, how is this problem addressed? How can it be improved?
Expectations: What is it that the business owners expect from the solution?
Priority: What is the value of solving this issue, or conversely what is the cost of not solving this issue?

Technical Requirements:

Need: Active statements: "The system shall...", "We have to *(DO SOMETHING)*". Define that something.
Action: Action(s) and/or Output(s) required from the system.
Actor: Relative to a *(PERSON/TEAM)*.
Event: Specific scenario(s) to be evaluated.
Context: Relevant environmental conditions. How does our knowledge of this environment affect how we can refine the analysis and output? Some examples of context that should be considered are: Organizational Structure, Business Units, Application and/or Data Categorizations, Network Segmentation, System Configurations, Users, Hot Lists, Vulnerability Data, Data/System/User Criticality, other environment-specific information.
Timing: Within, before, at, during, after.
Logic: Boolean logic statements (T/F) using AND, OR, IF, THEN, NOT as conditions.
Collection:

Data Accessibility: Are there physical, logical, business, technical or political barriers to having the relevant data?
Data Format: Is the data readily comprehended by our solution? Is customization of the data necessary or possible? Do we need to update logging standards?
Data Relevance:
  o Content: What elements of the data provide us the necessary context? Which exact fields are relevant?
  o Timing: Do we receive it often enough to be relevant to our proposed solution?
Data Location: Does the data reside in a centralized, easily accessed location? Is it already aggregated, normalized or filtered in a way that would adversely affect our proposed solution?

Note: You can and should use these questions and related answers as justification for your enterprise visibility project. Logging standards, data access and reliable access to the information are very often the proverbial long pole.

Proposed Solution:

Technology/Process: Does SIEM make sense to solve this problem, given the data we have, our environment and the proposed solution? Can we solve this using other technology or processes in a more efficient/effective manner? SIEM is great, but not always the answer.
Configuration: What SIEM configuration(s) provide us with the most efficient and effective solution? Is it simply a report or do

variables/obstacles. Knowing the capabilities of your product will help you to understand how to configure it. Advanced Use Cases, Custom Applications, Fraud Detection, etc. require a non-traditional data set and logic approach, well, at least non-traditional from the security administrator's perspective. Having the flexibility to compare against user-defined fields is key to solving those use cases. If you find yourself unable to solve a number of core use cases then it might be time to consider training, external advice or, as a last resort, a new solution.
Expected Outcome: What is it that we expect to see from the system? For example: "Within n minutes, we should see x when y occurs."
Known False Positive: How are false positives differentiated from known bad activities, and how can we tune our systems/data/environment to reduce the number of valid activities we respond to?
Known Gaps: Relative to the problem set described, what do we expect that this solution will miss? How can we close those gaps?
Alternative Methods: Within the SIEM or external to SIEM, what are alternative ways to address some subset of this problem? Do related solutions already exist?
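As an added illustration (not part of the post or of any Decurity tool), here is one use case written down against the Technical Requirements fields above (Need, Action, Actor, Event, Context, Timing, Logic) and then run against a constructed event set so that the Expected Outcome and Known False Positive items of the Proposed Solution can be checked. The account names, hosts, threshold and window are all assumed sample values.

```python
from datetime import datetime, timedelta

# Use case written against the post's Technical Requirements fields (Need,
# Action, Actor, Event, Context, Timing, Logic) plus Expected Outcome and
# Known False Positive. All values are constructed samples, not the post's.
USE_CASE = {
    "need": "The system shall flag a successful logon after a burst of failures",
    "action": "Open an incident and notify the SOC",
    "actor": "SOC Tier 1 analyst",
    "event": "5 or more failed logons then a success, same user and source",
    "context": {"critical_hosts": {"fin-db01"}},  # Data/System Criticality
    "timing_minutes": 10,                          # Timing: "within"
    "threshold": 5,
    "known_false_positives": {"svc_backup"},       # scripted service account
}
BASE = datetime(2015, 2, 20, 1, 0)  # constructed timestamp origin

def logon_sequence(user, src, host, failures, success_offset):
    """Constructed events shaped (time, user, src, host, outcome)."""
    seq = [(BASE + timedelta(minutes=i), user, src, host, "failure")
           for i in range(failures)]
    seq.append((BASE + timedelta(minutes=success_offset), user, src, host, "success"))
    return seq

# Constructed sample log: one true positive, one stale burst, one known FP.
EVENTS = (logon_sequence("jdoe", "10.0.0.5", "fin-db01", 5, 6)
          + logon_sequence("asmith", "10.0.0.7", "web01", 5, 40)
          + logon_sequence("svc_backup", "10.0.0.9", "web02", 5, 5))

def evaluate(use_case, events):
    """Logic: IF success AND failures >= threshold WITHIN window AND NOT known FP."""
    window = timedelta(minutes=use_case["timing_minutes"])
    failures = {}  # (user, src) -> failure timestamps seen so far
    alerts = []
    for ts, user, src, host, outcome in sorted(events):
        key = (user, src)
        if outcome == "failure":
            failures.setdefault(key, []).append(ts)
            continue
        recent = [t for t in failures.get(key, []) if ts - t <= window]
        if len(recent) < use_case["threshold"]:
            continue  # Expected Outcome not met within Timing: no alert
        if user in use_case["known_false_positives"]:
            continue  # Known False Positive: suppressed, log for tuning instead
        # Context refines the output: criticality of the target host sets priority
        priority = "high" if host in use_case["context"]["critical_hosts"] else "medium"
        alerts.append({"user": user, "src": src, "host": host,
                       "failures": len(recent), "priority": priority})
    return alerts
```

Replaying the same evaluate() over an existing data set before the rule goes to production is the Lab Validation step the QA section asks for; the stale burst and the service account show which inputs should produce no alert.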
QA:

Performance: Is the solution efficient? Does it cause significant system degradation? Have you built content to monitor for efficiency?
Functionality: Is this providing an acceptable solution for the users and owners? Are refinements required?

Lab Validation: Were lab tests meaningful and successful?

Note: You might get the sense from my wording that QA is an ongoing activity; you'd be correct. If your lab has irrelevant data/systems, your tests are meaningless. Testing new correlation scenarios against an existing data set is invaluable. Knowing how the system is going to respond before you implement into production saves time, effort and headaches.

Operations:

Feedback: You need a periodic feedback loop to ensure you are in touch with the owners' needs and updating/planning around upcoming requirements.
Monitor: Changes are inevitable, from process, people and environment to threats and data sets; you will need to stay in touch with how your SIEM is supporting the evolving requirements.
Refine: Simple refinements may be applied daily/weekly/monthly.
Enhance: Do we need to add more/better data sets? Is there better logic that can be applied? Do new or related use cases offer better insight?
Validations: What does the normal operation of this use case look like, and how would you know abnormal behavior of your solution?

Course Summary:

So it should be clear by now that we think SIEM is a great tool, with tons of potential to identify new activities you couldn't previously consider and to automate definable activities and facilitate workflow.

your organization. This guide and related articles/posts will go a long way to assist you with your efforts. If not, reach out and we'll find other ways to help you!

Remember that SIEM is a process, not just a tool. If you aren't making changes to your SIEM on a daily basis (or having someone make changes for you) you are not getting the most from your SIEM. Threats constantly evolve, your networks/systems/data/users are always being modified, your understanding of your environment is always changing; shouldn't your detection techniques also be enhanced on a daily basis? The more time you spend on use cases as identified in this post, the more value you'll receive out of your SIEM.

Disclaimer: Not every vendor solves problems in the same manner. Due to technological differences, wildly varying skills of consultants and comprehension of the actual problem and/or data, your mileage will vary. That said, the approach we are documenting here will work with any SIEM and should be used every time you think about solving new problems using your SIEM. It does mean effort has to be applied, but it also means you will have objective measurements of success when it comes to the value your SIEM is providing.
