All Articles

Threat hunting or monitoring is the practice of actively seeking out cyber threats in an organization or network. A threat hunt can be conducted during a security incident, or pre-incident time to discover new and unknown attacks or breaches. Threat hunting requires quality use cases which can run on top of the security data across the organization, and pin point the required information to complete the threat investigation. These use case works on top of the correlation engine provided by SIEM platform.

SIEM is a very expensive and powerful tool. Getting maximum out of the SIEM tool is always a challenging task. One of the easy ways to fully utilize the SIEM capability is to define and implement Security Use Cases which gives all team members a reference library to leverage as they describe business- and security-related procedures within the security operations.

Security Use Cases are the pre-built content package offered by SIEM vendors that contains correlation rules, reports, dashboards, watchlist, alarms, etc. for the quick investigation of security threats within the SOC (Security Operation Centre) environment. These Use Cases are easy to implement and customize the SIEM tool as per the organization’s needs and very helpful for Security Analysts for performing incident analysis and triage.

SIEM is all about the security contents. The more quality of use case you have in SIEM, the more will be the threat detection chances in terms of reduced false-positive incidents. Use Case development is a continuous task and needs time and expertise. Many organization struggles to keep pace with the rapidly changing threat landscape and failed to get maximum out of the SIEM due to lack of quality Use cases. It is very important to have the quality of use cases implemented on SIEM for the success of Security Operations.

SIEM has matured over the time and all the leading SIEM vendors have out of box set of content packs which can be easily utilize with ongoing customization and tuning. No need to invest resource for developing from scratch.

Now choosing which Use Case are applicable to the organization is the key for the success of Security Monitoring Program. In this article, I will discuss the approach which one can adopt to successfully secure there environment.

I have developed a set of security use case approach with my many years of security operations experience which will be effective in security operations and help organizations to achieve ROI (Return of Investment) of their SIEM implementation. The followings are the threat monitoring use case approach:

Advance Threat Use Cases:
Security threats continue to be more sophisticated and advanced with each day, with the majority often going completely undetected because of the rise of Advanced Persistent Threats (APTs) and insider attacks. Organizations are usually scrambling to keep up even after implementing SIEM to protect themselves. Under Advance Security Use Case package, organization can implement set of contents which will help the organization to provide a great deal of visibility into an organization’s networks (On-premise, Cloud or Hybrid) and identify extremely sophisticated threats that may have otherwise been hidden. These contents will unleased the capability of SIEM advanced correlation engines as well as big data analytics to provide insightful analysis and forensics into the overall data.

Advance Threat Use Cases covers a comprehensive area of security threats which includes, but not limited to, malware activity monitoring, suspicious activities detection, data exfiltration attempts, DNS activities monitoring, Zero-day threat detection, exploit monitoring, windows activities monitoring, privileged user activity monitoring, phishing, UBEA, and network anomaly detection.

Generally mapping the entire cyber security kill chain is the aim of this Use case. One can use MITRE ATT&CK framework as reference for this as well. https://attack.mitre.org/matrices/enterprise/

I would recommend to use your Tier3/Level3 Security expert/SME to regularly invest time to develop and fine tune these use cases for the monitoring team.

Device-Specific Use Case:
In a typical incident investigation process, after the incident triage, further investigation of the incident required. For this security analysts need granule level overview of the impacted device or environment to make a critical discussion to conclude the breach vs false positive. That information may be in the form of a dashboard where the analyst can drill down to do further investigation.

To support the further investigation of incidents, Organization has to develop the Device-specific (Firewall, Endpoint Protection, Proxy, Cloud security etc, Network Security, Servers, Applications) use cases which can be implemented on the existing SIEM solution. These use cases will help analysts to get a deep level of information and drill-down capabilities during the threat investigation and forensics.

Device-Specific use cases designed to focus on a particular security (Firewall, Endpoint Protection, Web Gateway, Email Security, etc.) or network product (Flow based use cases) and environment (such as cloud, network, security, applications, database, etc.)

I would recommend Tier2/Level2 analyst should invest time on these Rules/Dashboards for further 2nd level of investigation.

Compliance Specific Use Cases:
IT compliance is the set of rules laid down by the government which must meet by the organizations in order to do business with a particular client or in a particular market/domain such as health, financial, or educational, public/private sectors, etc.

Since IT compliance implies detecting and reporting threats, having a combination of SIEM and Compliance Specific Use case package within the organization is the first step to conducting business according to rules and regulations. Implementing compliance specific use cases on existing SIEM solutions will make organization become IT compliant with any of the acts and regulations.

Technical aspects of the regulations and compliance can be easily tracked, maintained and automated by the SIEM tool using the content packages. These use case packages can be used to provide on-demand information during external/internal audits. Data retention is the key aspect of the compliance and their status can be presented at any given point using dashboards of content package. The pre-built reports can be used for generating compliance reports at any point in time.

All leading SIEM vendors has the Use Case package for all the leading regulations and compliance such as GDPR, PCI-DSS, SOX, HIPPA, GPG13, ISO 27002, etc.

Cloud Specific Use Cases:
All the organization is moving or already moved to the cloud or SaaS services so securing resources in the cloud environment is the big changeling and must be on the priority while designing any security monitoring program.

Security Content for cloud/hybrid environment such as AWS, Azure, IBM Cloud, Microsoft Office 365 etc. for the active monitoring and preventing mis-configurations, Controlling and Monitoring Access, Protecting Cloud Resource Integrity, Anomalous User and Account Behavior, Monitoring Critical Data Applications and Resources, Enhanced Analysis of Flow Traffic is core to

All SIEM vendors provides pre-build cloud use cases packaged into apps/downloads which can be quickly utilize for rapidly deploy workflows, visualizations,analytics to address specific security requirements.


Internal Threat Monitoring Use Case:
Keeping close eye on the internal resources (Users, Assets etc.) is another critical aspect of the security monitoring for the successful security monitoring program. The ideal case, is to get automated alert/report of any abnormal activities or with few clicks is desirable in today's changing security landscape.

I would recommend to use Machine learning and Behavioral-based correlation for tracking Users/assets and alerts/automated responses based on the risk scores tied to specific services and communication of events or thresholds of changes in these indicators.