Security Monitoring - Use Case Frameworks
Security monitoring use cases are the beating heart of any security monitoring system. Even when a system is equipped with ‘out-of-the-box’ detection capabilities, there are still use cases running under the hood. This is true for SIEM systems with default content packs as well as for intrusion detection systems and more advanced network traffic analysis systems.

The only exception here would be systems that apply unsupervised machine learning. This is because there is no true use case, only statistics and thresholds that are applied to differentiate ‘normal’ from ‘abnormal’ behavior. The lack of a use case in these systems is, in my opinion, exactly the reason why such detection capabilities often provide little added value.

Back to use cases. An important question to ask is: what exactly is a use case? In a security monitoring context, I believe that a use case is “a security monitoring scenario that is aimed at the manifestation of a cyber threat”. This is the definition that we created as a working group of the Dutch FI-ISAC when we created the MaGMa use case framework ( I know that this is highly simplified (there are many elements to consider), but I think it captures the essence of use cases. To break down a use case into usable parts, it is worth looking at use cases from different levels:
  • A high level that explains the use case in terms of risk. Use this level to talk to stakeholders and the business.
  • An intermediate level that explains how the high-level risk could be exploited by cyber criminals. Use this level to integrate with threat intelligence TTPs.
  • A low level that shows how detection of that exploitation is implemented in detection technology.
These levels correspond to the MaGMa L1, L2 and L3 levels respectively. The MaGMa use case framework can be used to structure use cases, document them and, most importantly, measure their performance through 3 metrics.
Using the MaGMa framework has brought us 4 important benefits:
  1. It has provided us with insight into which areas of security monitoring require improvement: low level use cases with low scores.
  2. It has provided us with insight into gaps in security monitoring: intermediate level use cases that have no or insufficient coverage in the
  3. It has provided us with guidance for replacing security components in the network. These security components are tied to use cases. The framework has helped us identify which use cases and the current shortcomings.
  4. It has helped us show how detection use cases reduce high-level risks.

Does anyone have any experience with a security monitoring use case framework? Which one do you use, what are its core features and how has it helped you to evolve your security monitoring service?
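The three-level structure and the four benefits listed in the post can be made concrete with a small registry model. The following is an added example written for this page; it is not code from the post or from the MaGMa framework. The level names follow the post, but the field names, the 0..1 effectiveness score, the thresholds and the sample use cases are assumptions constructed for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Added illustration of a three-level use case registry:
# L1 risk -> L2 threat scenario -> L3 detection rule.
# Score, thresholds and field names are assumptions for this example,
# not MaGMa's own definitions.


@dataclass
class Detection:          # L3: how exploitation is detected in a tool
    id: str
    description: str
    component: str        # sensor or platform the rule runs in
    score: float          # assumed 0..1 effectiveness score


@dataclass
class Scenario:           # L2: how the L1 risk could be exploited
    id: str
    description: str
    ttps: list[str]       # threat-intel TTP references (ATT&CK-style IDs, constructed here)
    detections: list[Detection] = field(default_factory=list)


@dataclass
class Risk:               # L1: the risk as discussed with the business
    id: str
    description: str
    scenarios: list[Scenario] = field(default_factory=list)


def weak_detections(risks: list[Risk], threshold: float = 0.5) -> list[str]:
    """Benefit 1: L3 use cases whose score falls below the threshold."""
    return sorted(d.id for r in risks for s in r.scenarios
                  for d in s.detections if d.score < threshold)


def is_covered(scenario: Scenario, minimum: float = 0.5) -> bool:
    """A scenario counts as covered when at least one detection scores >= minimum."""
    return any(d.score >= minimum for d in scenario.detections)


def coverage_gaps(risks: list[Risk], minimum: float = 0.5) -> list[str]:
    """Benefit 2: L2 scenarios with no, or only insufficient, L3 coverage."""
    return sorted(s.id for r in risks for s in r.scenarios
                  if not is_covered(s, minimum))


def scenarios_on_component(risks: list[Risk], component: str) -> list[str]:
    """Benefit 3: L2 scenarios whose detection depends on a given component,
    i.e. what must be re-validated when that component is replaced."""
    return sorted({s.id for r in risks for s in r.scenarios
                   for d in s.detections if d.component == component})


def risk_coverage(risk: Risk, minimum: float = 0.5) -> float:
    """Benefit 4: share of a risk's scenarios that have sufficient detection."""
    if not risk.scenarios:
        return 0.0
    covered = sum(1 for s in risk.scenarios if is_covered(s, minimum))
    return covered / len(risk.scenarios)


# Constructed sample registry; not real use cases from any organisation.
RISKS = [
    Risk("R1", "Unauthorised access to customer accounts", [
        Scenario("S1", "Credential stuffing against the login portal", ["T1110.004"], [
            Detection("D1", "Failed-login burst per source IP", "WAF", 0.8),
            Detection("D2", "Logins from two distant locations within an hour", "SIEM", 0.3),
        ]),
        Scenario("S2", "Phishing leading to session hijack", ["T1566"], [
            Detection("D3", "Credential-harvesting URL in inbound mail", "mail-gateway", 0.6),
        ]),
    ]),
    Risk("R2", "Fraudulent payment transactions", [
        Scenario("S3", "Insider abuses payment privileges", ["T1078"]),  # no detection yet
        Scenario("S4", "Malware on a payment workstation", ["T1204"], [
            Detection("D4", "Unsigned binary spawned by an Office process", "EDR", 0.4),
        ]),
    ]),
]

if __name__ == "__main__":
    print("weak L3 use cases:", weak_detections(RISKS))
    print("L2 gaps:", coverage_gaps(RISKS))
    print("depends on SIEM:", scenarios_on_component(RISKS, "SIEM"))
    for r in RISKS:
        print(f"{r.id} coverage: {risk_coverage(r):.0%}")
```

Run as a script, the constructed registry reports D2 and D4 as weak L3 use cases, S3 and S4 as L2 gaps (S3 has no detection at all, S4 only a weak one), S1 as the scenario that would need re-validation if the SIEM were replaced, and full coverage for R1 against none for R2. Whether a 0.5 score counts as "sufficient" is a policy decision the registry leaves to the `minimum` parameter.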
I have consulted the MaGMa framework, it's very interesting. I have read that it's a collaborative framework of several financial institutions. The framework includes mostly use cases on the infrastructure rather than financial use cases. Have you already developed specific financial use cases?
Thanks in advance
