Security monitoring use cases are the beating heart of any security monitoring system. Even when a system is equipped with ‘out-of-the-box’ detection capabilities, there are still use cases running under the hood. This is true for SIEM systems with default content packs as well as for intrusion detection systems and more advanced network traffic analysis systems.
The only exception here would be systems that apply unsupervised machine learning. This is because there is no true use case, only statistics and thresholds that are applied to differentiate ‘normal’ from ‘abnormal’ behavior. The lack of a use case in these systems is, in my opinion, exactly the reason why such detection capabilities often provide little added value.
Back to use cases. An important question to ask is: what exactly is a use case? In a security monitoring context, I believe that a use case is “a security monitoring scenario that is aimed at the manifestation of a cyber threat”. This is the definition that we created as a working group of the Dutch FI-ISAC when we created the MaGMa use case framework (https://www.betaalvereniging.nl/en/safety/magma/). I know that this is highly simplified (there are many elements to consider), but I think it captures the essence of use cases. To break down a use case into usable parts, it is worth looking at use cases from different levels:
- A high level that explains the use case in terms of risk. Use this level to talk to stakeholders and the business.
- An intermediate level that explains how cyber criminals could realise the high-level risk. Use this level to integrate with threat intelligence TTPs.
- A low level that shows how detection of that attacker behaviour is implemented in detection technology.
Using the MaGMa framework has brought us 4 important benefits:
- It has provided us with insight into which areas of security monitoring require improvement: low-level use cases with low scores.
- It has provided us with insight into gaps in security monitoring: intermediate level use cases that have no or insufficient coverage in the
- It has provided us with guidance for replacing security components in the network. These security components are tied to use cases. The framework has helped us identify which use cases depend on a given component and where it currently falls short.
- It has helped us show how detection use cases reduce high-level risks.
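To make the three levels and the four benefits concrete, here is an added example (my own illustration, not code from the original post and not part of the MaGMa framework or its tooling). It models use cases at the high, intermediate and low level, then runs the analyses listed above: low-level use cases with low scores, intermediate use cases with no detection at all, use cases that depend on a component you want to replace, and how far each high-level risk is covered. All names, technologies, the 0-100 score scale and the sample use cases are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Added example: every name, technology, score and threshold below is a
# constructed assumption for illustration, not MaGMa content.


@dataclass
class LowLevelUseCase:
    """Detection logic as implemented in a tool (rule, signature, query)."""
    name: str
    technology: str  # component the detection runs on, e.g. "SIEM", "NTA"
    score: int       # assumed maturity/effectiveness score, 0 (worst) to 100


@dataclass
class IntermediateUseCase:
    """An attacker TTP through which the high-level risk materialises."""
    name: str
    implementations: list[LowLevelUseCase] = field(default_factory=list)


@dataclass
class HighLevelUseCase:
    """A business risk; the level used to talk to stakeholders."""
    name: str
    ttps: list[IntermediateUseCase] = field(default_factory=list)


def weak_detections(risks: list[HighLevelUseCase], threshold: int = 50) -> list[str]:
    """Low-level use cases scoring below the threshold: areas that need improvement."""
    return sorted({ll.name for r in risks for t in r.ttps
                   for ll in t.implementations if ll.score < threshold})


def uncovered_ttps(risks: list[HighLevelUseCase]) -> list[str]:
    """Intermediate use cases with no low-level implementation at all: monitoring gaps."""
    return sorted({t.name for r in risks for t in r.ttps if not t.implementations})


def use_cases_on(risks: list[HighLevelUseCase], technology: str) -> list[str]:
    """Low-level use cases that depend on one component; check before replacing it."""
    return sorted({ll.name for r in risks for t in r.ttps
                   for ll in t.implementations if ll.technology == technology})


def risk_coverage(risks: list[HighLevelUseCase], threshold: int = 50) -> dict[str, float]:
    """Per high-level risk: share of its TTPs with at least one adequate detection."""
    coverage: dict[str, float] = {}
    for r in risks:
        if not r.ttps:
            coverage[r.name] = 0.0
            continue
        covered = sum(1 for t in r.ttps
                      if any(ll.score >= threshold for ll in t.implementations))
        coverage[r.name] = covered / len(r.ttps)
    return coverage


def sample_model() -> list[HighLevelUseCase]:
    """Constructed sample data, not a real organisation's use-case inventory."""
    phishing_sig = LowLevelUseCase("Mail gateway phishing signature", "Mail gateway", 80)
    abnormal_logon = LowLevelUseCase("Abnormal logon source", "SIEM", 30)
    impossible_travel = LowLevelUseCase("Impossible travel logon", "SIEM", 60)
    dns_tunnel = LowLevelUseCase("DNS tunnel detection", "NTA", 70)
    return [
        HighLevelUseCase("Unauthorised payment transfer", [
            IntermediateUseCase("Credential theft via phishing", [phishing_sig]),
            IntermediateUseCase("Lateral movement with stolen credentials",
                                [abnormal_logon, impossible_travel]),
            IntermediateUseCase("Web application injection"),  # nothing implemented yet
        ]),
        HighLevelUseCase("Customer data exfiltration", [
            IntermediateUseCase("Exfiltration over DNS", [dns_tunnel]),
        ]),
    ]


if __name__ == "__main__":
    model = sample_model()
    print("Improve:", weak_detections(model))
    print("Gaps:", uncovered_ttps(model))
    print("Depends on SIEM:", use_cases_on(model, "SIEM"))
    print("Risk coverage:", risk_coverage(model))
```

Run as-is and the sample model flags "Abnormal logon source" as weak, "Web application injection" as a gap with no detection, both SIEM rules as affected by a SIEM replacement, and the payment-transfer risk as two-thirds covered. The threshold is the one knob to agree with stakeholders: it decides what counts as "adequate" when you report coverage at the risk level.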
Does anyone have any experiences with a security monitoring use case framework? Which one do you use, what are its core features and how has it helped you to evolve your security monitoring service?