Five (5) Security Use Cases for Enterprises
In securing the modern threat landscape, many organizations turn to Security Information and Event Management (SIEM) as their best practices solution for aggregating and analyzing data across the IT environment to gain a holistic view with actionable insights.
Security use cases for SIEM can vary widely. Let’s explore a few.
Different kinds of security use cases
Use Case # 1: Detecting employee or insider threats
Not all threats are external. A member of your IT team or a subcontractor with access can do a great deal of damage. Proactively searching for such issues could include identifying an instance of multiple logins during off-hours at a higher rate than usual.
Data exfiltration analysis can also provide visibility into events that may appear harmless on the surface, such as BYOD usage of a thumb drive or file transference to personalized cloud storage. In this particular security use case, SIEM may connect the dots that would remain otherwise unflagged.
Use Case # 2: Monitoring privileged account access
Since modern attack surfaces are broad, breaches may occur across any number of vantage points. Monitoring for access outside of your expected areas helps raise any red flags immediately if something seems wrong.
Of course, VPNs can offer workarounds for such geo-targeted alerts, but this security use case can still prove valuable. Also consider deprecating generic accounts such as “admin” or “administrator,” as these paint a large target for cybercriminals.
Use Case # 3: Hunting for threats
To conduct a more effective threat hunt, security use case best practices point to using SIEM for the greatest visibility across your environment. Setting up alerts based upon real-time threat intelligence can detect new, previously undetected vulnerabilities or anomalies based on behavioral analytics.
Automation also plays a key factor in helping find the exploit needles in the IT haystack, which human eyes are likely to miss.
Use Case #4: Watching for man-in-the-cloud (MITC) attacks
Unlike your typical man-in-the-middle attacks (MITM), in which hackers can intercept data (such as logins) before the end-user is aware, MITC attacks rely on common file synchronization services, taking advantage of the OAuth token system used by enterprises for cloud services like OneDrive, Dropbox, etc.
The convenience of remote logins provides an open door for cybercriminals. Monitoring connections to your cloud instances and backing this up with a Cloud Access Security Broker (CASB) can help bolster your security use case.
Use Case # 5: Investigating attacks/incidents
The longer the timetable, the more likely an incident is to strike your environment. Performing a postmortem can mean sifting through hundreds, if not thousands, of points of data aggregated by SIEM.
Using automation and machine learning can help greatly reduce false positives, providing the context needed to produce actionable insights, such as who, what, when, and where in the event of a security breach.
Empower your security use case analytics
Having real-time operational alerts can greatly help maintain mission-critical services and ensure that you have the visibility you need across your attack surface.
PagerDuty offers the visualization and prescriptive dashboards you need—delivering the modern incident response to help reduce alert fatigue and mean-time-to-resolution (MTTR). This also includes the rich information needed to conduct thorough postmortems after an event occurs.
See for yourself with a 14-day free trial. No credit card is required.
Additional
Resources
Webinar
The Shared Irresponsibility Security Model With PagerDuty and Lacework
Podcast
The Secure Developer: Keeping PagerDuty Secure | Podcast | PagerDuty