Top Five SIEM Use Cases For Threat Prevention

Abstract: A Security and Information Event Management (SIEM) tool is of utmost importance to a SOC. This tool collects, stores, and analyzes log data from the entire IT infrastructure to detect suspicious activities and vulnerabilities and suggest a response to threats. But to work effectively, it needs use cases to provide data relevant to the event, determine legitimate activity from malicious actions, and protect the SOC.

‍

The Security and Information Event Management (SIEM) tool is one of the most essential SOC assets. This software platform collects, stores, and analyses log data from the entire IT infrastructure to detect suspicious activities and vulnerabilities and suggest a response to threats. Much like a security solution that relies on an AI or Machine Learning to provide anomaly detection, the SIEM is looking for data that doesn’t fit a set of patterns/behaviours and can be considered a vulnerability or deviant action.

However, not everything in security management is black or white. Sometimes, the data provided to flag a malicious event also describes a legitimate event, issuing a false alert. To cut down on false positives over legitimate events, an organisation needs to develop strong SEIM use cases that grow from historical and current data points and industry-wide knowledge and threat scenarios. In fact, to maximize the tool's efficacy, an organisation needs to write the rules and define its baselines and thresholds based on its knowledge of its own IT department, threat landscape, and bad actor behaviour. On top of that, new use cases and correlation rules should always be in the pipeline to address the ever-evolving threat scenarios.

Consider this blog a companion to the previous SIEM blog that looked at active threats to demonstrate more proactive defensive and preventative activities via robust use cases.

Compliance (SOX, HIPAA, PCI DSS)

Cybersecurity compliance isn’t an easy state to manage. Depending on the various laws, regulatory bodies, and private industry groups, there can be dozens of rules, controls, and procedures to follow to ensure the confidentiality, integrity, and availability of data. Compliance requirements also vary by sector and industry and have specific organisational processes and technologies that can come from a plethora of sources such as ISO 27001 and CIS. To ensure compliance, meet the regulations and prevent violations, an organisation’s SOC should maintain a log of when and by whom data was accessed, read, and copied.

To ensure that the data remains secure, the compliance use cases you develop need to address the laws in your jurisdiction, maintain a list of verified users for rights and access management, and flag any suspicious activity at endpoints. Then it must compare those cases to the regulations to look for errant behaviour.

Port/Service/Vulnerability Scanning

SIEM and threat management aren’t just about defensive actions but preventative ones. A SOC should have a process for scanning for open ports, running services, and detecting vulnerabilities that are present on systems. The caveat is to ensure that the anomalies and vulnerabilities that the system finds are a credible threat and not a one-off legitimate activity, such as on-premises or cloud scan.

A data point that doesn’t fit within the prescribed rules and use cases is cause for alarm to a SIEM. The benefit is that the SIEM is actively working to detect internal and external threats with near real-time monitoring across multiple applications, based on your thresholds and institutionalised knowledge.

Lateral Movement

This is a relative blind spot in cybersecurity and one that many enterprises and organisations don’t pay enough heed to. This attack isn’t a large, dramatic breach that is instantaneously detectable but a slow creep. Lateral movement is when an attacker gains a foothold in a network, usually via a lower privileged and less secured host, and conducts internal reconnaissance to secure their foothold. They then move through multiple systems and accounts to reach an objective.

A use case for lateral movement will serve as a tripwire for the threat before they get too far by monitoring login activities and keeping tabs on multiple credentialed devices or abnormal protocols. While movement like this could be a valid user, it’s best to have rules, barriers, and thresholds in place to ensure that no one is making their way around the network undetected and slow them down before an outbreak occurs.

Advanced Persistent Threats

APT is a sophisticated tactic where bad actors employ stealth over a long period of time to compromise and retain access to a system. Since they are so quietly intrusive, sometimes alerts aren’t triggered in the system, or if they do trip an alarm, it’s ignored as a false positive or a benign event. However, this doesn’t mean that they’re not causing significant data leakage.

The use cases for persistence must be sensitive enough to monitor any permission changes, user account modifications, deletions, newly inactive user accounts, or multiple failed login attempts. While there are legitimate reasons to change a registry, misremember a password or schedule a task that’s out of routine, your use case should have enough data about how your SOC and organisation operate to be able to separate the legitimate system changes from the malicious ones.

Command and Control (CnC, C2)

While we previously mentioned that a persistent attack was unobtrusive and relatively unnoticeable, the Command and Control attack is an all-out assault. In this intrusion, an attacker infects a computer and uses it to execute additional code, attacking more computers and creating a network of infected machines. Now, they have access to a company’s entire network and can exfiltrate data.

An appropriate use case for a CnC attack can include any anomalous activity on user accounts and privileged accounts that indicated compromise while also creating a trusted baseline of server activity, traffic, and network activity. Given that there is a semi-predictable cadence to network traffic and user activity, anything significantly outside the norm warrants a second look.

‍

AI-Assisted Cybersecurity Also Assists SIEM

As evidenced in our previous blog on SIEM use cases and the data we shared above, there is a challenge present in detecting and differentiating malicious activity from legitimate work when it’s left to an intelligent machine working solely off data points and use cases. To avoid a flood of alerts and false positives and improve the efficiency and accuracy of your SIEM, you need to adopt an AI-Assisted Cybersecurity (AICS) platform as part of a hybrid model with SOC analysts. By combining seasoned analysts with an AI capable of deep learning and threat detection via use cases, a robust SOC can emerge.

It doesn’t, however, stop there. Malicious activity and threats are constantly evolving; hence relying on detection methods to flag a specific example programmed from rules, previous attacks, and other data points isn’t enough. The SIEM will either flag an activity that checks all the boxes and triggers an alert, or it might not catch it. Therefore, use cases require ongoing revision and parameter updating to ensure your software is updated. An AI-Assisted Cybersecurity platform is capable of this.

When an alert is triggered by an AICS system such as Arcanna.ai, the system analyses it and determines a course of action, creates a ticket, adds threat intel, and an analyst reviews the outcome, and feedback is given. The system then adds this learning into its processes, continuing the cycle and further deepening its understanding and database of use cases for preventative and responsive detection.

The best tool an organisation can use to mitigate threats is to adopt a supervised anomaly detection model that is continuously trained by SOC analysts. Between human creativity and machine learning, your SIEM tools will function as intended.