Use Case - Sharing Ideas

Greetings Everyone,

Have you been overwhelmed with all your data sources and not sure what to do with all the events you are collecting? I hope this thread can help start the sharing of ideas and help reduce the anxiety you may have.

I was talking with some of the sales reps about the idea of "Use Case" sharing from a business use case to a system use case. I understand that your company may have developed Use Cases that fall under Intellectual Property and cannot be shared.

A SIEM can be vast and trying to figure out what data is important and how to use the data for meaningful alerting, action and reporting can be a challenge. Not everyone can be an SME in all the data sources you are collecting. Not knowing what is good event data and what is noise. How do you find the needle in all the noise?

Example of a Use Case scenario: Find APTs. The idea of an Advanced Persistent Threat/Attack (APT) in your network can be hard to detect, but using your data sources in concert with each other to help detect the abnormal behavior is where a SIEM can shine. This is a type of question that might be asked of you, and it's up to you to figure out how to make it work.


Have you developed a Use Case Procedure that you can share with others? A workflow of how an idea is started and ended. The challenges you have found.

With data sources that range from (examples):

  • Firewalls
  • Network IDS/IPS
  • Host IDS/IPS
  • Proxy
  • AV
  • OS Events (Windows, Linux)
  • File Integrity
  • Network Devices (Switches, Routers…)
  • Databases
  • VMware
  • Citrix
  • Cloud Based Tech
  • Any other device that you can make work within the SIEM.

As you can see, the list can be endless. It will be interesting to hear what others have come up with and what kind of "out of the box" thinking has worked. How do you make it all work together and help protect your company's assets?

Please consider sharing your ideas/stories if you can, what worked and what did not. What was the thinking behind it?

1 Reply

Re: Use Case - Sharing Ideas

I have been working with Windows events trying to reduce the noise and found this document from Microsoft. There is a section that rates which events are high, medium and low and areas to watch for compromise. I have adjusted my alerts based on their recommendations and our business compliance requirements. This helped to identify things I might not have thought to look for.

Hope this helps someone...

http://technet.microsoft.com/en-us/library/dn205220.aspx

Message was edited by: davids15 on 6/3/14 7:34:34 AM CDT
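As an added illustration of the tiered approach the reply describes (example code, not from the thread or from McAfee): a small Python triage filter that keeps every high-criticality Windows security event, only surfaces medium ones once they repeat for the same host/user, and counts the rest as suppressed noise. The log line format is constructed, and the event ID to tier mapping is a small subset I recall from Microsoft's "Events to Monitor" appendix; treat both as assumptions and verify each ID and tier against the linked document before reusing them.

```python
import re
from collections import Counter

# Constructed subset of Windows security event IDs and the criticality tier
# Microsoft assigns them (assumption: verify against the linked appendix).
EVENT_TIERS = {
    1102: "high",    # the audit log was cleared
    4719: "high",    # system audit policy was changed
    4964: "high",    # special groups assigned to a new logon
    4794: "high",    # attempt to set the DSRM administrator password
    4672: "medium",  # special privileges assigned to a new logon
    4720: "medium",  # a user account was created
    4624: "low",     # an account was successfully logged on
    4634: "low",     # an account was logged off
}

# Constructed, simplified line format: "<date> <time> host=X eid=N user=Y"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) eid=(?P<eid>\d+) user=(?P<user>\S+)$")

def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "host": m["host"], "eid": int(m["eid"]), "user": m["user"]}

def triage(lines, repeat_threshold=3):
    """Alert on every high-tier event; alert once on a medium-tier event when the
    same (host, user, eid) repeats repeat_threshold times; count everything else
    as suppressed so the noise level stays visible in a summary."""
    alerts, suppressed, medium_counts = [], Counter(), Counter()
    for e in filter(None, map(parse_line, lines)):
        tier = EVENT_TIERS.get(e["eid"], "unreviewed")
        if tier == "high":
            alerts.append({**e, "tier": tier, "reason": "high-criticality event"})
        elif tier == "medium":
            key = (e["host"], e["user"], e["eid"])
            medium_counts[key] += 1
            if medium_counts[key] == repeat_threshold:
                alerts.append({**e, "tier": tier, "reason": f"repeated {repeat_threshold}x"})
        else:
            suppressed[(e["eid"], tier)] += 1
    return alerts, suppressed

# Constructed sample log; the malformed last line is skipped by the parser.
SAMPLE = """\
2014-06-03 07:00:01 host=DC01 eid=4624 user=jdoe
2014-06-03 07:00:02 host=DC01 eid=4634 user=jdoe
2014-06-03 07:01:10 host=DC01 eid=1102 user=admin
2014-06-03 07:02:00 host=DC01 eid=4720 user=admin
2014-06-03 07:02:01 host=DC01 eid=4720 user=admin
2014-06-03 07:02:02 host=DC01 eid=4720 user=admin
garbage line
"""
```

Running `triage(SAMPLE.splitlines())` yields two alerts (the cleared audit log and the repeated account creations) while the logon/logoff pairs are only counted.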