Have you been overwhelmed with all your data sources and not sure what to do with all the events you are collecting? I hope this thread can help start the sharing of ideas and help reduce the anxiety you may have.
I was talking with some of the sales reps about the idea of "Use Case" sharing from a business use case to a system use case. I understand that your company may have developed Use Cases that fall under Intellectual Property and cannot be shared.
A SIEM can be vast, and trying to figure out what data is important and how to use the data for meaningful alerting, action and reporting can be a challenge. Not everyone can be an SME in all the data sources you are collecting, or know what is good event data and what is noise. How do you find the needle in all the noise?
Example of a Use Case scenario: Find APTs. The idea of an Advanced Persistent Threat/Attack (APT) in your network can be hard to detect, but using your data sources in concert with each other to help detect the abnormal behavior is where a SIEM can shine. This is the type of question that might be asked of you, and it’s up to you to figure out how to make it work.
Have you developed a Use Case Procedure that you can share with others? A workflow of how an idea is started and ended. The challenges you have found.
With data sources that range from (examples):
- Network IDS/IPS
- Host IDS/IPS
- OS Events (Windows, Linux)
- File Integrity
- Network Devices (Switches, Routers…)
- Cloud Based Tech
- Any other device that you can make work within the SIEM.
As you can see, the list can be endless. It will be interesting to hear what others have come up with and what kind of “out of the box” thinking has worked. How do you make it all work together and help protect your company’s assets?
Please consider sharing your ideas/stories if you can, what worked and what did not. What was the thinking behind it?
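To make the "data sources in concert" idea from the post concrete, here is an added example (not part of the original post, and not any vendor's rule language) of a single correlation rule that only fires when a network IDS alert, an OS authentication sequence and a file-integrity change line up on the same host inside a time window. The events, hosts, field names and the 15-minute window are all constructed for illustration; a real SIEM would feed normalised events into something like this after parsing. The point it shows is that each source on its own flags several hosts, while the chained rule narrows it to one.

```python
"""Cross-source correlation sketch for a SIEM "find the needle" use case.

Rule: on one host, within WINDOW of a network IDS scan alert, see at least
MIN_FAILURES failed logins followed by a successful login, and then a
file-integrity change. Any single source here is noisy; the chain is not.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Each tuple is a normalised
# record of the kind a SIEM produces after parsing: time, source, host, kind.
SAMPLE_EVENTS = [
    # web01: scan, brute force, success, sensitive file change -> should fire
    ("2024-03-01T10:00:05", "nids", "web01", "scan"),
    ("2024-03-01T10:02:10", "os", "web01", "auth_failure"),
    ("2024-03-01T10:02:12", "os", "web01", "auth_failure"),
    ("2024-03-01T10:02:15", "os", "web01", "auth_failure"),
    ("2024-03-01T10:02:20", "os", "web01", "auth_success"),
    ("2024-03-01T10:05:00", "fim", "web01", "file_change"),
    # db01: a scan and a routine patch-driven file change -> noise, no chain
    ("2024-03-01T10:01:00", "nids", "db01", "scan"),
    ("2024-03-01T10:30:00", "fim", "db01", "file_change"),
    # app02: same chain as web01, but the file change lands outside the window
    ("2024-03-01T11:00:00", "nids", "app02", "scan"),
    ("2024-03-01T11:01:00", "os", "app02", "auth_failure"),
    ("2024-03-01T11:01:01", "os", "app02", "auth_failure"),
    ("2024-03-01T11:01:02", "os", "app02", "auth_failure"),
    ("2024-03-01T11:01:05", "os", "app02", "auth_success"),
    ("2024-03-01T11:40:00", "fim", "app02", "file_change"),
]

WINDOW = timedelta(minutes=15)   # assumed tuning value, not from the post
MIN_FAILURES = 3                 # assumed tuning value, not from the post


def parse(ev):
    """Turn a raw sample tuple into a dict with a real datetime."""
    ts, source, host, kind = ev
    return {"ts": datetime.fromisoformat(ts), "source": source,
            "host": host, "kind": kind}


def correlate(events, window=WINDOW, min_failures=MIN_FAILURES):
    """Return one finding per host whose events complete the chain
    scan -> >= min_failures auth_failure -> auth_success -> file_change,
    all within `window` of the scan alert that started the chain."""
    by_host = defaultdict(list)
    for e in sorted(map(parse, events), key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)

    findings = []
    for host, evs in by_host.items():
        state = None  # per-host progress through the chain
        for e in evs:
            # A network IDS scan alert starts (or restarts) the chain.
            if e["source"] == "nids" and e["kind"] == "scan":
                state = {"start": e["ts"], "failures": 0, "success": False}
                continue
            if state is None:
                continue
            # Drop the chain once the window from the initial alert elapses.
            if e["ts"] - state["start"] > window:
                state = None
                continue
            if e["source"] == "os" and e["kind"] == "auth_failure":
                state["failures"] += 1
            elif e["source"] == "os" and e["kind"] == "auth_success":
                # A success only counts after a burst of failures.
                if state["failures"] >= min_failures:
                    state["success"] = True
            elif (e["source"] == "fim" and e["kind"] == "file_change"
                  and state["success"]):
                findings.append({"host": host, "start": state["start"],
                                 "end": e["ts"],
                                 "failures": state["failures"]})
                state = None
    return findings


def single_source_hits(events, source):
    """Hosts a one-source rule would flag on its own, for comparison."""
    return sorted({e[2] for e in events if e[1] == source})


if __name__ == "__main__":
    for src in ("nids", "os", "fim"):
        print(f"{src} alone flags: {single_source_hits(SAMPLE_EVENTS, src)}")
    for f in correlate(SAMPLE_EVENTS):
        print(f"possible compromise chain on {f['host']}: "
              f"{f['start']} -> {f['end']} ({f['failures']} failed logins)")
```

Run as a script, the single-source lists show three hosts for the IDS and FIM feeds and two for OS auth events, while the correlated rule reports only web01; db01 never had the authentication stage and app02's file change arrives after the window closed. The window and failure threshold are the knobs you would tune per environment, and the state reset on each new scan alert is a deliberate choice to avoid a stale chain accumulating across unrelated scans.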