How to Build Security Use Cases for Your SIEM


If you’re anything like me, you create an itinerary when traveling to a new place for an extended period. You want to prepare for the conditions you will be in, plan for things you will need, and have a plan in place to make sure you visit all the sites you want to see and stay within budget.

Just as an itinerary guides a successful trip, security use cases guide the successful use of a security information and event management (SIEM) solution.

Below, we’ll discuss Gartner’s recommendations for how to build security use cases that produce the highest return on your SIEM investment.

What are SIEM Security Use Cases?

Security use cases help guide your SIEM to find the threats that are relevant to your organization. Using the trip itinerary example, security use cases are your plans for what you want to get out of your SIEM. A few common security use cases teams build for their SIEM are privileged account access, insider threats, PCI compliance, and threat hunting.

Building security use cases may seem like an easy concept, but Gartner has found that many use cases are ambiguous, leading to mistakes and a weak security posture.

Why CISOs Should be Involved in Building Security Use Cases

Bear with me as I continue to use the itinerary example to describe why CISOs should make security use cases for a SIEM a priority. When you are traveling with a group, everyone’s interest is important, but there is typically one designated person who will lead researching, planning, and coordinating plans to make a trip that satisfies the group’s top needs. Building security use cases for a SIEM should be a high-value activity that meets the security team’s objectives and the needs of the organization.

CISOs should prioritize areas with the most risks to their organization that will also yield the most ROI for their program. CISOs don’t want their program to be a cost center for the organization, and defining focus areas upfront can help CISOs communicate where their teams have made the most progress and where they can expand.

Use cases should provide insights that are critical to the business and demonstrate the value of the program. This means stepping away from generic use cases and focusing on building ones for high-risk scenarios.

Gartner’s report provides recommendations to help security leaders apply data and analytics to frame, organize, prioritize, and properly build use cases. Let’s explore those.

Four Steps to Building Security Use Cases for Your SIEM

1. Frame the Use Case as an Insight

Using an insight-based approach to find the answers you are looking for in your SIEM is the foundation for building strong use cases.

A SIEM tool can find almost anything if it knows where to look and has a good description of what to look for. Start by thinking of your use case as an insight, then build the question whose answer delivers that insight. You may need to reframe the question so that it suits your SIEM rather than a human analyst, which can mean constructing several levels of description for one use case.

An insight-based approach to building use cases helps you make the most out of your SIEM by asking the right question on the right set of data, which brings us to Gartner’s next step.

2. Get the Right Data for the Required Insight

Framing your use case as an insight is the foundation for a strong security use case for your SIEM, but defining the data required to answer that question is where the actual building begins.

In most cases, data points are logs from your organization’s IT infrastructure, plus structured or unstructured data when needed. Don’t make the mistake of bringing in all possible logs on the assumption that you might need them in the future. Gartner recommends that you focus on the right data for your insight and only send necessary data to your SIEM.

You will need to consider if you have systems in place to access the data you need and if you have permission to access the data. If you can’t access the data to deliver on your insight, you won’t have a use case. Gartner uses the below figure to map the difficulty level of sending and managing typical data points in a SIEM.

Figure 1. Gartner map of difficulty levels for sending and managing typical data sources

3. Apply the Right Analytics for the Required Insight

Both advanced and simple analytics can offer valuable insights, and security use cases for SIEMs can leverage either, but Gartner recommends that teams favor the simplest analytics method that satisfies the use case. A good rule of thumb is to reserve advanced analytics for more complex use cases and use simpler methods for basic cybersecurity hygiene use cases.

4. Organize and Prioritize Your Security Use Cases

Security teams may manage dozens to hundreds of use cases, depending on the size of their organization and the maturity of their team. Proper organization can help your team avoid creating duplicate, incomplete, or unclear use cases.

Use cases fit into categories that can help build a hierarchy. Gartner suggests a simple strategy of naming and cataloging use cases by the category they fit in, e.g., threat detection. Ideally, use cases can be drawn as a Venn diagram, with little overlap between higher-level categories and more overlap among more granular use cases.

Figure 2. Gartner’s organization structure for use cases

Your team should aim for simple and complete naming conventions aligned to the hierarchy in your categories.

Not all use cases are created equal. While you should strive for a few well-built use cases rather than many mediocre ones, there are ways to prioritize which security use cases to build first. Consider use cases that reduce risk to your organization by covering basic security hygiene and business requirements and that provide the most return on your SIEM investment. You should also consider what data you can easily access, which analytics will be easy to perform, and which use cases can serve several categories.
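To make the four steps concrete, here is an added example (not code from the original post or from Gartner) that builds one of the use cases the post names, privileged account access, as a SIEM would consume it: the insight framed as a question, the data sources it needs, a check that those sources are actually onboarded, and the simplest analytics that answers the question run over constructed sample events. The log format, account names, and business hours are all assumptions.

```python
"""One SIEM use case built insight -> data -> simplest analytics.
Log format, account names and hours are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class UseCase:
    name: str            # catalog name following a category hierarchy (step 4)
    insight: str         # the question the SIEM must answer (step 1)
    data_sources: tuple  # log sources the insight requires (step 2)
    analytics: str       # "simple" (filter/threshold) or "advanced" (step 3)

# Step 1: a question answerable from log fields, not a vague goal like
# "monitor privileged accounts".
OFF_HOURS_PRIV_LOGON = UseCase(
    name="ThreatDetection/PrivilegedAccess/OffHoursInteractiveLogon",
    insight="Which privileged accounts logged on interactively outside 08:00-18:00?",
    data_sources=("windows_security", "linux_auth"),
    analytics="simple",
)

# Constructed sample events in an assumed key=value format, one per line.
SAMPLE_LOGS = [
    "ts=2024-03-04T02:14:05 src=windows_security user=adm_jdoe type=interactive result=success",
    "ts=2024-03-04T09:30:00 src=windows_security user=adm_jdoe type=interactive result=success",
    "ts=2024-03-04T23:50:12 src=linux_auth user=root type=interactive result=success",
    "ts=2024-03-04T23:55:40 src=linux_auth user=svc_backup type=network result=success",
    "ts=2024-03-04T01:05:00 src=windows_security user=bsmith type=interactive result=success",
]
PRIVILEGED = {"adm_jdoe", "root"}  # assumed inventory of privileged accounts

def parse(line):
    """Turn one key=value event line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def missing_data(use_case, onboarded):
    """Step 2: required sources not yet sent to the SIEM. A non-empty
    result means the use case cannot be deployed as written."""
    return [s for s in use_case.data_sources if s not in onboarded]

def off_hours_privileged_logons(lines, start=8, end=18):
    """Step 3: the simplest analytics that answers the insight is a filter,
    so no baselining or ML is used. Returns (timestamp, user) per hit."""
    hits = []
    for ev in map(parse, lines):
        hour = datetime.fromisoformat(ev["ts"]).hour
        if (ev["user"] in PRIVILEGED and ev["type"] == "interactive"
                and ev["result"] == "success" and not start <= hour < end):
            hits.append((ev["ts"], ev["user"]))
    return hits
```

Against the sample events the filter returns the two privileged interactive logons at 02:14 and 23:50 and ignores the service account and the non-privileged user, which is the whole insight this use case asks for.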

You’ve Built Security Use Cases for Your SIEM, Now What?

Security use cases do have a lifecycle, and having a plan for continuous improvement and deprecation will help you free up resources and maintain an organized use case catalog. The lifecycle of a security use case for a SIEM includes building, organizing and naming, prioritization, deployment, measuring, fine-tuning, deprecation, and cleanup.

Regardless of the size of your team, you can build valuable and effective use cases following Gartner’s recommendations to frame your questions as insights, then power them with analytics fueled by data.

Read Gartner’s full report.