The Most Popular SIEM Starter Use Cases for 2018
Anton Chuvakin, a research vice president and distinguished analyst at Gartner, created a list of popular security information and event management (SIEM) starter use cases in 2014, which he updated in July. The list does not include foundational SIEM use cases like searching logs or compliance reporting but rather focuses on the popular use cases Anton has observed.
Anton’s list is useful for many small to midsize enterprises (SMEs) ready to dip their toes in the SIEM pool. These SMEs frequently turn out to be customers, as Arctic Wolf provides a security operations center (SOC)-as-a-service that includes a purpose-built SIEM platform in the cloud. The AWN CyberSOC™ service can ingest any log data, but a key difference between our SOC-as-a-service and a SIEM is that we provide a managed detection and response (MDR) service that focuses on security outcomes. Enterprise customers avoid unnecessary noise as our Concierge Security™ teams sift through alerts to locate and investigate noteworthy security events.
Below is how Arctic Wolf addresses each of Anton’s particular use cases.
| Use Case | Description (from Anton's blog) | Arctic Wolf Solution |
|---|---|---|
| 1 | Authentication tracking and account compromise detection; admin and user tracking | AWN CyberSOC monitors Active Directory (AD) and Okta logs to identify suspicious login activity. Arctic Wolf also monitors login activity from SaaS apps like Office 365, G Suite, Box and Salesforce. |
| 2 | Compromised- and infected-system tracking; malware detection using outbound firewall logs, proxy, etc. | Arctic Wolf network sensors use network data along with endpoint logs to help detect malware destined for endpoints. |
| 3 | Validating intrusion detection system/intrusion prevention system (IDS/IPS) alerts using vulnerability data, etc. | Arctic Wolf network sensors provide the core IDS/IPS functionality. AWN CyberSOC also performs regular vulnerability scanning for internet-facing systems. |
| 4 | Monitoring for suspicious outbound connectivity and data transfers using firewall logs, Web proxy logs, etc. | Arctic Wolf network sensors sit at the internet egress/ingress points and use threat intelligence to recognize bad IPs and domains, and detect connections to CnC servers (example: detecting ransomware calling home). |
| 5 | Tracking system changes and other administrative actions across internal systems, etc. | AWN CyberSOC tracks privilege escalations through endpoint activity, AD logins, and SaaS/IaaS logins/activity. |
| 6 | Tracking of Web application attacks and their consequences, etc. | AWN CyberSOC can track web application attacks using log data from web application firewalls. *On a side note, Anton did not find this use case to be particularly common (perhaps why nobody is beating on our door about it). |
| 7 | Cloud activity monitoring, detecting cloud account compromise, cloud access and privilege abuse, other security issues, etc. | AWN CyberSOC monitors cloud activity via cloud connectors built for various cloud infrastructure (AWS, Azure) and SaaS applications (Salesforce, Office 365, etc.). |
| 8 | Detecting threats by matching various logs to threat intelligence feeds | AWN CyberSOC uses multiple threat intelligence sources to identify known bad IPs/domains, known malicious files/executables, and geo-locations of suspicious traffic. |
| 9 | SIEM as "poor man's EDR": review of Sysmon and similar endpoint data | AWN CyberSOC ingests your favorite log data, including data from your existing endpoint protection platform (EPP). |
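Use cases 4 and 8 both reduce to one starter SIEM rule: match the destination fields of outbound firewall or proxy log lines against a threat-intelligence feed. The example below is added here and is not Arctic Wolf's or Anton's code; it assumes a key=value log format, a constructed feed of placeholder indicators drawn from documentation address ranges, and a few constructed log lines, and it also counts hits per internal source address, which is what an analyst would pivot on first.

```python
import ipaddress
import re
from collections import Counter
# Constructed threat-intel feed; values are documentation/placeholder ranges, not real indicators.
THREAT_INTEL = {
    "ips": {"203.0.113.45", "198.51.100.7"},
    "cidrs": [ipaddress.ip_network("192.0.2.0/24")],
    "domains": {"bad-example.test", "c2.example.invalid"},
}
# Constructed firewall/proxy log lines in an assumed key=value format.
SAMPLE_LOGS = [
    "ts=2018-03-01T10:00:01Z src=10.1.2.3 dst=198.51.100.200 dport=443 action=allow host=example.com",
    "ts=2018-03-01T10:00:05Z src=10.1.2.3 dst=203.0.113.45 dport=443 action=allow host=bad-example.test",
    "ts=2018-03-01T10:00:09Z src=10.1.2.9 dst=192.0.2.77 dport=8080 action=allow",
    "ts=2018-03-01T10:00:12Z src=10.1.2.9 dst=10.1.2.1 dport=53 action=allow host=intranet.local",
    "ts=2018-03-01T10:00:15Z src=10.1.2.3 dst=203.0.113.45 dport=443 action=allow host=www.bad-example.test",
]
KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    # Turn "k=v k=v ..." into a dict; fields absent from a line are simply missing.
    return dict(KV.findall(line))

def match_domain(host, domains):
    # Match the host itself or any parent domain (www.bad-example.test -> bad-example.test).
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def match_ip(dst, intel):
    # Exact-IP hits first, then CIDR membership; unparseable values never match.
    if dst in intel["ips"]:
        return True
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False
    return any(addr in net for net in intel["cidrs"])

def scan_logs(lines, intel=THREAT_INTEL):
    """Return (hits, hits-per-internal-source) for lines touching a known-bad IP or domain."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        reasons = []
        if match_ip(ev.get("dst", ""), intel):
            reasons.append("dst_ip")
        if "host" in ev and match_domain(ev["host"], intel["domains"]):
            reasons.append("domain")
        if reasons:
            hits.append({"ts": ev["ts"], "src": ev["src"], "dst": ev["dst"], "reasons": reasons})
    return hits, Counter(h["src"] for h in hits)
```

A source that hits the feed repeatedly (here 10.1.2.3 twice against the same destination) is the beaconing pattern the table's "ransomware calling home" example refers to.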
Small to midsize enterprises need 24×7 monitoring, threat detection and response, but they don't need to do the work of establishing and maintaining a SIEM. There is a better way: a SOC-as-a-service can provide you with the security outcomes you need without that overhead.