The Most Popular SIEM Starter Use Cases for 2018

July 30, 2018 Todd Thiemann

Anton Chuvakin, a research vice president and distinguished analyst at Gartner, created a list of popular security information and event management (SIEM) starter use cases in 2014, which he updated in July. The list does not include foundational SIEM use cases like searching logs or compliance reporting but rather focuses on the popular use cases Anton has observed.

Anton’s list is useful for many small to midsize enterprises (SMEs) ready to dip their toes in the SIEM pool. These SMEs frequently turn out to be customers, as Arctic Wolf provides a security operations center (SOC)-as-a-service that includes a purpose-built SIEM platform in the cloud.  The AWN CyberSOC™ service can ingest any log data, but a key difference between our SOC-as-a-service and a SIEM is that we provide a managed detection and response (MDR) service that focuses on security outcomes. Enterprise customers avoid unnecessary noise as our Concierge Security™ teams sift through alerts to locate and investigate noteworthy security events.

 

Below is how Arctic Wolf addresses each of Anton’s particular use cases.

Use Case Description (from Anton’s blog) Arctic Wolf Solution
1 Authentication tracking and account compromise detection; admin and user tracking AWN CyberSOC monitors Active Directory (AD) and Okta logs to identify suspicious login activity. Arctic Wolf also monitors login activity from SaaS apps like Office 365, G Suite, Box and Salesforce.
2 Compromised- and infected-system tracking; malware detection using outbound firewall logs, proxy, etc. Arctic Wolf network sensors use network data along with endpoint logs to help detect malware destined for endpoints.
3 Validating intrusion detection system/intrusion prevention system (IDS/IPS) alerts using vulnerability data, etc. Arctic Wolf network sensors provide the core IDS/IPS functionality. AWN CyberSOC also performs regular vulnerability scanning for internet-facing systems.
4 Monitoring for suspicious outbound connectivity and data transfers using firewall logs, Web proxy logs, etc. Arctic Wolf network sensors sit at the internet egress/ingress points and use threat intelligence to recognize bad IPs and domains, and detect connections to CnC servers (example: detect ransomware calling home).
5 Tracking system changes and other administrative actions across internal systems, etc. AWN CyberSOC tracks privilege escalations through endpoint activity, AD logins, and SaaS/IaaS logins/activity.
6 Tracking of Web application attacks and their consequences, etc. AWN CyberSOC can track web application attacks using log data from web application firewalls. *On a side note, Anton did not find it to be particularly common (perhaps why nobody is beating on our door about it).
7 Cloud activity monitoring, detecting cloud account compromise, cloud access and privilege abuse, other security issues, etc. AWN CyberSOC monitors cloud activity via cloud connectors built for various cloud infrastructure (AWS, Azure) and SaaS applications (SalesForce, Office365 etc.).
8 Detecting threats by matching various logs to threat intelligence feeds AWN CyberSOC uses multiple threat intelligence sources to identify known bad IPs/domains, known malicious files/executables, and geo-locations of suspicious traffic.
9 SIEM as “poor man’s EDR” – review of sysmon and similar endpoint data AWN CyberSOC ingests your favorite log data including your existing endpoint protection platform (EPP).

 

Small to midsize enterprises need 24×7 monitoring, threat detection and response, but they don’t need to do the work of establishing and maintaining a SIEM. There is a better way. Click on the banner below to learn how a SOC-as-a-service can provide you with the security outcomes you need.

 

About the Author

Todd Thiemann

Todd Thiemann is a Product Marketing leader at Arctic Wolf Networks. He writes and engages in thought leadership on behalf of Arctic Wolf because, as he describes, Arctic Wolf is an innovative security startup that is radically changing how enterprises perform managed detection and response.

You might also be interested in...
Previous Article
How Hackers Launder Money Through Video Games
How Hackers Launder Money Through Video Games

Hackers' use of video games to launder money from stolen credit cards is symptomatic of a bigger threat: co...

Next Article
Welcome to the Security Operations Center (SOC)
Welcome to the Security Operations Center (SOC)

These people, processes and technologies represent the core components of the security operations center (S...

×

Want cybersecurity updates delivered to your inbox?

First Name
Last Name
Company
!
Thanks for subscribing!
Error - something went wrong!