Part 1 of 2
This is part 1 of a 2-part post about the Use Case Factory. If you’d like to more in-depth information about the use case process itself, see part 2.
What do you mean by the term “use case”? Many customers view a use case as a detection scenario for cyber security threats in a SIEM (Security Information & Event Management) platform. But the reality is that a use case involves much more. This blog explores what a use case means and why we believe Use Case Factories are so vital to an organization’s cyber security strategy.
Use Case Life Cycle
A use case – sometimes referred to as an attack scenario – represents the outcome of an attack, or the attacker’s desired outcome state vis-à-vis a specific asset (or set of assets). This outcome should map to the MITRE ATT&CK Matrix Impact category.
Handling such a scenario effectively in a way that mitigates risks and minimizes damage to an organization involves several kinds of preparatory work – including:
- Collecting the right security data to perform security analytics
- Orchestrating security monitoring & incident response technologies
- Enriching security alerts for better contextualization
- Developing incident response playbooks and incident management workflows
- Automating responses by enabling integration with network and security controls
- Creating dashboards & reports for real-time visibility
Tailoring Use Cases
Use cases should be customized for each organization and should reflect the organization's unique requirements and threat profile.
Use cases should be customized for each organization and should reflect the organization’s unique requirements and threat profile. Considerations should include the threat landscape based on its industry vertical, the types of assets owned, its operating regions, applications & services used, and more. By taking these factors into account, organizations can keep their security comprehensive and up to date, thereby optimizing resilience –maximizing the ability to identify and respond to an attack quickly enough to reduce business impact.
Why a Factory?
To ensure continuous visibility to evolving threats, and improved ability to respond to cyber security threats and suspicious activities, an effective SOC (Security Operations Center) team should continuously produce new, relevant use cases – each of which must include all of the aspects of the use case life cycle.
Developing the right use cases, and having an effective development and implementation process, is more than half the battle in reducing response time to a potential attack and minimizing its impact.
Developing the right use cases, and having an effective development and implementation process, is more than half the battle in reducing response time to a potential attack and minimizing its impact.
Building a use case package requires specific cyber security risk assessment skills – from building effective threat detection rules in the SIEM to defining robust playbook logic and powerful automations for faster response. This means a use case factory should be driven by a mix of SIEM experts, security analysts and automation specialists for optimal outcomes.
Integrating an Automated Response
In developing playbooks and computer security incident management workflows, a smart SOC should implement automated enrichments and response activities, to gain the efficiencies to react quickly and respond effectively.
Generally speaking, alert triage teams (Level 1 analysts) are responsible for examining alerts then escalating the ones that might indicate an attack. Today, most of the work done by L1 analysts involves understanding context, in order to make good judgement calls about alerts and escalate to L2 analysts when required.
There are a number of enrichment tasks that are going on – whether they involve resolving whose IP address an alert belongs to, identifying whether there’s a vulnerability in the system, or what network a device may be part of. Most of this can be done automatically by virtual analysts (smart bots) – freeing up teams to deal with higher-level decision-making, manual investigations, and threat containment.
The Role of Managed Services Providers
Development of use cases that leverage automation requires expertise, and expertise is not easy to come by. The process of creating customized use cases demands hands-on cyber security experience and know-how not just for automated responses but also for the development of custom SIEM threat detection rules, custom scripting, process automation, and creating specific dashboards & reports.
The process of creating customized use cases demands hands-on cyber security experience and know-how.
And that’s why advanced managed services providers build Use Case Factories, providing organizations with a constant supply of effective use cases – and provide access to the kinds of high-level security professionals that may be difficult for organizations to maintain in-house.
This is part 1 of a 2-part post about the Use Case Factory. If you’d like to more in-depth information about the use case process itself, see part 2.
Contact CyberProof for more information about building a Use Case Factory for your organization.