A SIEM (security information and event management) system is a platform that aggregates security log data from across your entire IT infrastructure. A SIEM is also key in helping  cybersecurity analysts respond to potential cybersecurity incidents.  As a core part of the security infrastructure with access to a huge range of data sources across an organization, a SIEM has many different use cases. 

SIEMs help create regulatory and compliance reports. In fact, most compliance regulations, like PCI-DSS, HIPAA, GDPR and the Department of Defense Cybersecurity Maturity Model Certification (CMMC), mandate review of SIEM logs.

Let’s take a look at some of the most compelling use cases that we at Digital Hands leverage our SIEM for. These range from edge use cases like access abuse and detecting insider threats, to the traditional use cases like compliance.

SIEM Use Case One - Insider Threats

The 2020 Data Breach Investigation Report ¹  from Verizon tells us that insider threats can often go undetected for months and that they feature in the top five causes of cybersecurity breaches. In thirty-eight percent of cases, they can go undetected for years. 

This is because detecting insider threats can be enormously challenging, typically because the person causing the threat seems like a legitimate user. Unless they do something particularly egregious, they don’t set off your security alerting tools. The two internal security threats to look for are malicious insiders (your own employees working against you) and compromised insiders, where an external malicious actor has obtained employee credentials.

Being able to detect these threats relies on user entity behavioral analysis (EUBA), which uses behavioral profiling and machine learning techniques. This establishes user baselines and identifies anomalies among user groups. It goes well beyond the traditional statistical and rule-based correlation of a SIEM and is an advanced SIEM use case.

Detect Compromised Users 

Behavioral analysis can detect any potentially anomalous behavior from users that may indicate stolen credentials or lateral movement. This includes employees trying to access data and systems that they don’t normally work in, logging in more than they usually do or at odd hours.

Detect C&C Activity

Command and control (C&C) attacks are one of the most damaging cyber attacks.  Once an attacker infects a system with malware, the system establishes communication with the threat actors server and executes their instructions.  Your SIEM can correlate threat intelligence feeds with network data to detect systems downloading malware onto other systems or networks.

Detect Data Exfiltration 

Leverage your SIEM to correlate and analyze what seem to be unrelated events using behavioral analysis. These events can include users accessing personal email accounts, inserting USB drives, and accessing unapproved cloud services.

Detect Lateral Movement 

Malicious insiders often try to access other accounts, computers, and servers in an attempt to access something they shouldn’t. A SIEM with a broad view of your entire IT infrastructure can be tuned to detect this lateral movement behavior.

Detect Privilege Escalation 

Set up your SIEM to detect a compromised insider account trying to change or escalate their privileges in an attempt to move laterally.

Detect Rapid Encryption 

Rapid encryption can be a ransomware indicator. A SIEM can be used to detect this and stop the offending machine from encrypting large amounts of data.

SIEM Use Case Two - Access Abuse

The Verizon Data Breach Investigation Report tells us that the third-largest cause of business data breaches is privileged access abuse. It’s a common problem that stems from having gaps in user access control processes. 

When employees are prohibited from doing things on IT infrastructure (like installing software), they can sometimes abuse their privileged access to do so, weakening your security in the process. Set up a SIEM to detect the telltale signs of privileged access abuse and put a stop to it.

Detect Third-Party Violations 

Set up your SIEM to watch for third-party partners and vendors who have access to your IT systems. This way, you can spot them escalating privileges or engaging in anomalous behavior which could be malicious.

Detect Disgruntled Ex-Employee Activity 

A SIEM can alert you of any unexpected and potentially malicious activity from terminated or inactive user accounts.

Detect Unwanted Activity 

Set up your SIEM to monitor and report on any potentially suspicious activity around sensitive data, like access or download requests.

Detect Overaccess 

The SIEM can alert you if any employees are accessing data or systems outside of their user profile and that they do not regularly access.

SIEM Use Case Three - Threat Hunting

Threat hunting for cyber threats on the network and IT infrastructure is something that everyone should be doing regularly. However, according to a SANS Institute study, most businesses only conduct one following a cybersecurity incident. Instead, a SIEM can proactively hunt for new data breaches and cyber-attacks.

Because hunting threats need broad access to security logs and data from across the business, the SIEM forms an essential part of any threat-hunting strategy.

Alerting 

The SIEM’s primary job is delivering actionable alerts that provide data and context around potentially cybersecurity incidents.

Detecting Anomalies 

By leveraging behavioral analytics and using correlations, your SIEM can help identify potentially malicious anomalies in IT infrastructure.

Leveraging Threat Intelligence 

A SIEM can combine security data from IT infrastructure with third-party threat intelligence to detect cyberattacks on systems.

Testing Your Hypothesis 

Your SIEM can help your SOC analysts frame and test a ‘known risk’ hypothesis using the security data the SIEM collects and correlates.

Checking for Similar Incidents 

SOC analysts can leverage your SIEM to check security logs and data for any patterns that might indicate a similar security incident, either one that is in progress or a previous incident that they may have already remediated.

SIEM Use Case Four - IoT Cybersecurity

In this day and age, most businesses are using some kind of connected device to manage an operation or process. Typically, they are using more than one. These can be as mundane as CCTV cameras, all the way through to network-connected sensors, medical equipment, industrial control machines, and even power grid infrastructure. 

The problem with this is that many IoT devices have not been designed well from a security standpoint. Therefore, many IoT devices have baked-in hardware (and software) security vulnerabilities which can be hard to remediate once the devices have been deployed into an environment. If your business has deployed lots of IoT devices, a SIEM can help mitigate their vulnerabilities and the cyber threats that come with them in different ways:

Manage Access Control 

Set up your SIEM to monitor IoT device access and where those accessing the devices are connecting from, alerting you when a connection is suspicious.

Monitor Data Flow 

Many IoT devices are set up to communicate over unencrypted channels which can be used to exfiltrate data. Set up the SIEM to monitor unusual data flows and alert when suspicious data flow traffic through the device is detected.

Detect Compromised IoT Devices 

Set up your SIEM to alert you if anomalous behavior is detected from an IoT device which could be an indicator of compromise.

Manage IoT Vulnerabilities 

A SIEM can be configured to detect unpatched IoT vulnerabilities, insecure protocols, and old IoT operating systems on IoT devices.

Monitor for DoS Attacks 

The SIEM can monitor for unusually large amounts of traffic from IoT devices, which could indicate they are being used to perform a DoS attack.

Conclusion

There are many more use cases for a SIEM, including detecting data exfiltration, trusted host, and entity compromise. In more advanced use cases, you even leverage your SIEM to help you adhere to regulatory compliance like SOX, HIPAA, PCI, and GDPR. 

Ultimately, leveraging a SIEM is all about maturing the processes and rulebooks that govern your SIEM. That can take some time, even for the most experienced cybersecurity operations center. If you have any questions about building playbooks for your SIEM or getting the best return on your SIEM investment, talk to Digital Hands. When it comes to SIEM, we have seen it all before and we can work with you to help you realize your investment on the SIEM you already have, or help you avoid the cost and CAPEX of a SIEM completely, and provide you with our CyGuard® Cloud SIEM as a service, enabling you to realize the benefits of a SIEM without the heavy upfront expenditure usually associated with acquiring one, configuring and maturing it.

Contact Digital Hands

Digital Hands employs a deeply experienced team of cybersecurity professionals who can help your business get to grips with your cybersecurity posture. We help you implement controls and technology to help stop cyberattacks before they become a major cyber incident.

If you need a competent partner to help you make the right moves with your cybersecurity, get in touch with Digital Hands today at (855) 511-5114 or info@digitalhands.com.

About Digital Hands:  Recently ranked as one of the Top MSSPs in 2020, Digital Hands is a trusted global cybersecurity leader continuously taking action to protect our customers’ most valuable assets against relentless threats. 

Digital Hands is proud to offer extensive security expertise and advanced monitoring and reporting capabilities. Our robust set of innovative cybersecurity services and solutions ensures your organization, customers and employees are defended against cybersecurity attacks and data breaches round the clock.    

We are proactive in our response orchestration that includes in-depth analysis and business context. Digital Hands enables our customers to harden their security posture, outmatch bad actors and benefit from our complementary white glove service and excellence in delivery. Our industry – leading customer retention rate and Net Promoter Score of 94 reflects how we go above and beyond every day for our customers.

References:

1)  https://www.verizonenterprise.com/verizon-insights-lab/dbir/

Recent Blogs

Top Cyber Attacks of October 2022

Read More

The SOC of the Future: Scale your Security at Speed

Read More

Top Cyber Attacks of September 2022

Read More