Defining, building, and making use cases work Paul Brettle Presales Manager, Americas Pacific Region
What is a use case? Compliance FISMA, PCI, SOX, etc Network security firewalls, IDS, routers & switches Malware Systems application and operating system User monitoring identity, privileged user, shared accounts SOC metrics management metrics, analyst team, infrastructure performance Fraud banking, atms Others? 2
Defining a Use Case Problem statement 1 6 Evaluate and refine Define the objective 2 Identify Identify 5 deliverables Define thresholds 4 data source 3 3
Example use case audit log cleared How do I want to be made aware? Notification to CIRT Dashboard tracking Compliance Report to Auditors of Audit Log Cleared 4 How do I know when the audit Problem log is cleared on my systems? statement Evaluate and refine Identify Define the objective Identify I need to be notified when audit logs are cleared for my critical assets Operating System deliverables Data data source IDS/IPS (Host) Firewalls Define thresholds What are my thresholds? (Always, Frequency based, something else?)
Building a use case Capture the data / requirements consistently Utilise a standard process What works for you is great Consider Use Case forms https://protect724.arcsight.com/docs/doc-1523 (Cindy Jones) Targeted, simple, manageable Steer clear of monolithic packages 5
Simple tactics to make your life easy KISS principle still stands Normal mechanisms stand, but control is the key part Keep named user control around role based access Limit options for access rights operators DON T need write to rules! Group by general use / log source type / purpose your choice! Use the numbering structures / schemes Remember the use case process and captured data Build out on deliverables Build out on threat / risk 6
ArcSight use cases Under used previously been present since ESM 4.5 Much more content and documentation around for ESM 6.0c and Express 4.0 Look at focused content built around specific data sets Usually focused around several active lists imported or used as standard Linked resources for filters, active channels etc common naming, structure etc Wizard tool to drive content configuration 7
Configuring a use case 8
Steps to build use cases 1. Problem statement 2. Define objectives 3. Identify data sources 4. Define thresholds 5. Identify the deliverables 6. Evaluate & refine as needed 1 2 3 4 5 6 9
Example use case Problem statement: Identify unauthorized privileged user access to critical servers Define the objective: Ensure we have the ability to identify when unauthorized access is: Attempted Succeeds Occurs without authorization Identify unusual behavior Allow easy identification of other activities 10
Example use case Identify the data sources: Servers Network devices Other? But also need to identify supporting data sources: Who is an privileged user? Can we identify them easily? How can we identify if they are allowed / authorized or not? Change control system? Change window? Supporting network log data? 11
Example use case Data source -> list Log data -> event Alert -> rule Consider supporting information Critical servers asset list Privileged users external list Default privileged user external list 12
Example use case Define the thresholds How to trigger rules? What content to build out? Where does the information go? Individuals? Team to process? Tracking list? 13
Example use case Identify deliverables Content to show what we want Dashboards Reports Alerts How to use the data? Dashboards Investigation Ease of use? External data compliance Audit information 14
Example use case Evaluate and refine How to improve? Where to refine and get better? What content can be extended? Focus on key data / log sources better privileged user information Integrate automated data feeds export / import Improve data, quality and content Add further capabilities on different log sources / systems 15
Review of use case approach Building Meaningful Use Cases Formalized approach to understand what is required Define, develop, build and use focused content Process helps define what is needed: Problem Statement Define Objectives Identify Data Sources Define Thresholds Identify the Deliverables Evaluate & Refine as Needed Assists in so many other areas 16
Summary Advanced Malware Server Admin Monitor Threat Intelligence User Monitoring Monitor Perimeter Monitoring Social Media Feed Insider Network Anomaly Detection Threat App Monitoring Third Party Monitor Baseline Monitoring 17
Please give me your feedback Session TB3057 Speaker Paul Brettle Please fill out a survey. Hand it to the door monitor on your way out. Thank you for providing your feedback, which helps us enhance content for future events. 18
Thank you