SIEM Use Case Developers assume a central position in the Cyber Defense Team. They develop detection logics, coordinate countermeasures in the event of IT security incidents, and advise customers on upcoming strategic decisions regarding their company’s cyber security. But what exactly is behind the SIEM use case development job description? We asked one of our cyber defense consultants in more detail.
How would you describe your job in a few sentences?
If you ask me for an attribute that best describes my job as a cyber defense consultant, the answer can only be: varied! Because as a Cyber Defense Consultant, I am involved in an extremely diverse task structure. My tasks include developing detection logic for our customers’ SIEM systems, developing and coordinating countermeasures in the event of acute IT security incidents, and of course advising customers on important, strategic decisions. In short, no two days are the same here – and I rarely know when I start work what to expect during the day. That makes my job quite challenging and extremely exciting.
What role does SIEM use case development play in your job?
If you don’t know what to do with SIEM use case development at first, you’re like a lot of people around me. Use cases, as the logical element for detecting attacks or their detection rules as the technical implementation of logic, are the heart of a SIEM system. Therefore, I will go into this particularly exciting and challenging area of my job in more detail below and try to present the task a bit more tangibly.
Our customers are confronted with a wide variety of threat scenarios on a daily basis. Because as IT security evolves, cybercriminals are also employing new methods and tactics. To illustrate the SIEM use case evolution, I would like to list a current common threat scenario called “Remote Services” in MITRE ATT&CK. Remote Services comes from the field of “Lateral Movements”, an approach where an attacker moves from one system to another within the enterprise network. The goal of the attacker(s) is either to maximize propagation within the victim’s network (when deploying ransomware, for example) or to locate and exfiltrate specific data as part of industrial espionage.
What are the individual phases of your use case development?
The basis for all further measures is first of all that I understand the attack scenario, so that we can effectively protect our customers from the threat of remote services with a SIEM system. Usually, the MITRE ATT&CK framework is my starting point to develop a theoretical understanding of the attackers’ approach, methods and specifics. For most attack scenarios, I already have a rough idea – so the first step is primarily to flesh out my ideas about the attack.
Then I start researching. I look for the most concrete examples of attacks possible in blogs and forums or in white papers. In this way, I get an overview “from practice” in addition to the very theoretical MITRE ATT&CK framework. In this step, I try to come up with all the details around the typical flow of an attack. The more concretely I understand the structure and process of the attack, the more precise will be the results of the now following step.
After the “basic work” I have to gather practical experience about the course of the attack. For this purpose, I have a test environment at my disposal in which I carry out the attacks as “realistically” as possible. Very often, there are clear differences between the theory described and the actual practice. These small details are immensely important and are documented. Piece by piece, a picture of the attack process emerges. Through the simulations, I recognize the ways in which attackers typically move from one system to another. Do they use SMB, RPC or WinRM – or is RDP the preferred route?
If I know how the attackers move through the systems, I look for a way to detect the movements and patterns as error-free as possible. For this, there is mostly freely available information on the net – which I like to use in a supportive manner. However, I check each piece of information thoroughly and precisely, also in practice, because besides outdated info there is unfortunately always a lot of wrong or erroneous information. The simulations in our test environment are my most effective “filter” in this respect.
Once I have found the most reliable approach to detecting the threat, I implement it in one of the SIEM systems in our test environment and then re-run the attack – in a variety of ways. This enables me to practically verify the set of rules. In parallel, I document the advantages and disadvantages of different detection approaches.
Finally, the use case created in this way is discussed with a more experienced employee. The “4-eyes principle” represents quality assurance – and the experienced colleagues can still give me input, if necessary, regarding possible alternatives in the solution approaches. If necessary, the detection approaches are also adjusted again.
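As an added illustration of the end result of the procedure described above (this is not code from the post, its author or any vendor's SIEM), the following prototype detection logic for the “Remote Services” scenario runs over constructed Windows logon events: one account reaching several distinct hosts over SMB/RPC/WinRM (LogonType 3) or RDP (LogonType 10) within a short window raises one alert. The event field names, the window and the threshold are assumptions chosen for this example; the rule metadata shows the log-source, ATT&CK and analyst-action information the post says vendor rules usually lack.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Rule metadata of the kind the post says supplied use cases usually lack:
# required log source, ATT&CK mapping and a concrete instruction for the analyst.
RULE = {
    "name": "Lateral movement via remote services (logon fan-out)",
    "mitre": "T1021 Remote Services",
    "required_logs": "Windows Security event 4624; LogonType 3 (SMB/RPC/WinRM), 10 (RDP)",
    "analyst_action": "Check whether the source host is a known admin jump host; "
                      "if not, isolate it and review the listed target hosts.",
}
REMOTE_LOGON_TYPES = {3, 10}   # network and RemoteInteractive logons


def detect_fan_out(events, window=timedelta(minutes=10), min_targets=3):
    """Return one alert per (user, source IP) that logs on to at least
    min_targets distinct hosts via remote logon types inside a sliding window.
    Window and threshold are assumed values; tune them against your own baseline."""
    history = defaultdict(list)        # (user, src_ip) -> [(timestamp, target host)]
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != 4624 or ev["logon_type"] not in REMOTE_LOGON_TYPES:
            continue                   # console/interactive logons are not lateral movement
        key = (ev["user"], ev["src_ip"])
        ts = datetime.fromisoformat(ev["ts"])
        history[key] = [(t, h) for t, h in history[key] if ts - t <= window]
        history[key].append((ts, ev["target"]))
        targets = sorted({h for _, h in history[key]})
        if len(targets) >= min_targets and key not in alerted:
            alerted.add(key)           # alert once per key, not on every further logon
            alerts.append({"rule": RULE["name"], "mitre": RULE["mitre"], "user": key[0],
                           "src_ip": key[1], "targets": targets, "last_seen": ev["ts"]})
    return alerts


def ev(ts, logon_type, user, src_ip, target):
    # Constructed event in an assumed normalised schema (not a real log line).
    return {"ts": ts, "event_id": 4624, "logon_type": logon_type,
            "user": user, "src_ip": src_ip, "target": target}


# Constructed sample: a backup account polling one file server (benign), and an
# account fanning out to three hosts over SMB, RDP and WinRM within five minutes.
SAMPLE_EVENTS = [
    ev("2024-03-01T09:00:00", 3, "svc-backup", "10.0.0.20", "FS01"),
    ev("2024-03-01T09:05:00", 3, "svc-backup", "10.0.0.20", "FS01"),
    ev("2024-03-01T09:10:00", 3, "svc-backup", "10.0.0.20", "FS01"),
    ev("2024-03-01T09:01:00", 2, "j.doe", "10.0.0.7", "WS07"),    # console logon, ignored
    ev("2024-03-01T09:02:00", 3, "j.doe", "10.0.0.7", "FS01"),    # SMB
    ev("2024-03-01T09:04:30", 10, "j.doe", "10.0.0.7", "SRV02"),  # RDP
    ev("2024-03-01T09:07:00", 3, "j.doe", "10.0.0.7", "DC01"),    # WinRM/RPC -> third host, alert
    ev("2024-03-01T09:30:00", 3, "j.doe", "10.0.0.7", "SRV09"),   # outside window, no second alert
]
```

Re-running the simulated attack over different protocols, as the post describes, is what tells you whether LogonType 3 and 10 alone are sufficient for your environment or whether the rule also needs, for example, the logon process or the named pipe.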
How long does it take to develop a SIEM use case?
The creation of a use case is a complex matter. Accordingly, the entire process takes a lot of time. We usually calculate about 2 – 4 days per use case, always depending on the complexity of the scenario. Since hardly any use case is the same as another, we can only ever estimate the amount of work involved in advance. But that’s exactly what I like about my job. I initially only know a rough threat scenario and then work my way into the finer details bit by bit – without knowing at the beginning exactly what results I will be able to use to expand our customers’ SIEM system in the end.
Good to know: What are use cases and why do you need them?
Use cases, as a logical element for detecting attacks or their detection rules as a technical implementation of logic, are the heart of a SIEM system. For almost all providers of SIEM solutions, supplied use cases as practical “out-of-the-box” solutions are the selling point. However, for several reasons, the pre-built rules usually add little value.
These detection rules are usually very generic and thus hardly fit the respective IT landscape or the threat situation. In most cases, the use cases lack both the information about which logs/events the IT systems must deliver and action instructions for the cyber defense analysts. Furthermore, a large number of rules are provided that either massively overwhelm the SIEM analysts if they are all activated or need to be selected in advance in a meaningful way. Among other things, it is important both for this selection process and for the subsequent processing of alerts from the use cases that these have a direct link to known IT security frameworks such as MITRE ATT&CK. With this and appropriate expert knowledge, the most essential goal of use case selection – to obtain the maximum coverage of known attack vectors with the smallest possible number of high-quality use cases – can be achieved.