
Finding Use Cases for SIEM

Glossary:

SIEM (Security Information & Event Management) is a hardware and software system for collecting event information (logs) and correlating and analyzing it. (Wikipedia)

Use Case (as applied to SIEM) is the established term for a specific set of rules/scripts and/or visualization mechanisms, e.g. to detect port scans, to check IP addresses against an external reputation database, and so on. Use Cases can be written in-house, taken ready-made from the vendor's website, or ordered from contractors.


The purpose of this article is to systematize the information I found in Use Case catalogs and additional resources, and to collect more through an active dialogue in the comments. Please share your experience, and I will update the post with what comes in.

Contents :

1. SIEM rating in 2016
2. “Native” Use Case shops on the websites of SIEM manufacturers
3. Recommendations for self-writing Use Case
4. Custom Development: Integrator Map
5. Third-party Use Case catalogs: SOC Prime UCL, vendor forums (list updated)
6. Links to blogs and additional information security resources related to SIEM

1. SIEM rating in 2016


If you are still choosing a SIEM, here is their current rating from two independent sources. It will also make clear why the article gives each solution a different amount of attention.


Source: Gartner Magic Quadrant 2016


Source: 2016 InfoSec Nirvana

If import substitution is a relevant requirement, there are at least three SIEMs with Russian roots:

Additional information provided by Positive Technologies:
- link to the MP SIEM LE page - www.ptsecurity.com/ru-ru/promo/siem-le
- a separate link to the current booklet www.ptsecurity.com/upload/ptru/products/documents/mpsiem/PT-MaxPatrol-SIEM-Product-Booklet-rus.pdf
- link to the detailed webinar on MP SIEM my.webinar.ru/record/873458

“We believe that of all the ‘Russian’ SIEM products, PT is perhaps the only one backed by extensive information security expertise (pentests and attack scenarios), and it also offers free coverage of the customer's existing sources.

In addition, MaxPatrol SIEM implements a mechanism for delivering the expertise of the Positive Research center into the product, based on the Positive Technologies Knowledge Base (PTKB). This is a high-level, constantly updated data set built on 15 years of the research center's experience, including penetration tests and security audits.”


Not included in the ratings, but worth mentioning:
→ OSSIM (Open Source Security Information Management) habr1, habr2
→ OpenSOC, which grew into Apache Metron


2. “Native” Use Case shops on the websites of SIEM manufacturers


Information as of the date of publication (end of November 2016). So far only four vendors have set up their own sites for publishing Use Cases. Most vendors also have an internal forum for exchanging information and finding solutions to emerging problems.

HPE ArcSight Marketplace
Both paid and free. Without additional filtering, the site lists 170 Use Cases in total.

IBM Security App Exchange
Downloads are free. 73 Use Cases in total, developed both by IBM and by its partners.

LogRhythm
Only 19 Use Cases so far, and those are rather marketing descriptions.

Splunk
The “Security, Fraud and Compliance” subsection contains 487 applications. But if you filter down to applications only (not add-ons, although they matter too) and to product version 6.0 and higher, the total drops to 236 Use Cases.

3. Recommendations for self-writing Use Case


The development methodology for Use Cases is well described in the blog (Anton Chuvakin) and in the article.

In short, the task should be approached as a full-fledged mini-project:

  1. Clearly define the problem to be solved and where it comes from (a business requirement, the need to comply with industry data protection standards and regulations, etc.).
  2. Define the project boundaries (i.e., the specific part of the protected IT infrastructure).
  3. Then identify the possible “event sources” whose processing will make a working Use Case possible. These can be device logs, event logs and configuration settings.
  4. Check that the source regularly delivers all the necessary data; otherwise even a correctly developed Use Case cannot work effectively (it will not fire at all, or, on the contrary, will produce False Positives).
  5. Only then start developing the Use Case itself.
  6. Install and test it, adjusting the logic and trigger thresholds.
  7. Once the Use Case is verified and installed in the product, configure the response to it correctly: is it enough to show the data on dashboards, or is an SMS/email notification needed, or even an automatic configuration change on downstream devices (for example, IBM states that its SIEM will be able to change IPS/firewall rules).
  8. Hooray, everything works! But the work is not over: the developed mini-product needs maintenance. Periodically check that data is still arriving for processing and that its format has not changed, and adapt the Use Case itself to the changing topology of the IT infrastructure and the needs of the business.
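As an added illustration of steps 3 to 8 (this is example code written for this article, not from the original post or from any SIEM vendor), here is a minimal port-scan Use Case in Python run over a few constructed firewall log lines. The log format, the field names, the 10-second window, the threshold of 5 distinct targets and the ignore list for an internal vulnerability scanner are all assumptions made for the example; a real SIEM would express the same logic in its own rule language. The point the example adds to the list above is step 4: the same function that detects the scan is useless if the source has gone silent or its format has drifted, so the source health check is part of the Use Case, not a separate concern.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (not captured from any real device).
# Assumed format: <ISO timestamp> fw action=<verb> src=<ip> dst=<ip> dport=<port>
# 10.0.0.5 is the scanner, 10.0.0.7 is a normal client, 10.0.0.99 is an
# (assumed) internal vulnerability scanner that should be ignored.
SAMPLE_LOGS = """\
2016-11-20T10:00:00 fw action=allow src=10.0.0.7 dst=192.168.1.20 dport=443
2016-11-20T10:00:01 fw action=deny src=10.0.0.5 dst=192.168.1.10 dport=21
2016-11-20T10:00:01 fw action=deny src=10.0.0.5 dst=192.168.1.10 dport=22
2016-11-20T10:00:02 fw action=deny src=10.0.0.5 dst=192.168.1.10 dport=23
2016-11-20T10:00:02 fw action=deny src=10.0.0.5 dst=192.168.1.10 dport=25
2016-11-20T10:00:02 fw action=allow src=10.0.0.5 dst=192.168.1.10 dport=80
2016-11-20T10:00:03 fw action=deny src=10.0.0.5 dst=192.168.1.10 dport=110
2016-11-20T10:00:05 fw action=allow src=10.0.0.7 dst=192.168.1.20 dport=443
2016-11-20T10:00:06 fw action=allow src=10.0.0.7 dst=192.168.1.20 dport=80
this line is not in the expected format
2016-11-20T10:00:10 fw action=deny src=10.0.0.99 dst=192.168.1.30 dport=21
2016-11-20T10:00:10 fw action=deny src=10.0.0.99 dst=192.168.1.30 dport=22
2016-11-20T10:00:11 fw action=deny src=10.0.0.99 dst=192.168.1.30 dport=23
2016-11-20T10:00:11 fw action=deny src=10.0.0.99 dst=192.168.1.30 dport=25
2016-11-20T10:00:12 fw action=deny src=10.0.0.99 dst=192.168.1.30 dport=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw action=(?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return an event dict, or None for a line that does not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev


def parse_logs(text):
    """Parse all lines; also count unparsable ones so format drift stays visible."""
    events, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
        else:
            events.append(ev)
    return events, unparsed


def detect_port_scans(events, window_seconds=10, threshold=5, ignore_sources=()):
    """Alert once per source that touches >= threshold distinct (dst, dport) pairs
    inside a sliding window. ignore_sources suppresses known scanners (tuning, step 6)."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["src"] not in ignore_sources:
            by_src[ev["src"]].append(ev)
    window = timedelta(seconds=window_seconds)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            recent = [e for e in evs[: i + 1] if ev["ts"] - e["ts"] <= window]
            targets = {(e["dst"], e["dport"]) for e in recent}
            if len(targets) >= threshold:
                alerts.append({"src": src, "distinct_targets": len(targets),
                               "first_seen": recent[0]["ts"], "last_seen": ev["ts"]})
                break  # one alert per source; no repeat for every further packet
    return alerts


def check_source_health(events, unparsed, now, max_silence_seconds=300,
                        max_unparsed_ratio=0.1):
    """Step 4/8 of the methodology: a Use Case that gets no data, or data in a
    changed format, silently stops firing. 'now' may be a datetime or ISO string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    if not events:
        return {"status": "no_data"}
    silence = (now - max(e["ts"] for e in events)).total_seconds()
    ratio = unparsed / (unparsed + len(events))
    if silence > max_silence_seconds:
        return {"status": "stale", "silence_seconds": silence}
    if ratio > max_unparsed_ratio:
        return {"status": "format_drift", "unparsed_ratio": round(ratio, 2)}
    return {"status": "ok"}


if __name__ == "__main__":
    evs, bad = parse_logs(SAMPLE_LOGS)
    print(check_source_health(evs, bad, "2016-11-20T10:00:30"))
    for alert in detect_port_scans(evs, ignore_sources={"10.0.0.99"}):
        print(alert)
```

Run as-is, the script reports the source as healthy and raises one alert for 10.0.0.5; 10.0.0.7 never reaches the threshold and 10.0.0.99 is suppressed by the ignore list. Moving `now` ten minutes forward, or lowering the tolerated share of unparsed lines, flips the health check to `stale` or `format_drift`, which is exactly the condition under which the detection function would otherwise fail silently.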

4. Custom Development: Integrator Map


If your own resources, time or expertise are insufficient, you can turn to professionals; in 99% of cases this will be an integrator company that, on its own or with Professional Services from the SIEM vendor, performs custom development and support of Use Cases.

Links to the “partner locator” sections of popular SIEMs:

→ findapartner.hpe.com
→ www-356.ibm.com/partnerworld/wps/bplocator/search.jsp
→ logrhythm.com/partners/resellers-and-mssps/find-a-partner (the partner list is not public; they offer a request form and send partner details in response).
→ www.rsa.com/en-us/partners/find
→ www.splunk.com/en_us/partners/find-a-partner.html

Based on the partner information available at these links, I compiled a summary table using Ukraine (and the SIEMs distributed there) as an example. As you can see, some integrators are not “monogamous.”

Integrator                      | QRadar           | ArcSight                           | Splunk
--------------------------------|------------------|------------------------------------|---------
Active Audit Agency             | -                | -                                  | Reseller
Betta security                  | -                | -                                  | Reseller
BMS Consulting                  | Business partner | Gold partner                       | -
CBS Group                       | Business partner | -                                  | -
Center of System Integration    | -                | Business partner                   | -
COMPAREX Ukraine                | Business partner | -                                  | -
Comsec                          | -                | -                                  | Reseller
CS Integra                      | -                | Business partner                   | -
IBPM                            | Business partner | -                                  | -
ICSystems                       | -                | Business partner                   | -
Integrity vision                | Business partner | -                                  | -
ISSP                            | -                | Silver partner, engineer certified | -
IT for Business (Supportio)     | -                | Business partner                   | -
IT-Integrator (Incom)           | Business partner | -                                  | -
Lantec                          | -                | Platinum partner                   | -
SI BIS                          | Business partner | -                                  | -
SI Center                       | -                | Business partner                   | -
Spezvuzavtomatika               | -                | Business partner                   | -
SPro                            | Business partner | -                                  | -
SVIT IT                         | Business partner | Gold partner, engineer certified   | -
System integration service      | Business partner | -                                  | -

This information is not 100% current, since partner status is updated slowly and situationally: one company may be granted it in advance, another may already have achieved significant results but only gets its status updated six months later, and a third may already have lost its engineers along with its reputation yet is still listed with a full set of regalia. Also, with large vendors (HPE, IBM) it is hard to tell which partner specializes in which of their many products. So I additionally recommend (anonymously) calling your SIEM's distributors and asking which partners they recommend.

Lack of official partner status generally does not prevent a company from selling the product successfully; it only earns less. Obtaining the status for occasional work with a product can be irrational (for example, if it requires mandatory, expensive engineer certification and/or a certain annual sales volume).

5. Third-Party Use Case Catalogs


So far I have found only a few alternative resources where you can try to download a Use Case for your needs:

Official vendor forums
Users often lack the time, persistence or motivation to polish a case for publication in the official catalog, but posting it “as is” on the forum is easy.

→ www.protect724.hpe.com
→ www.splunk.com/en_us/community.html

IBM support communities:
Marketplace support myibm.ibm.com/support/forum
Get answers to your products and services questions using a collaborative forum moderated by IBM experts.
developerWorks www.ibm.com/developerworks/community
Learn from the experts in the developerWorks community.
dW Answers developer.ibm.com/answers
Post questions and look up answers in the developerWorks community

RSA Link community.rsa.com/community/rsa-customer-support

Intel McAfee community.mcafee.com

Security groups on LinkedIn
In principle, similar to the previous item, but on average the content may be better presented: after all, it is published on an HR resource, in view of potential employers, with a clear link to the author's profile (i.e., resume).

“SIEM Use-Cases” www.linkedin.com/groups/6704216

SOC Prime's commercial Use Case Library platform
Currently three SIEMs are supported: HPE ArcSight, IBM QRadar, Splunk. The library contains Use Cases developed by SOC Prime itself as well as ones uploaded by other users. Unexpectedly, all content is duplicated in English and Russian (switched in the profile settings).
ucl.socprime.com

Total: 22 applications. According to the site, it launched on 08/31/2016, so there is hope for further growth. Another 22 Use Cases are in development (R&D status).

Use Cases are bought with points, which can be paid for with money or earned by your own work (reviews of purchased applications, posting your own Use Case, suggesting an idea through the feedback form).



Continuation of the first screenshot, but with an alternative list layout:



I was not able to register there right away; as it turned out later, the site ignores public Gmail addresses and forces registration with a corporate email only. “If attackers could easily register via free email and learn the protection algorithm, they would learn to bypass such protection faster.”

6. SIEM Blogs and Additional Information Security Resources
Anton Chuvakin (a lot about SIEM) blogs.gartner.com/anton-chuvakin
Augusto Barros (more about SOC) blogs.gartner.com/augusto-barros
Deepak Kumar www.linkedin.com/today/author/0_0r-9MaWjS4pt2cnm0EWqkR
Raffael Marty raffy.ch/blog
Ofer Shezaf xiom.com

resources.infosecinstitute.com
infosecnirvana.com/category/siem
www.cybrary.it
securosis.com/search/results/e9fc8ff294a13141edb0affefd542297
securityintelligence.com/?s=siem
www.techtarget.com/search/query?q=siem
solutionsreview.com/security-information-event-management

LinkedIn Group “SIEM Use-Cases” www.linkedin.com/groups/6704216

Habr users who contributed:
AlexGryn Alexander Grinyuk, technical presales (security) at IBM for the CIS region (excluding Russia).

alekbr Alexander Bredikhin, Technical Director, SOC Prime

SearchInform Ivan Mershkov, Technical Director, SearchInform

Positive Technologies, representative of the vendor of the same name, which actively maintains a corporate blog on Habr.

About the author:

I have 4 years of experience at a security integrator, 2 years in a distributor's security department, and the last 3 years on the customer side at an FMCG company as an IT Business Analyst. Out of habit I still follow security news, and when a friend needed help finding Use Cases I followed the fresh trail and decided to write an article.

Source: https://habr.com/ru/post/316496/
