You deploy more and more technology to keep your environment secure, but it seems like the cybercriminals are always one step ahead. They have a distinct advantage. They only have to find one way to get inside your environment, but you have to defend and protect against every possible scenario. That’s why you likely have anywhere between 25 to 70 different security-centric solutions. That places a pretty heavy burden on your SecOps team not only to manage all those security tools, but to monitor them as well. But of course, that’s why you have a SIEM—to make it easier to centrally monitor all the activity those solutions pick up. Unfortunately, attackers can still slip by undetected if you’re not collecting the right logs that allow you to spot for those evasive indicators of compromise.
Have you ever noticed how after a massive breach, the forensics team can come in, puzzle together all the obscure artifacts, and create a pretty accurate picture of how the attackers got in and the various paths they took to get to the organization’s crown jewels? It’s because all the indicators of compromise were there. The SIEM just wasn’t configured to watch for them. That’s why intelligence-driven Security Operation Centers, or SOCs focus more and more on feeding a variety of use cases into their SIEMs.
A use case starts with a formal description of security challenges you might be trying to solve, such as defending against brute force attacks, alerting on ransomware malware indicators, or identifying sensitive data exfiltration by watching for sudden spikes in network traffic that point to potential malicious activity. Next, the use case specifies the data that needs to be collected and correlated in order to raise alerts within the analyst's triage whenever the indicators of compromise are encountered. It also spells out procedures for response and remediation. The primary driver to having formal use cases defined is to help your SOC become more proactive, agile, and responsive to current and emerging cyber threats.
But there are a few challenges SecOps teams commonly face. First, they don't have a library of best practice alerts and content to build their use cases around. Second, once a use case has been defined, implementing it with a SIEM rule or report is very time consuming and can easily be done wrong. It can quickly become a full time job to build into your SIEM all the documentation, rules, reports, and content needed for the use cases you might want or need. That’s why Micro Focus built ArcSight Activate, a modular content development framework that lets you deploy modular content and standardized use cases easily within ArcSight Enterprise Security Manager (ESM). The framework has more than 249 use cases developed by SIEM experts from Micro Focus and the ArcSight community.
To make it even easier to find, decide on, and manage the use cases you need from the Activate framework, Micro Focus recently released the ArcSight Content Brain tool. Content Brain is a free web-based cloud tool that helps you navigate all the different security challenges and attack vectors out there and then visualize the corresponding best practices and use cases most appropriate for watching for them using your ESM SIEM. And as Micro Focus continues to develop, redefine, and release new rule-sets, dashboards and use case content based on the latest cyber threats and vendor security products, Content Brain helps you easily learn about them and add them to your security arsenal.
With Content Brain you no longer have to spend hours every week or month, white boarding what security uses cases you should implement. You can easily visualize all the use cases out there that other SIEM experts have developed. Its dashboard helps you visually navigate different use cases for different levels of situational awareness and which solutions best address issues at diverse stages. Plus, you can easily track which use cases you’re already using, testing for planned use, or that you might want to use in the future. Content Brain lets you drill down into the details of the different use cases and gives you guidance on how you can better fine-tune your use case monitoring to best meet your needs.
To learn more about how Content Brain can help you in your efforts to be a more intelligence-driven SOC, watch our Content Brain webinar. We also invite you to create your free Content Brain account and browse through all our available use cases.