The cybersecurity industry, and the individuals leading research on defensive mechanisms for safeguarding the world's data, have developed increasingly advanced tools over the past 20 years. One of the main advancements in this field is the development of Security Information and Event Management (SIEM) solutions, which assist in detecting adversaries by processing vast amounts of log data. The technology offers detection capabilities built on top of the available log sources. The SIEM was meant to be the one solution that ties together many different cybersecurity products, visualises the security health of an organisation, detects attacks and coordinates response activities.
However, the reality is that a tool does not solve an inherent problem. Most organisations have struggled with the implementation of tools such as SIEM (Perniola & Gray, 2019). The author alone has had 43 discussions with prospects and customers in 2018 on the topic of SIEM Use Case selection. Besides the operational difficulties, there is no globally accepted guidance as to which detection principles should be the focus. If an organisation does not know what to monitor in order to defend its significant information assets, a tool does not remove the need for that decision.
In response to this problem, this study proposes to investigate a possible methodology for assisting organisations and cybersecurity professionals in selecting SIEM Use Cases based on the techniques catalogued in the MITRE ATT&CK framework. This methodology should consider the respective technical and organisational environment, internal and external requirements, best practices, and the security know-how available within the company or organisation.
This work won first prize in the 2019 1337 competition of the "Sicherheitsgruppe Schweiz".