Whenever I talk with clients interested in or anxious about cybersecurity, my first question is, “What are you protecting against?” Invariably, the initial response is “everything.”
While we all want this outcome, it cannot happen, it does not happen and it will not happen. Entities must focus and build a solution around business objectives, need, risk and organizational capability. When designing, purchasing and deploying a cybersecurity environment, there is only so much time, money and expertise available. To help clients narrow their “everything” down to a more realistic and manageable answer, we focus on use cases. These simple statements each target a specific area of concern and tie to specific rules in a log aggregation system or security information and event management (SIEM) platform.
By understanding what use cases most immediately relate to a business or organization, we can deploy a solution that delivers technical data rapidly, thus granting the next level of security to our customers. Engaging experts in use case analysis and review through focused workshops presents a clear opportunity for organizations to understand their needs and plan a road map for future maturity.
Executive Sponsorship Is Critical
Cybersecurity solutions must start at the top with executive sponsorship and alignment with business objectives. Technology purchases, deployments and configurations flow as a natural outcome from business requirements. Use cases align business goals with technological capabilities. While the term “use case” may evoke different meanings or elicit various responses from different parties, it usually revolves around what a solution strives to accomplish. Organizations that want to build and maintain a viable and valuable cybersecurity defensive posture must understand what use cases are and how they will benefit the organization. Additionally, these businesses must make sure they have the tools and staff in place to successfully manage and maintain deployed and future use cases.
Identifying the correct use cases and how to implement, tune and monitor rules enabling successful deployment takes time, focus, business ownership and follow-up. When an organization decides to deploy cybersecurity people, processes and technologies, they must also determine what they must protect against. Many entities look at their competition and similar businesses in their markets to see what they do, and then pattern their implementations accordingly. While this technique delivers success quite frequently, it cannot be a single method for a company to follow. Organizations must look inward and see what risks they face and then compare those to other businesses in the same arena.
Focus on Real-World Situations
Deciding which use cases best meet the needs of a company requires a thorough understanding of the business goals, technologies in use and clarity around what the people monitoring, managing and maintaining the use cases can do. Some use cases are relatively clear and simple to implement and manage, while others take substantial technologies and skill to tune to such a level that the organization can successfully utilize the output surrounding the use case.
Examples include protection against a distributed denial-of-service (DDoS) attack or a spear phishing campaign. The DDoS use case may simply rely upon traffic volume hitting external firewalls, while a spear phishing use case may need traffic flow analysis, network insights that include packet inspection up to and including specific text within emails, and the capability to search for and identify specific artifacts related to the attack. While all organizations would inherently want both capabilities, not all have the tools or expertise that enable proper implementation and execution to manage these use cases.
One way to reduce the seemingly overwhelming task of identifying the use cases that specifically help an organization is to focus on regulatory and legal requirements. Simple examples include financial services entities focusing on use cases around Sarbanes-Oxley and/or PCI-DSS policies and requirements. Healthcare organizations can dedicate their use case focus around the Health Insurance Portability and Accountability Act (HIPAA). Several use cases that protect these organizations from a compliance issue deal with authorization and access restrictions. Building use cases around these areas ensures the business can comply with the specific regulations as well as guarantee they are in line with their competitors and peer organizations.
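The two use cases above (traffic volume at the external firewall, and the authorization and access-restriction monitoring that compliance-driven use cases rely on) both reduce to the same SIEM rule shape: count matching events per key inside a sliding time window and fire at a threshold. The following is an added illustration, not code from the original post or from any SIEM product; the event fields, device names and sample values are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a normalised form (not any vendor's log format):
# (timestamp, source device, action, src_ip, dst_ip, user). Values are made up.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", "fw-ext", "allow", "203.0.113.5", "198.51.100.10", ""),
    ("2024-05-01T10:00:01", "fw-ext", "allow", "203.0.113.6", "198.51.100.10", ""),
    ("2024-05-01T10:00:02", "fw-ext", "allow", "203.0.113.7", "198.51.100.10", ""),
    ("2024-05-01T10:00:03", "fw-ext", "allow", "203.0.113.8", "198.51.100.10", ""),
    ("2024-05-01T10:00:30", "fw-ext", "allow", "203.0.113.5", "198.51.100.20", ""),
    ("2024-05-01T10:05:00", "app-hr", "deny", "10.0.0.4", "10.0.1.2", "jdoe"),
    ("2024-05-01T10:05:10", "app-hr", "deny", "10.0.0.4", "10.0.1.2", "jdoe"),
    ("2024-05-01T10:05:20", "app-hr", "deny", "10.0.0.4", "10.0.1.2", "jdoe"),
    ("2024-05-01T10:30:00", "app-hr", "deny", "10.0.0.9", "10.0.1.2", "asmith"),
]

def parse(event):
    ts, device, action, src, dst, user = event
    return {"ts": datetime.fromisoformat(ts), "device": device, "action": action,
            "src": src, "dst": dst, "user": user}

def window_rule(events, match, key, window, threshold):
    """Generic use-case rule: fire on a key once >= threshold matching events
    fall inside a sliding window. Returns {key: timestamp of first firing}."""
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    fired = {}
    for ev in sorted((parse(e) for e in events), key=lambda e: e["ts"]):
        if not match(ev):
            continue
        k = key(ev)
        q = recent[k]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold and k not in fired:
            fired[k] = ev["ts"]
    return fired

def ddos_volume_rule(events, threshold=4, window=timedelta(seconds=60)):
    """Use case 1: traffic volume at the external firewall towards one destination."""
    return window_rule(events, lambda e: e["device"] == "fw-ext",
                       lambda e: e["dst"], window, threshold)

def access_denied_rule(events, threshold=3, window=timedelta(minutes=5)):
    """Use case 2: repeated authorization failures by one user (access-restriction monitoring)."""
    return window_rule(events, lambda e: e["action"] == "deny" and e["user"],
                       lambda e: e["user"], window, threshold)

if __name__ == "__main__":
    print(ddos_volume_rule(SAMPLE_EVENTS))    # destination 198.51.100.10 fires
    print(access_denied_rule(SAMPLE_EVENTS))  # user jdoe fires, asmith does not
```

The thresholds and windows are the tuning knobs the text refers to; the same rule shape serves both use cases, and only the match and key functions encode what the business decided it must protect against.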
Know What Your Business Needs to Move Forward
Use cases play a key role in enabling organizations to focus on relevant cybersecurity defenses. To deploy the proper use cases, businesses should understand the organization’s needs and goals. Investigating and understanding what competitors and peers protect against adds value, although this method cannot stand alone in determining which use cases a business should implement and focus on. Having the proper people, processes and technologies in place is a requirement to ensure effective use case implementation and monitoring.
To ensure a viable and successful cybersecurity defense, businesses need to know what they must protect against and focus on deploying, managing and maintaining current and future SIEM use cases aligned with business goals and technology capabilities. Eliciting support from consulting practices to review current use cases, align them with business needs, and modify or deploy new use cases will help customers focus on their needs and increase cybersecurity maturity.
Security Intelligence Staff