Whenever I talk with clients interested in or anxious about cybersecurity, my first question falls to, “What are you protecting against?” Invariably, the initial response comes out as “everything.”

While we all want this outcome, it cannot happen, it does not happen and it will not happen. Entities must focus and build a solution around business objectives, need, risk and organizational capability. When designing, purchasing and deploying a cybersecurity environment, there’s only so much time, money and expertise available. To assist clients in narrowing down their “everything” to a more realistic and manageable answer, we focus on use cases. These simple statements cover numerous areas and tie in to specific rules in a log aggregation system or security information and event management (SIEM) platform.

By understanding what use cases most immediately relate to a business or organization, we can deploy a solution that delivers technical data rapidly, thus granting the next level of security to our customers. Engaging experts in use case analysis and review through focused workshops presents a clear opportunity for organizations to understand their needs and plan a road map for future maturity.

Executive Sponsorship Is Critical

Cybersecurity solutions must start at the top with executive sponsorship and alignment with business objectives. Technology purchases, deployments and configurations flow as a natural outcome from business requirements. Use cases align business goals with technological capabilities. While the term “use case” may evoke different meanings or elicit various responses from different parties, it usually revolves around what a solution strives to accomplish. Organizations that want to build and maintain a viable and valuable cybersecurity defensive posture must understand what use cases are and how they will benefit the organization. Additionally, these businesses must make sure they have the tools and staff in place to successfully manage and maintain deployed and future use cases.

Identifying the correct use cases and how to implement, tune and monitor the rules that enable successful deployment takes time, focus, business ownership and follow-up. When an organization decides to deploy cybersecurity people, processes and technologies, it must also determine what it must protect against. Many entities look at their competition and similar businesses in their markets to see what they do, and then pattern their implementations accordingly. While this technique delivers success quite frequently, it cannot be the only method a company follows. Organizations must look inward and see what risks they face and then compare those to other businesses in the same arena.

Focus on Real-World Situations

Deciding which use cases best meet the needs of a company requires a thorough understanding of the business goals, technologies in use and clarity around what the people monitoring, managing and maintaining the use cases can do. Some use cases are relatively clear and simple to implement and manage, while others take substantial technologies and skill to tune to such a level that the organization can successfully utilize the output surrounding the use case.

Examples include protection against a distributed denial-of-service (DDoS) attack or a spear phishing campaign. The DDoS use case may simply rely upon traffic volume hitting external firewalls while a spear phishing campaign may need traffic flow analysis, network insights that include packet inspection up to and including specific texts within emails as well as capability to search for and identify specific artifacts related to the attack. While all organizations would inherently want both capabilities, not all have the tools or expertise that enable proper implementation and execution to manage these use cases.
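As an added illustration (not code from the original article or from any SIEM product), the simpler of the two use cases above can be written as a volume rule over firewall events. The log format, field names, addresses and thresholds are constructed assumptions; the distinct-source condition goes slightly beyond the text to show the kind of tuning a rule needs before its output is useful.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Use case (assumed wording): alert when inbound connections to an
# external-facing address exceed the expected per-minute volume.
RULE = {
    "window_seconds": 60,
    "max_connections": 5,       # constructed threshold; derive from a baseline
    "min_distinct_sources": 3,  # tuning: ignore a single noisy client
}

# Constructed firewall log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = (
    [f"2024-01-01T10:00:{i:02d}Z src=198.51.100.{i % 4 + 1} dst=203.0.113.10 action=allow"
     for i in range(8)]                                   # many sources, one target
    + [f"2024-01-01T10:01:{i:02d}Z src=198.51.100.9 dst=203.0.113.20 action=allow"
       for i in range(8)]                                 # one chatty source
    + ["2024-01-01T10:02:05Z src=198.51.100.7 dst=203.0.113.10 action=allow",
       "truncated or malformed line"]
)

def parse_line(line):
    """Parse 'timestamp key=value ...'; return None for malformed lines."""
    parts = line.split()
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except (IndexError, ValueError):
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if "src" not in fields or "dst" not in fields:
        return None
    fields["epoch"] = int(ts.replace(tzinfo=timezone.utc).timestamp())
    return fields

def evaluate(lines, rule=RULE):
    """Return one alert per (destination, window) that breaches the rule."""
    buckets = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event is not None:
            window = event["epoch"] // rule["window_seconds"]
            buckets[(event["dst"], window)].append(event["src"])
    alerts = []
    for (dst, _), sources in sorted(buckets.items()):
        total, distinct = len(sources), len(set(sources))
        if total > rule["max_connections"] and distinct >= rule["min_distinct_sources"]:
            alerts.append({"dst": dst, "connections": total, "distinct_sources": distinct})
    return alerts
```

Calling evaluate(SAMPLE_LOG) flags only the first destination: the second sees the same volume from a single source, which the tuned rule treats as noise rather than a distributed flood.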

One way to reduce the seemingly overwhelming task of identifying the use cases that specifically help an organization is to focus on regulatory and legal requirements. Simple examples include financial services entities focusing on use cases around Sarbanes-Oxley and/or PCI-DSS policies and requirements. Healthcare organizations can dedicate their use case focus around the Health Insurance Portability and Accountability Act (HIPAA). Several use cases that protect these organizations from a compliance issue deal with authorization and access restrictions. Building use cases around these areas ensures the business can comply with the specific regulations as well as guarantee they are in line with their competitors and peer organizations.

Know What Your Business Needs to Move Forward

Use cases play a key role in enabling organizations to focus on relevant cybersecurity defenses. To deploy the proper use cases, businesses should understand the organization’s needs and goals. Investigating and understanding what competitors and peers protect against adds value, although this method cannot stand alone in determining what use cases a business should implement and focus on. Having the proper people, processes and technologies in place is a requirement to ensure effective use case implementation and monitoring.

To assure a viable and successful cybersecurity defense, businesses need to know what they need to protect against and focus on deploying, managing and maintaining current and future SIEM use cases aligned with business goals and technology capabilities. Eliciting support from consulting practices to review current use cases, aligning them with business needs, and modifying or deploying new use cases will help customers focus on needs and increase cybersecurity maturity.
