Whenever I talk with clients who are interested in or anxious about cybersecurity, my first question is, “What are you protecting against?” Invariably, the initial response is “everything.”

While we all want this outcome, it cannot happen, it does not happen and it will not happen. Entities must focus and build a solution around business objectives, need, risk and organizational capability. When designing, purchasing and deploying a cybersecurity environment, there is only so much time, money and expertise available. To help clients narrow their “everything” down to a realistic and manageable answer, we focus on use cases: short statements of a specific threat or condition the organization wants to detect (for example, repeated failed logins against an internet-facing service). Each use case maps to one or more specific rules in a log aggregation system or security information and event management (SIEM) platform, so the list of use cases is, in practice, the list of what the SIEM actually watches for.

By understanding which use cases most immediately apply to a business or organization, we can deploy a solution that produces actionable alerts quickly, raising the customer's security posture to the next level. Engaging experts in use case analysis and review through focused workshops gives organizations a clear opportunity to understand their needs and plan a road map for future maturity.

Executive Sponsorship Is Critical

Cybersecurity solutions must start at the top with executive sponsorship and alignment with business objectives. Technology purchases, deployments and configurations flow as a natural outcome from business requirements. Use cases align business goals with technological capabilities. While the term “use case” may mean different things to different parties, it usually revolves around what a solution strives to accomplish. Organizations that want to build and maintain a viable and valuable cybersecurity defensive posture must understand what use cases are and how they will benefit the organization. Additionally, these businesses must make sure they have the tools and staff in place to successfully manage and maintain deployed and future use cases.

Identifying the correct use cases, and how to implement, tune and monitor the rules that make them work, takes time, focus, business ownership and follow-up. When an organization decides to deploy cybersecurity people, processes and technologies, it must also determine what it must protect against. Many entities look at competitors and similar businesses in their markets to see what they do, and then pattern their implementations accordingly. While this technique frequently succeeds, it cannot be the only method a company follows: a peer's use cases reflect the peer's systems and risks, not yours. Organizations must look inward, identify the risks they face, and only then compare those against other businesses in the same arena.

Focus on Real-World Situations

Deciding which use cases best meet a company's needs requires a thorough understanding of the business goals, the technologies in use and what the people who monitor, manage and maintain the use cases can realistically do. Some use cases are relatively clear and simple to implement and manage, while others require substantial technology and skill to tune to a level where the organization can act on the output without drowning in false positives.

Examples include protection against a distributed denial-of-service (DDoS) attack or a spear phishing campaign. A basic DDoS use case can rely on a single signal, the volume of traffic hitting external firewalls, and alert when that volume exceeds a threshold tuned against the normal baseline. A spear phishing use case needs far more: traffic flow analysis, network insight that includes packet inspection up to and including specific text within emails, and the ability to search for and identify specific artifacts related to the attack (such as sender addresses, URLs or attachment hashes) across mail and endpoint logs. While all organizations would inherently want both capabilities, not all have the tools or expertise to implement and operate these use cases properly.

One way to reduce the seemingly overwhelming task of identifying the use cases that help a particular organization is to start from regulatory, legal and contractual requirements. Simple examples include financial services entities building use cases around Sarbanes-Oxley and, for anyone handling payment card data, PCI DSS (an industry standard enforced through card-brand contracts rather than a law, but with equally concrete logging and access-control requirements). Healthcare organizations can dedicate their use case focus to the Health Insurance Portability and Accountability Act (HIPAA). Many of the use cases that protect these organizations from a compliance finding deal with authorization and access restrictions: who accessed a regulated system or record, with what role, and whether that access was permitted. Building use cases around these areas helps the business comply with the specific regulations and keeps it in line with competitors and peer organizations, though compliance coverage is a floor, not a complete threat model.
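To make the two preceding sections concrete, here is an added example (written for this edit, not code from the article or from IBM) that implements the three kinds of use case just described as rules over constructed log lines: a volume-based DDoS rule on firewall accepts, an artifact-matching spear phishing rule on mail-gateway records, and an authorization rule on application audit records of the sort a SOX, PCI DSS or HIPAA program would want. The log formats, the indicator list, the role matrix and the thresholds are all assumptions chosen for illustration; a real deployment would take them from the devices actually in use and tune them against observed baselines.

```python
"""Three toy SIEM use-case rules run over constructed log lines (illustration only).
Assumed line formats (not from any real product): firewall "<ts> fw01 ACCEPT src= dst= dport=",
mail gateway '<ts> mta01 from= to= subject="..." url=', app audit "<ts> app01 user= role= action= resource=".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

FW_RE = re.compile(r"^(?P<ts>\S+) \S+ (?P<action>ACCEPT|DROP) src=(?P<src>\S+) "
                   r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
MAIL_RE = re.compile(r'^(?P<ts>\S+) \S+ from=(?P<sender>\S+) to=(?P<rcpt>\S+) '
                     r'subject="(?P<subject>[^"]*)" url=(?P<url>\S*)$')
AUDIT_RE = re.compile(r"^(?P<ts>\S+) \S+ user=(?P<user>\S+) role=(?P<role>\S+) "
                      r"action=(?P<action>\S+) resource=(?P<resource>\S+)$")

# Constructed sample data. The flood: 40 distinct sources hit one host within 10 seconds.
FLOOD_LOGS = [
    "2024-05-01T09:59:50Z fw01 ACCEPT src=192.0.2.7 dst=198.51.100.5 dport=443",
    "2024-05-01T09:59:55Z fw01 ACCEPT src=192.0.2.8 dst=198.51.100.6 dport=443",
] + [f"2024-05-01T10:00:{i % 10:02d}Z fw01 ACCEPT src=203.0.113.{i} dst=198.51.100.5 dport=443"
     for i in range(1, 41)]
# Same volume from one source: noisy, but not the distributed pattern this rule targets.
SINGLE_SOURCE_LOGS = [f"2024-05-01T10:00:{i % 10:02d}Z fw01 ACCEPT src=203.0.113.9 dst=198.51.100.5 dport=443"
                      for i in range(40)]
MAIL_LOGS = [
    '2024-05-01T10:02:11Z mta01 from=payroll@examp1e-payroll.com to=cfo@example.com '
    'subject="Urgent wire transfer approval" url=https://login-examp1e.com/auth',
    '2024-05-01T10:03:40Z mta01 from=news@example.org to=cfo@example.com '
    'subject="May updates" url=https://example.org/news',
]
AUDIT_LOGS = [
    "2024-05-01T10:05:00Z app01 user=alice role=finance action=read resource=/finance/ledger",
    "2024-05-01T10:05:30Z app01 user=bob role=helpdesk action=read resource=/finance/ledger",
    "2024-05-01T10:06:00Z app01 user=carol role=clinician action=write resource=/phi/patient/42",
]
# Assumed indicator list and authorization matrix: the tuning input each rule depends on.
PHISH_INDICATORS = {"sender_domains": {"examp1e-payroll.com"},
                    "url_hosts": {"login-examp1e.com"},
                    "subject_phrases": {"urgent wire transfer"}}
ALLOWED_ROLES = {"/finance/": {"finance", "auditor"}, "/phi/": {"clinician"}}


def _parse(lines, pattern):
    """Yield a dict per line that matches pattern; the timestamp becomes a datetime."""
    for line in lines:
        m = pattern.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield d


def ddos_alerts(lines, window=timedelta(seconds=10), min_events=30, min_sources=20):
    """Volume rule: per destination, slide a time window over accepted events and
    alert once the window holds >= min_events from >= min_sources distinct sources."""
    by_dst = defaultdict(list)
    for e in _parse(lines, FW_RE):
        if e["action"] == "ACCEPT":
            by_dst[e["dst"]].append(e)
    alerts = []
    for dst, evs in by_dst.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            sources = {x["src"] for x in win}
            if len(win) >= min_events and len(sources) >= min_sources:
                alerts.append({"dst": dst, "events": len(win), "sources": len(sources)})
                break  # one alert per destination per burst is enough for this example
    return alerts


def spear_phishing_alerts(lines, indicators=PHISH_INDICATORS):
    """Artifact rule: check sender domain, URL host and subject text against indicators."""
    alerts = []
    for msg in _parse(lines, MAIL_RE):
        hits = []
        if msg["sender"].rsplit("@", 1)[-1].lower() in indicators["sender_domains"]:
            hits.append("sender-domain")
        host = urlparse(msg["url"]).hostname if msg["url"] else None
        if host and host.lower() in indicators["url_hosts"]:
            hits.append("url-host")
        if any(p in msg["subject"].lower() for p in indicators["subject_phrases"]):
            hits.append("subject-text")
        if hits:
            alerts.append({"rcpt": msg["rcpt"], "sender": msg["sender"], "hits": hits})
    return alerts


def access_violations(lines, allowed=ALLOWED_ROLES):
    """Access rule: flag any action on a protected prefix by a role not permitted there."""
    out = []
    for a in _parse(lines, AUDIT_RE):
        for prefix, roles in allowed.items():
            if a["resource"].startswith(prefix) and a["role"] not in roles:
                out.append({"user": a["user"], "role": a["role"], "resource": a["resource"]})
    return out


if __name__ == "__main__":
    print("ddos:", ddos_alerts(FLOOD_LOGS), ddos_alerts(SINGLE_SOURCE_LOGS))
    print("phish:", spear_phishing_alerts(MAIL_LOGS))
    print("access:", access_violations(AUDIT_LOGS))
```

The contrast between the three rules is the point of the article: the DDoS rule needs only perimeter counters and two thresholds, the phishing rule is only as good as the indicator list and the content the mail gateway exposes, and the access rule is worthless until someone in the business owns the role matrix and keeps it current. Each of those is a people-and-process dependency that has to exist before the rule is worth turning on.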

Know What Your Business Needs to Move Forward

Use cases play a key role in enabling organizations to focus on relevant cybersecurity defenses. To deploy the proper use cases, businesses must understand the organization's needs and goals. Investigating what competitors and peers protect against adds value, although this method cannot stand alone in determining which use cases a business should implement and focus on. Having the proper people, processes and technologies in place is a prerequisite for effective use case implementation and monitoring.

To assure a viable and successful cybersecurity defense, businesses need to know what they must protect against and then focus on deploying, managing and maintaining current and future SIEM use cases aligned with business goals and technology capabilities. Engaging a consulting practice to review current use cases, align them with business needs, and modify or deploy new use cases helps customers focus on what matters and increase their cybersecurity maturity.
