Management & Strategy

Focus on Use Cases to Improve Security Operations

There was a time when the term “use case” was confined to product development meetings where software and systems engineers worked through defining why and how a product would be used in order to create requirements. Use cases remain a critical tool to ensure teams are building products their customers need and can use. 

Fast forward ten years and it seems that everyone in the security industry is talking about use cases. Industry analysts advise clients to select products based on use cases. Vendors market and sell solutions based on use cases. And security professionals are evaluating and purchasing products based on use cases, with good reason. The security market has become confusing, and the decision is not about the product or technology to be used; it is about solving a specific problem. Put another way, you don’t know what to buy unless you start with the why. Only then can you determine the capabilities and technologies you need. Here are some of the top use cases security professionals are focused on today.

Spear phishing – Spear phishing emails contain a wealth of hidden evidence that can be used to track and understand the methods used by attackers to target the organization. By extracting that information, analysts can better understand what to look for to identify other users that may have succumbed to the trick. Conducting this level of analysis can be difficult and laborious. Typically, analysts must discover these associations by manually sifting through messages and correlating the information they discover about the campaign with external data on adversaries and their methods.

Threat hunting – Analysts hunt threats to identify nefarious activity that has not triggered a sensor grid alert. While great in theory, there are several challenges to threat hunting. Many security teams don’t know where to begin because they lack the ability to prioritize threats for relevance to their environment. Threat hunting also requires specific knowledge and expertise, which tends to limit the practice to a few highly skilled analysts. It is also difficult to see the big picture of what is happening across the environment when security teams and tools operate in silos.

Fraud – Insiders and external threat actors can commit fraud, adding more layers of complexity to detection. These criminals can remain below the radar for months, often going unnoticed until an external party notifies the victim that they’ve been breached. Fraud indicators are different from traditional indicators. In addition to IP addresses, domain names and hashes, analysts also need visibility into data not available through typical threat feeds, such as leaked payment card data and personally identifiable information (PII). As a result, it is time- and resource-intensive to proactively detect and mitigate fraud. 

Incident response – In the aftermath of a cyber attack or data breach, gathering all the required information to conduct an investigation is a difficult and often manual process. The data comes in a great variety of formats from many different teams and tools. Maintaining adversary profiles and historical incident response reports provides a jumpstart to any incident response investigation. But there is typically no central repository to store, share and update key learnings across teams, and no easy way to work collaboratively to accelerate investigation and response.

In each of these use cases, context is critical to understanding the who, what, where, when, why and how of an attack. This requires correlating events and associated indicators from inside the environment with external data on indicators, adversaries and their methods. With the ability to analyze multisource threat intelligence and understand its relevance to your environment, you can begin to prioritize which to focus on first – be it to thwart spear phishing campaigns, hunt for threats, proactively detect fraud, or accelerate incident response.

Threat intelligence is the foundation for each use case and, thus, the lifeblood of your security operations. It allows you to leverage complementary technologies efficiently and effectively. Whether the use case points you to technology for case management, ticketing, log management, SIEM, detection and prevention, or security orchestration, automation and response (SOAR), each of these requires relevant and prioritized threat intelligence pumping through it in order to perform as promised. 

Use cases began as a vital tool to ensure companies build products their customers need and can use. Now, they are vital to helping you focus on solutions that will deliver what you need to optimize your security operations and not get distracted by the latest “silver bullet” tool. It’s an intelligent approach to making decisions that’s been around for quite some time, and a welcome shift in how we evaluate and purchase security technologies.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.
