Focus on Use Cases to Improve Security Operations

There was a time when the term “use case” was confined to product development meetings where software and systems engineers worked through defining why and how a product would be used in order to create requirements. Use cases remain a critical tool to ensure teams are building products their customers need and can use. 

Fast forward ten years and it seems that everyone in the security industry is talking about use cases. Industry analysts advise clients to select products based on use cases. Vendors market and sell solutions based on use cases. And security professionals are evaluating and purchasing products based on use cases, with good reason. The security market has become confusing and it is not about the product or technology to be used; it is about solving a specific problem. Put another way, you don’t know what to buy unless you start with the why. Only then can you determine the capabilities and technologies you need. Here are some of the top use cases security professionals are focused on today.

Spear phishing – Spear phishing emails contain a wealth of hidden evidence that can be used to track and understand the methods used by attackers to target the organization. By extracting that information, analysts can better understand what to look for to identify other users that may have succumbed to the trick. Conducting this level of analysis can be difficult and laborious. Typically, analysts must discover these associations by manually sifting through messages and correlating the information they discover about the campaign with external data on adversaries and their methods.

Threat hunting – Analysts hunt threats to identify nefarious activity that has not triggered a sensor grid alert. While great in theory, there are several challenges to threat hunting. Many security teams don’t know where to begin because they lack the ability to prioritize threats for relevance to their environment. Threat hunting also requires specific knowledge and expertise which tends to limit the practice to a few highly skilled analysts. It is also difficult to see the big picture of what is happening across the environment when security teams and tools operate in silos.

Fraud – Insiders and external threat actors can commit fraud, adding more layers of complexity to detection. These criminals can remain below the radar for months, often going unnoticed until an external party notifies the victim that they’ve been breached. Fraud indicators are different from traditional indicators. In addition to IP addresses, domain names and hashes, analysts also need visibility into data not available through typical threat feeds, such as leaked payment card data and personally identifiable information (PII). As a result, it is time- and resource-intensive to proactively detect and mitigate fraud. 

Incident response – In the aftermath of a cyber attack or data breach, gathering all the required information to conduct an investigation is a difficult and often manual process. The data comes in a great variety of formats from many different teams and tools. Maintaining adversary profiles and historical incident response reports provides a jumpstart to any incident response investigation. But there is typically no central repository to store, share and update key learnings across teams, and no easy way to work collaboratively to accelerate investigation and response.

In each of these use cases, context is critical to understanding the who, what, where, when, why and how of an attack. This requires correlating events and associated indicators from inside the environment with external data on indicators, adversaries and their methods. With the ability to analyze multisource threat intelligence and understand relevance to your environment you can begin to prioritize which to focus on first – be it to thwart spear phishing campaigns, hunt for threats, proactively detect fraud, or accelerate incident response. 

Threat intelligence is the foundation for each use case and, thus, the lifeblood of your security operations. It allows you to leverage complementary technologies efficiently and effectively. Whether the use case points you to technology for case management, ticketing, log management, SIEM, detection and prevention, or security orchestration, automation and response (SOAR), each of these requires relevant and prioritized threat intelligence pumping through it in order to perform as promised. 

Use cases began as a vital tool to ensure companies build products their customers need and can use. Now, they are vital to helping you focus on solutions that will deliver what you need to optimize your security operations and not get distracted by the latest “silver bullet” tool. It’s an intelligent approach to making decisions that’s been around for quite some time, and a welcomed shift in how we evaluate and purchase security technologies.