University of Exeter - Zero to SIEM in 8 weeks
Part 3

Release Date: 06/01/20

Author: Baz Donoghue - Certified Splunk Consultant

The first and subsequent steps on any organisation’s IT Security journey can be difficult and uncertain at the best of times. Going from little or no security use cases and no consolidated view of your security landscape to a fully implemented SIEM solution is a challenging undertaking. Throw a compressed timeframe for planning and implementation into the mix, and an already precarious task becomes all the more formidable.

This is exactly what the University of Exeter (UoE) did with their Splunk Enterprise Security implementation, along with expert support and services provided by Somerford Associates.

Picking up where we left off in the previous blog, we will explore how the above is maintained through a culture of Rationalise, Rectify and Reassess, as well as how to leverage data source analysis to identify potentially viable use cases.

Data Source Analysis: Art of the (currently) possible!

  • As explained in our previous blogs, it is essential for use cases to be aligned with user stories in order to fully understand their viability.
  • However, value can also be attained by understanding how to further leverage the data sources already available to us. This can be carried out in several different ways, from in-depth bottom-up data source modelling and threat mapping, to utilising tools like Splunk Security Essentials to gain some quick wins in data usability and utilisation.

The Data Source check feature of Splunk Security Essentials looks at the live data available on your current Splunk instance, as well as the accelerated data models populated, to give you an idea of which use cases can be achieved with the data available at that moment in time. This enables us to see which additional use cases can be achieved using the data already onboarded to realise the use cases identified via the user story and risk alignment activity discussed in part 2 of this blog.

The Data Source check then lets you drill down to see what data and configurations are required to achieve each use case. In the Basic Malware Outbreak example above, it notes that AV data is required but not available.

Another example, for a Basic Scanning use case, shows that Firewall data is required, along with two fields in particular being available in the data and normalised: dest_ip and dest_port. It also highlights the missing requirements for utilising an accelerated data model: data must be present in the Network Traffic data model, and that data model must be accelerated.
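To make the logic of such a check concrete, here is a small gap-analysis script written as an added example for this post. It is not Splunk's or Splunk Security Essentials' code; it mirrors the three questions the Data Source check asks (is the required data onboarded, are the required normalised fields present, is the required data model populated and accelerated) against a constructed inventory. The sourcetypes "pan:traffic" and "cisco:asa" are real Splunk sourcetypes used only as illustration, "av:example" is a placeholder AV sourcetype, the "Blocked Traffic Summary" use case is constructed for the example, and in a real deployment the inventory would be built from Splunk metadata, field summaries and data model acceleration status rather than hard-coded.

```python
"""Added example: a minimal use-case-versus-data gap check in the spirit of
the Splunk Security Essentials Data Source check. Not Splunk's own code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class UseCase:
    name: str
    sourcetypes: Set[str]            # at least one of these must be onboarded
    fields: Set[str]                 # all must be present and normalised
    datamodel: Optional[str] = None  # if set, must have data and be accelerated


@dataclass
class Inventory:
    # sourcetype -> normalised field names observed in that data
    sourcetype_fields: Dict[str, Set[str]]
    # data model name -> True if populated and accelerated, False if populated
    # but not accelerated; absent means no data in the model at all
    datamodels: Dict[str, bool]


@dataclass
class Result:
    use_case: str
    achievable: bool
    missing: List[str] = field(default_factory=list)


def check_use_case(uc: UseCase, inv: Inventory) -> Result:
    """Return which requirements of a single use case are unmet."""
    missing: List[str] = []
    present = sorted(st for st in uc.sourcetypes if st in inv.sourcetype_fields)
    if not present:
        # No data at all, so there is nothing to check fields against.
        missing.append(f"data: none of {sorted(uc.sourcetypes)} onboarded")
    else:
        seen = set().union(*(inv.sourcetype_fields[st] for st in present))
        for f in sorted(uc.fields - seen):
            missing.append(f"field: {f} not normalised in {present}")
    if uc.datamodel is not None:
        state = inv.datamodels.get(uc.datamodel)
        if state is None:
            missing.append(f"datamodel: {uc.datamodel} has no data")
        elif state is False:
            missing.append(f"datamodel: {uc.datamodel} not accelerated")
    return Result(uc.name, not missing, missing)


def run_check(use_cases: List[UseCase], inv: Inventory) -> Dict[str, Result]:
    return {uc.name: check_use_case(uc, inv) for uc in use_cases}


# Constructed inventory: firewall data is onboarded but dest_port is not
# normalised, the Network_Traffic model has data but is not accelerated,
# and there is no AV data at all.
INVENTORY = Inventory(
    sourcetype_fields={"pan:traffic": {"src_ip", "dest_ip", "action"}},
    datamodels={"Network_Traffic": False},
)

USE_CASES = [
    UseCase("Basic Malware Outbreak", {"av:example"}, {"signature", "dest"}, "Malware"),
    UseCase("Basic Scanning", {"pan:traffic", "cisco:asa"}, {"dest_ip", "dest_port"},
            "Network_Traffic"),
    # Constructed use case that the inventory does satisfy.
    UseCase("Blocked Traffic Summary", {"pan:traffic"}, {"src_ip", "action"}),
]


def report(results: Dict[str, Result]) -> str:
    lines = []
    for r in results.values():
        lines.append(f"{'OK     ' if r.achievable else 'BLOCKED'} {r.use_case}")
        lines.extend(f"    - {m}" for m in r.missing)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(run_check(USE_CASES, INVENTORY)))
```

Running the script lists Basic Malware Outbreak as blocked for lack of AV data, Basic Scanning as blocked by the un-normalised dest_port field and the un-accelerated Network_Traffic model, and the constructed third use case as achievable, which is the same drill-down view the post describes, only in a form you can feed from your own inventory.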

Rationalise, Rectify and Reassess.

  • A key activity in producing, realising and maintaining successful security use cases is ensuring that a process is put in place to constantly revisit and review each user story, in order to make sure that they are still relevant, required and appropriate.
  • This means that there MUST be a review cycle in place to ensure that this content is revisited on a regular basis, not only to confirm that the data is still relevant and available, but also that the use case is actually fit for purpose.
  • This review process could be something as simple as a weekly “Use case review” board, which looks at any required, extant and legacy use cases along with available data sources to see if new use cases can be realised, if current use cases can be tuned or enriched with newly available data, or if legacy use cases can be decommissioned or altered to be more relevant.
  • The ultimate goal from a security context would be to work towards including such a review process in a more widely reaching “Target Operating Model”, which outlines all of the process, people and technology relationships and interactions needed to better manage and maintain an ever-adapting and improving security picture and its supporting operations.


All views expressed on this blog are the author’s own and do not represent the opinions of any entity whatsoever with which the author has been, is now or will be affiliated, including the organisation whose website the blog is hosted on, or any partner of this organisation.
