Use-case modelling is one of the key steps in establishing an effective protective monitoring capability.
While most SIEM software comes with a set of default use-cases, these will only cover common applications and threat models, and are often not well suited to the specifics of the environment. Use-case modelling allows CODA consultants to work with the blue team to identify and develop bespoke use-cases tailored to the key systems and threats facing the organisation.
This can be achieved by carrying out formal threat modelling for all of the systems in scope using one of the industry-standard methodologies. However, this is an expensive and time-consuming process, and is often not feasible within the available timeline or budget. A more informal use-case modelling process can therefore provide much higher value, and allow the protective monitoring solution to improve its effectiveness quickly.
The first step in the process is to identify and prioritise the key systems and areas of the environment, based on a variety of factors such as their exposure, the sensitivity of the data they contain, the existing level of coverage, and the likelihood of them being targeted by an attacker.
Once identified, CODA consultants will work with the specific system owners to fully understand the systems, both at a technical and business level, and to understand the key security concerns around them.
Based on this information and their own penetration testing and red teaming experience, they will then produce a detailed list of the likely ways in which an attacker would attempt to target or compromise the system, together with the indicators on the system that would point to suspicious or malicious activity. Where possible, this will also be supported with recommendations on the types of logs that could be used to detect this activity, and any other relevant details.
This list can then be used by the blue team to develop a set of bespoke use-cases for the system in order to detect malicious activity. Once implemented, these should be tested as part of the protective monitoring validation process.