10 SIEM Use Cases in a Modern Threat Landscape

10 SIEM Use Cases in a Modern Threat Landscape

Security Information and Event Management (SIEM) systems aggregate security data from across the enterprise; help security teams detect and respond to security incidents; and create compliance and regulatory reports about security-related events. Because SIEM is a core security infrastructure with access to data from across the enterprise, there are a large variety of SIEM use cases.

Below are common SIEM use case examples, from traditional uses such as compliance, to cutting edge use cases such as insider threat detection and IoT security.

SIEM Use Cases: Compliance

SIEM for PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS) was created to secure credit cardholder data from theft and misuse. It defines 12 security areas in which companies should enhance protection for this type of data. The requirements apply to anyone involved in credit card processing, including merchants, processors, and 3rd party service providers.

5 Ways SIEMs Can Help with PCI Compliance:

  1. Perimeter Security – Detecting unauthorized network connections and correlating with change management, searching for insecure protocols and services, and checking how traffic is flowing across the DMZ.
  2. User Identities – Monitoring any event that results in changes to user credentials, and activity by terminated users
  3. Real Time Threat Detection – Monitoring antivirus logs, monitoring insecure ports and services and correlating with threat intelligence.
  4. Production and Data Systems – Searching for dev/test or default credentials, replicas, etc. on production systems.
  5. Auditing and Reporting – Collecting system and security logs, including specific PCI logging requirements, auditing them in a format suitable for PCI reporting, and generating compliance reports.

SIEM for GDPR Compliance

The General Data Protection Regulation (GDPR) is Europe’s new framework for protecting security and privacy for Personally Identifiable Information (PII), which came into force in May 2018. GDPR applies to any legal entity which stores, controls or processes personal data for EU citizens, and focuses on two categories: personal data, such as an IP address or username, and sensitive personal data, such as biometric or genetic data.

5 Ways SIEMs can Help with GDPR Compliance

  1. Data Protection by Design – Verifying and auditing security controls, to show that user data underwent appropriate treatment.
  2. Visibility into Log Data – Providing structured access to log information to enable reporting to individual data owners.
  3. GDPR logging and auditing – Monitoring critical changes to credentials, security groups, and so on; auditing databases and servers storing PII, and automatically tracking assets that store sensitive data.
  4. Breach Notification – Detecting data breaches, alerting security staff, analyzing the incident to uncover full impact, and quickly generating detailed reports as required by GDPR.
  5. Record of Data Processing – Identifying events related to personal data, auditing any changes to the data and generating reports as required by GDPR.


The SIEM itself can represent a risk under GDPR, because log data might contain PII. GDPR permits retaining data for “legitimate interest” (Article 6), which may allow the retention of log files for security purposes. Consult with your legal council to understand what data you can or cannot retain in the SIEM under GDPR provisions.

SIEM for HIPAA Compliance

HIPAA is a United States standard pertaining to organizations that transmit health information in electronic form. It applies to organizations of all sizes, from a single physician to national healthcare bodies. HIPAA’s Security Management Process standard requires organizations to perform risk analysis, risk management, have a sanction policy for data breaches, and conducts Information System Activity Reviews—a key element of the standard which ensures all the other parts are in order.

9 Ways SIEMs Can Help with HIPAA Compliance

  1. Security Management Process – Discovering new IT assets, identifying systems at risk, monitoring access to system files, user activity and privileges in critical systems
  2. Employee Access – Monitoring access to critical files and data, capturing login attempts and logins from terminated users.
  3. Information Access Management – Identifying logon success and failures, privilege escalation and modification of user accounts.
  4. Security Awareness – Detecting vulnerabilities and malware, detecting systems with no antivirus, monitoring logon to security devices and critical systems.
  5. Security Incidents – Automatically detecting threats, generating alerts and prioritizing them, enabling threat investigation, and orchestrating automated response to incidents.
  6. Access Control – Monitoring changes to credentials and permissions, session timeouts, and changes to encryption settings.
  7. Audit Controls – Monitoring changes to policies, Data Leakage Protection (DLP) events, file integrity and log analysis for protected data.
  8. Data Integrity – Monitoring modification of health information and changes to data policies.
  9. Transmission Security – Identifying unauthorized communications and attempts to modify applications or storage containing health information.

SIEM for SOX Compliance

The Sarbanes-Oxley Act of 2002 (SOX) is a regulation that sets requirements for US public company boards, management and accounting firms. It was enacted as a reaction to several corporate accounting scandals, including Enron and WorldCom. Two frameworks commonly used by IT organizations to comply with SOX are COSO and COBIT.

The SOX regulation focuses on making sure that an organization informs management, and is able to demonstrate, via SOX reporting procedures:

  • Where sensitive data is stored
  • Who has access to it
  • What happened to it

A SIEM can be helpful in gathering this data and recording it for SOX audits.

5 Ways SIEM Can Help with SOX Compliance and Audits

  1. Security Policies and Standards – Tracking information security policies (for example, an email security policy) and standards (for example, a standard way to secure Windows desktop machines). A SIEM can identify which IT systems are in compliance with policies and standards, and alert about violations in real time.
  2. Access and Authentication – Monitoring account creation, change requests, and activity by terminated employees.
  3. Network Security – Monitoring alerts from firewalls and other edge security devices, and identifying known attack patterns in network traffic.
  4. Log Monitoring – Aggregating security events and alerting on invalid login attempts, port scans, privilege escalations, etc.
  5. Segregation of Duties – The SOX standard requires that no one person controls an entire data process from start to end. A SIEM can ensure, for example, that data entry staff only access the data they are creating, and never view or modify other data.

SIEM Use Cases: Leveraging SIEM for Protection Against Trusted Entities

Insider Threats

According to insider threat statistics provided in the Verizon Data Breach Investigation Report, three of the top five causes of security breaches were related to an insider threat, and insider threats go undetected for months (in 42% of cases) or even years (38% of cases).

Insider threat detection is challenging—behavior doesn’t set off alerts in most security tools, because the threat actor appears to be a legitimate user. However, a SIEM can help discover insider threat indicators via behavioral analysis, helping security teams identify and mitigate attacks.

There is growing awareness of internal security threats, first and foremost insider threats:

  • Malicious Insider – A security threat originating from organization’s employees, former employees, contractors or associates
  • Compromised Insider – An external entity which has obtained the credentials of an insider

6 Ways a SIEM can Help Stop Insider Threats

  1. Detecting Compromised User Credentials – SIEMs can use behavioral analysis to detect anomalous behavior by users, indicating a compromise. For example, logins at unusual hours, at unusual frequency, or accessing unusual data or systems.
  2. Anomalous Privilege Escalation – SIEMs can detect users changing or escalating privileges for critical systems.
  3. Command and Control Communication – SIEMs can correlate network traffic with threat intelligence, to discover malware communicating with external attackers. This is a sign of a compromised user account.
  4. Data Exfiltration – SIEMs can use behavioral analysis to combine and analyze seemingly unrelated events, such as insertion of USB thumb drives, use of personal email services, unauthorized cloud storage or excessive printing.
  5. Rapid Encryption – SIEMs can detect and stop encryption of large volumes of data. This might indicate a Ransomeware attack, which often originates from compromised insiders.
  6. Lateral Movement – Insiders conducting an attack may attempt to switch accounts, machines and IP addresses on their way to a target. SIEMs can detect this behavior because they have a broad view of multiple IT systems.

Next-gen SIEM

Most of the capabilities in this and the following sections are made possible by next-generation SIEMs that combine User Entity Behavioral Analytics (UEBA). UEBA technology uses machine learning and behavioral profiling to establish baselines of IT users and systems, and intelligently identify anomalies, beyond the rules and statistical correlations used by traditional SIEMs.

Highly Privileged Access Abuse

Privileged access abuse is a complex problem stemming from gaps in access control at organizations. Users with access to IT systems are able to perform undesirable actions, because they have more access rights than they need to do their jobs. According to the Verizon 2017 Data Breach Investigation Report, privileged access abuse was the third largest cause of data breaches and the second largest cause of security incidents.

5 Ways a SIEM Can Help Stop Privileged Access Abuse

  1. Unwanted Activity – Monitoring and reporting on suspicious access to any sensitive data.
  2. Third-party Violations – Monitoring activity by external vendors and partners who have access to organizational systems, in order to identify anomalous behavior or escalation of privileges.
  3. Departed Employees – Alerting on any activity by terminated user accounts, or unexpected activity on accounts that are normally inactive.
  4. Human Error – Alerting on anomalous activity that could be a disasterous human error, such as deletion of large quantities of data.
  5. Overexposure – Reporting on users who are accessing systems or data that is not within their regular usage profile.

Trusted Host and Entity Compromise

It is very common for attackers to take control of user credentials or hosts within an organizational network, and carry out attacks stealthily for months or years. According to the Ponemon 2017 Cost of Data Breaches report, the average time US companies took to detect a data breach was 206 days. So a major goal for security teams is to detect and subvert attacks quickly.

4 Ways a SIEM Can Help Detect and Stop Trusted Entity Compromise

  1. User Accounts – Identifying anomalous activity, alerting about it and providing investigators the data they need to understand if a privileged user account was breached.
  2. Servers – Creating a trusted baseline of server activity, detecting deviations from this baseline and alerting security staff.
  3. Network Devices – Monitoring traffic over time and detecting unusual spikes, non-trusted communication sources, insecure protocols, and other signs of malicious behavior.
  4. Anti-virus Monitoring – Malware is a common entry point for host compromise. SIEMs can look at antivirus deployments broadly, reporting on events like protection disabled, antivirus removed, or status of threat updates.

SIEM Use Cases: Leveraging SIEM for Advanced Security Threats Detection

Threat Hunting

Threat hunting is the practice of actively seeking out cyber threats in an organization or network. A threat hunt can be conducted on the heels of a security incident, but also proactively, to discover new and unknown attacks or breaches. According to a 2017 study by the SANS Institute, 45% of organizations do threat hunting on an ad hoc or regular basis. Threat hunting requires broad access to security data from across the organization, which can be provided by a SIEM.

7 Ways SIEM Can Help with Threat Hunting

  1. Alerts from Security Systems – Delivering actionable alerts that provide context and data to help investigate a potential incident.
  2. Environment Anomalies – Identifying anomalies in IT systems using correlations and behavioral analytics
  3. New Vulnerabilities – Organizing data around a new vulnerability—timeline and systems, data and users affected.
  4. Tips from Peers or the Media – Searching historical data for attack patterns or signatures similar to known attacks.
  5. Threat Intelligence – Combining threat intelligence with security data, to intelligently detect attacks in IT systems.
  6. Hypotheses Based on Known Risks – Helping analysts frame a hypothesis and test it by exploring security data in the SIEM.
  7. Similar Incidents – Checking if “this happened before”—searching security data for patterns similar to a current or previous security incident.

Data Exfiltration Detection

Data exfiltration happens when sensitive data is illicitly transferred outside an organization. It can happen manually, when a user transfers data over the Internet or copies it to a physical device and moves it outside the premises, or automatically, as the result of malware infecting local systems.

6 Ways a SIEM Can Help Prevent Data Exfiltration

  1. Backdoors, Rootkits and Botnets – Detecting network traffic to command and control centers and identifying infected systems transmitting data to unauthorized parties.
  2. FTP and Cloud Storage – monitoring network traffic over protocols that facilitate large data transfer, and alerting when unusual quantities or file types are being transferred, or when the target is unknown or malicious.
  3. Web Applications – Monitoring usage of organizational web applications by outsiders, or inside usage of external web applications, which might involve downloads or browser access to sensitive data.
  4. Email Forwarding – Detecting emails forwarded or sent to other entities other than stated recipient.
  5. Lateral Movement – Data exfiltration typically involves attackers attempting to escalate privileges or accessing other IT systems, on their way to a lucrative target. SIEMs can detect lateral movement by correlating data from multiple IT systems.
  6. Mobile Data Security – A SIEM can monitor data from the mobile workforce and identify anomalies that might indicate information leakage via a mobile device.

IoT Security

Many organizations are using connected devices to manage critical operations. Examples include network-connected medical equipment, industrial machinery and sensors, and power grid infrastructure. Internet of Things (IoT) devices were not designed with security in mind, and many suffer from vulnerabilities. These vulnerabilities are difficult to remediate once the devices are already deployed in the field.

6 Ways a SIEM Can Help Mitigate IoT Threats

  1. Denial of Service (DoS) Attacks – Identifying unusual traffic from organization-owned IoT devices, which might be leveraged by an attacker to perform an attack.
  2. IoT Vulnerability Management – Detecting old operating systems, unpatched vulnerabilities and insecure protocols on IoT devices.
  3. Access Control – Monitoring who is accessing IoT devices and where they connect to, and alerting when source or target is unknown or suspicious.
  4. Data Flow Monitoring – Many IoT devices communicate over unencrypted protocols and can be used as a vehicle to transfer sensitive data. A SIEM can monitor unusual data flows to and from IoT devices and alert security staff.
  5. Devices at Risk – Identifying devices at risk due to security vulnerabilities, access to sensitive data or critical functions.
  6. Compromised Devices – Identifying anomalous or suspicious behavior of IoT devices and alerting security staff that a device or fleet of devices has been compromised.

Next-Generation SIEM Technology and Advanced Use Cases

Next-generation Security Information and Event Management (SIEM) solutions, built in line with Gartner’s vision of a SIEM platform integrated with advanced analytics and automation tools, can make many of these advanced use cases possible. Specifically, User Entity Behavioral Analytics (UEBA) technology makes it possible to detect insider threats, perform more sophisticated threat hunting, prevent data exfiltration and mitigate IoT threats, even when traditional security tools don’t raise a single alert.

Exabeam’s Security Intelligence Platform is an example of a next-generation SIEM that comes integrated with Advanced Analytics based on UEBA technology—enabling automated detection of insider threats and mitigation of anomalous behavior that cannot be captured by traditional correlation rules.

See Exabeam in action: Request a demo