In our previous Blog, we covered how customizing SIEM for threat management requires both resources and expertise. As a result, McAfee created “ready to go” content packs based on Gartner’s Top Use cases. targeting aspiring users to expand their SIEM detection and response use cases without spending countless hours and resources on tuning.
Over the past 6 months multiple content packs have been delivered to all licensed ESM customers and are intended to assist members of Security Operations teams.
- For instance, the threat analyst will get new Threat Detection capabilities via 100’s of correlation rules and views enabling visibility into cyber attack chain steps such as Reconnaissance, Exploit or Command & Control
- Incident response and security operations users can improve their visibility and understanding of the security infrastructure by reviewing Firewall traffic, authentications or top blocked web domains trends.
- Senior Security Management staff can assess their team productivity by getting more insights into escalated cases, progress of investigations and summary of all detected malware and correlations activity.
- And finally the SIEM Administrator who will be able implement these new use cases faster with detailed instructions and related McAfee ESM system setting accompanied in the content pack.
Outcomes for the organizations are of course around maturing security analytics and investigations and move more towards a proactive, streamlined threat management model. Use cases and elements to enable these analytics are multifold.
- Use Case 1 : Expand detection across the cyber-attach chain : More than just throwing 100’s or thousands of rules or alarms at users, correlation rules have been grouped inside the Content packs to helps security organizations detect, prioritize and take corrective actions across the cyber-attack chain spectrum. For instance, reconnaissance activity can be detected via 58 new correlation rules grouped under the “Recon” Content Pack, weapon-ization steps can be revealed via abnormal traffic pattern discovery rules provided in the Web Filtering Content Pack and control activity can be is analyzed via alarms and views in Authentication Content Packs.
- Use Case 2 : Same is true for provided Views and reports, which have especially been designed to help the user accelerate investigations. For instance by opening “web filtering view” the analyst can review all external web connections, dive down into denied connections and prioritize via single click only those end points with potential unwanted applications and redirections.
- Use Case 3: Peer analysis : Another popular security analytics use case is based on peer analysis; comparing – on a user-by-user or host-by-host basis – geolocations or zones inside the organization and allowing the analyst to filter high risk users or hosts based on all evidence stored in ESM. This analysis is less dependent on predefined correlation rules and leverages contextual elements to detect adversarial activity as well as potential weaknesses in the existing security infrastructure.
In brief, content packs are great enabler for organizations to expand the breadth and depth of the detection against the cyber-attack chain as well as reducing response efforts via their SIEM. Insights, implementation guidelines and examples are described for each content pack on the expert center and KB articles.
For more information on the content packs please visit expert center.