
Splunk Lantern

How CS Corp Uses the Use Case Explorer for Security


Who is CS Corp?

CS Corp is a fictitious corporation whose sales are conducted online through their virtual reality web store called the Online Boutique. They are a new entrant in their market and will be delivering an innovative new user experience using cloud-native technologies.

Online user experience is everything in this environment, and CS Corp's competitors have no idea that they are working on this revolutionary new initiative. CS Corp's web store runs on AWS and they collect customer payment information through their application. Therefore, they are concerned with monitoring and securing their applications, as well as ensuring that they protect customer personal and payment information.

CS Corp has a small internal cyber-security team that relies on third-party testing to ensure they are meeting their security and Payment Card Industry (PCI) baselines. They have valid concerns about the frequent upticks in sophisticated attacks on cloud-based businesses, especially with the use of ransomware. They use many disparate security tools that allow them to monitor, detect, and respond to individual events.

In a recent external third-party security assessment, several findings caught the attention of CS Corp's Chief Information Security Officer (CISO). The assessment highlighted gaps in visibility into cloud infrastructure and application logs; alert generation and notifications; PCI compliance use case gaps; and issues with their general incident remediation and response procedures.

With only a short time before their huge market launch, the security team has been tasked with addressing these findings immediately. They must address these security gaps without impacting the application, and more importantly, the customer experience.

Currently, security engineers check logs and alerts through the individual native user interfaces of their tools. This process, however, is quite time-consuming, and it is often hard to correlate similar security issues and remediate them efficiently. Often, the team has to engage the infrastructure team or the application development team to have them investigate suspicious activity using their own tools and logs. This process isn't sustainable either; as the business grows, it creates unacceptable risk to CS Corp.

How CS Corp Uses the Use Case Explorer for Security

The security team at CS Corp meets to discuss the problem. Using the Value Realization Cycle as a guide, they begin to plan out the work that will be required to solve the problem. Here are the steps they take.

1. Define the problem and goal.

This is how CS Corp describes its goal:

The Online Boutique security staff need the ability to consolidate logging from various security, cloud infrastructure, and applications. They also need to leverage analytics and correlation to gain better visibility into prioritized cybersecurity threats and risks. Finally, they need to more tightly align to compliance frameworks, such as PCI, and ensure they are outperforming them as it will be critical to remain in compliance to protect and assure the trust of their customers and business partners.

2. Identify and record use cases.

After they know what the situation and goal are, CS Corp starts deciding which areas to focus on to help them improve the situation and achieve the goal. They work from the Use Case Explorer Map, clicking into the workflow stages, exploring the focal areas within them, and selecting some use cases they want to apply.


This is how CS Corp describes its use cases:

Using the Explorer Map, we determine that we require data availability and normalization focal areas in the Ingest Data workflow stage. We also determine that to effectively optimize detection, we will want to implement security content and analytics stories, as well as prioritize alerting through use cases in the Monitor workflow stage. To address our PCI initiatives and goals, we will want to explore compliance use cases in the Analyze and Investigate workflow stage. Finally, to speed resolution and collaboration when issues arise, we will also want to look at Automating Incident Response and Collaboration use cases in the Act workflow stage.

CS Corp also sets up a use case planning session every month to ideate and refresh new use cases to be deployed.

3. Deploy use case(s) and document the value achieved.

CS Corp records the use cases it wants to complete in the Use Case Registry.

The team also sets up a weekly team meeting focused on the Use Case Registry to checkpoint and track progress. In addition, they identify where they could use Splunk OnDemand credits to help deploy a couple of use cases and speed up their overall implementation time.

Here is the Registry CS Corp starts to work with. Over time, they add to the Registry with updates on the completion of use cases, as well as new use cases that have been identified through their monthly use case planning sessions.

| Workflow Stage | Use Case | Product | Expected Value | Owner | Target Date |
| --- | --- | --- | --- | --- | --- |
| Ingest Data | Splunkbase and Technical Add-ons | Splunk Technology Add Ons | Identify, ingest and centralize visibility for essential security, infrastructure and application data | Steve Striker | 7/17/2022 |
| Ingest Data | CIM & data normalization | Splunk Enterprise Security | Establish common fields. Log data structured and assigned similar fields to be ready for correlation | Andrew Butters | 7/17/2022 |
| Monitor | Monitoring for indicators of ransomware attacks with Splunk Enterprise Security | Splunk Security Essentials | Grow security maturity using expanded use cases and content addressing current and emerging threats | Kenny Powers | 7/17/2022 |
| Monitor | Implementing RBA in Enterprise Security | Splunk Enterprise Security | Reduce alert footprint and identify slow evolving threats | Stacy Rai | 9/15/2022 |
| Analyze & Investigate | PCI Compliance | Splunk Enterprise Security | Prevent PCI compliance gaps and align with best practices | Rajeev Sikka | 9/15/2022 |
| Act | Advanced Security Incident Response using SOAR | Splunk SOAR | Optimize incident notification and automate tasks for security threat investigation | Carlie Smith | 10/15/2022 |
| Act | SOAR Case Management | Splunk SOAR | Reduce MTTR (mean time to respond/remediate), create a collaborative central IR experience | Chris Anderson | 10/15/2022 |