SIEM Correlation Rules For Beginners

Uploaded by

Niladri Sarkar

00:00:01 Hello team, welcome to my session on Coffee with PR. Today we're going to discuss the SIEM use case: how to write use cases, what the best way is to create use cases in the SIEM, and what the thin line of difference is between correlation and aggregation. My name is bra ner; for more information do check my LinkedIn profile. If you're new to the channel, do subscribe to my YouTube channel and click on the bell icon to make sure you don't miss my future videos on a similar topic. So without

00:00:26 wasting time, let's start with the first part. Thank you. [Music] See, before we discuss how to write use cases and all that, first we need to understand how the SIEM works and what the need for a SIEM is. There's a dedicated video I made on SIEM, so in the description box of this video you can check the intro video, but just for your visibility let me explain again why we need a SIEM. See, what happens is, when you're talking about your traditional network infrastructure, suppose this is the firewall we have.

00:01:11 Okay, it is basically connected with the switch. Okay, so we have a system A, we have a system B, we have a system C. Okay, so now what happens is there is an IP, which is 1.1.1.1; it was able to bypass the firewall, so the firewall generated a log. Then it went to system A, it generated a log; it went to B, it generated a log; it went to C, it generated a log. Okay, now as an investigator I need to go to each and every system to collect the logs and correlate, which is a problematic task. That's why what happened is we introduced

00:01:55 the concept of the log management system. So this is basically called a log management system. So now, whatever activity happens on the firewall, whatever activity happens on A, B and C, they don't store the logs; they basically pull the logs to the log server. But the problem with the log server is that manually we need to review and correlate the logs, which is always a tough choice. So what I need: I want automation, I want correlation, I want everything to be orchestrated

00:02:25 automatically, and this is basically where we use a SIEM. So log management plus data analytics plus automation, okay, that combination is basically called a SIEM. So now we have a SIEM. So in the SIEM, what happens: any activity happening on the firewall, any activity happening on A, B, C, all information basically goes to the SIEM. The SIEM will collect the logs, correlate the logs, generate the event, and that event will be notified to the administrator, and according to that he will confirm whether it is an incident or not. So an event is always generated by the tool;

00:02:59 it is an incident when discovered by the human. Okay, so the SIEM plays a crucial role in safeguarding your information, okay; it provides real-time analysis. Okay, but the question is: what is the event we need to generate, what is the notification we need to give to the administrator so that proactively he can work on that? And that is why in the SIEM we create use cases: if this, this, this happens, this should be the activation; if this happens, this should be the activation. So that is called a use case. So developing a use case and

00:03:30 correlation rule is pivotal in enhancing the efficiency and effectiveness of the SIEM system. So here we have two objectives. The primary is to create and implement the use case that addresses specific security concerns within the organization, and the secondary is basically to develop the correlation rule that enables the SIEM to detect and respond to the identified security threats or events. So to understand that in more detail we have a case study, so let's understand with the help of a case study. So a financial

00:03:57 institution is there which is called Aspirant Bank. They want to safeguard the IT infrastructure, okay, they want to safeguard the IT infrastructure from potential cyber threats. So that is basically the goal they have. Okay, now in this scenario they have threats called unauthorized access, data breach and other malicious activity, so this is the concern. So the challenges basically here: we have two challenges. One is a lack of comprehensive use cases, because based on a use case only we create. So the company did

00:04:29 not have a comprehensive, you can say, set of use cases for the system, and this made it difficult to identify the security threats that need to be addressed. And second is they have ineffective correlation rules, so by this they are not able to correlate the events and everything. Okay, so that is basically the concern we have. So to overcome that we understood very well that okay, we have, you know, two major objectives here, so let me explain those objectives also so you get better visibility.

00:05:00 The first objective is to create and implement use cases that address specific security concerns within the organization; the second is to develop the correlation rules that enable the SIEM system to detect and respond to the security threats. So before we understand this use case, let's understand the basics of correlation and aggregation. See, when you go by correlation, correlation is basically a process which refers to linking related records and identifying the pattern that might suggest a security

00:05:30 threat. Okay, so for example, we have a firewall, okay, we have a switch here, we have a system A, we have a system B and we have a system C. Okay, so there is an IP called 1.1.1.1; it bypassed the firewall, it went to A, it went to B, it went to C. Okay, so we collect the information from all the sources, that is called collection; then we aggregate, that is called aggregation; but to link that aggregated information we have correlation. So correlation refers to linking related records and identifying the pattern. So here,

00:06:09 linking records means we need to identify the information related to 1.1.1.1. So we identified this information on the firewall at 10:40 p.m.; at 10:41 we identified it in system A; at 10:42 we identified it in system B; at 10:43 we identified it in system C. So this is basically called correlation. But how to identify this correlation? So we have multiple techniques. First is pattern recognition, where we identify the pattern of events that might indicate a cyber security threat, for example multiple failed login attempts which are followed by

00:06:40 the successful login; that is called pattern recognition. Okay, that is the one. Second is basically called rule-based: we can utilize predefined rules and criteria to identify and correlate the related events. And third is basically alert: if it matches, it generates an alert for the security team when a correlated event that matches the threat indicator is identified. So for example, if a user logs in to a system from different geographical locations simultaneously, the correlation rule can flag this impossible travel, indicating a

00:07:08 potential security incident. So that is how we have correlation. On the other side, aggregation basically refers to collecting and consolidating data from various sources to minimize the volume and simplify the analysis. So here we consolidate the data; we combine the log and event data from various sources into a unified format, because what happens is, suppose system A is Windows, okay, and B is basically a Linux system, so Linux generates logs in a different way and Windows generates different logs; the state

00:07:41 of the format is different. Okay, so we consolidate the logs, we normalize the logs, we reduce the volume; we reduce the volume of log data by consolidating similar or repeated data, and normalization is basically converting data into a common state. As I said, Windows generates logs in a different format and Linux generates logs in a different format, so it is the role of aggregation to convert the data into a common format. So we aggregate all failed login attempts across various platforms and services to analyze and report the

00:08:09 overall security posture regarding authentication attempts, and then on that we basically apply the correlation. Okay, so that is the parameter we have. So to understand in more detail: correlation is all about linking related events and identifying patterns that suggest a potential security threat, focused on understanding and identifying complex incidents; and aggregation is all about collecting and consolidating data to manage it effectively and ensure the analysis is sufficient and manageable, focusing on data management and

00:08:38 simplification. So first we aggregate and then we correlate. Okay, so that is the example we have. So let's understand with the case study how to create use cases, so you get better visibility. So when you're talking about the case study we have an action plan: first we need to identify and create the use case; second, we need to develop the correlation rules; then we basically implement and test; then we have incident response; and then we have continuous monitoring and improvement. Okay, I repeat again: in order to create

00:09:08 use cases and all that, the first step is identify and create use cases; the second step is called develop the correlation rule, so that you can avoid duplications; then we implement and test that rule; then based on that we discover the incident and respond to the incident; and based on that we improve the overall program, which is done through the help of continuous monitoring and improvement. So that is something we are basically going to perform. Okay, so we have a first use case, unauthorized access detection. So that is

00:09:37 basically my goal, okay: I want to detect unauthorized access. So the objective is to identify and alert on any unauthorized access to sensitive information. Fine. So what is the matrix we are setting? Data required is user login data, access logs, system event logs. Okay, so the trigger is basically multiple failed login attempts, access from unusual locations, access during non-business hours. So that is the use case we have set. What my goal is: I want unauthorized access detection. Okay, someone tried to access my server

00:10:07 and all that, or somebody tried to modify the system logs and all that, I want to alert. So the trigger we have is multiple failed login attempts. So sometimes what happens is the user enters a wrong password, so here what we do is we set the threshold: if the user enters the wrong password two times it is okay, but if the user is entering it more than three, four times, then start generating a log. So that is basically the anomaly pattern, or from an unknown location they try to access, which is not part of the IP. So

00:10:34 this is the trigger we have. Okay, so this is the use case we have created, okay, and the objective of this use case is to identify and alert on the unauthorized access. Okay, so we have another use case which is called data exfiltration. It means data should not leave the organization; data should not go outside of the organization. Okay, I'm talking about inbound to outbound. So the objective is to detect potential data exfiltration from internal to external. So data is basically any kind of network

00:11:01 traffic data we have, data transfer logs we have, user activity logs we have. So for that we set the triggers; triggers can be your unusual data transfer size. So for example, if someone is trying to send, you know, more than 5 MB of data, okay, it should generate a log. So unusual data transfer size or destination, or especially during off hours, so that is a trigger we have. So that is the first step: we create a use case. Based on this particular use case we basically create the correlation rule. We already discussed what correlation means, right?

00:11:32 Correlation means aggregate the data, connect the match and trigger. So the correlation rule is the second thing which we do based on the use cases. So as I said we have a use case, one is unauthorized access detection. Okay, I want to detect unauthorized access; for that we set the rule. So the rule is: if a user has more than five failed login attempts within 5 minutes, or access is basically from a blacklisted IP location, or is during non-business hours, then trigger an alert. So that is the condition we set, and

00:12:03 based on this rule, if the rule matches, what is the action: lock the account, okay, or send the alert to the security team. So it's a combination; instead of that, the action can be, you know, generate the log. Okay, so it's up to you how you want to define it. Is it clear? So that's something you can do. Okay, now on the other side we also have another rule, which is, this one, the correlation rule for use case two: if the data transfer size is more than 5 MB and it is going to an external IP. It means, if you take an example here, so we have a system

00:12:40 A. We have a system A; if any data is basically going outside of the organization (this is the organization we have), data going outside the organization and the data size is basically more than 5 MB, then DLP will capture it and send the logs to the SIEM. So we set this parameter. So the action is temporarily block the data transfer and alert the security team. Okay, so this is the correlation rule we have created. Okay, then, so according to the use case we set the rule; according to the use case we set the correlation rule, but

00:13:11 for correlating you need to aggregate the data first. Okay, so once we are done with that we have implementation and test. So the first step is data collection: we need to ensure all the relevant logs and data have been fed into the SIEM, that is the first step. Second is basically rule implementation: we implement the developed correlation rule in the SIEM system. Third, sometimes we do the test before implementing in production, so we simulate the scenario to validate if the correlation rules are triggering the desired alert and action, and if not we can

00:13:42 basically adjust according to the testing to make sure we can reduce the false positives. Once it triggers, then the incident response team will take a call and accordingly respond to the incident. So the first step is alert review: the system team will review the alert, examine the quarantined email for malicious intent, confirm and validate. Then they notify: they inform the intended recipient about the quarantined email and provide education on recognizing phishing attempts or something else. Then we have

00:14:09 an investigation, where we investigate the source of the attack and all that, and finally we basically utilize the findings to enhance the correlation rule and improve the detection capability. So whatever we have done, over that we basically do the enhancement. So we continuously monitor the alerts, because companies spend 60% of the budget now on the detection solution; unless and until we detect, we cannot improve. So we continuously monitor the alerts and responses generated by the SIEM system. The second part is called the feedback loop,

00:14:38 where we establish the feedback loop, where the insights and learnings from the incidents are used to refine the use cases, and then we need to ensure the security team is adequately trained to respond to the alerts generated by the SIEM system. So that is the overall process we have for the use cases that we create in the SIEM. So do let me know how you find this video and whether I should make more videos on a similar topic, and if you're new to the channel do subscribe to my YouTube channel and click on the bell icon to make sure you

00:15:04 don't miss my future videos on a similar topic. Good day, bye.
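The two steps the session walks through (aggregate and normalize logs from different sources first, then run correlation rules over the common format) can be shown end to end in a few dozen lines. The following is an added example written for this transcript; it is not code from the video or from any SIEM product. The log line formats, the business-hours window (09:00 to 18:00), the blacklisted IP, the syslog year and the internal network ranges are all assumptions and the sample log lines are constructed; the thresholds themselves (more than five failed logins within 5 minutes, more than 5 MB to an external IP) are the ones stated in the session.

```python
"""Aggregation (normalize mixed-format logs) followed by correlation rules.
Added example for the transcript above; all formats, sample lines and
non-stated thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, time, timedelta
import ipaddress
import re

# Constructed sample input: a Windows-style source, a Linux sshd source and a
# DLP-style transfer record, i.e. three different formats feeding one SIEM.
RAW_LOGS = [
    # Windows-style key=value lines (4625 = failed logon, 4624 = successful logon)
    "2024-05-01T09:00:01 host=WIN-A EventID=4625 user=alice src=203.0.113.7",
    "2024-05-01T09:00:20 host=WIN-A EventID=4625 user=alice src=203.0.113.7",
    "2024-05-01T09:00:40 host=WIN-A EventID=4625 user=alice src=203.0.113.7",
    "2024-05-01T09:01:05 host=WIN-A EventID=4624 user=bob src=10.0.0.5",
    # Linux-style sshd lines (syslog carries no year; assumed below)
    "May  1 09:01:10 srv-b sshd[1204]: Failed password for alice from 203.0.113.7 port 51234 ssh2",
    "May  1 09:01:30 srv-b sshd[1204]: Failed password for alice from 203.0.113.7 port 51235 ssh2",
    "May  1 09:02:00 srv-b sshd[1204]: Failed password for alice from 203.0.113.7 port 51236 ssh2",
    "May  1 09:02:15 srv-b sshd[1204]: Accepted password for alice from 203.0.113.7 port 51237 ssh2",
    "May  1 22:30:00 srv-b sshd[1310]: Accepted password for carol from 192.0.2.44 port 40000 ssh2",
    # DLP-style transfer records (constructed format)
    "2024-05-01T22:31:00 host=WS-C transfer user=carol dst=198.51.100.9 bytes=7340032",
    "2024-05-01T14:00:00 host=WS-C transfer user=dave dst=10.0.0.20 bytes=52428800",
]

WIN_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<eid>\d+) user=(?P<user>\S+) src=(?P<src>\S+)$")
SSH_RE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<hms>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
XFER_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) transfer user=(?P<user>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$")
SYSLOG_YEAR = 2024  # assumption: classic syslog lines carry no year

# Rule parameters: the first two are the session's numbers, the rest are assumptions.
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=5)   # more than 5 failures in 5 minutes
EXFIL_BYTES = 5 * 1024 * 1024                            # more than 5 MB leaving the organization
BUSINESS_START, BUSINESS_END = time(9, 0), time(18, 0)   # assumed business hours
BLACKLISTED_IPS = {"192.0.2.44"}                         # constructed blacklist entry
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def normalize(line):
    """Aggregation step: convert one raw line of any known format into the common schema."""
    m = WIN_RE.match(line)
    if m:
        action = "login_failed" if m["eid"] == "4625" else "login_success"
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                "user": m["user"], "src": m["src"], "action": action}
    m = SSH_RE.match(line)
    if m:
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m['mon']} {m['day']} {m['hms']}", "%Y %b %d %H:%M:%S")
        action = "login_failed" if m["result"] == "Failed" else "login_success"
        return {"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"], "action": action}
    m = XFER_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "user": m["user"],
                "dst": m["dst"], "bytes": int(m["bytes"]), "action": "transfer"}
    return None  # unknown format: dropped here; a real pipeline would count parse failures


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(events):
    """Correlation step: apply the use-case rules to normalized events; return (rule, user, ts) alerts."""
    alerts = []
    failures = defaultdict(list)  # per-user sliding window of failed-login timestamps, across hosts
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "login_failed":
            window = failures[e["user"]]
            window.append(e["ts"])
            while window and e["ts"] - window[0] > FAIL_WINDOW:
                window.pop(0)
            if len(window) > FAIL_THRESHOLD:
                alerts.append(("failed_login_burst", e["user"], e["ts"]))
                window.clear()  # one alert per burst, not one per further failure
        if e["action"] in ("login_failed", "login_success") and e["src"] in BLACKLISTED_IPS:
            alerts.append(("blacklisted_ip", e["user"], e["ts"]))
        if e["action"] == "login_success" and not (BUSINESS_START <= e["ts"].time() < BUSINESS_END):
            alerts.append(("off_hours_access", e["user"], e["ts"]))
        if e["action"] == "transfer" and e["bytes"] > EXFIL_BYTES and is_external(e["dst"]):
            alerts.append(("possible_exfiltration", e["user"], e["ts"]))
    return alerts


def run(lines=RAW_LOGS):
    """Aggregate first, then correlate, as the session describes."""
    events = [ev for ev in map(normalize, lines) if ev is not None]
    return correlate(events)


if __name__ == "__main__":
    for rule, user, ts in run():
        print(f"{ts:%Y-%m-%d %H:%M:%S} {rule:22} user={user}")
```

Note that alice's six failures are split across a Windows host and a Linux host; the burst is only visible after normalization brings both into one schema, which is the session's point that aggregation has to happen before correlation. Dave's 50 MB transfer to an internal address produces nothing, while carol's 7 MB to an external address does, matching the "more than 5 MB to an external IP" rule rather than size alone.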
