Digital Use Case Framework and Library

IP.com Disclosure Number: IPCOM000250253D
Publication Date: 2017-Jun-19
Document File: 5 page(s) / 171K

Publishing Venue

The IP.com Prior Art Database

Abstract

Disclosed is a system that supports a Digital Use Case Framework and Library, which helps organizations manage the portfolio of use cases and rules that are used to detect a wide range of threats.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 19% of the total text.

Digital Use Case Framework and Library

A Security Operation Center (SOC) is responsible for detecting significant threats, which involves the use of sophisticated technology to identify, detect, and analyze threats. Assuming the SOC has the proper technology components, processes, and staffing, the single greatest factor that drives the return on investment (ROI) for the SOC is the set of use cases and rules that will be used to detect threats in the environment. Currently, there is no way to effectively evaluate the completeness of coverage for the use cases and rules that are used to detect threats and generate alerts for the SOC to review. Most organizations use spreadsheets or word processing documents to track the use cases and rules that have been developed.

However, the documentation related to the use cases, rules, data sources, and response procedures provides little or no context about the purpose for which the use case was created. Often, only the individual who created the use case or rule can fully explain why it was created. In addition, many critical relationships should be tracked and managed as part of creating a use case, but this information is not captured and stored in a way that enables its use to proactively manage and control the use case and rule portfolio.

Herein, a Use Case is a specific scenario that the SOC monitors. For example, a typical control use case is to monitor privileged user IDs. This general use case must be implemented through tens of rules, each one designed to monitor a specific type of privileged user ID, and it requires one or more common or unique data sources. When the SOC director, executive management, auditors, or regulators want to communicate which threats the SOC can detect versus which threats are currently not detected, there is no easy way to document or communicate this information. In addition, the level of completeness for certain types of threats is very difficult to communicate. This makes it difficult for an organization to objectively understand the level of completeness of its current threat detection coverage and to identify the key gaps in coverage.

Organizations currently have no way to track how completely each use case is implemented within the SOC. Critical relationships exist between the elements that make up the use case portfolio, including but not limited to: the use case definition, the use case purpose, use case relationships to threat models, security policies and controls, relationships between use cases and rules, rule to data source procedures, and rule to response procedures. Another major issue with use case and rule development is the lack of a standardized taxonomy to describe and document the use cases and rules. The lack of a standard taxonomy makes it difficult to compare use cases and rules between organizations. It also means that many of the same use cases and rules are custom built over and over vs. being built once and used many...
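The relationships listed above (threat model to use case, use case to rule, rule to data source, rule to response procedure) are exactly what a library needs to store in order to answer the coverage question the disclosure raises. The following Python model is an added illustration, not code from the disclosure or its authors: it captures those relationships as plain dataclasses, treats a rule as effective only when it is in production, every data source it depends on is actually onboarded, and a response procedure exists, and then derives a per-use-case completeness score plus a structured gap report. All threat, control, use case, rule and data source names are constructed sample data.

```python
"""Minimal SOC use case library with coverage and gap reporting.

Added example; not the disclosed system's own code. Every identifier in the
sample library (threats, controls, use cases, rules, feeds) is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DataSource:
    name: str
    onboarded: bool  # True once the SIEM really receives this feed


@dataclass
class Rule:
    name: str
    data_sources: List[str]            # feeds the rule's logic reads
    response_procedure: Optional[str]  # runbook id, None if not yet written
    status: str                        # "planned", "development" or "production"


@dataclass
class UseCase:
    name: str
    purpose: str                       # why the use case exists (the missing context)
    threats: List[str]                 # threat-model entries it addresses
    controls: List[str]                # policies/controls it supports
    rules: List[Rule] = field(default_factory=list)


@dataclass
class UseCaseLibrary:
    threat_model: List[str]
    data_sources: Dict[str, DataSource]
    use_cases: Dict[str, UseCase]

    def rule_is_effective(self, rule: Rule) -> bool:
        """A rule only detects anything if it is live, all its feeds are onboarded
        and an analyst has a documented response to its alerts."""
        feeds_ok = all(
            ds in self.data_sources and self.data_sources[ds].onboarded
            for ds in rule.data_sources
        )
        return rule.status == "production" and feeds_ok and rule.response_procedure is not None

    def use_case_completeness(self, name: str) -> float:
        """Fraction of a use case's rules that are effective; 0.0 if it has no rules."""
        uc = self.use_cases[name]
        if not uc.rules:
            return 0.0
        return sum(1 for r in uc.rules if self.rule_is_effective(r)) / len(uc.rules)

    def gaps(self) -> Dict[str, List[str]]:
        """Gap report: threats nothing effective covers, use cases with no rules,
        and rules that exist on paper but cannot fire."""
        covered = {t for uc in self.use_cases.values()
                   if any(self.rule_is_effective(r) for r in uc.rules)
                   for t in uc.threats}
        ineffective = sorted(f"{uc.name}/{r.name}" for uc in self.use_cases.values()
                             for r in uc.rules if not self.rule_is_effective(r))
        return {
            "threats_without_use_case": sorted(set(self.threat_model) - covered),
            "use_cases_without_rules": sorted(n for n, uc in self.use_cases.items() if not uc.rules),
            "ineffective_rules": ineffective,
        }


def build_sample_library() -> UseCaseLibrary:
    """Constructed sample portfolio: one partly implemented use case, one empty one."""
    sources = {
        "windows_security_log": DataSource("windows_security_log", onboarded=True),
        "linux_auth_log": DataSource("linux_auth_log", onboarded=True),
        "pam_vault_log": DataSource("pam_vault_log", onboarded=False),  # feed not yet delivered
    }
    priv = UseCase(
        name="privileged_user_monitoring",
        purpose="Detect misuse of privileged accounts in support of access policy A-1",
        threats=["credential_misuse"], controls=["A-1"],
        rules=[
            Rule("domain_admin_interactive_logon", ["windows_security_log"], "RP-01", "production"),
            Rule("root_logon_outside_change_window", ["linux_auth_log"], "RP-02", "production"),
            Rule("vault_checkout_without_ticket", ["pam_vault_log"], "RP-03", "production"),
            Rule("service_account_interactive_logon", ["windows_security_log"], None, "development"),
        ],
    )
    exfil = UseCase(name="data_exfiltration", purpose="Detect bulk data leaving the environment",
                    threats=["data_theft"], controls=["DLP-2"])
    return UseCaseLibrary(threat_model=["credential_misuse", "data_theft", "ransomware"],
                          data_sources=sources, use_cases={priv.name: priv, exfil.name: exfil})


if __name__ == "__main__":
    lib = build_sample_library()
    for name in lib.use_cases:
        print(f"{name}: {lib.use_case_completeness(name):.0%} complete")
    for key, items in lib.gaps().items():
        print(f"{key}: {items}")
```

Running the script on the sample portfolio reports the privileged user use case as 50% complete (one rule waits on a feed that is not onboarded, another has no runbook and is still in development), flags the exfiltration use case as having no rules at all, and shows that two of the three threats in the threat model have no effective detection. That is the kind of objective completeness statement the disclosure says is missing when use cases live in spreadsheets; in a real library the same structure would feed a dashboard rather than print statements.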