Security experts consider the following to be the central requirements for developing detection engineering capabilities:
- Data: Detection engineering teams need access to logs and security event data from endpoints, networks, cloud environments and security tools, as well as a centralized SIEM or log management platform to aggregate and normalize it.
- Qualified personnel: Detection engineers, security analysts and threat researchers are needed to develop and refine detection rules.
- Formalized processes: These are essential for modeling and testing threats and integrating threat data into incident response.
CISO Renfrow also recommends that those interested in detection engineering use frameworks such as MITER ATT&CK to ensure that well-known adversary techniques are covered. In addition, the security decision-maker advises user companies to use adversary emulation tools to validate the effectiveness of their efforts.
Automated detection engineering
Artificial intelligence (AI) and machine learning (ML) can also help optimize and automate detection rules, as a further look at the report from SANS and Anvilogic makes clear. Accordingly:
- set 45 percent of study participants used AI in their detection engineering programs to detect anomalies, generate rules and triage alerts.
- are 88 percent believe that AI will have a significant impact on their detection engineering programs in the next three years.
- to use 93 percent of those surveyed are currently using – or planning to use – some form of automation in their detection engineering workflow.
“One of the strongest use cases for AI is to analyze massive amounts of data to identify anomalies, especially when it comes to AI models trained on custom data sets,” says Glenn Thorpe, senior director of security research and detection engineering at platform provider GreyNoise Intelligence.
When it comes to automating detection engineering processes, users primarily focus on three areas. She:
- map their detection coverage with the MITER ATT&CK framework,
- identify faulty or misconfigured detection rules, and
- operationalize threat intelligence into actionable detection rules.
However, security expert Thorpe warns companies against looking for a one-size-fits-all solution to build detection engineering capacity: “To build an effective team in this area, a creative, multi-layered way of thinking and curiosity are required above all.”
According to the manager, a good starting point would be to identify your company’s core data and find people who can analyze it from different perspectives: “Get a realistic picture of what you don’t know – and then close these information gaps. You will probably find that even small changes create more transparency and make it easier to understand network traffic.” (fm)
This article originally appeared at our sister publication CSOonline.com.
