We can't find the internet
Attempting to reconnect
Something went wrong!
Hang in there while we get back on track
SAINTCON 2023 - Ivan Koshkin - The Lifecycle of Detection Engineering
Learn about the lifecycle of detection engineering, a holistic approach that enhances detection accuracy, reduces false positives, and improves security operations efficiency through design, testing, and maintenance.
- Detection engineering is a holistic approach to detection, involving design, testing, and maintenance of detection processes.
- It aims to enhance the coverage and accuracy of detection, reduce false positives and false negatives, and improve the overall efficiency and effectiveness of security operations.
- Detection engineering involves the use of detection-as-code, which applies software development principles to the detection process, allowing for repetition, refactoring, and reuse of code.
- This approach enables the implementation of detection rules and searches in a modular, structured, and scalable manner.
- A lifecycle of detection engineering includes design, implementation, testing, deployment, and maintenance of detection processes.
- Detection engineering teams can leverage various tools and technologies, including detection-as-code platforms, incident response platforms, and threat intelligence feeds.
- The process involves the curation of detection ideas, which involve analyzing threat intelligence, malware, and attacker tactics, techniques, and procedures.
- The curation process enables the identification of patterns and anomalies, allowing for the development of detection rules and searches.
- Detection engineering is influenced by AI and machine learning, which enables the detection of complex patterns and anomalies in large datasets.
- The approach involves the use of visualization and metrics to monitor the health and performance of detection processes.
- Detection engineering also involves the use of peer review, to ensure that detection processes are reviewed, validated, and tested before deployment.
- Automated testing and validation of detection processes involve the use of simulated adversarial activity to test detection rules and searches.
- A successful detection engineering process involves the close collaboration of various teams, including threat intelligence, malware analysis, and incident response teams.