Introduction to Detection Engineering
Just as threat actors evolve their attacks and techniques, so too must security teams evolve their detection content. Detection engineering, therefore, is a life cycle that requires continual effort. However, when done well, detection engineering can reduce the mean time to detect and respond to a threat, as well as recover from a threat.
Detection engineering is the process of identifying threats before they can do significant damage. Detection engineering is about creating a culture, as well as a process of developing, evolving, and tuning detections to defend against current threats. It aligns content developers, threat hunters, threat intelligence, red teams, risk management, and so forth, to build a threat-informed defense system.
Detection Objective
Detection engineering starts with threat modeling – identifying the threats that are relevant to your organization. You can use the MITRE ATT@CK framework and perform a gap analysis to discover what’s relevant, but it ultimately starts from asking the following questions:
- What do I need to detect?
- What threat actors, techniques, tools, etc., are relevant to us?
- How can I demonstrate the relevance to the business?
The answers to those questions can help you build a formula for the threats your organization should be concerned about.
Detection Requirements
From there, identify available log sources and determine what logs or data sources you’re missing that are necessary to detect the threats you’ve identified. Next, identify use cases, look at vulnerability reports and develop an understanding of the holes in your defense. Do your due diligence. Research and hypothesize about the threat. At that point you can begin writing your detection content.
In this phase, answer the questions:
- How can I detect X?
- What log or data sources do I need to do so?
- What detection logic should I use?
Detection Implementation
Those answers lead into the actual implementation where we talk about a life cycle and how you’ll manage that detection capability on an ongoing basis. Once you’ve written that specific piece of content for detection, you need to continuously tune it for false positives and other nuances that come up. You’re tuning and deploying, but you’re also consistently reviewing the detections that you’ve previously written. As part of this process, ask yourself:
- How can I automate detection?
- Is this detection more suitable as a dashboard, saved search, report, or rule?
The cyclical nature of detection engineering requires a supportive culture in the organization. Without a culture, you’ll fall short. The return on investment from this lifecycle is a reduced mean time to detect and mean time to respond to an incident. Of course, there will always be incidents that creep up that are not necessarily part of the detection lifecycle. That’s where threat hunting comes into play.
Discover the world’s leading AI-native platform for next-gen SIEM and log management
Elevate your cybersecurity with the CrowdStrike Falcon® platform, the premier AI-native platform for SIEM and log management. Experience security logging at a petabyte scale, choosing between cloud-native or self-hosted deployment options. Log your data with a powerful, index-free architecture, without bottlenecks, allowing threat hunting with over 1 PB of data ingestion per day. Ensure real-time search capabilities to outpace adversaries, achieving sub-second latency for complex queries. Benefit from 360-degree visibility, consolidating data to break down silos and enabling security, IT, and DevOps teams to hunt threats, monitor performance, and ensure compliance seamlessly across 3 billion events in less than 1 second.
