Fast-breaking attacks wearing you down … Sunburst, RansomExx, Hafnium, and whatever is next? Agility in your detection engineering process will be your savior.
SOC practitioners know that the threat landscape is as complex and fast-breaking as it has ever been, and attackers are increasingly more well-funded than ever, and therefore the best thing we, as protectors, have going for us is the concept of agility in our processes.
Specifically, what that means is, the detection engineering process must be agile enough to respond to new attack patterns and proactively prepare the SOC for correlated signals that are actually actionable. This is not unlike an agile development process in the world of software development thus spawning monikers like ‘detection as code’. In doing so, the agile process must not pose burdens on detection teams to know the exact attack pattern beforehand, nor should it require detection teams to be expert programmers in the underlying engines.
An ideal detection engineering process would be AI-driven, and must be able to:
1. Render detection use cases per templates designed to catch attack patterns early
2. On-board required data sources with the right level of normalization
3. Deploy, test, and continuously tune use cases for perfection
4. Enrich resulting alerts before handing them off to hunting and IR teams
5. Update the gap matrix, check off the priority list, and reset the ‘maturity’ score
How do you ensure agility in the detection engineering process?
Through automation of course. Specifically, through automation of two kinds — process automation that greatly minimizes the mundane human operations thereby increasing efficiency and more importantly, enhancing job satisfaction of security teams AND depth automation through AI-led recommendations that provide relevant use case development guidance to detection engineers, thereby decreasing time-to-detect and again, enhancing job satisfaction (and hence retention rates) of security teams.
How might this come into play for the next ‘unknown’ attack?
We will explain more about each of the five steps described above and how a real-world scenario will play out in an ideal automated detection engineering environment in an upcoming blog post soon.
In the meantime, watch this space for a post from our own purple team on the Hafnium threat and how a proactive and automated detection engineering process can help SOC teams be well-prepared.