Managing cybersecurity risk effectively demands attention on multiple fronts and a clear understanding of the leading terms and techniques. In this post, we explain what detection engineering means and how it can help an organization limit the aftermath of an attack.
An Overview of Detection Engineering (DE)
The traditional security approach involves finding threats early and crafting a remedial solution. However, today's threats are so sophisticated and well planned that basic detection techniques are no longer viable. This is why organizations need forward-looking threat detection.
Detection Engineering, or DE, is a modern threat detection approach wherein organizations use systems and tools to detect vulnerabilities before they mature enough to cause lethal damage. Its scope extends beyond simply flagging malicious activity.
DE is about developing a culture wherein the team and other stakeholders are aware of the risks and their impact, backed by extensive detection processes, an evolving technology profile, and detection strategies that are tweaked as threats evolve.
Because its scope is wide and it works across multiple dimensions, risk management, threat hunters, content developers, the red team, and threat intelligence are often part of it. Unlike more established controls such as applying MFA, using a WAF, or doing early API threat detection, DE has yet to fully mature: the world has yet to see a standardized version or widely applicable frameworks that align well with it.
Advantages of Detection Engineering
When implemented correctly, DE tends to empower an organization and its threat identification strategies in multiple ways, such as:
- It remarkably trims down the average vulnerability response time, as risks are detected early and the team is notified immediately.
- Detection is fully customized to the ecosystem concerned.
- Its process remains in sync with the workflow.
- It keeps the entire team and its members informed about the hazards, which helps in containing a threat.
The Importance of Detection Engineering
If one closely examines the conventional detection methodologies that most organizations adopt at present, two key issues surface.
- Security experts are often overburdened with the huge volume of data they receive from common security tools like EDR, SIEM, WAF, and so on. Beyond the sheer size of that data, what concerns security experts most is the considerable number of false-negative and false-positive alerts. These alerts waste both the time and effort of the security experts concerned while letting potential threats slip away.
- Because of this data abundance, the average response time also increases. Sometimes, remedial actions are implemented very late.
Detection engineering can fix both issues by covering the edge cases, reducing the response time, providing detailed actionable insights, and customizing the detection. With its help, more time is invested in fine-tuning the alerts rather than in sorting and labeling them.
The first step one takes toward DE is threat modeling, which involves recognizing the risks that are directly linked to the organization. For this, organizations are advised to refer to the MITRE ATT&CK framework and conduct a detailed gap analysis to learn what is worth consideration and what is not.
Once the organization has clarity on what log sources are available and which extra ones are required, it can move to the next stage: recognize the use cases, scrape the vulnerability reports to gather relevant data, and quickly find the gaps in the existing defense system.
The final stage is establishing the lifecycle that will help the organization perform quick and accurate detection. The insights from the earlier stages are combined and combed through, false positives are tuned out, and detection techniques continue to evolve.
As one plans to implement DE, some of the key areas of concern remain learning the best detection automation techniques, reviewing previously identified threats, and deciding whether a detection is best delivered as a report, a dashboard, or a rule.
Additionally, establishing a supportive culture within the organization is crucial for successful detection implementation. The team should take up its responsibilities and remain attentive to workflows.
Areas of Detection Engineering
When the concept of DE was in its early stages, it revolved only around finding suspicious activity. However, it has now spread its wings and started pairing with multiple other security domains, such as:
- Security monitoring: DE helps organizations adopt a highly proactive security monitoring approach, with workflows like applying Sigma rules, matching IOCs against logged data, and forwarding crucial information to the SIEM.
- Incident response: DE empowers an organization's incident response as it can generate YARA rules, enrich IOCs, and define goals for detecting harmful tools present on target systems and disk images.
- Malware analysis: Organizations can elevate their malware analysis with DE, as it is useful for extracting IOCs and defining YARA rules.
- Threat intelligence: By creating YARA rules to detect malicious documents and toolsets, detection engineering strengthens threat intelligence.
- Digital forensics: DE greatly aids digital forensics as it can establish YARA rules for accurate extraction of specified data, such as victim details or details of extracted data. It can also help security professionals generate a case-related keyword list.
Detection Engineering Process
One must be clear that DE goes beyond Detection-as-Code, which is often considered its foundation. A result-driven DE demands crisp detection content and advanced tools that are well aligned with each other.
One key factor to keep in mind while designing the DE process is to track the detection code before, during, and after its insertion into the pipeline. Here is an understandable breakdown of the entire process.
- Stage #1 - The Detection
At this stage, detections are identified and logged, while a CI/CD process is initiated for Detection-as-Code (DaC).
- Stage #2 - Detection Maintenance
Using techniques like sandboxing, purple teaming, and pentesting, the efficacy of the detection system is tested, and threat hunting is carried out to spot new or previously undetected threats. Often, a highly responsive honeypot is set up to watch for malicious activity.
All these activities are well documented and forwarded to the key decision-makers. If new detections are identified, the detection code is modified.
- Stage #3 - Threat Intelligence
Finally, threat intelligence is deployed. At this stage, organizations often pick viable vulnerability tools and work on collecting threat-hunting and pentesting insights.
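As an added illustration of the Sigma-rule and IOC-matching workflows listed under security monitoring above and of the Detection-as-Code CI/CD gate in Stage #1 (example code written for this page, not Wallarm's or any project's own), the Python below evaluates one simplified Sigma-style rule and an IOC list over constructed log events, then wraps the expected outcomes in the regression check a pipeline would run before promoting the rule. The rule, the events, and the IP addresses are all constructed placeholders, and the regex-based evaluator is a teaching stand-in for the real Sigma modifier syntax.

```python
import re

# Constructed, simplified Sigma-style rule: every "selection" field must match its
# regex and no "filter" field may match (real Sigma uses |contains, |endswith, etc.).
RULE = {
    "title": "Encoded PowerShell spawned by an Office application",
    "level": "high",
    "selection": {
        "Image": r"(?i)\\powershell\.exe$",
        "CommandLine": r"(?i)\s-e(nc|ncodedcommand)?\s",
        "ParentImage": r"(?i)\\(winword|excel|outlook)\.exe$",
    },
    "filter": {"User": r"^NT AUTHORITY\\SYSTEM$"},  # known benign automation, tuned out
}
IOC_IPS = {"203.0.113.45", "198.51.100.7"}  # constructed placeholder indicators

def fields_match(fields, event):
    """True when every listed field of the event matches its regex."""
    return all(re.search(pat, str(event.get(name, ""))) for name, pat in fields.items())

def evaluate(rule, event):
    """Sigma-style condition: selection and not filter."""
    return fields_match(rule["selection"], event) and not fields_match(rule["filter"], event)

def ioc_hits(event, iocs=IOC_IPS):
    """IOC values found in any *Ip field of the event (the SIEM-side IOC sweep)."""
    return sorted(v for k, v in event.items() if k.endswith("Ip") and v in iocs)

def run_detections(events):
    """Apply the rule and the IOC sweep to a batch of events; return (title, level, id)."""
    alerts = []
    for ev in events:
        if evaluate(RULE, ev):
            alerts.append((RULE["title"], RULE["level"], ev["EventId"]))
        for ioc in ioc_hits(ev):
            alerts.append(("IOC match: " + ioc, "medium", ev["EventId"]))
    return alerts

# Constructed regression corpus: true positive, tuned-out false positive, benign noise.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TEST_EVENTS = [
    {"EventId": 1, "Image": PS, "CommandLine": "powershell.exe -enc QQBCAEMA",
     "ParentImage": r"C:\Office\WINWORD.EXE", "User": r"CORP\jdoe", "DestinationIp": "203.0.113.45"},
    {"EventId": 2, "Image": PS, "CommandLine": "powershell.exe -enc QQBCAEMA",
     "ParentImage": r"C:\Office\WINWORD.EXE", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventId": 3, "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "User": r"CORP\jdoe"},
]
EXPECTED = {1: 2, 2: 0, 3: 0}  # alerts each event must produce

def regression_passes(events=TEST_EVENTS, expected=EXPECTED):
    """CI/CD gate for detection-as-code: promote the rule only if every case behaves."""
    counts = {ev["EventId"]: 0 for ev in events}
    for _title, _level, event_id in run_detections(events):
        counts[event_id] += 1
    return counts == expected
```

In a real pipeline the corpus would live beside the rule in version control, so any edit that silently breaks the true positive or re-enables the tuned-out false positive fails the build before the rule reaches the SIEM.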
Detection Engineering and Threat Intelligence
Threat intelligence, or CTI, is a data-driven security approach through which organizations gather insights on potential threats. It gives enterprises a chance to become proactive toward present threats and recognize them as soon as possible.
As threat intelligence proceeds, raw information on risks is gathered, the data is combed through further to extract actionable inputs, and detections are sketched out so that the nature of the vulnerabilities is easy to understand.
If followed thoroughly, threat intelligence is of great help in finding detailed, organization-specific threats that then form the foundation of detection engineering.
DE aims to go beyond mere detection and seeks to understand the course of action of a threat and how it can impact the organization in the short and long run. As this information is extracted through threat intelligence, organizations are advised to combine DE and threat intelligence.
DE and Pentest
A pentest, or penetration test, is a controlled cyberattack that an organization performs on its existing IT ecosystem to find the slip-ups in its security profile before hackers do. In this approach, cybersecurity experts purposely conduct an attack on servers, networks, APIs, and other important assets to find out which vulnerabilities can pass through the present security wall.
Mostly, it is done to evaluate the efficacy of the WAF, and it has multiple types, such as internal testing, blind testing, external testing, and so on. Now, let's come to the key question:
How is it important for detection engineering?
The second stage of the detection process, detection maintenance, aims to check how effective the detection is in real time. For this, techniques like sandboxing and pentesting are used to stage a controlled attack. DE takes the help of pentesting to spot the loopholes that could work in favor of hackers.
Threat actors often remain a step ahead of security experts, as they recognize the weaknesses of the security profile and use them against the organization. Pentesting is a key aspect of detection engineering because it helps an organization gauge the efficiency of its detection tools.
DE and Threat Hunting
DE is incomplete and ineffective if threat hunting is not included in it. Threat hunting refers to the activities that authorized hackers or cyber experts perform to recognize risks. Using up-to-date IoCs and TTPs, threat hunters find risks and often propose a detection hypothesis.
By combining tools and expertise, threat hunters are of great help in identifying risks, and they provide the insights security experts need to fine-tune detection. Threat hunting remains a non-negotiable part of DE because new threats keep showing up, and their early discovery is required.
DE and EDR/XDR
For efficient detection, resources like PCs, servers, networks, containers, microservices, cloud, APIs, and other IT resources must be kept within reach and under continual monitoring. Lacking visibility into any of these resources leads to inadequate detection that leaves vulnerabilities unaddressed.
EDR and XDR tools are of great help in this regard. Both are advanced security analytics technologies designed to perform automatic detection. Depending on how they are configured, they can perform extensive detection on both external and internal resources.
Along with detection, they are triggered to raise an alert and can even provide a response. However, the default behavior of XDR or EDR tools fails to provide optimized resolutions. Hence, certain tweaks to the XDR/EDR implementation are required when they are paired with detection engineering.
For instance, the tools should be:
- Compatible with all sorts of cloud ecosystems used
- Flexible enough to bend as threats evolve
- Highly transparent, providing clarity on the detection techniques they use and the data they capture
- Able to integrate with security solutions already in place
Wallarm Threat Detection And Protection Tool
Detection engineering is a strategic approach with great customization and flexibility. Organizations are free to use the techniques and approaches that fit well with their security goals.
Wallarm provides a cutting-edge platform that covers APIs, microservices, and cloud environments of all sorts. It empowers an organization's detection and response strategy by offering an extensive solution for detecting vulnerabilities. With its solutions, one can do both passive and active threat recognition.
In addition, its advanced vulnerability scanner can spot hidden and well-shielded dangers as well. To make attack detection as effective as possible, Wallarm incorporates the libproton and libdetection libraries. It also allows organizations to declare custom detection rules and optimize DE.
All Wallarm tools and solutions come with extensive integration abilities that allow cybersecurity experts to understand their organizations' existing security profiles and trim down tool sprawl. The integration keeps workflows uncomplicated and fully streamlined.
libdetection library - GitHub