Part 1: Bro, do you even detection engineer?
Medium – Atanas Viyachki
Detection engineering is the capability that focuses on identifying threats and building in-house detections for them. But it should not stop there. To enable security engineers from various departments to create detections, I developed the Open Detection Engineering Framework (ODEF).
ODEF is, to my knowledge, the first framework that defines the detection lifecycle. With three phases, sunrise, midday and sunset, ODEF covers the life of a detection from inception to decommissioning. Each phase has corresponding functions, goals and guidelines. This helps the detection engineer keep a north-star focus and deliver a detection of exceptional quality.
ODEF provides two templates for documenting detections, in YAML and Markdown, each for a different purpose:
ODEF phases
"Sunrise" is the first phase of the detection lifecycle. It marks the inception, development and commissioning to production of the detection. While sunrising a detection, there are 6 core functions that should be addressed:
- Research
- Prepare
- Build & Enrich
- Validate
- Automate
- Share
The "Midday" phase is normally the longest phase from a detection lifecycle perspective. During this phase the detection is commissioned to production. It should be automated and enabled to run continuously. The phase monitors the detection during its operation and aims to improve it if needed.
High-level goals for the Midday phase:
- Operate and monitor the detection for FP or TP
- Improve the detection logic in case of an influx of FP
- Perform systematic reviews to ensure relevancy
During the "Sunset" phase the detection is taken out of commission. The phase ensures that resources are not spent on outdated and irrelevant detections. At the same time, it ensures that the documentation of the detection remains.
High-level goals for the Sunset phase:
- Decommission the detection and leave it in a state in which it can be re-enabled at any time
- Preserve the knowledge
ODEF Mindmap
The goal of the mindmap is to show the effort required for each lifecycle phase. The more branches you count, the bigger the effort. When building high-quality detections, the sunrise phase takes the biggest amount of effort.
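The three phases and their goals can be enforced mechanically once a detection is documented as data. The following is an added example, not ODEF's own code or template: it assumes a hypothetical record layout (keys `phase`, `enabled`, `sunrise`, `midday`, `sunset`, plus `name`, `description`, `logic`) that mirrors what a YAML detection document might hold, and checks the page's lifecycle rules: all six sunrise functions complete before commissioning, midday detections enabled and reviewed, false-positive influx flagged, and sunset detections disabled but fully documented and re-enablable. The sample record is constructed; records are Python dicts so the example runs without PyYAML.

```python
"""Lifecycle checks for ODEF-style detection records (added example, assumed schema)."""
from copy import deepcopy
from datetime import date

PHASES = ("sunrise", "midday", "sunset")
# sunset -> midday models "leave it in a state in which it can be re-enabled at any time"
ALLOWED_TRANSITIONS = {"sunrise": {"midday"}, "midday": {"sunset"}, "sunset": {"midday"}}
SUNRISE_FUNCTIONS = ("research", "prepare", "build_and_enrich", "validate", "automate", "share")
DOCUMENTATION_KEYS = ("name", "description", "logic")  # knowledge that must survive every phase


def validate_detection(doc):
    """Return a list of problems; an empty list means the record is consistent with its phase."""
    problems = []
    phase = doc.get("phase")
    if phase not in PHASES:
        return [f"unknown phase {phase!r}"]
    for key in DOCUMENTATION_KEYS:
        if not doc.get(key):
            problems.append(f"missing documentation field {key!r}")
    if phase == "sunrise":
        done = doc.get("sunrise", {})
        for fn in SUNRISE_FUNCTIONS:
            if not done.get(fn):
                problems.append(f"sunrise function {fn!r} not completed")
        if doc.get("enabled"):
            problems.append("detection enabled before commissioning")
    elif phase == "midday":
        if not doc.get("enabled"):
            problems.append("midday detection must be enabled")
        if "last_review" not in doc.get("midday", {}):
            problems.append("midday detection has no review date")
    else:  # sunset: disabled, but documented and with a recorded reason
        if doc.get("enabled"):
            problems.append("sunset detection must be disabled")
        if not doc.get("sunset", {}).get("reason"):
            problems.append("sunset detection needs a decommission reason")
    return problems


def transition(doc, new_phase, on, reason=None):
    """Return a copy of the record moved to new_phase, refusing invalid or premature moves."""
    current = doc.get("phase")
    if new_phase not in ALLOWED_TRANSITIONS.get(current, set()):
        raise ValueError(f"cannot move from {current!r} to {new_phase!r}")
    problems = validate_detection(doc)
    if problems:
        raise ValueError("record not ready: " + "; ".join(problems))
    new = deepcopy(doc)
    new["phase"] = new_phase
    if new_phase == "midday":
        new["enabled"] = True
        new.setdefault("midday", {})["last_review"] = on.isoformat()
    else:
        if not reason:
            raise ValueError("sunset requires a decommission reason")
        new["enabled"] = False
        new["sunset"] = {"reason": reason, "decommissioned_on": on.isoformat()}
    return new


def fp_ratio(doc):
    """Share of alerts that were false positives, from counters kept during midday."""
    stats = doc.get("midday", {})
    fp, tp = stats.get("fp", 0), stats.get("tp", 0)
    return fp / (fp + tp) if fp + tp else 0.0


def review_actions(doc, today, fp_threshold=0.8, max_review_age_days=90):
    """Midday goals as checks: flag an FP influx and an overdue systematic review."""
    actions = []
    if doc.get("phase") != "midday":
        return actions
    if fp_ratio(doc) > fp_threshold:
        actions.append("improve logic: false-positive influx")
    last = date.fromisoformat(doc["midday"]["last_review"])
    if (today - last).days > max_review_age_days:
        actions.append("systematic review overdue")
    return actions


# Constructed sample record; the values are placeholders, not a real detection.
SAMPLE = {
    "name": "example-detection",
    "description": "Constructed record used to exercise the lifecycle checks.",
    "logic": "placeholder query string",
    "phase": "sunrise",
    "enabled": False,
    "sunrise": {fn: True for fn in SUNRISE_FUNCTIONS},
}

if __name__ == "__main__":
    live = transition(SAMPLE, "midday", date(2024, 1, 1))
    live["midday"].update(fp=90, tp=10)
    print(review_actions(live, date(2024, 6, 1)))
    retired = transition(live, "sunset", date(2024, 6, 2), reason="log source retired")
    print(retired["phase"], retired["enabled"], validate_detection(retired))
```

The transition table is the only place the lifecycle order lives, so a detection cannot skip sunrise or reach sunset without a recorded reason, and re-enabling a sunset detection reuses the midday path, which keeps the preserved documentation intact.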
Stay tuned for Part 2, ODEF Implementation, where we will see how to grow a quality detection-as-code capability and enforce detection quality with automated unit tests.
Link: https://medium.com/@aviyachki/part-1-bro-do-you-even-detection-engineer-1584dca5ddc9