Rising attack exposure, threat sophistication spur interest in detection engineering

More than the usual threat detection practices: Proponents argue that detection engineering differs from traditional threat detection practices in approach, methodology, and integration with the development lifecycle. Threat detection processes are typically more reactive and rely on pre-built rules and signatures from vendors that offer limited customization for the organizations using them. In contrast, detection engineering applies software development principles to create and maintain custom detection logic for an organization’s specific environment and threat landscape. Rather than relying on static, generic rules and known IOCs, the goal of detection engineering is to develop tailored mechanisms for detecting threats as they would actually manifest in an organization’s specific environment.

Often this involves a stronger emphasis on behavior-based detections, the integration of threat intelligence to create detections aligned with real-world adversary tactics, and the use of threat modeling to anticipate potential attack paths, says Heath Renfrow, CISO and co-founder of Fenix24, a cyber disaster recovery firm. “Unlike conventional threat detection, which often relies on static signatures and pre-built rules, detection engineering is behavior-driven, context-aware, and tailored to an organization’s unique threat landscape,” Renfrow says. “It involves a blend of security operations, threat intelligence, and data science to build more adaptive and resilient detection capabilities.”

The SANS-Anvilogic report describes detection engineering practices as evolving over the years from being over-reliant on vendor-specific consoles and proprietary languages to incorporating software development life cycle (SDLC) and continuous integration/continuous deployment (CI/CD) principles. This is enabling teams to test, deploy, and refine detections more efficiently while maintaining auditable trails of changes.

Drivers of detection engineering’s adoption: There are a couple of factors driving adoption of detection engineering practices. The biggest is the fact that out-of-the-box detections aren’t good enough. They don’t baseline the environment, they don’t drive down false positives and, troublingly, they don’t always alert on the things that matter, says Johnathon Miller, vice president of security operations at Lumifi Cyber.

Generic alerts that don’t account for organizational context have become a major problem and a contributor to false positive fatigue within many security teams. Sixty-four percent of organizations in Anvilogic’s survey, for instance, reported high false positive rates; 61% struggled with detections that lacked environmental accuracy; and 34% said they had encountered delays in updates and improvements.

“Traditional threat detection methods historically have been static; if a=a, create an alert,” says Kevin Gonzalez, VP of security, operations and data at Anvilogic. “They are often rigid, black-box mechanisms that lack flexibility in customization. Though useful to some extent, these approaches become unmanageable at scale, especially in organizations with hybrid environments,” he says.

Growing threat volumes and sophistication are another issue. Attackers are using more advanced and evasive techniques, including fileless malware, living-off-the-land approaches, zero-day exploits and attacks via the software supply chain, rendering signature-based detection largely insufficient. Rising cloud adoption has introduced new vulnerabilities as well and created blind spots that legacy detection methods often struggle to cover. The rise in advanced persistent threats (APTs), supply chain attacks, and ransomware operations has made traditional reactive approaches insufficient, Renfrow says. “Organizations now realize that proactive detection engineering reduces dwell time, improves response capabilities, and enhances overall cyber resilience. Additionally, compliance frameworks and cyber insurance providers are increasingly emphasizing strong detection strategies.”

Industries adopting detection engineering: Organizations in the banking and finance sector, the technology industry, cybersecurity companies and, to a lesser extent, healthcare companies are among the leading adopters of detection engineering practices. Many are in sectors that must deal with regulatory scrutiny or are frequent targets of sophisticated threat actors. But the reality is that most organizations, especially larger ones, can benefit from implementing a systematic approach to developing detection mechanisms for their specific threat profile.

Any large enterprise with a complex IT infrastructure can benefit from detection engineering. Security operations centers (SOCs) need to continuously improve and maximize their detection posture. “Along with the evolving threat landscape, their own internal IT infrastructures are constantly changing, which can result in detection ‘drift,’ where detection rules are broken and will no longer fire or alert,” CardinalOps CEO Michael Mumcuoglu says.

Security experts point out some key requirements for setting up a detection engineering capability. The biggest among them is data. To succeed, detection engineering teams need access to logs and security event data from endpoints, networks, cloud environments, and security tools, plus a centralized SIEM or log management platform to aggregate and normalize the security data. An effective detection engineering capability also means having skilled personnel, including detection engineers, analysts, and threat researchers, to develop and refine detection rules. Also important are formal processes for threat modeling, testing, and integrating threat intelligence with incident response.

The goal should be to move beyond static signatures and focus on how attackers operate, by prioritizing behavior-based threat detection. Use frameworks like MITRE ATT&CK to map detection coverage against known adversary techniques and utilize adversary emulation tools like Atomic Red Team to validate effectiveness, Renfrow says. “Detection engineering works best when security operations, threat intelligence, and IT teams work together,” Renfrow notes.
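As an added illustration of the detection-as-code approach the preceding paragraphs describe (not code from the article or from any vendor named in it), the hypothetical Python sketch below pairs a behavior-based rule with the CI-style unit test and the detection-drift check those practices call for. The rule, its field names, the ATT&CK technique mapping and the sample events are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable

Event = dict  # one normalized log record, e.g. a process-creation event from the SIEM

@dataclass(frozen=True)
class Detection:
    name: str
    attack_technique: str            # MITRE ATT&CK technique ID the rule maps to
    required_fields: tuple           # telemetry fields the logic depends on
    logic: Callable[[Event], bool]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}

def office_spawns_encoded_powershell(ev: Event) -> bool:
    """Behavior-based logic (hypothetical rule): an Office process launching PowerShell with
    an encoded command. No hash or filename IOC is used, so a renamed payload still matches."""
    tokens = ev.get("command_line", "").lower().split()
    # Match any 3+ character prefix of -EncodedCommand (-enc, -encoded, ...); "-encoding" is not a prefix.
    encoded = any(len(t) >= 3 and "-encodedcommand".startswith(t) for t in tokens)
    return (ev.get("parent_name", "").lower() in OFFICE_PARENTS
            and ev.get("process_name", "").lower() == "powershell.exe" and encoded)

RULE = Detection("office_to_encoded_powershell", "T1059.001",
                 ("parent_name", "process_name", "command_line"),
                 office_spawns_encoded_powershell)

# Constructed sample telemetry (not from any real environment).
KNOWN_BAD = [{"parent_name": "WINWORD.EXE", "process_name": "powershell.exe",
              "command_line": "powershell.exe -w hidden -enc SQBFAFgA..."}]
KNOWN_GOOD = [{"parent_name": "explorer.exe", "process_name": "powershell.exe",
               "command_line": "powershell.exe -File backup.ps1 -Encoding utf8"},
              {"parent_name": "WINWORD.EXE", "process_name": "splwow64.exe",
               "command_line": "splwow64.exe 12288"}]

def unit_test(rule: Detection, known_bad: list, known_good: list) -> tuple:
    """CI gate: (missed true positives, false positives); both lists must be empty to deploy."""
    missed = [e for e in known_bad if not rule.logic(e)]
    false_pos = [e for e in known_good if rule.logic(e)]
    return missed, false_pos

def drift_check(rule: Detection, recent_events: list) -> list:
    """Detection drift: fields the rule needs that recent telemetry no longer carries (e.g. after
    a log-source schema change); such a rule still deploys cleanly but silently never fires."""
    seen = set()
    for ev in recent_events:
        seen.update(ev.keys())
    return [f for f in rule.required_fields if f not in seen]
```

Running `unit_test(RULE, KNOWN_BAD, KNOWN_GOOD)` returns `([], [])`, while `drift_check` against events whose fields were renamed to `image` and `cmdline` reports `process_name` and `command_line` as missing.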

How AI and automation can help: AI/ML can play a key role in rule tuning and automation as well. Some 45% of the survey respondents described their organizations as using AI in their detection engineering programs for purposes like anomaly detection, rule generation and alert triage. Nearly nine in 10 (88%) believed AI would have a big impact on their detection engineering programs in the next three years. “One of [AI’s] strongest use cases is analyzing vast amounts of data to identify anomalies, particularly when utilizing a custom-trained language model,” says Glenn Thorpe, senior director of security research and detection engineering at GreyNoise Intelligence. “Depending on an organization’s threat model and risk tolerance, employing AI with a well-trained LLM can significantly enhance the effectiveness and efficiency of defenders within the organization.”

AI is not the only change. More organizations are also adopting automated processes for detection engineering. The areas that organizations are automating include mapping detection coverage to the MITRE ATT&CK framework, identifying broken or misconfigured detections, and being able to operationalize threat intelligence and convert it into actionable detection rules, Mumcuoglu says. Ninety-three percent of Anvilogic’s survey respondents reported they are currently using or plan to use automation in their detection engineering workflow for rules development, tuning existing detections and threat hunting.

Thorpe cautions against organizations looking for some kind of one-size-fits-all approach to standing up a detection engineering capability. “Instead, a creative mindset, diversity of thoughts and experiences, and curiosity are vital for building an effective team.”

A good place to start is by identifying your organization’s core data and finding individuals who can analyze that data from multiple perspectives. Develop a realistic understanding of what you don’t know and begin to address those information gaps. “You might discover that small changes can significantly improve your visibility and understanding of network traffic,” Thorpe notes.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/3847510/rising-attack-exposure-threat-sophistication-spur-interest-in-detection-engineering.html
