
Target Your Security Controls: How to Engineer Good Detections

12.05.23 | By Ascent

What makes a modern SOC modern? Updated tools seem like the most obvious step, but point solutions and software capabilities only hide the broader problem: clunky security operations. To maximize tool investment, a security operations center (SOC) team’s people and process should work in tandem.

Modern SOC model

Ascent’s modern SOC is divided into four cells or teams: Threat, Operations, Intelligence, and Enablement (also called Adversary, Current Ops, Intel, and Future Ops). The Threat team covers adversary emulation, the Ops team defends, the Intel team provides threat intelligence, and the Enablement team researches and develops new threat detections and automation.

Enablement team detection engineering calibrates security controls (technology and process) so the whole SOC team (people) can tackle the right threats the right way. If a SOC catches the right threats, a business spends its money on the right things and reduces overall cyber risk. In a modern SOC, process validation can impact the business’ bottom line.

So how should an enablement team (or the R&D software engineers) in a modern SOC create and test new security controls?

Detection engineering process

Research: Cyber threat intelligence

Do you know what you’re protecting against and why? Cyber threat intelligence should inform an organization’s threat profile: the evolving set of threats directly relevant to it, as defined by the infrastructure, processes, and policies required to accomplish its mission. Threat intelligence priorities are thereby determined by organizational risk appetite.

Understanding progress toward any related goal requires knowing what percentage of security controls are not in place, or are in place but cannot protect against 100% of potential threats. Risk frameworks like MITRE ATT&CK or MITRE ATLAS are the backbone of control rationale. ATT&CK maps threat actor TTPs (tactics, techniques, and procedures) by industry, location, and firmographic data points. MITRE ATT&CK heatmaps allow security teams to narrow the scope from every potential threat to the threats most relevant to their business.

Development: Design and coding

After research and control scoping, Enablement asks: What do I need to fill the control gaps I identified? Within a modern SOC, an R&D team often designs queries or automated shortcuts to make the blue and red teams’ jobs easier and more secure. Microsoft Sentinel, Ascent’s SIEM (security information and event management) tool of choice, requires continuous fine-tuning to match threat detections with an ever-evolving threat landscape.

Validation: Accuracy and precision testing

After an alert or detection is designed, the R&D team should test for two things: accuracy and precision. Alert accuracy answers the questions “Does my code do what it’s supposed to do?” and “Does it flag the activity I intended it to?” Alert precision answers the question “How often does my code generate false positives or false negatives?” If the detection fails either of those two tests, the R&D team should return to development for further testing.
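As an added illustration of the accuracy and precision check described above (this is not code from the original post or from Ascent’s Sentinel content), the Python harness below runs two versions of a brute-force sign-in rule over constructed, labeled sample events and scores each against the expected alerts; the tuned rule also records the earliest failure in the triggering run so an analyst can trace back toward the igniting event. User names, IP addresses, thresholds and the five-minute window are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def _t(hms):
    return datetime.strptime("2023-12-05 " + hms, "%Y-%m-%d %H:%M:%S")

# Constructed sign-in events: (timestamp, user, source_ip, outcome). Not real telemetry.
EVENTS = [
    # alice: six failures from one IP inside two minutes -> the activity the rule must catch
    *[(_t(f"09:00:{s:02d}"), "alice", "203.0.113.5", "failure") for s in (0, 20, 40)],
    *[(_t(f"09:01:{s:02d}"), "alice", "203.0.113.5", "failure") for s in (0, 30, 50)],
    # bob: three typos then a success -> benign
    (_t("09:00:05"), "bob", "198.51.100.7", "failure"),
    (_t("09:00:40"), "bob", "198.51.100.7", "failure"),
    (_t("09:01:10"), "bob", "198.51.100.7", "failure"),
    (_t("09:01:30"), "bob", "198.51.100.7", "success"),
    # carol: five failures spread over 40 minutes -> benign, but a count-only rule flags it
    *[(_t(f"09:{m:02d}:00"), "carol", "192.0.2.9", "failure") for m in (0, 10, 20, 30, 40)],
]
# Ground truth for the sample: the only (user, ip) pair that is actually a brute-force attempt
EXPECTED = {("alice", "203.0.113.5")}

def detect_count_only(events, threshold=5):
    """First draft: alert on any (user, ip) with >= threshold failures, regardless of timing."""
    counts = Counter((u, ip) for _, u, ip, out in events if out == "failure")
    return {k: None for k, n in counts.items() if n >= threshold}

def detect_windowed(events, threshold=5, window=timedelta(minutes=5)):
    """Tuned rule: alert only when >= threshold failures fall inside a sliding time window.
    Returns {(user, ip): first_failure_time} so analysts can trace back to the igniting event."""
    failures = defaultdict(list)
    for ts, user, ip, outcome in events:
        if outcome == "failure":
            failures[(user, ip)].append(ts)
    alerts = {}
    for key, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts[key] = times[i]   # earliest evidence in the triggering run
                break
    return alerts

def evaluate(alerts, expected):
    """Accuracy check (did we flag what we intended?) plus precision/recall against ground truth."""
    flagged = set(alerts)
    tp, fp, fn = len(flagged & expected), len(flagged - expected), len(expected - flagged)
    prec = tp / (tp + fp) if tp + fp else 0.0
    rec = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": prec, "recall": rec}
```

Running `evaluate(detect_count_only(EVENTS), EXPECTED)` gives precision 0.5 because carol’s slow trickle of failures is flagged; `detect_windowed` reaches precision 1.0 on the same sample while still catching alice at her first failed attempt.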

Deployment: Targeting and tuning

Once a detection does respond to an event with an alert each time it’s triggered, the R&D team should deploy it. Targeting and tuning a deployed alert asks two more questions: “Does my query or detection logic stop the kill chain mid-incident?” and “Can I identify the incident sooner?”

The goal of good detection engineering is to identify potentially malicious actions sooner. SOC teams shouldn’t be content with alerts signifying a brute force attempt to log in with an employee’s credentials. The alert is important, but part of threat prevention is tracing the brute force attempt back to the igniting event (perhaps credential theft or social engineering).

Optimization: Back to development

After deployment, SOC teams should test the alert, query, or detection logic rule with red team activities. Some automated attack simulations are valuable, but detection engineering often calls for targeted pen testing, adversary emulation, or scoped tabletop exercises. Note and test the entire process required to trigger the new detection: does each step hold against a red team? If not, what design elements should be improved?

Comprehensive threat protection

Continuous improvement isn’t just an operational goal for business. It’s a security imperative. Ascent’s modern SOC monitors and alerts against threats most relevant to your business. Our managed SOC scales to customer need, whether your business requires holistic support or just the services one cell provides. Reach out to info@meetascent.com for more information.
