The power of precision in threat detection

Published: 15 January 2025 (page timestamp 2025-09-23T17:12:12.965+02:00)
Business: Digital Intelligence
Location: United Kingdom
In this blog, we dive into some of the threat intelligence and detection engineering challenges that businesses face when managing their security operations centres.

The cyber security threat landscape is continually evolving, driven by advancements in technology and the increasing sophistication of cyber threats. To stay ahead of these threats, organisations must adopt the right automation technologies, leveraging reliable and timely data, all built upon a strategic approach to threat intelligence (TI) and detection engineering.
 
To maximise the value of detection efforts, organisations should focus on high-impact threats and prioritise alerts based on risk. This involves a careful balance of automation and human expertise. Let’s dive into what we actually mean by this.
 

Understanding the problem

We meet with customers who operate Security Operations Centres (SOCs) on a near-weekly basis, and the issues they face typically revolve around limited resources, limited budget for tooling and an overload of data. A SOC seems to be expected to provide a backstop against all known cyber threats, all the time. The playbook for SOC detection engineering has therefore defaulted to ‘turn on all the rules, get all the data we can, and buy as much threat intelligence as we can afford. Oh, and when we know about a specific threat, we try to write rules for that too!’
 
This is just not sustainable. In past blogs we’ve discussed how the threat to each organisation is personal, and how SOCs can be financial black holes for many organisations. For a SOC to deliver optimal value, it must mitigate enough risk that it controls the material cost of an intrusion to tolerable levels. It needs to detect only what good security controls cannot prevent, not every known threat to every conceivable technology.
 

The key purpose of threat intelligence and detection engineering

To implement detection engineering properly, organisations must already have a clear understanding of their risk profile and asset inventory. Additionally, they must invest in maintaining and optimising their detection tools to ensure they are performing at their best, embracing continuous improvement.
 
The primary goal of detection engineering is to mitigate as much of the known risk as possible without wasting resources on high-volume, low-value activities. In the resource-constrained environment of a SOC, it is important to focus available effort on detecting threats that pose a significant risk to the organisation, rather than chasing every alert. It is an iterative process of working down the list of prioritised cyber-related organisational risks, identifying the root of each risk, how an adversary could cause that risk to materialise, and what combination of data and detection logic can raise the associated events to an analyst for review. It is equally important that data and detection logic related to retired risks are deprecated in a timely manner, to reduce clutter and the associated operational expenses (analyst time, licences, infrastructure, etc.).
 
In order to maintain ongoing alignment to the most significant threats, an effective SOC should be built upon threat intelligence that contextualises urgent and future threats in terms of their relevance to the organisation’s crown jewel systems, along with the organisation’s fundamental weaknesses.
 
It is important to note that while IOCs (indicators of compromise) can be a valuable tool, they are not a panacea for detection. For many SOCs, 80% of the value can be derived from 20% of their IOCs, since, among the millions of indicators available, most relate neither to the systems being protected nor to the highest-impact threats faced. To operationalise TI effectively, it is therefore crucial to ‘do the leg work’ – drawing on intelligence from various sources (including open-source intelligence, threat feeds and security incident reports) – while recognising that this operationalisation of intelligence is only as good as the analysts who interpret it and the engineers who subsequently codify it as detection content.
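The two preceding sections describe a procedure: work down the prioritised risk register, deploy only the indicators that relate to protected systems and open risks, and deprecate content whose risk has been retired. The following is an added worked example of that filtering, not code from the original post or its authors. The indicator feed, asset inventory and risk register are constructed sample data (TEST-NET addresses and `.invalid` domains), and the scoring weights and the 90-day staleness window are assumptions chosen for illustration.

```python
"""Added example: score a TI feed against an asset inventory and a risk
register so that only relevant indicators become detection content, and
retire indicators whose underlying risk has been closed."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Indicator:
    value: str
    ioc_type: str
    threat: str          # actor or campaign name as reported by the feed
    targets: frozenset   # technologies the source says the threat goes after
    last_seen: date


@dataclass(frozen=True)
class Asset:
    name: str
    technology: str
    crown_jewel: bool


@dataclass(frozen=True)
class Risk:
    risk_id: str
    threat: str
    priority: int        # 1 = highest organisational priority
    status: str          # "open" or "retired"


def score_indicator(ioc, assets, risks, today, max_age_days=90):
    """Return (score, reason). A score of 0 means: do not deploy."""
    if (today - ioc.last_seen).days > max_age_days:
        return 0, "stale indicator"
    exposed = [a for a in assets if a.technology in ioc.targets]
    if not exposed:
        return 0, "no matching technology in inventory"
    open_risks = [r for r in risks if r.threat == ioc.threat and r.status == "open"]
    if not open_risks:
        return 0, "no open risk for this threat"
    # Assumed weighting: priority 1 scores 9, priority 9 scores 1,
    # plus a fixed bonus when a crown-jewel system is exposed.
    score = 10 - min(r.priority for r in open_risks)
    if any(a.crown_jewel for a in exposed):
        score += 5
    return score, f"open risk {open_risks[0].risk_id}; exposed: {[a.name for a in exposed]}"


def build_watchlist(feed, assets, risks, today):
    """Deployable indicators as (score, indicator, reason), highest first."""
    scored = []
    for ioc in feed:
        score, why = score_indicator(ioc, assets, risks, today)
        if score > 0:
            scored.append((score, ioc, why))
    scored.sort(key=lambda t: (-t[0], t[1].value))
    return scored


def retire_from_watchlist(deployed, risks):
    """Indicators whose threat no longer has any open risk are deprecated."""
    open_threats = {r.threat for r in risks if r.status == "open"}
    return [ioc for ioc in deployed if ioc.threat not in open_threats]


# --- constructed sample data (not real assets, risks or indicators) ---
TODAY = date(2025, 1, 15)
ASSETS = [
    Asset("mail-gw", "exchange", crown_jewel=True),
    Asset("web-01", "nginx", crown_jewel=False),
]
RISKS = [
    Risk("R1", "ActorA", priority=1, status="open"),
    Risk("R2", "ActorB", priority=3, status="open"),
    Risk("R3", "ActorC", priority=2, status="retired"),
]
FEED = [
    Indicator("203.0.113.10", "ip", "ActorA", frozenset({"exchange"}), date(2025, 1, 10)),
    Indicator("c2.example.invalid", "domain", "ActorB", frozenset({"nginx"}), date(2025, 1, 1)),
    Indicator("198.51.100.7", "ip", "ActorC", frozenset({"exchange"}), date(2025, 1, 12)),
    Indicator("203.0.113.99", "ip", "ActorA", frozenset({"fortigate"}), date(2025, 1, 12)),
    Indicator("old.example.invalid", "domain", "ActorB", frozenset({"nginx"}), date(2024, 9, 1)),
]

if __name__ == "__main__":
    for score, ioc, why in build_watchlist(FEED, ASSETS, RISKS, TODAY):
        print(f"{score:>3}  {ioc.ioc_type:<6} {ioc.value:<22} {why}")
    print("retire:", [i.value for i in retire_from_watchlist([FEED[0], FEED[2]], RISKS)])
```

Of the five constructed indicators only two survive: the ActorA address hits a crown-jewel Exchange system under the top-priority open risk, and the ActorB domain matches the web server under a lower-priority risk. The ActorC indicator is dropped because its risk is retired, the FortiGate indicator because nothing in the inventory runs that technology, and the September domain because it is older than the staleness window. The same `retire_from_watchlist` pass, run whenever the register changes, is what keeps deprecated content from lingering as licence and analyst cost.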
 

The role of automation and AI

Automation, particularly in the form of Security Orchestration, Automation and Response (SOAR) platforms, has the potential to improve efficiency and effectiveness in threat detection and response. However, the initial hype surrounding SOAR has been tempered by the reality of maintaining and updating these platforms.
 
It is true that organisations can make huge gains by turning SOAR towards improving event triage. For example, AI and machine learning (ML) can be used to automate tasks such as extracting intelligence from various sources – including screenshots, security incident reports, APIs, unstructured data, open-source intelligence, social media and TI platforms – in order to assess and enrich events as they are presented to analysts. This can free up analysts to use the time between triage activities to focus on higher-value activities, such as threat hunting and incident response.
 
However, when deciding where to allocate budgets, it is important to consider the trade-off between blunt engineering approaches, such as buying yet another new product, and precision detection engineering, which is doubtless harder work and therefore also expensive to implement in a constrained skills market. Both can lead to an uptick in detection quality, but the new tool will rapidly become another expensive piece of technical debt if built upon shoddy detection foundations. In contrast, ‘doing detection properly’ will maintain the desired high quality over the long term and allow automation to deliver its promised benefits.
 
As the saying goes, if you get the basics right, everything else falls into place. To reach the levels required to achieve our goals, we have no choice but to do the basics right.
 

Managing skills and the future of detection engineering

As the field of detection engineering evolves, it's essential to develop a workforce with the necessary skills to leverage new technologies and techniques whilst recognising their limitations. This includes a mix of technical skills – such as understanding AI and ML – and soft skills such as critical thinking and problem solving.
 
While emerging technologies like AI may change the specific tasks that detection engineers perform, the fundamental skills required will remain largely unchanged. Therefore, organisations should focus on building a strong foundation of core skills (underpinned by proven best practice processes), rather than chasing the latest trends.
 
In conclusion, threat intelligence and detection engineering are critical components of a sustainable cyber security strategy and of high-quality security operations. By understanding the principles of threat intelligence, leveraging automation and AI, and focusing on high-value activities, organisations can most effectively mitigate risk and protect their assets.