Scaling Detection and Response Teams - Enabling Efficient Investigations
12-09, 15:45–16:30 (Europe/London), Track 2

Help! We’ve bought the latest tools, we’ve got all our logs in a SIEM, we’ve tuned and tweaked our detection rules, we’ve even built investigation playbooks… but we still don’t have enough time to investigate all of these alerts!

With modern blue teams investigating more alerts from a wider variety of data sources than ever before, a common reason for being overwhelmed is that it just takes too long per alert for an analyst to perform a meaningful investigation. This inevitably leads to alert fatigue, lower quality investigations, missed true positives and to a detection and response service that can’t scale. So, how do we combat this problem?

In this talk I’ll be discussing a recent case-study of ideas and tools that were implemented in a global detection and response team to:

  • Empower analysts to quickly identify important contextual information during investigations
  • Establish shared investigative baselines between different levels of analyst experience
  • Automate common tasks to allow analysts to perform meaningful investigations

If you’re looking for actionable takeaways that you can build into your blue team’s tooling and processes to help scale your operations, then this is the talk for you!

James (@FranticTyping) has over 10 years of experience working in a number of incident response, detection engineering and security engineering roles. James is currently a Principal Incident Responder within the CSIRT at Coinbase. Before joining Coinbase, James was the global continuous improvement lead in the Managed Detection and Response (MDR) team at F-Secure Countercept.