I’ve been doing detection and response for the last decade, but I didn’t start here. I started on the red team, where I watched blue teams fail time after time. And every time I’d ask: what’s wrong here? The answer was always the same: ineffective, outdated, and after-thought detection and response programs. Defense needs a new approach.

This talk introduces a new approach: a framework for blue teams to build or improve their modern detection and response program.

A modern threat detection and response program goes beyond detection rules and response playbooks. It encompasses capabilities that support the following processes:
* threat intel collection and dissemination
* threat hunting and deception
* micro-purple testing and validation
* continuous improvement via detection, investigation, response, and data development
* monitoring, triage, and analysis triggered by detections and supported by investigation and response playbooks
* forensic evidence collection and analysis
* enterprise-wide incident response

These processes demand modern capabilities like:
* early warning signals and account takeover prevention
* intel driven detection
* endpoint, network, cloud, and unstructured data behavior analytics
* data integration, aggregation, and correlation
* risk and effectiveness scoring
* event workflow and analysis enrichment automation
* response orchestration
* ML-powered detection tuning

In this talk, all of these processes, capabilities, and roles are molded together to create an architectural framework you can use to build a world-class detection and response program.

The key takeaways are:

1. A framework to guide leadership and engineers in building or improving a modern detection and response program, along with a better understanding of what processes, capabilities, and skill sets are needed to detect and respond to modern threats

2. Methods to measure and report on the effectiveness, efficiency, and threat coverage of a detection and response program (and how to identify failures or inefficiencies early and course correct)

3. Lessons learned on how to empower your teams to succeed and overcome operational time-sinks

Who will enjoy this talk?

• A CISO that wants to better understand what modern detection and response should look like and how it fits into their overall program
• Managers and directors building processes and hiring the people executing this type of work
• Engineers that want to understand the bigger picture of how all the tools, capabilities, and processes should fit together and drive business value
• Program managers and project managers supporting detection and response teams
• Anyone interested in learning more about detection and response

Outline

1. Introduction

This will describe the key takeaways: a better understanding of what a modern detect and respond program should look like, how all the tools, capabilities, and processes should fit together, and how to empower your teams to have a real impact in reducing risk and driving business value. I will share a personal story of why worrying can be a super power for blue teams, and why in my personal experience I have seen so many detection and response teams fail.

2. Background and terminology

This will compare the differences between a framework and a methodology. I will answer why I chose to present this as a framework and the considerations – every organization has different lines of business, areas of risk, and technical capabilities. This will also describe the differences between a legacy and a modern detection and response program.

3. Challenges and organizational design

Before we start, we discuss the challenges typically preventing a program from becoming modern: alert fatigue, expensive tools, hiring and retention, and constant firefighting. This will also provide background on the concept of organizational design and how we will use it to apply this framework.

4. Assess and analyze our current state

We begin applying the framework by understanding our starting point using a strategy designed to understand past, present, and future and the relative contributions of strategy, structure, systems, talent bases, culture, and politics. We access and analyze using tools to find the point of view of people, processes, technology, and vision/mission.

5. Design and develop the program

Building on what we learned from the previous topic, we design our program using the framework’s library of processes, technical capabilities, and roles and visualize with example diagrams for each. I will also provide additional external frameworks and references that will help the audience customize and experiment with their overall design. Finally, we will discuss how these outputs can be used to get funding for the program.

6. Implement and overcome while firefighting

Next, this will discuss the challenges that often derail the successful implementation of a modern program. We will address each challenge and detail strategies that allow teams to build while still operating, including strategies for hiring and outsourcing, building and buying, and overcoming the operational burdens of on-call, alert fatigue, and keeping projects on track.

7. Evaluate and report to leadership

Continuing, I will detail how a modern program should report their metrics and successes versus how we’ve been doing it. I will detail and provide visual examples of how to evaluate and report the success of the program to leadership through threat detection observability, risk and impact focused metrics, threat narratives, and a roadmap that highlights priorities and closing gaps.

8. Closing remarks

Finally, this section will provide a moment of bliss where we reflect on how we previously used to operate before this framework, and how going forward the audience is now empowered to make data driven resource requests, use value-driven processes, have a unified vision and technology architecture to guide investments, and tools to measure coverage, performance, and report reduced risk to the business.