2023-10-21 –, ENG 103
You haven’t slept in days. Pager alerts at all hours. Constant firefights. How do you get out of this mess? This talk gives away all the secrets you’ll need to go from reactive chaos to building and running a finely tuned detection & response program (and finally get some sleep).
Gone are the days of buying the ol’ EDR/IDS/NGAV combo, throwing some engineers on an on-call rotation, and calling it your incident response team. You need a robust and comprehensive detection and response program to fight modern day attackers. But there’s a lot of challenges in the way: alert fatigue, tools are expensive, hiring talent is impossibly difficult, and your current team is overworked from constant firefights.
How do you successfully build a modern detection and response program, all while riding the rocket of never ending incidents and unforgiving on-call schedules?
This talk addresses the lack of a framework, which has led to ineffective, outdated, and after-thought detection and response programs. At the end of this talk, you will walk away with a better understanding of all the capabilities a modern program should have and a framework to build or improve your own.
I’ve been doing detection and response for the last decade, but I didn’t start here. I started on the red team, where I watched blue teams fail time after time. And every time I’d ask: what’s wrong here? The answer was always the same: ineffective, outdated, and after-thought detection and response programs. Defense needs a new approach.
This talk introduces a new approach: a framework for blue teams to build or improve their modern detection and response program.
A modern threat detection and response program goes beyond detection rules and response playbooks. It encompasses capabilities that support the following processes:
* threat intel collection and dissemination
* threat hunting and deception
* micro-purple testing and validation
* continuous improvement via detection, investigation, response, and data development
* monitoring, triage, and analysis triggered by detections and supported by investigation and response playbooks
* forensic evidence collection and analysis
* enterprise-wide incident response
These processes demand modern capabilities like:
* early warning signals and account takeover prevention
* intel driven detection
* endpoint, network, cloud, and unstructured data behavior analytics
* data integration, aggregation, and correlation
* risk and effectiveness scoring
* event workflow and analysis enrichment automation
* response orchestration
* ML-powered detection tuning
In this talk, all of these processes, capabilities, and roles are molded together to create an architectural framework you can use to build a world-class detection and response program.
The key takeaways are:
-
A framework to guide leadership and engineers in building or improving a modern detection and response program, along with a better understanding of what processes, capabilities, and skill sets are needed to detect and respond to modern threats
-
Methods to measure and report on the effectiveness, efficiency, and threat coverage of a detection and response program (and how to identify failures or inefficiencies early and course correct)
-
Lessons learned on how to empower your teams to succeed and overcome operational time-sinks
Who will enjoy this talk?
- A CISO that wants to better understand what modern detection and response should look like and how it fits into their overall program
- Managers and directors building processes and hiring the people executing this type of work
- Engineers that want to understand the bigger picture of how all the tools, capabilities, and processes should fit together and drive business value
- Program managers and project managers supporting detection and response teams
- Anyone interested in learning more about detection and response
Outline
1. Introduction
This will describe the key takeaways: a better understanding of what a modern detect and respond program should look like, how all the tools, capabilities, and processes should fit together, and how to empower your teams to have a real impact in reducing risk and driving business value. I will share a personal story of why worrying can be a super power for blue teams, and why in my personal experience I have seen so many detection and response teams fail.
2. Background and terminology
This will compare the differences between a framework and a methodology. I will answer why I chose to present this as a framework and the considerations – every organization has different lines of business, areas of risk, and technical capabilities. This will also describe the differences between a legacy and a modern detection and response program.
3. Challenges and organizational design
Before we start, we discuss the challenges typically preventing a program from becoming modern: alert fatigue, expensive tools, hiring and retention, and constant firefighting. This will also provide background on the concept of organizational design and how we will use it to apply this framework.
4. Assess and analyze our current state
We begin applying the framework by understanding our starting point using a strategy designed to understand past, present, and future and the relative contributions of strategy, structure, systems, talent bases, culture, and politics. We access and analyze using tools to find the point of view of people, processes, technology, and vision/mission.
5. Design and develop the program
Building on what we learned from the previous topic, we design our program using the framework’s library of processes, technical capabilities, and roles and visualize with example diagrams for each. I will also provide additional external frameworks and references that will help the audience customize and experiment with their overall design. Finally, we will discuss how these outputs can be used to get funding for the program.
6. Implement and overcome while firefighting
Next, this will discuss the challenges that often derail the successful implementation of a modern program. We will address each challenge and detail strategies that allow teams to build while still operating, including strategies for hiring and outsourcing, building and buying, and overcoming the operational burdens of on-call, alert fatigue, and keeping projects on track.
7. Evaluate and report to leadership
Continuing, I will detail how a modern program should report their metrics and successes versus how we’ve been doing it. I will detail and provide visual examples of how to evaluate and report the success of the program to leadership through threat detection observability, risk and impact focused metrics, threat narratives, and a roadmap that highlights priorities and closing gaps.
8. Closing remarks
Finally, this section will provide a moment of bliss where we reflect on how we previously used to operate before this framework, and how going forward the audience is now empowered to make data driven resource requests, use value-driven processes, have a unified vision and technology architecture to guide investments, and tools to measure coverage, performance, and report reduced risk to the business.
Allyn Stott is a senior staff engineer at Airbnb on the information security technology leadership team where spends most of his time working on threat detection and incident response. Over the past decade, he has built and run detection and response programs at companies including Delta Dental of California, MZ, and Palantir. Red team tears are his testimonials.