Book Image

Practical Threat Detection Engineering

By : Megan Roddie, Jason Deyalsingh, Gary J. Katz

5 (2)

Book Image

Practical Threat Detection Engineering

5 (2)

By: Megan Roddie, Jason Deyalsingh, Gary J. Katz

Overview of this book

Threat validation is an indispensable component of every security detection program, ensuring a healthy detection pipeline. This comprehensive detection engineering guide will serve as an introduction for those who are new to detection validation, providing valuable guidelines to swiftly bring you up to speed. The book will show you how to apply the supplied frameworks to assess, test, and validate your detection program. It covers the entire life cycle of a detection, from creation to validation, with the help of real-world examples. Featuring hands-on tutorials and projects, this guide will enable you to confidently validate the detections in your security program. This book serves as your guide to building a career in detection engineering, highlighting the essential skills and knowledge vital for detection engineers in today's landscape. By the end of this book, you’ll have developed the skills necessary to test your security detection program and strengthen your organization’s security measures.

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the example code files

Download the color images

Conventions used

Share Your Thoughts

Download a free PDF copy of this book

Part 1: Introduction to Detection Engineering

Part 1: Introduction to Detection Engineering

Free Chapter

Chapter 1: Fundamentals of Detection Engineering

Chapter 1: Fundamentals of Detection Engineering

Foundational concepts

The value of a detection engineering program

A guide to using this book

Chapter 2: The Detection Engineering Life Cycle

Chapter 2: The Detection Engineering Life Cycle

Phase 1 – Requirements Discovery

Exercise – understanding your organization’s detection requirement sources

Phase 2 – Triage

Phase 3 – Investigate

Phase 4 – Develop

Phase 5 – Test

Phase 6 – Deploy

Chapter 3: Building a Detection Engineering Test Lab

Chapter 3: Building a Detection Engineering Test Lab

Technical requirements

The Elastic Stack

Setting up Fleet Server

Building your first detection

Additional resources

Part 2: Detection Creation

Part 2: Detection Creation

Chapter 4: Detection Data Sources

Chapter 4: Detection Data Sources

Technical requirements

Understanding data sources and telemetry

Looking at data source issues and challenges

Adding data sources

Further reading

Chapter 5: Investigating Detection Requirements

Chapter 5: Investigating Detection Requirements

Revisiting the phases of detection requirements

Discovering detection requirements

Triaging detection requirements

Investigating detection requirements

Chapter 6: Developing Detections Using Indicators of Compromise

Chapter 6: Developing Detections Using Indicators of Compromise

Technical requirements

Leveraging indicators of compromise for detection

Further reading

Chapter 7: Developing Detections Using Behavioral Indicators

Chapter 7: Developing Detections Using Behavioral Indicators

Technical requirements

Detecting adversary tools

Detecting tactice, techniques, and procedures (TTPs)

Chapter 8: Documentation and Detection Pipelines

Chapter 8: Documentation and Detection Pipelines

Documenting a detection

Exploring the detection repository

Part 3: Detection Validation

Part 3: Detection Validation

Chapter 9: Detection Validation

Chapter 9: Detection Validation

Technical requirements

Understanding the validation process

Understanding purple team exercises

Simulating adversary activity

Using validation results

Further reading

Chapter 10: Leveraging Threat Intelligence

Chapter 10: Leveraging Threat Intelligence

Technical requirements

Threat intelligence overview

Threat intelligence in the detection engineering life cycle

Threat intelligence for detection engineering in practice

Threat assessments

Resources and further reading

Part 4: Metrics and Management

Part 4: Metrics and Management

Chapter 11: Performance Management

Chapter 11: Performance Management

Introduction to performance management

Assessing the maturity of your detection program

Measuring the efficiency of a detection engineering program

Measuring the effectiveness of a detection engineering program

Calculating a detection’s efficacy

Further reading

Part 5: Detection Engineering as a Career

Part 5: Detection Engineering as a Career

Chapter 12: Career Guidance for Detection Engineers

Chapter 12: Career Guidance for Detection Engineers

Getting a job in detection engineering

Detection engineering as a job

The future of detection engineering

Index

Other Books You May Enjoy

Other Books You May Enjoy

Packt is searching for authors like you

Share Your Thoughts

Download a free PDF copy of this book

Customer Reviews

5 (2)

5 star

100%

4 star

0

3 star

0

2 star

0

1 star

0

Understanding the validation process

The execution of cyber security validation is very similar to typical adversary simulation exercises. The emphasis, however, is on producing data that can be compared against a set of performance criteria defined for each defensive control. In broad terms, validation can be executed in three phases:

Planning: This is easily the most important phase. During this phase, the objectives of the validation exercise are defined, along with the scope, timelines, and stakeholders. The specific defensive capabilities targeted for validation and the criteria for determining their effectiveness are rigidly defined during this phase. Each validation needs to be mapped to a specific defensive control or controls, expected outcomes, and criteria for measuring the performance of the control(s). It is important at this time to also understand the possible limitations of each validation. For example, an organization may want to test T1048: Exfiltration over...