Book Image

Practical Threat Detection Engineering

By : Megan Roddie, Jason Deyalsingh, Gary J. Katz

5 (2)

Book Image

Practical Threat Detection Engineering

5 (2)

By: Megan Roddie, Jason Deyalsingh, Gary J. Katz

Overview of this book

Threat validation is an indispensable component of every security detection program, ensuring a healthy detection pipeline. This comprehensive detection engineering guide will serve as an introduction for those who are new to detection validation, providing valuable guidelines to swiftly bring you up to speed. The book will show you how to apply the supplied frameworks to assess, test, and validate your detection program. It covers the entire life cycle of a detection, from creation to validation, with the help of real-world examples. Featuring hands-on tutorials and projects, this guide will enable you to confidently validate the detections in your security program. This book serves as your guide to building a career in detection engineering, highlighting the essential skills and knowledge vital for detection engineers in today's landscape. By the end of this book, you’ll have developed the skills necessary to test your security detection program and strengthen your organization’s security measures.

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the example code files

Download the color images

Conventions used

Share Your Thoughts

Download a free PDF copy of this book

Part 1: Introduction to Detection Engineering

Part 1: Introduction to Detection Engineering

Free Chapter

Chapter 1: Fundamentals of Detection Engineering

Chapter 1: Fundamentals of Detection Engineering

Foundational concepts

The value of a detection engineering program

A guide to using this book

Chapter 2: The Detection Engineering Life Cycle

Chapter 2: The Detection Engineering Life Cycle

Phase 1 – Requirements Discovery

Exercise – understanding your organization’s detection requirement sources

Phase 2 – Triage

Phase 3 – Investigate

Phase 4 – Develop

Phase 5 – Test

Phase 6 – Deploy

Chapter 3: Building a Detection Engineering Test Lab

Chapter 3: Building a Detection Engineering Test Lab

Technical requirements

The Elastic Stack

Setting up Fleet Server

Building your first detection

Additional resources

Part 2: Detection Creation

Part 2: Detection Creation

Chapter 4: Detection Data Sources

Chapter 4: Detection Data Sources

Technical requirements

Understanding data sources and telemetry

Looking at data source issues and challenges

Adding data sources

Further reading

Chapter 5: Investigating Detection Requirements

Chapter 5: Investigating Detection Requirements

Revisiting the phases of detection requirements

Discovering detection requirements

Triaging detection requirements

Investigating detection requirements

Chapter 6: Developing Detections Using Indicators of Compromise

Chapter 6: Developing Detections Using Indicators of Compromise

Technical requirements

Leveraging indicators of compromise for detection

Further reading

Chapter 7: Developing Detections Using Behavioral Indicators

Chapter 7: Developing Detections Using Behavioral Indicators

Technical requirements

Detecting adversary tools

Detecting tactice, techniques, and procedures (TTPs)

Chapter 8: Documentation and Detection Pipelines

Chapter 8: Documentation and Detection Pipelines

Documenting a detection

Exploring the detection repository

Part 3: Detection Validation

Part 3: Detection Validation

Chapter 9: Detection Validation

Chapter 9: Detection Validation

Technical requirements

Understanding the validation process

Understanding purple team exercises

Simulating adversary activity

Using validation results

Further reading

Chapter 10: Leveraging Threat Intelligence

Chapter 10: Leveraging Threat Intelligence

Technical requirements

Threat intelligence overview

Threat intelligence in the detection engineering life cycle

Threat intelligence for detection engineering in practice

Threat assessments

Resources and further reading

Part 4: Metrics and Management

Part 4: Metrics and Management

Chapter 11: Performance Management

Chapter 11: Performance Management

Introduction to performance management

Assessing the maturity of your detection program

Measuring the efficiency of a detection engineering program

Measuring the effectiveness of a detection engineering program

Calculating a detection’s efficacy

Further reading

Part 5: Detection Engineering as a Career

Part 5: Detection Engineering as a Career

Chapter 12: Career Guidance for Detection Engineers

Chapter 12: Career Guidance for Detection Engineers

Getting a job in detection engineering

Detection engineering as a job

The future of detection engineering

Index

Other Books You May Enjoy

Other Books You May Enjoy

Packt is searching for authors like you

Share Your Thoughts

Download a free PDF copy of this book

Customer Reviews

5 (2)

5 star

100%

4 star

0

3 star

0

2 star

0

1 star

0

Summary

This chapter provided metrics for calculating both the efficiency and effectiveness of an organization. We started by reviewing a CMMI model to track the maturity of our organization and then identified agile process metrics to track the efficiency of the organization. MTTD was introduced as a common organization-wide effectiveness metric. Some limitations of MTTD were identified, which should be understood when using this metric. Next, we categorized our detections into three tiers, allowing us to identify metrics for each tier that reflect their importance to the organization. Low-fidelity coverage using the MITRE ATT&CK matrix and high-fidelity coverage metrics through validation, detection drift, and volatility were examined as ways to calculate coverage and track how coverage changes over time. In the final chapter, Chapter 12, we’ll wrap up by discussing what a career in detection engineering looks like, how you can progress your skill set, and the future of...