What is Detection Engineering?

Detection engineering is a discipline that focuses on designing, building and maintaining systems and processes that can detect and respond to cyber threats. Detection engineering is not just about creating alerts or rules, but rather about creating a holistic and proactive approach to security monitoring and incident response, and these principles are applied in Sekuro’s Managed Services team.

Detection engineering involves several aspects, such as:

• Understanding the threat landscape and the adversary tactics, techniques and procedures (TTPs).
• Developing a detection strategy and a detection framework that aligns with the organisation’s goals, risk appetite and resources.
• Implementing detection tools and platforms that can collect, process, analyze and correlate data from various sources, such as logs, network traffic, endpoints, cloud services, etc.
• Creating detection content that can identify malicious or anomalous activities, such as signatures, indicators of compromise (IOCs), behavioral analytics, etc.
• Testing and validating the detection capabilities and the detection coverage using techniques such as red teaming, purple teaming, threat emulation, etc.
• Tuning and optimising the detection performance and the detection quality using metrics such as signal-to-noise ratio (SNR), false positive rate (FPR), false negative rate (FNR), mean time to detect (MTTD), mean time to respond (MTTR), etc.
• Managing and maintaining the detection lifecycle and the detection hygiene using processes such as change management, configuration management, documentation, etc.

Detection engineering is a dynamic and evolving field that requires continuous learning and improvement. Detection engineers need to keep up with the latest trends and developments in the cyber security domain and adapt their detection capabilities accordingly. Detection engineering is also a collaborative and cross-functional effort that involves working with other teams and stakeholders, such as security operations, incident response, threat intelligence, vulnerability management, etc.

Detection engineering is a key component of any effective cyber security program. By applying detection engineering principles and practices, organisations can enhance their security posture and resilience against cyber attacks.