Is your threat detection practice up to speed? These days, few enterprises have the fundamentals in place to develop and run high-quality detections. Improving and sharing detections together is a MUST for defenders, and is the new requirement for speeding up time to detection. This webinar covers the three biggest challenges of threat detection today, what constitutes good vs. bad detections, and insights into how you can level up your enterprise detection and response lifecycle.
- Learn about the current state of detection and modern detection requirements
- Good vs bad detection
- Review the most used detection rules and how they could be improved
- Seven tips to help you improve your detection rules and response
About the Speakers
Dr. Anton Chuvakin is Google's cyber security industry expert. Anton was a Research VP and Distinguished Analyst on the Gartner for Technical Professionals (GTP) Security and Risk Management Strategies (SRMS) team. At Gartner he covered a broad range of security operations and detection and response topics, and is credited with inventing the term "EDR".
Andrii Bezverkhyi is the founder of the world's largest threat detection marketplace and Founder, CEO and Chairman at SOC Prime. He is working on Detection as Code as a CI/CD process for the masses and on solving the data quality problem for cyber. A huge addict and supporter of MITRE ATT&CK and the Elastic stack since 2016, he has been taking Sigma to the mass market since 2017.
(Webinar) Recorded
Discussion Highlights
1. Topics:
- State of Detection
- Modern Detection Requirements
- Better and Faster
- Detect Your Threats
- Test and refine on historical data
- Where are we now?
- How do we get better?
2. Are we finally in Balance?
3. Detection Better Or Faster?
4. Detect Your Threats
- The best threat actors tune their approach for their targets
- The best defenders do too
- Can you, though?
- Get the rules or write them!
5. What is Bad Detection? What is Good?
When you hear "write good detections" what do you actually do?
What about bad detections? Is the bottom of the pyramid bad?
6. You say "Do Good detections"
How to make my detections better
Test and refine them
What if I don't have an attacker handy?
Simulate, use historical data, etc.
7. Correlation 2021
8. Learnings On Detection
- More noisy (higher FP) rules and less noisy rules both have merit and value
- Rules that do not name a specific threat have merit as well; not all detections are about CVEs
- The value of many rules is in being an input into another rule (or SOAR)
- The only way to judge the rule value is with local context
- Sometimes the speed of rule development is the main value of the rule
- Why is correlation dead? What happened here?
- Some rules nicely achieve what others try to do with ML
9. Threat Bounty Program
10. Connecting the global cyber security community
11. YARA-L threat detection language
- Modified YARA for event logs
- Built for threat detection not data query
- Write rules that work on modern attacks
- Embedded in Chronicle's detection engine
- Apply rules in real time or retrospectively against historical data
12. Run SOC Prime detection rules in Chronicle
- Convert legacy rules with the Sigma to YARA-L converter
- Use 500+ YARA-L based SOC Prime rules in the Chronicle GitHub repository
- Run detections across all security telemetry in Chronicle
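As an added illustration of the convert step above (example code, not SOC Prime's or Chronicle's converter): a minimal Python translation of a constructed single-selection Sigma rule into a YARA-L 2.0 rule. The Sigma-to-UDM field mapping, the `PROCESS_LAUNCH` event type and the exact YARA-L rendering are assumptions for this example, not taken from the page.

```python
import re

# Constructed Sigma rule, given as the dict a YAML loader would return (not a SOC
# Prime rule): a dump tool launched with a command line that references lsass.
SIGMA_RULE = {
    "title": "Suspicious Credential Dump Tool",
    "description": "Constructed sample rule for illustration only.",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\procdump.exe", "\\procdump64.exe"],
            "CommandLine|contains": "lsass",
        },
        "condition": "selection",
    },
}

# Assumed mapping from Sigma process_creation fields to Chronicle UDM paths.
FIELD_MAP = {
    "Image": "target.process.file.full_path",
    "CommandLine": "target.process.command_line",
    "ParentImage": "principal.process.file.full_path",
}

def predicate(udm_field: str, modifier: str, value: str) -> str:
    """One YARA-L comparison; Sigma matches case-insensitively, hence (?i)/nocase."""
    v, esc = f"$e.{udm_field}", re.escape(value)
    if modifier == "contains":
        return f"re.regex({v}, `(?i){esc}`)"
    if modifier == "startswith":
        return f"re.regex({v}, `(?i)^{esc}`)"
    if modifier == "endswith":
        return f"re.regex({v}, `(?i){esc}$`)"
    return f'{v} = "{value}" nocase'

def sigma_to_yaral(rule: dict) -> str:
    """Translate a single-selection Sigma rule into a YARA-L 2.0 rule string."""
    det = rule["detection"]
    if det.get("condition") != "selection":  # richer conditions need the real converter
        raise ValueError("unsupported Sigma condition: %r" % det.get("condition"))
    lines = ['$e.metadata.event_type = "PROCESS_LAUNCH"']  # lines under events: are ANDed
    for key, values in det["selection"].items():
        field, _, modifier = key.partition("|")
        vals = values if isinstance(values, list) else [values]  # a list means OR
        preds = [predicate(FIELD_MAP[field], modifier, str(x)) for x in vals]
        lines.append(preds[0] if len(preds) == 1 else "(" + " or ".join(preds) + ")")
    name = re.sub(r"\W+", "_", rule["title"].lower()).strip("_")
    events = "\n".join("    " + line for line in lines)
    return (f'rule {name} {{\n  meta:\n    description = "{rule["description"]}"\n'
            f"  events:\n{events}\n  condition:\n    $e\n}}")
```

Sigma's `condition` grammar (aggregations, `not filter`, `1 of them`) is deliberately left out; the function refuses anything beyond a plain `selection` rather than emitting a rule that silently detects less than the original.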