author photo
By Jack Naglieri
Thu | Dec 1, 2022 | 10:27 AM PST

As a security leader, you want the best tools for your team that will actually help them do their work, not hinder them. You want processes that are streamlined and just make sense. And you want an approach to threat detection that is ever-evolving and scalable with today's demands.

Have you adopted detection-as-code yet?

Detection-as-code is the way to evolve your team into a modern detection team, one preparing for rising data, expanding cloud environments, and increasingly sophisticated threats. If you haven't yet adopted detection-as-code, here are a few tips for how to implement it and why.

Why adopt detection-as-code?

Evolve your threat detection by turning to detection-as-code, an approach to security that combines the benefits of software engineering with the functionality of detecting behaviors that could result in a breach. By creating detection in a universal coding language, and taking an engineering approach of testing and constant iteration, security teams can create custom detections tailored for their organizational needs that can improve response time, cut down on false positive alerts, and increase the impact of the team overall.

Why should a security team adopt detection-as-code? First is the fact that the scale of the internet will never stop expanding either, and is expected to double every two years. As teams think about their security approaches, they'll need repeatability and predictability to allow for that expansion, and detection-as-code can provide that.

Finally, a detection-as-code approach means that you're (obviously) writing code, which makes you more creative and a better problem-solver. Knowing how to code is probably one of the most important skills anyone can possess, as it unlocks a new way of thinking about security more broadly. Expressing detection through code means getting into the mind of an attacker, which will inherently increase your prevention.

Five steps to detection-as-code framework

There are a number of reasons to adopt detection-as-code, and a number of benefits it can bring to your organization. Here are five steps to take if you're looking to develop your own detection-as-code framework, or want to strengthen what you already have in place.

Step 1: Build a Threat Model

To start, establish where you are today and create an updated Threat Model to your organization, including the detections you currently have in place. During this process, you will re-establish where your most protected assets are and can work backward to determine ways attackers could access them. Find your visibility gaps during this process and make efforts to close them.

As you develop your Threat Model, avoid brushing over large parts of your infrastructure that may be too complex. Be comprehensive! Don't forget third-party access to your environment as well, as supply-chain attacks are often an easier way in for malicious actors.

Step 2: Setup Version Control

One of the benefits of detection-as-code is that you can utilize version control to help in your detection evolution. As you begin to create detections, you'll need a place for the code to live, so make sure you carve out a repository in your VCS (like GitHub or Gitlab) with the proper privileges, continuous integration checks, and settings. Avoid using a local VCS. Make sure to check everything into a cloud-based service that you trust, and that there are backups of the repository so you can have a previous version to revert to.

Step 3: Automate with CI/CD

Next, work with your detection team to agree on a code lifecycle for detections. This could include requiring tests, CI checks, code reviews, deployment staging, and much more as you navigate the switch. Avoid shipping to production too fast without assurance that your new detection will work as expected. This can cause teams to either miss important behaviors or cause outages in production.

Step 4: Migrate!

Begin converting your legacy detections into code, ordered by severity and category. For example, you may be able to consolidate multiple network-based detections or even eliminate certain ones that can be easier or more efficiently expressed in code.

Of course, avoid migrating without testing! Always make sure you've done your due diligence. Be sure to add positive (alert is expected) and negative (no alert is expected) testing as well. Tests also protect against regressions as detections evolve, so don't forget the intention. Be sure to also write down why you created this detection and ensure there's a proper owner associated.

Step 5: Tune and Augment

The final step is to tune detections which generate false positives and ensure that you improve efficacy more over time, and monitor alerting metrics to ensure your team isn't getting overwhelmed. Over time, you want to see more log volume but not more alert volume. Finally, avoid ignoring bad rules for too long. Either turn them off or accept the risk!

Detection-as-code today

As a security leader, you want the best for your team, and want to provide them ways to do their excellent work. Detection-as-code will not only give them better ways to approach threat detection today, it will prepare them for the future of threat detection as well.

Comments