EchoTrail Detection Philosophy

  1. Start with the End in Mind
    • Know what assets you are trying to protect and who and what you are protecting them from.
  2. Identify Data Sources
    • Determine which data sources those assets already provide and which additional sources are needed to detect the adversary activity identified in step 1.
  3. Manage Centrally
    • Creation, testing, validation, and deployment of rules should be accomplished from one place, regardless of the rule origin, language, or target.
  4. Prioritize Content Over Tools
    • Detection content is more important than the tools that evaluate it.
  5. Manage Access and Versioning
    • Detection logic is impactful and complex; it should be versioned and placed under highly configurable access controls, while remaining accessible to non-technical users.
  6. Customize Detections to Your Environment
    • Detection content might be purchased, copied, and shared, but it ultimately needs to be customized to the environment and assets in which it is deployed.
  7. Acknowledge the Dynamic Nature of Detections
    • Detections are not static; reviewing, tuning, and managing exceptions and coverage should be built into your tooling.
  8. Work to Mature Detections Over Time
    • All rules start in an immature state and will gain maturity over time through a predictable life cycle.
  9. Hold an Attacker Mindset
    • Engage in regular adversary simulation or pen testing. Continually ask the question: Can we detect the methods that real-world attackers might use against us?