4 Pillars of Detection
Creating a detection program is a complex task with hidden pitfalls that can undermine your efforts. When building your detection program, if you pay attention to the four pillars: reliability, maturity, coverage, and adaptability, you greatly improve your chances of success while avoiding the common pitfalls. As with any large and complex project, it is important to first understand the foundational principles that will guide your work.
4. Adaptability
The adaptability of a detection is its capacity to be modified in response to the changing needs of a business.
- Be able to make frequent, small, and documented changes
The ability to make quick and reliable changes to detection content ensures it can keep up with the rate of change of the business.
- Learn from operational failures
Make sure errors in detections are tied back to the detection itself so it can be adjusted and fixed regardless of who experienced the issue.
- Align to business changes
Make sure detection management is a part of the planning process to ensure coverage when new assets are deployed, technologies change, or priorities shift.
- Store in a standardized and convertible format
Detections should be stored in a format that can be easily converted into the languages needed for the common SIEMs and detection platforms on the market. This helps prevent vendor lock, makes detections more accessible, and lowers training requirements for new employees.
- Keep responses flexible
A detection’s value is linked to the action taken in response to it firing. To maximize the utility and adaptability of a given detection the action taken in response to it firing should be easily adjusted and monitored alongside the rule itself.