4 Pillars of Detection

Creating a detection program is a complex task with hidden pitfalls that can undermine your efforts. If you pay attention to the four pillars while building your program (reliability, coverage, maturity, and adaptability), you greatly improve your chances of success and avoid the common pitfalls. As with any large, complex project, it is important to first understand the foundational principles that will guide your work.

  1. Reliability
  2. Coverage
  3. Maturity
  4. Adaptability

2. Coverage

The coverage a detection provides is a reflection of the assets it covers and the risks it was designed to mitigate.

  1. Determine what assets are being protected

    Detections are meant to cover one or more business assets. Know what assets, in particular, you are trying to protect with a given detection or set of detections.

  2. Identify data sources

    Learn what data sources are generated from the assets you’ve identified, and determine how those data sources can be used for detection.

  3. Prioritize detection capabilities

    Decide which attacker behaviors are most critical for you to detect or prevent based on your unique business risks.

  4. Identify gaps

    Determine which attacker behaviors you can detect from existing data sources and identify any gaps that need to be filled with a new data source or new detection logic.

  5. Align directly to risk

    Every detection is designed with a specific risk in mind, and it is important to preserve that context as the detection evolves. Track the threat, compliance, or specific business risk directly alongside the detection itself.

  6. Factor in preventative controls

    A detection may be unnecessary if the condition it is meant to catch is prevented from happening in the first place. Such preventative controls are common and must be accounted for in order to manage detections accurately and effectively.
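The six steps above can be exercised as a small coverage-gap analysis: each asset is paired with each prioritized attacker behavior and classified as covered (a needed data source exists), prevented (a preventive control already blocks it) or a gap (listing the data sources that would close it). This is an added example, not code from the original article; the asset names, data sources, behaviors and risks are constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Behavior:
    name: str            # attacker behavior we want to detect (step 3)
    risk: str            # threat, compliance or business risk it maps to (step 5)
    priority: int        # 1 = most critical to the business (step 3)
    needs: frozenset     # data sources that could expose the behavior (step 2)

@dataclass
class Asset:
    name: str            # business asset being protected (step 1)
    sources: set         # data sources this asset actually emits today (step 2)
    prevented: set = field(default_factory=set)  # behaviors a preventive control already blocks (step 6)

def coverage_report(assets, behaviors):
    """Classify each (asset, behavior) pair as covered, prevented or a gap (step 4).
    Behaviors are visited in priority order so the most critical gaps are listed first;
    gap rows carry the candidate data sources that would close them."""
    report = {"covered": [], "prevented": [], "gaps": []}
    for asset in assets:
        for b in sorted(behaviors, key=lambda b: b.priority):
            if b.name in asset.prevented:
                report["prevented"].append((asset.name, b.name, b.risk))
            elif b.needs & asset.sources:
                report["covered"].append((asset.name, b.name, b.risk))
            else:
                report["gaps"].append((asset.name, b.name, b.risk, sorted(b.needs)))
    return report

# Constructed inventory for illustration; every name below is hypothetical.
ASSETS = [
    Asset("payroll-db", {"db-audit", "host-auth"}, prevented={"brute-force-login"}),  # MFA sits in front of it
    Asset("build-server", {"process-create"}),
]
BEHAVIORS = [
    Behavior("credential-dumping", "credential theft", 1, frozenset({"process-create", "edr-telemetry"})),
    Behavior("brute-force-login", "account takeover", 2, frozenset({"host-auth"})),
    Behavior("bulk-data-transfer", "data exfiltration", 3, frozenset({"netflow", "proxy"})),
]

if __name__ == "__main__":
    for status, rows in coverage_report(ASSETS, BEHAVIORS).items():
        print(status)
        for row in rows:
            print("  ", row)
```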