4 Pillars of Detection

Creating a detection program is a complex task with hidden pitfalls that can undermine your efforts. If you pay attention to the four pillars (reliability, coverage, maturity, and adaptability) while building your program, you greatly improve your chances of success and avoid the common pitfalls. As with any large and complex project, it is important to first understand the foundational principles that will guide your work.

  1. Reliability
  2. Coverage
  3. Maturity
  4. Adaptability

3. Maturity

Every detection is at a different maturity level based on its history and unique characteristics. Recognizing this and incorporating that knowledge into your workflow will help you to continuously improve the maturity of each detection individually as well as that of your detection program as a whole.

  1. Manage centrally

    Detections help describe the risk posture and visibility of a business and often span multiple tools, languages, and disciplines. Managing them in one place improves visibility, efficiency, and alignment with business needs.

  2. Prioritize readability, accessibility, and ownership

    Detections should be readable and accessible to technical and non-technical people in any area of a business. Combined with clearly identified ownership, the result is quicker feedback loops, better alignment, and easier cross-discipline discussions.

  3. Link to process and procedures

    A detection is only as valuable as the manual or automated action taken after it fires, and that action will change as the detection is matured and tuned. To account for this and provide consistent behavior, every response action, manual or automated, should be directly linked to the detection that triggers it.

  4. Acknowledge the lifecycle of a detection

    A detection has to go through various phases as it is developed and implemented. Planning for and allowing space for detections that exist on a spectrum of maturity helps communicate their criticality, reliability, and purpose.
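As an added example, not material from the article, the four practices above expressed as detection-as-code: a record type that carries an owner, a plain-language description, a linked response procedure and an explicit lifecycle stage, plus a central audit that reports where any of these are missing. The field names, the lifecycle stages and the sample detections are assumptions.

```python
# Added example, not from the article: a detection-as-code record and a central
# audit enforcing the four practices above. Names and sample data are assumed.
from dataclasses import dataclass

# Assumed lifecycle stages and the transitions allowed between them.
LIFECYCLE = {
    "experimental": {"testing", "retired"},
    "testing": {"production", "experimental", "retired"},
    "production": {"testing", "retired"},
    "retired": set(),
}

@dataclass
class Detection:
    name: str
    description: str         # plain language, readable outside engineering
    owner: str               # team accountable for tuning and feedback
    stage: str               # one of LIFECYCLE's keys
    response_procedure: str  # runbook or automation linked to this detection
    query: str               # tool-specific logic (Sigma, KQL, SPL, ...)

    def issues(self) -> list:
        """Return this record's maturity gaps; an empty list means none."""
        found = []
        if self.stage not in LIFECYCLE:
            found.append(f"unknown stage '{self.stage}'")
        if not self.owner:
            found.append("no owner")
        if not self.description:
            found.append("no plain-language description")
        if self.stage == "production" and not self.response_procedure:
            found.append("production detection has no linked procedure")
        return found

    def advance(self, new_stage: str) -> None:
        # Move through the lifecycle, refusing transitions LIFECYCLE omits.
        if new_stage not in LIFECYCLE.get(self.stage, set()):
            raise ValueError(f"{self.name}: {self.stage} -> {new_stage} not allowed")
        self.stage = new_stage

def audit(registry: list) -> dict:
    # One central view: every detection with gaps, mapped to its issues.
    return {d.name: d.issues() for d in registry if d.issues()}

# Constructed sample registry, not real detections.
SAMPLE = [
    Detection("new-local-admin", "A new local admin account was created",
              "soc-team", "production", "runbooks/new-admin.md", "<query>"),
    Detection("dns-long-label", "", "", "experimental", "", "<query>"),
]
```

Running `audit(SAMPLE)` lists only the experimental detection, with its missing owner and description; promoting it to production without a linked procedure then surfaces as a new gap.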