4 Pillars of Detection

Building a detection program is a complex task with hidden pitfalls that can undermine your efforts. Paying attention to four pillars, reliability, coverage, maturity, and adaptability, greatly improves your chances of success while steering you around the common pitfalls. As with any large and complex project, it is important to first understand the foundational principles that will guide your work.

  1. Reliability
  2. Coverage
  3. Maturity
  4. Adaptability

1. Reliability

The reliability of a detection is the ability of a rule to fire when the intended conditions occur.

  1. Use version control

    Changes to detections should be tracked, reviewable, and backed up, so that the history and context of a rule are never lost and every change is predictable and reversible.

  2. Create testable detections

    To keep working under difficult real-world conditions, detections should be designed from the start for comprehensive, layered testing. Borrowing testing methodologies from software development keeps detection behavior predictable whatever the maturity or lifecycle stage of an individual detection.

  3. Prioritize observability

    Active detections should be monitored so that the behavior, performance, and health of each can be used for tuning and included in system health monitoring.

  4. Plan for needed capacity

    Track the operational performance of detections as a function of their complexity and coverage to anticipate needed capacity. This helps prevent outages and predict operational costs, depending on the detection platform (SIEM or similar tool) and hosting environment used.

  5. Evaluate with regular attacker simulations

    It is important to verify that your detections can catch the real-world adversary activity that may be used against you. Adversary simulation and penetration testing should match the maturity level of your detection program.
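The following is an added example, not part of the original article, showing how the first four points above look in code: a detection rule carried as versioned code (point 1), written so that it can be unit tested against true-positive and true-negative inputs (point 2), and exposing health counters that a platform could scrape for monitoring and capacity planning (points 3 and 4). The log line format, the rule logic (a burst of failed logons from one source inside a sliding window), the rule id "EXAMPLE-0001" and the sample events are all constructed for illustration and are not taken from the page or any real product.

```python
"""Testable detection rule with built-in health counters (added example)."""
import re
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Constructed log format for this example, e.g.
#   2024-05-01T10:00:00Z action=logon_failed user=alice src=10.0.0.5
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    action: str
    user: str
    src_ip: str


@dataclass(frozen=True)
class Alert:
    rule_id: str
    rule_version: str
    src_ip: str
    count: int
    ts: datetime


@dataclass
class RuleHealth:
    """Counters a detection platform would export for health and capacity monitoring."""
    events_seen: int = 0       # everything the rule looked at
    events_matched: int = 0    # events that passed the rule's filter
    alerts_fired: int = 0
    parse_errors: int = 0      # malformed input is a health signal, not silent loss
    cpu_seconds: float = 0.0   # time spent in the rule, for capacity planning
    last_fired: Optional[datetime] = None


def parse_line(line: str) -> Optional[Event]:
    """Parse one constructed-format log line; return None on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, m["action"], m["user"], m["src"])


class FailedLogonBurst:
    """Fires when one source produces `threshold` failed logons inside `window`.

    The id and version live next to the logic so a change to either is a
    reviewable commit alongside the tests. Events are assumed to arrive in
    time order per source. Identifiers here are placeholders.
    """
    RULE_ID = "EXAMPLE-0001"
    VERSION = "1.0.0"

    def __init__(self, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self._seen: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.health = RuleHealth()

    def process(self, event: Event) -> Optional[Alert]:
        start = time.perf_counter()
        try:
            self.health.events_seen += 1
            if event.action != "logon_failed":
                return None
            self.health.events_matched += 1
            q = self._seen[event.src_ip]
            q.append(event.ts)
            # Drop timestamps that have fallen out of the sliding window.
            while q and event.ts - q[0] > self.window:
                q.popleft()
            if len(q) >= self.threshold:
                alert = Alert(self.RULE_ID, self.VERSION, event.src_ip, len(q), event.ts)
                q.clear()  # one alert per burst; a new burst must re-accumulate
                self.health.alerts_fired += 1
                self.health.last_fired = event.ts
                return alert
            return None
        finally:
            self.health.cpu_seconds += time.perf_counter() - start


def run_detection(lines: Iterable[str], threshold: int = 5,
                  window_s: int = 60) -> Tuple[List[Alert], RuleHealth]:
    """Feed raw lines through one rule instance; return alerts and health counters."""
    rule = FailedLogonBurst(threshold, timedelta(seconds=window_s))
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            rule.health.parse_errors += 1
            continue
        alert = rule.process(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts, rule.health


def _line(sec: int, action: str, user: str, src: str) -> str:
    return f"2024-05-01T10:{sec // 60:02d}:{sec % 60:02d}Z action={action} user={user} src={src}"


# Constructed test fixtures: a burst (should fire), a slow trickle (should not),
# and successful logons from the same source (must not count toward the rule).
BURST = [_line(i * 5, "logon_failed", "alice", "10.0.0.5") for i in range(5)]    # 0..20 s
TRICKLE = [_line(i * 120, "logon_failed", "bob", "10.0.0.9") for i in range(5)]  # 0..480 s
NOISE = [_line(i * 5 + 2, "logon_ok", "carol", "10.0.0.5") for i in range(5)]

if __name__ == "__main__":
    for name, lines in (("burst", BURST), ("trickle", TRICKLE), ("noise+burst", NOISE + BURST)):
        alerts, health = run_detection(lines)
        print(f"{name}: {len(alerts)} alert(s); health={health}")
```

The fixtures double as the rule's regression tests: a true-positive burst, a true-negative trickle that never exceeds the window, and non-matching noise that must leave `events_matched` untouched. Checking the rule into version control together with these cases means a threshold or window change that silently breaks detection fails review before it reaches production, and the `RuleHealth` counters give the monitoring side something to alert on when a rule stops matching or its processing time grows.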