The cybersecurity landscape is constantly evolving, and so are the threats that organizations face. To keep up with the sophisticated and persistent adversaries, security teams need to have a strong detection and response program that can identify, contain, and remediate incidents quickly and effectively. However, building and maintaining such a program is not easy. Security leaders have to deal with various challenges, such as managing a large volume of alerts, investing in expensive tools, finding and retaining skilled talent, and coping with burnout and stress.
How can they overcome these obstacles and achieve a high level of security maturity? What are the key elements of a successful detection and response program in the modern era? How can they leverage best practices and frameworks to guide their strategy and execution?
These are some of the questions that Allyn Stott, senior staff engineer at Airbnb, will address in his upcoming presentation at Black Hat Europe 2023. He will share his insights and experience on how to design and implement a robust and comprehensive detection and response program that can meet the demands of today's threat environment.
Aligning the Right Skillsets
A robust and comprehensive detection and response program is essential to combat modern attackers, but many organizations face challenges such as alert fatigue, costly tools, talent acquisition difficulties, and an overworked team.
"Many detection and response programs are very reactive, relying on alerts that signal something bad has already happened," Stott says. "You want to be more proactive and not just do threat hunting but adopt a philosophy for detection that focuses on detecting threats as early as possible in an attack."
He also notes that many legacy systems are too focused on technology tools and vendors, rather than the capabilities of the security team, and that many of these systems are isolated from the rest of the organization. In the design and development phase, it is important to understand and align the skill sets of the team to avoid building tools that are beyond their capabilities.
"How does your threat intelligence gathering interact with threat hunting or detection engineering, and how does it fit with the more classic incident response tasks — the triage, the analysis, the response, the forensics?" Stott asks. It is important to focus on specific capabilities — for example, host isolation or memory forensics or anomaly detection.
"Think about the different technical capabilities you need for each of those tasks and then determine how they would interact," he advises.
Less Reactive, More Proactive
Many security teams rely on outdated methods of detection and response that are too slow and ineffective to deal with today's threats, according to Stott. "Instead of waiting for alerts that tell you something bad has already happened, you need to shift to a more proactive mindset and look for signs of malicious activity as early as possible in the attack lifecycle," he says.
He also notes that many traditional systems are too focused on technology tools and vendors, rather than the skills and capabilities of the security team, and that they are isolated from the rest of the organization.
"This creates a gap between the security team and the other business units, and prevents them from collaborating effectively," he says. "The security team cannot scale their detection capability alone. They need to work closely with the rest of the organization and leverage their insights and expertise — that's what makes a modern detection and response approach."
Purchases and Build-Outs
In the third phase, the decisions about what to buy and what to build determine how the planning and processes will actually be implemented.
"The reality is that when you are in detection response, you are building something new, but you still have to be operational, you still have alerts, you still have incidents," Stott says. "You might want to consider hiring a third-party SOC to [give] yourself some breathing room to build the program."
He says a good vendor solution should get you 65% of the way there, and that what matters about any platform is that it incorporates modern principles that enable security teams to customize automation according to their needs.
Let the Metrics Talk
To effectively detect and respond to cyber threats, you need to have a comprehensive understanding of the different techniques that attackers use and the limitations of your detection capabilities. Stott explains that some detection methods may work well for certain environments, such as endpoints, but not for others, such as production systems. This knowledge can help you communicate the value and the challenges of your security operations to your stakeholders and justify the need for more resources or staff.
"By providing observability metrics, you can show the scope and impact of the threats you face across different environments and identify where you have gaps in your visibility," he says.
You can also use these metrics to prioritize the most critical threats, risks, and incidents that require your attention and action.
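As an added illustration of the observability metrics described above (this is example code, not anything from Stott's talk or Airbnb), the script below computes a detection coverage matrix per environment from a constructed catalogue of detection rules. The technique labels, environment names, priorities and rule names are all assumed placeholders; the point is the shape of the metric: which techniques each environment can see at all, a per-environment coverage ratio, and a gap list ordered by priority so the most critical blind spots surface first.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Detection:
    name: str          # rule name (constructed placeholder)
    technique: str     # technique label the rule is meant to catch (constructed)
    environment: str   # telemetry source the rule runs against (constructed)
    enabled: bool = True

# Constructed technique catalogue with a coarse priority (higher = more critical).
# These are illustrative labels, not identifiers from any real framework.
TECHNIQUE_PRIORITY = {
    "credential-access": 3,
    "lateral-movement": 3,
    "persistence": 2,
    "discovery": 1,
}

# Environments the program is expected to observe (assumed names).
ENVIRONMENTS = ("endpoint", "production", "cloud-control-plane")

# Constructed sample rule set: endpoint telemetry is well covered, production
# and the cloud control plane much less so, and one rule is switched off.
DETECTIONS = [
    Detection("edr-lsass-access", "credential-access", "endpoint"),
    Detection("edr-new-service", "persistence", "endpoint"),
    Detection("edr-net-scan", "discovery", "endpoint"),
    Detection("k8s-exec-into-pod", "lateral-movement", "production"),
    Detection("iam-new-access-key", "persistence", "cloud-control-plane", enabled=False),
]

def coverage_matrix(detections, techniques, environments):
    """Return {environment: {technique: number of enabled rules}}.

    Disabled rules and rules outside the known catalogue are ignored, so the
    matrix reflects what the team can actually see today, not what it owns.
    """
    matrix = {env: {t: 0 for t in techniques} for env in environments}
    for d in detections:
        if d.enabled and d.environment in matrix and d.technique in techniques:
            matrix[d.environment][d.technique] += 1
    return matrix

def coverage_ratio(matrix):
    """Fraction of techniques with at least one enabled rule, per environment."""
    return {
        env: sum(1 for count in row.values() if count > 0) / len(row)
        for env, row in matrix.items()
    }

def prioritized_gaps(matrix, priority):
    """(environment, technique) pairs with no enabled rule, highest priority first."""
    gaps = [(env, t) for env, row in matrix.items() for t, c in row.items() if c == 0]
    return sorted(gaps, key=lambda g: (-priority[g[1]], g[0], g[1]))

def report(detections=DETECTIONS, techniques=TECHNIQUE_PRIORITY, environments=ENVIRONMENTS):
    """Assemble the numbers a team would put in front of stakeholders."""
    matrix = coverage_matrix(detections, techniques, environments)
    return {
        "coverage": coverage_ratio(matrix),
        "gaps": prioritized_gaps(matrix, techniques),
    }

if __name__ == "__main__":
    result = report()
    for env, ratio in result["coverage"].items():
        print(f"{env:20s} coverage {ratio:.0%}")
    print("top gaps:", result["gaps"][:3])
```

The disabled rule is the edge case worth noticing: a rule inventory counts it, the coverage matrix does not, which is exactly the difference between what a team has bought and what it can observe. Sorting gaps by priority before environment keeps the roadmap conversation on the most critical blind spots rather than on whichever environment happens to sort first.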
"To develop a roadmap for improving your detection and response capabilities, you need to align your technical vision with your business goals. You need to present a clear plan of what you want to achieve, how much it will cost, what steps you need to take, and what outcomes you expect. This will help you gain the support and trust of your leadership and stakeholders," he says.
Incident response is not a simple task; it requires a high level of technical expertise, coordination, and communication among various stakeholders. It also involves following best practices and standards that are constantly evolving in response to new threats and challenges.
That's why many organizations choose to partner with security consulting services that can provide them with the guidance, support, and resources they need to improve their incident response capabilities. Security consulting services can offer:
A comprehensive assessment of the organization's current incident response maturity level, gaps, and areas for improvement.
A customized incident response plan that aligns with the organization's goals, policies, and industry standards.
Help identifying a team of experienced and certified incident responders who can support the organization in handling incidents from start to finish.
A range of training and awareness programs that can help the organization's staff develop the skills and knowledge needed to respond effectively to incidents.
A continuous monitoring and improvement process that can help the organization measure and enhance its incident response performance over time.
By working with security consulting services, organizations can benefit from:
Reduced risk of data breaches, financial losses, reputational damage, and legal liabilities.
Faster recovery from incidents and restoration of normal operations.
Improved compliance with regulatory requirements and industry best practices.
Increased confidence and trust among customers, partners, and stakeholders.
Enhanced security posture and resilience against future attacks.
If you are interested in learning more about how good security consulting services can help you improve your incident response capabilities in line with the guidance just described, please contact us today. We would be happy to discuss your needs and offer you a free consultation.