Security weakness confronts every business. The pace at which the threat landscape changes means security operations teams must monitor their environments around the clock to detect threat actor probing or access. Most security teams choose a security information and event management (SIEM) tool to funnel alerts and manage triage.
But the data ingest and triage required to monitor identities, devices, apps, and network access isn’t cheap. Alert fatigue (too many detections overwhelming analysts) is an industry cliché for a reason. Security leaders must make tough calls: which threat vectors are most likely to be targeted? Which identity and access controls should the business require? Which endpoint behavioral analytics should SOC analysts track and trace?
The Economics of Detection Engineering
Enter detectionomics. Engineering threat detections is both a technical exercise and an economic proposition: which security controls are worth the data spend? If a threat breaches the business through a deprioritized route, can security leaders justify that decision with both a business and a cyber rationale?
Determining Your Industry Threat Profile
Before determining which detections to build, a business needs a solid understanding of its industry threat profile. Cyber threat intelligence informs tactical mapping tools like MITRE ATT&CK, highlighting likely methods of attack and ransomware groups with a history of targeting your industry. Once a business narrows its strategy from every possible threat to the most likely ones, the security team is ready to weigh the economics of detection engineering.
Narrowing Detection Scope
A business’ SOC plays choose-your-own-adventure every time analysts identify a high-cost threat vector. Compromising any employee’s credentials could lead to a high-cost breach, but sending SOC analysts an alert every time one of hundreds or thousands of employees signs in is costly in both money (data ingest) and time (analyst hours). Threat actors are more likely to target employees with placement and access. Narrowing the detection scope to a smaller group—administrators, finance, human resources, and leadership—lowers the alert noise and saves money.
Alert Against Behavioral and Technical Anomalies
Businesses should narrow detections based on two factors: behavioral and technical. What behavior is typical for a given group of employees? For human resources, it might be accessing sensitive data such as social security numbers for routine background checks and pulling bank information to complete payroll with finance. A large file export of that same sensitive information would be an abnormal behavior to alert on.
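The scoping described above (a watchlist of high-value departments, plus a volume threshold that separates routine HR data access from a bulk export) as an added Python example that is not from the original post or from Ascent; the event format, department names, the row threshold and the sample events are all constructed assumptions. It also reports the abnormal exports the scope deliberately drops, which is the residual risk a security leader accepts under detectionomics.

```python
from collections import Counter

# Assumed scope and threshold (illustrative values, not the page's).
HIGH_VALUE_DEPTS = {"admin", "finance", "hr", "leadership"}
EXPORT_ROW_THRESHOLD = 10_000  # rows of sensitive data pulled in one export

def build_sample_events():
    """Constructed sign-in and export events against a sensitive HR/payroll store."""
    events = [{"user": f"staff{i}", "dept": "sales", "action": "signin", "rows": 0}
              for i in range(300)]                      # routine sign-ins, wider workforce
    events += [{"user": f"hr{i}", "dept": "hr", "action": "signin", "rows": 0}
               for i in range(20)]                       # routine HR sign-ins
    events.append({"user": "hr3", "dept": "hr", "action": "export", "rows": 25})      # background check
    events.append({"user": "hr7", "dept": "hr", "action": "export", "rows": 48_000})  # bulk pull
    events.append({"user": "eng1", "dept": "engineering", "action": "export", "rows": 90_000})
    return events

def naive_alerts(events):
    """Baseline rule: alert on every sign-in and every export, whoever performs it."""
    return list(events)

def scoped_alerts(events, depts=HIGH_VALUE_DEPTS, threshold=EXPORT_ROW_THRESHOLD):
    """Scoped rule: in-scope departments only; sign-ins always alert,
    exports alert only when the volume is abnormal for routine work."""
    out = []
    for e in events:
        if e["dept"] not in depts:
            continue
        if e["action"] == "signin" or (e["action"] == "export" and e["rows"] >= threshold):
            out.append(e)
    return out

def deprioritized_abnormal(events, depts=HIGH_VALUE_DEPTS, threshold=EXPORT_ROW_THRESHOLD):
    """Abnormal exports the scope drops: the residual risk the business accepts."""
    return [e for e in events
            if e["dept"] not in depts and e["action"] == "export" and e["rows"] >= threshold]

def detection_summary(events):
    """Compare alert volume before and after scoping, and list what scoping misses."""
    naive, scoped, dropped = naive_alerts(events), scoped_alerts(events), deprioritized_abnormal(events)
    return {
        "naive_alerts": len(naive),
        "scoped_alerts": len(scoped),
        "alert_reduction_pct": round(100 * (1 - len(scoped) / len(naive)), 1),
        "scoped_by_dept": dict(Counter(e["dept"] for e in scoped)),
        "deprioritized_abnormal": [e["user"] for e in dropped],
    }

if __name__ == "__main__":
    for key, value in detection_summary(build_sample_events()).items():
        print(f"{key}: {value}")
```

On the constructed events the scoped rule cuts 323 alerts to 21, while the 90,000-row export by an engineering account is surfaced as a deprioritized route rather than silently lost.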
Technical alerts are based on the commands a device or piece of software routinely executes, so they focus on software or hardware malfunction. The kill chain may start with an employee behavior (Googling an Excel template for tracking department spend) and continue with activity the threat actor has co-opted (downloading the template also downloads a malicious Python script). Building an alert to notify the SOC of malware activity might mean monitoring for unusual activity such as attempted exfiltration of passwords or other corporate data.
Optimize Your Business’ Ingest Costs
Your Managed Security Services Provider (MSSP) should work with you to build the right detections for your business and optimize your data ingest costs. Ascent’s clients regularly save thousands of dollars after our Security Operations Center (SOC) analysts reduce the volume and number of data sources and alerts necessary for securing the business. Our practitioners provide cyber threat intelligence, vulnerability reporting, asset inventory, and more to provide the context your security leaders need for tactical and strategic modernization.
If you are interested in learning more about Ascent’s managed SOC and detection engineering practice, please reach out to info@meetascent.com.