Effective security detections: From intent to action

Thursday 28 November, 1:50 pm - 2:30 pm

Speakers

Aditya Patil

Sr. Security Monitoring Architect
Telstra

Synopsis

In the ever-evolving threat landscape, robust security monitoring has become a critical necessity for safeguarding organizations against security breaches. By detecting and responding to threats as early as possible in the cyber kill chain, organizations can mitigate risks effectively. However, this process relies on skilled security analysts who continuously monitor, triage, and respond to alerts 24/7. Despite their expertise, an analyst’s time remains the most valuable resource. Therefore, every alert raised must be carefully crafted and assessed to determine if it warrants an analyst’s attention.

This talk delves into the intricacies of security detection engineering, providing practical insights for security practitioners. We’ll explore the lifecycle of detection engineering, from identifying relevant threats to implementing actionable alerts, with a focus on how to use a SOC analyst’s time effectively.

Here’s what you can expect:

1. Understanding Security Intent:

  • We’ll dissect what constitutes a robust security detection. How do we define intent? What are the key considerations when selecting security intent for specific use cases?
  • Leveraging the MITRE ATT&CK framework, we’ll identify relevant threat actors, techniques, and tools.

2. Data Sources and Coverage:

  • Effective detection relies on comprehensive data sources. We’ll discuss how to assess existing log sources and identify gaps.
  • Vulnerability reports and threat research will guide our understanding of defence blind-spots and pitfalls.

3. Crafting Detection Content:

  • Armed with threat knowledge, we’ll create detection rules and logic. How can we detect specific threats? Which data sources are essential?

4. Tuning and Continuous Improvement:

  • Detection engineering is not complete if there is no continuous feedback loop. We’ll address false positives, fine-tuning, and ongoing management.
  • Automation plays a crucial role in maintaining an effective detection capability. We’ll explore automation options and consider whether a dashboard, saved search, report, or rule is most suitable.

5. Beyond Flick and Tick: Empowering SOC Analysts:

  • Not all alerts require human intervention. We’ll discuss strategies for automating containment actions.
  • By focusing on higher-confidence alerts, SOC analysts can optimize their investigative efforts.
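The five steps above form one lifecycle, so here is a single worked example, added to this page and not code from the talk or from Telstra, that walks through it end to end: a rule carries its security intent (an ATT&CK technique ID), declares the data sources it needs so coverage gaps are reported rather than silently producing no alerts, is evaluated over sample events, is tuned with known-good exceptions that are tracked separately from true hits, and is routed either to automated containment or to analyst triage based on confidence. The event field names, rule names, the `svc-backup` exception and the sample events are all constructed for illustration; the technique IDs are real ATT&CK identifiers.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample events standing in for parsed log lines; the field
# names (source, host, user, process, parent, cmdline, outcome) are assumptions.
SAMPLE_EVENTS = [
    {"source": "endpoint", "host": "ws-01", "user": "alice",
     "process": "powershell.exe", "parent": "winword.exe",
     "cmdline": "powershell.exe -EncodedCommand <constructed-base64>"},
    {"source": "endpoint", "host": "ws-02", "user": "svc-backup",
     "process": "powershell.exe", "parent": "backup-agent.exe",
     "cmdline": "powershell.exe -EncodedCommand <constructed-base64>"},
    {"source": "endpoint", "host": "ws-03", "user": "bob",
     "process": "notepad.exe", "parent": "explorer.exe",
     "cmdline": "notepad.exe readme.txt"},
    {"source": "auth", "host": "dc-01", "user": "carol", "outcome": "failure"},
]


@dataclass
class Rule:
    name: str
    technique: str                      # ATT&CK technique the detection intent maps to
    required_sources: frozenset         # log sources the logic cannot work without
    predicate: Callable[[dict], bool]   # the detection logic itself
    confidence: str                     # "high" -> eligible for automated containment
    exceptions: list = field(default_factory=list)  # tuning: known-good patterns


def coverage_gaps(rules, available_sources):
    """Step 2: report rules whose required log sources are not being collected."""
    return {r.name: sorted(r.required_sources - available_sources)
            for r in rules if r.required_sources - available_sources}


def evaluate(rule, events):
    """Steps 3 and 4: apply the rule logic, then suppress tuned exceptions,
    keeping them in a separate list so the feedback loop can see what tuning hides."""
    hits, suppressed = [], []
    for event in events:
        if event.get("source") not in rule.required_sources:
            continue
        if not rule.predicate(event):
            continue
        if any(is_known_good(event) for is_known_good in rule.exceptions):
            suppressed.append(event)
        else:
            hits.append(event)
    return hits, suppressed


def route(rule, hit):
    """Step 5: high-confidence alerts get an automated containment action;
    everything else is queued for analyst triage."""
    if rule.confidence == "high":
        return {"rule": rule.name, "host": hit["host"],
                "action": "isolate_host", "needs_analyst": False}
    return {"rule": rule.name, "host": hit["host"],
            "action": "triage", "needs_analyst": True}


def run_pipeline(rules, events, available_sources):
    """Run every rule whose data sources are present; report the rest as gaps."""
    alerts, suppressed_total = [], 0
    for rule in rules:
        if rule.required_sources - available_sources:
            continue  # cannot evaluate reliably; surfaced in coverage_gaps instead
        hits, suppressed = evaluate(rule, events)
        suppressed_total += len(suppressed)
        alerts.extend(route(rule, h) for h in hits)
    return {"gaps": coverage_gaps(rules, available_sources),
            "alerts": alerts, "suppressed": suppressed_total}


RULES = [
    # Intent: PowerShell with an encoded command line (ATT&CK T1059.001).
    Rule(name="encoded_powershell", technique="T1059.001",
         required_sources=frozenset({"endpoint"}),
         predicate=lambda e: e.get("process") == "powershell.exe"
         and "-encodedcommand" in e.get("cmdline", "").lower(),
         confidence="high",
         # Tuning: a constructed known-good backup job that legitimately uses -EncodedCommand.
         exceptions=[lambda e: e.get("user") == "svc-backup"
                     and e.get("parent") == "backup-agent.exe"]),
    # Intent: password guessing followed by VPN access (ATT&CK T1110); the
    # predicate is deliberately simplified and the rule needs a "vpn" source
    # that is not collected, so the pipeline reports it as a coverage gap.
    Rule(name="failed_auth_then_vpn", technique="T1110",
         required_sources=frozenset({"auth", "vpn"}),
         predicate=lambda e: e.get("outcome") == "failure",
         confidence="medium"),
]

if __name__ == "__main__":
    import json
    print(json.dumps(run_pipeline(RULES, SAMPLE_EVENTS,
                                  frozenset({"endpoint", "auth"})), indent=2))
```

Running it shows the three outcomes the synopsis cares about: the ws-01 event becomes a high-confidence alert with an automated `isolate_host` action and no analyst time spent, the ws-02 event is counted as suppressed by tuning rather than silently dropped, and the second rule is listed under `gaps` because the `vpn` source is missing, which is the difference between "no alerts because nothing happened" and "no alerts because we are blind".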

Join me as we bridge the gap between detection intent and actionable outcomes, empowering security teams to stay ahead of evolving threats.

Acknowledgement of Country

We acknowledge the traditional owners and custodians of country throughout Australia and acknowledge their continuing connection to land, waters and community. We pay our respects to the people, the cultures and the elders past, present and emerging.