By Huseyin Can YUCEEL • January 02, 2023
Keep up to date with latest blog posts
Cyberattacks have become more sophisticated over time, and threat actors are constantly developing new and more impactful adversary techniques. Against these new threats, security professionals rely on detective security controls heavily to defend their organizations. However, security teams cannot set and forget these security controls. For more effective threat detection, detection rules used by security controls must be maintained and kept up to date to be relevant to the ever-changing cyber threat landscape.
In this blog, we discussed the challenges of detection engineering and how automated detection rule validation helps security teams validate and optimize their detective security controls.
How Detection Rules Work and The Challenges of Threat Detection
Security teams research detection contents from various sources such as red teaming exercises, threat intelligence reports, malware IOCs, and many others. As a result of this research, they identify their organizations' threat landscape and develop threat detection strategies that they can implement in their security controls.
Figure 1: Core Components of Threat Detection
Threat detection strategies guide security teams in managing log sources, detection rules, and alerts. Security professionals manage these tools routinely and encounter similar challenges daily.
Log sources are the starting point for threat detection. Security teams configure their Security Information and Event Management (SIEM) platform to gather log data from various sources, such as security controls, network infrastructure, operating systems, and applications. Log sources provide the log data and visibility that security teams need to identify any irregularities or malicious activities. Without relevant log data, organizations are blind to any threat that targets them. That's why security teams regularly gather new log sources and check the status of existing ones.
However, security teams might have difficulty
- tracking down new log sources for new threats
- improving the quality and verbosity of log data
- identifying problems in log sources or log data
Security teams develop detection rules to identify malicious activities in their network using the gathered log data. As an industry best practice, many organizations use the Detection-as-Code approach to develop rule-based threat detection. While this systematic approach eases organizations' detection rule development process, security teams still face several challenges in managing their rule base, such as
- identifying syntax problems in rules - even a simple syntax error can lead to a broken detection rule.
- assessing rules' performance - rules may be too broad or too limited to generate meaningful alerts
- visualizing detection rule coverage - to threat frameworks such as MITRE ATT&CK
When an anomaly is observed in the network and endpoints, detection rules fire detection alerts by inspecting log data. Then, security teams attend detection alerts and handle the incident based on their severity. In a large enterprise, the rule base tends to be extensive and can generate too many alerts if not maintained well. As a result, security teams tune detection alerts to improve alert fatigue, quality, and performance.
On a daily basis, security teams often encounter problems with
- eliminating false-positive alerts
- identifying resource-hungry rules
- prioritizing alerts
Detection Rule Validation
Detection Rule Validation is the process of measuring and verifying the performance of detection rules. The process inspects log sources, detection rules, and detection alerts to improve the overall threat detection capability of security controls.
While security teams focus on creating new detection rules, validating existing rules is not often a priority. Organizations usually validate their rule base annually or bi-annually. However, validating the detection rules is vital for organizations' ability to detect cyber threats, and the process should be executed frequently to keep up with the cyber threat landscape.
Detection Rule Validation allows security teams to tune detection rules for faster, more accurate, and more efficient detection.
Picus Detection Rule Validation (DRV) Product
Picus Detection Rule Validation product is a continuous and automated detection rule assessment solution that addresses challenges in threat detection and improves rule-based detection controls.
Picus Detection Rule Validation (DRV)
Picus DRV provides a holistic picture of an organization’s threat detection and response capabilities by running static and dynamic analysis for each rule in the rule baseline.
Picus DRV checks log sources, detection rule content, and alerts for each rule. By assessing the historical data and current state, the module identifies broken and inefficient detection rules and provides insights on fixing and improving them.
Picus Detection Rule Validation helps security teams
- maximize confidence in detection rules and alerts
- validate the effectiveness of existing and new rules based on log coverage, alert frequency, and performance metrics
- implement detection capabilities for emerging threats within minutes
- visualize threat coverage and response capabilities of security controls
- prioritize rules that need improvement
- map threat coverage to MITRE ATT&CK
Picus Detection Rule Validation module identifies broken and inefficient detection rules in organizations' security controls and provides security teams insights on how to improve their threat coverage and response capabilities. Picus Detection Rule Validation saves valuable time and resources by automating the manual detection engineering processes and improving the detection effectiveness and efficiency of security controls.