By Jack Naglieri, 2022-12-14

Security teams shoulder the responsibility of keeping their organizations safe. Yet many of the tools, systems, and processes security teams utilize haven’t evolved to handle the large volume of data, need for response speed, and complexities that security teams face today.

With 47% of organizations pursuing a cloud-first strategy, and with too many alerts from their existing SIEM being the biggest challenge security practitioners report, security teams face even bigger challenges as they try to adapt to analyzing data at cloud scale. What they need are better, faster, and more sophisticated tools and approaches to keep their organizations protected. As someone who has been an incident responder and recognizes there are more efficient methods to security, I’ve seen firsthand the hurdles traditional SIEMs place in front of security teams wanting to do their best work quickly and efficiently. In this piece, I’ll cover some of the challenges security teams face today, and how teams must evolve not only their processes but also their mindset in order to become truly modern detection providers.

THE EVOLUTION OF MODERN DETECTION APPROACHES AND SIEMS

Detection, at its simplest, is looking for threats by continuously analyzing log data for attack patterns. SIEMs have evolved to help security teams cope with the sheer volume of data coming in each day, but they haven’t evolved fast enough, which adds strain on security teams trying to keep up. Today, security teams face massive data overload, more cloud application usage, and increasing complexity overall, meaning teams need far more real-time and scalable approaches. Many of the tools security teams use today haven’t adopted cloud-native principles, presenting significant cost and performance challenges for the organizations using them. Security practitioners also report that their traditional SIEM can’t support highly customizable alerts, parse data at scale, or generally provide the stability and flexibility security teams need. All these limitations leave security teams scrambling.

With these challenges in mind, what steps can a security team take toward becoming a modern detection team?

THE FUTURE OF MODERN DETECTION TEAMS

Security teams wanting to evolve into modern detection teams can adopt the following tools and approaches to make their processes more efficient and to build a stronger security posture.

ADOPTING A CI/CD MINDSET

To streamline their processes, security teams should adopt a CI/CD mindset and approach detection the way software engineers approach code. Teams that take this approach continuously iterate on detection rules and alerts, test those detections, and deploy them quickly. This allows not only for constant, responsive improvement but also for version control, unit testing, automation, and other benefits.

MORE CODE AND FEWER DASHBOARDS

While dashboards are a popular way of gaining visibility into an environment, they are only as good as the data that feeds them, and graphs and a simple UI may not tell the whole story. Modern detection teams wanting to do their best work will rely less on dashboards and more on code, which can give specific, precise insights into their environment.

LESS TIME SPENT ON OPERATIONAL OVERHEAD

As more teams adopt automation, the time spent on operations will shrink. Because of the progress in cloud services, platforms will have adapted to near-infinite data scale, further reducing the need for management overhead. Employing cloud-native architectures reduces that overhead further. This benefits security teams, as it lets them focus more on security and less on documentation and management.

HIGHER DETECTION ACCURACY AND PRECISION

Some modern security teams use detection-as-code to create security alerts tailored to their needs, which can provide more accurate detection. As a disclosure, my company, Panther, is one provider of such solutions. Detection-as-Code is a modern, flexible, and structured approach to writing detections that applies software engineering best practices to security. By adopting this paradigm, teams can build scalable processes for writing and hardening detections to identify sophisticated threats across rapidly expanding environments.
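
An added example of the Detection-as-Code workflow this section and the CI/CD section above describe: a detection written in Python, together with the test events a CI job replays before the rule is merged and deployed. This is illustration code, not Panther's own code or the author's; the rule(), title() and severity() function names are an assumed convention, and the CloudTrail-shaped sample events are constructed for the example, not real log data.

```python
"""Detection-as-code illustration (added example, not Panther's code).

A detection is an ordinary Python module: a rule() that decides whether one
log event alerts, helpers that shape the alert, and a table of test events
that a CI job replays before the rule is merged. The rule(), title() and
severity() names are an assumed convention; the events below are
constructed with CloudTrail-style field names, not real log data.
"""
from dataclasses import dataclass


def rule(event: dict) -> bool:
    """Alert on a successful AWS console login that did not use MFA."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    # A failed login attempt is noisy and belongs to a separate rule;
    # only a successful session established without MFA is interesting here.
    if (event.get("responseElements") or {}).get("ConsoleLogin") != "Success":
        return False
    mfa_used = (event.get("additionalEventData") or {}).get("MFAUsed")
    return mfa_used != "Yes"


def title(event: dict) -> str:
    """Alert title shown to the analyst; falls back to the ARN for root."""
    ident = event.get("userIdentity") or {}
    who = ident.get("userName") or ident.get("arn") or "<unknown>"
    return f"Console login without MFA: {who} from {event.get('sourceIPAddress', '<unknown>')}"


def severity(event: dict) -> str:
    """Root sessions without MFA are escalated; everything else is Medium."""
    if (event.get("userIdentity") or {}).get("type") == "Root":
        return "Critical"
    return "Medium"


@dataclass(frozen=True)
class TestCase:
    name: str
    expect_alert: bool
    event: dict


def _login(user_type: str, outcome: str, mfa: str, **extra) -> dict:
    """Build a constructed ConsoleLogin event with CloudTrail-shaped fields."""
    ident = {"type": user_type, "arn": f"arn:aws:iam::123456789012:{user_type.lower()}"}
    ident.update(extra)
    return {
        "eventName": "ConsoleLogin",
        "userIdentity": ident,
        "sourceIPAddress": "203.0.113.10",  # constructed, from a documentation range
        "responseElements": {"ConsoleLogin": outcome},
        "additionalEventData": {"MFAUsed": mfa},
    }


# Constructed test table: true positives for each branch, plus the negatives
# that a naive rule (matching on eventName alone) would get wrong.
TEST_CASES = [
    TestCase("iam_user_success_no_mfa", True, _login("IAMUser", "Success", "No", userName="alice")),
    TestCase("root_success_no_mfa", True, _login("Root", "Success", "No")),
    TestCase("iam_user_success_with_mfa", False, _login("IAMUser", "Success", "Yes", userName="alice")),
    TestCase("iam_user_failure_no_mfa", False, _login("IAMUser", "Failure", "No", userName="alice")),
    TestCase("unrelated_api_call", False, {"eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser"}}),
    TestCase("malformed_missing_fields", False, {"eventName": "ConsoleLogin"}),
]


def run_tests(cases=TEST_CASES) -> dict:
    """Replay every case through rule(); returns {case name: passed}."""
    return {c.name: rule(c.event) == c.expect_alert for c in cases}


def failing_cases(cases=TEST_CASES) -> list:
    """Names of cases whose outcome disagrees with expect_alert.

    A CI job fails the build (and blocks deployment) when this is non-empty.
    """
    return [name for name, ok in run_tests(cases).items() if not ok]


if __name__ == "__main__":
    bad = failing_cases()
    print("all detection tests passed" if not bad else f"FAILED: {bad}")
```

The test table is the part that makes the rule reviewable: a change to rule() that starts firing on failed logins, or stops firing on root sessions, turns a case red in CI before it reaches production, and a reviewer can see from the table alone which behaviours the author intended.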

Detection-as-Code means every detection is stress-tested with data and peer-reviewed; in that respect it is similar to infrastructure-as-code. Additionally, writing detections in a language like Python means a broader set of people can write detections that fit their environment, significantly reducing overhead while accelerating the deployment of new detections. Along with improvements to workflow reliability, teams become more adept at identifying attackers. This protects organizations by resulting in fewer breaches, which can cost organizations an average of $3.86 million.

SMALLER, MORE IMPACTFUL TEAMS

Increased automation means analysts can be more effective and focus on high-impact work, without spending endless time resolving simpler alerts. Smaller teams can reduce their operational overhead as well.

INCREASED COLLABORATION

Using universal languages like Python and SQL for detection, analysis, and investigation presents many advantages, including opportunities for greater collaboration. By using standard languages, security teams gain access to much larger repositories of existing code libraries, along with support from the large communities of developers using those languages. Content is more easily shareable across teams. By sharing on platforms such as GitHub or Bitbucket, or even internally on a wiki or ITIL page, teams can get more eyes on their problem and more useful solutions.

BOLSTERING TRANSFERABLE SKILLS

Finally, with the shift to writing software instead of using one-off domain-specific languages, security teams can invest in transferable knowledge and skills instead of proprietary languages. Security teams have been writing Python scripts for years, and a system that can apply those same skills to security operations in a more scalable way brings benefits such as more reliable detections and more scalable, collaborative security team workflows.

A DETECTION FOUNDATION FOR THE FUTURE

Security teams need to keep their organizations safe, and this requires access to both the tools and the mindset that allow them to handle data at scale. The move to cloud-native platforms and common languages will not only give security teams better support through Python and SQL but also make it easier to ensure they have everything they need to do their jobs well.

Jack Naglieri, CEO and Founder, Panther