New Paper Published: “How to Start Your Threat Detection and Response Practice”

by Anton Chuvakin on May 30, 2018

This is a very special paper that is very dear to my heart (and hopefully to Augusto’s as well). It is called “How to Start Your Threat Detection and Response Practice” (Gartner GTP access required).

Note that this paper is NOT in any way “advanced.” So, if you run a SOC team of 12 people, just do us a favor and don’t read it.

The abstract says “Many organizations need to move beyond simple threat prevention and want to start their threat detection and response practices. This research helps technical professionals focused on security to effectively put together the processes, tools and skills required to start performing those activities.”

Look, you can make fun of us for this, and in fact I do it myself. But now in 2018 there are real organizations who think that “appliances prevent threats” and “adding security to a system means hackers won’t get in.” We need to help them! Like now! Otherwise, next year in 1999, it may be too late for … <sorry, I digress>

Fortunately – and, damn it, I mean it! – some of these organization are waking up and asking us for a roadmap to it. We did say “Shift Cybersecurity Investment to Detection and Response” a few years ago, but we have not said HOW to do it? And now we did!

Sponsorships Available

Some favorite quotes are here, Augusto may post more, perhaps:

“Strong processes are more important than technologies, especially when just getting started. But at lower maturity levels, the belief that technology products will deliver security regardless of processes for using and supporting them is still common.” [A.C. – common, and WRONG, to be sure]
“Do not automatically jump to utilizing an MSSP/MDR without thinking about the relevant threats, your available resources, use cases and known limitations of security outsourcing models.”
“Gartner research again and again confirms that one cannot outsource planning or accountability for detection and response. Indeed, you can use services for almost everything, but planning (and adapting the plan as things change) requires internal resources.” [A.C. – this is my most liked Tweet in recent history]
“Include some form of log management and analysis in the first tier of tools to be implemented (but not necessarily a security information and event management [SIEM]).”
“Security services can help with your detection and response efforts, but they are not a drop-in replacement for an entire set of organizational capabilities and practices.” [A.C – let’s be honest, most of the readers of this paper should be using MSSP / MDR services, but this does not mean you are just along for a ride…]
“Many CIOs and even some security leaders make decisions to proceed with product acquisitions without any regard to corresponding operational practices and personnel requirements. Once this fails, outsourcing becomes the straw they grasp — and then this also fails due to a severe mismatch between security outsourcing promise and reality” [A.C. – this is really depressing. But you know what beats depression hands down? Hilarity!]
“[…] clients report that suffering a security incident and not uncovering it until very late is still the best motivation for threat detection measures. Some technical professionals reported a tiny minority of cases where even this motivator — suffering a damaging breach — was not sufficient for their management. Gartner observes that, in this case, nothing is likely to help.” [A.C. – do we get extra points for honesty here?]
“To develop initial detection and response for your environment, it is helpful to know what your environment really includes. Formulating this in the form of “robust asset management required,” however, is unproductive because few organizations, even large enterprises, excel in that area. […] However, a degree of environment/asset awareness and some asset inventory — a list of critical and/or regulated assets (including applications and data) — is a must.”