Prioritizing Detection Engineering

1. 🚀 Get logging in order.

2. ✋ Spend time on hardening and plan to come back to detection.

3. ⏭️ Introduce strictly high-quality detections and alerts.

A. The first batch of alerts should detect invariants: conditions your infrastructure should never exhibit, because a control or policy you actually enforce makes them impossible. Any hit is therefore either a broken control or an attacker, which keeps the signal high and the triage short.

4. ✋ Spend time on management and plan to come back to detection.

A. These core questions must be settled before anyone commits to an entire detection program (and they are the primary basis of the original detection engineering essay).

5. 🏁 Fully embrace an engineering approach to detection.
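What an invariant-based first batch of detections can look like in code, as an added example that is not part of the original page or of the Field Manual. The invariants, the environment assumptions behind them (a bastion subnet, a set of service accounts, a set of production hosts), the JSON log schema and the sample events are all hypothetical and constructed here for illustration:

```python
"""Invariant-based detections: alert on events a control should make impossible.

Added example, not from the original page. The invariants, log schema and
sample events are hypothetical, constructed for illustration only.
"""
import ipaddress
import json
from dataclasses import dataclass
from typing import Callable, Iterable

# Hypothetical control-backed assumptions about the environment.
BASTION_NET = ipaddress.ip_network("10.0.100.0/24")   # only network allowed to SSH into prod
SERVICE_ACCOUNTS = {"svc-backup", "svc-deploy"}       # non-interactive by policy
PROD_HOSTS = {"prod-db-01", "prod-web-01"}


@dataclass(frozen=True)
class Invariant:
    name: str
    control: str                      # the control or policy that should make this impossible
    violated: Callable[[dict], bool]  # returns True when an event breaks the invariant


def ssh_from_outside_bastion(ev: dict) -> bool:
    """Invariant: every SSH login to a prod host originates from the bastion subnet."""
    if ev.get("event") != "ssh_login" or ev.get("host") not in PROD_HOSTS:
        return False
    try:
        src = ipaddress.ip_address(ev.get("src_ip", ""))
    except ValueError:
        return True  # a prod SSH login with an unparseable source is itself worth a look
    return src not in BASTION_NET


def interactive_service_account(ev: dict) -> bool:
    """Invariant: service accounts never get an interactive TTY."""
    return (ev.get("event") == "ssh_login"
            and ev.get("user") in SERVICE_ACCOUNTS
            and ev.get("tty") not in (None, "", "notty"))


INVARIANTS = [
    Invariant("prod_ssh_not_via_bastion",
              "Security groups only permit tcp/22 to prod from the bastion subnet",
              ssh_from_outside_bastion),
    Invariant("service_account_interactive_login",
              "Service accounts have no shell and no interactive login rights",
              interactive_service_account),
]


def evaluate(events: Iterable[dict], invariants=INVARIANTS) -> list[dict]:
    """Return one alert per (event, violated invariant), naming the control that failed."""
    alerts = []
    for ev in events:
        for inv in invariants:
            if inv.violated(ev):
                alerts.append({"invariant": inv.name, "control": inv.control, "event": ev})
    return alerts


# Constructed sample log (JSON, one event per line); not real telemetry.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:00Z","event":"ssh_login","host":"prod-web-01","user":"alice","src_ip":"10.0.100.7","tty":"pts/0"}
{"ts":"2024-05-01T10:01:00Z","event":"ssh_login","host":"prod-db-01","user":"bob","src_ip":"192.168.4.20","tty":"pts/1"}
{"ts":"2024-05-01T10:02:00Z","event":"ssh_login","host":"prod-web-01","user":"svc-deploy","src_ip":"10.0.100.9","tty":"notty"}
{"ts":"2024-05-01T10:03:00Z","event":"ssh_login","host":"prod-web-01","user":"svc-backup","src_ip":"10.0.100.9","tty":"pts/2"}
{"ts":"2024-05-01T10:04:00Z","event":"sudo","host":"prod-db-01","user":"alice","command":"/bin/systemctl restart postgres"}
"""


def parse_log(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def run_sample() -> list[dict]:
    """Run all invariants over the constructed sample log."""
    return evaluate(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        ev = a["event"]
        print(f"[{a['invariant']}] {ev['user']}@{ev['host']} from {ev.get('src_ip')}; "
              f"control that should have prevented this: {a['control']}")
```

Two of the five constructed events fire: bob's login from outside the bastion subnet and svc-backup's interactive session. Each alert carries the name of the control that was supposed to prevent it, so triage starts with "which control failed, or who got around it" rather than "is this even bad". The caveat is that an invariant is only as good as the control behind it: when the security group or the account policy changes, the detection must change with it, or it turns into the noisy rule this approach is meant to avoid.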

Field Manual | Detection Engineering Weekly | Zack 'techy' Allen | Substack

The Detection Engineering Field Manual is a series of "quick-hit" posts about Detection Engineering, Security Engineering and Incident Response. These posts serve as a resource for security engineers to understand and orient the field of Detection quickly, and stem from years of practice and interviewing hundreds of security people into my teams and organizations.

Nuts and Bolts of Detection Engineering: Open Source Edition

We’re going to walk through what Detection Engineering could look like, with open source options along the way.