What Threat Detection is NOT about — before they sell it to you!
--
Detection Engineering is really making its way into the lexicon of what Cybersecurity customers demand today. After advocating for that practice for many years, I thought it would be great to share a few bullets on that.
This might not only serve practitioners in the field but also product managers and other threat detection personas involved in research, product development sales engineering cycles.
Every threat detection solution requires engineering efforts.
Yes, even the 'AI driven' ones. If you outsource detection to a provider, that's where engineering is hopefully happening then.
So before you buy or even build another snake oil, here's my two cents.
Detection Engineering is sexy
Besides being one of the most exciting jobs on the blue side (super biased), I guess there are a few other aspects contributing towards the momentum:
- Regulations requiring logging, security monitoring, and data breach reporting (transparency/accountability) capabilities;
- SIEM/XDR vendors and MSS/MDR providers realizing the competitive advantage of a mature threat detection practice to their business;
- The less disruptive nature of detection controls implementation.
Peace sells but who is buying?
Delivering high-quality detection controls requires engineering skills that can’t be easily found and retained. And what is one of the outcomes from that? Underdeveloped detection programs, poor detection output, etc.
Despite having the noble goal of helping customers implement security controls, a business (vendor) needs to be profitable. But how to sell the solution to this gap? Selling people or outsourcing won't scale.
I don’t think you need to work in Cyber or even in IT to understand how the game is played. Once a problem or rather, a (bad) symptom, is identified, that becomes an opportunity to be explored in the market.
Alert Output symptoms as a distraction
This is part of human behavior, instead of practicing healthy habits or good hygiene, it's easier to tackle the symptoms and carry on.
