Yet another concept that has been bugging me for years is the concept of “detection as code.” Why is it bugging me and why should anyone else care?
First, is “detection as code” just a fancy term for what you did if you loaded your Snort rules into CVS in, say, 1999? Well, not exactly.
What I mean by “detection as code” is a more systematic, flexible and comprehensive approach to threat detection that is somewhat inspired by software development (hence the “as code” tag). Just as infrastructure as code (IaC) is not merely about treating your little shell scripts as real software, but about machine-readable definition files and descriptive models for infrastructure.
Why do we need this concept? This is a good question! Historically, from the days of the first IDS (1987) to the sad days of “IDS is dead” (2003) and then to today, detection got a bit of a bad reputation. We can debate this, to be sure, but most would probably agree that threat detection never “grew up” to be a systematic discipline, with productive automation and predictable (and predictably good!) results. In fact, some would say that “Your detections aren’t working.” And this is after ~35 years of trying…
Detection engineering is a set of practices and systems to deliver modern and effective threat detection. Done right, it can change security operations just as DevOps changed the stolid world of “IT management.” You basically want to devops (yes, I made it a word) your detection engineering. I think “detection as code” is a cool name for this shift!
As you see, this is not so much about treating detections as code, but about growing detection engineering to be a “real” practice, built on modern principles used elsewhere in IT (agile this, or DevOps whatever).
Now, to hunt for the real top-tier APTs, you probably need to be an artist, not merely a good security engineer (IMHO, the best threat hunting is both art and science, and frankly more art than science….). But even here, to enable “artistic” creativity in solving threat detection problems we need to make sure these solutions operate on a predictable layer. Moreover, for many other detection pursuits, such as detecting ransomware early, we mostly need automated, systematic, repeatable, predictable and shareable approaches.
OK, how do we do “detection as code”? How would I describe the characteristics of this approach?
- Detection content versioning in order to truly understand what specific rule or model triggered an alert — even if this alert was last July. This is even more important if you use a combination of real-time and historical detections.
- Proper “QA” for detection content that covers both testing for broken alerts (such as those that never fire or those that won’t fire when the intended threat materializes, and of course those that fire where there is no threat) and testing for gaps in detection overall. “False positives” handling, naturally, gets thrown into this chute as well.
- Content (code) reuse and modularity of detection content, as well as community sharing of content, just as it happens for real programming languages (I think this is what my esteemed colleague describes here). As a reminder, detection content doesn’t equal rules; it covers rules, signatures, analytics, algorithms, etc.
- Cross-vendor content would be nice; after all, we don’t really program in “vendor X Python” or “big company C” (even though we used to), we just write in C or Python. In the detection realm, we have Sigma and YARA (and YARA-L too). We have ATT&CK too, but this is more about organizing content, not cross-vendor writing of the content today.
- I also think that getting to cross-tool detection content would be great, wherever possible. For example, you can look for a hash in EDR data and also in NDR; and in logs as well. SIEM alone won’t do.
- Metrics and improvement are also key; the above items give you plenty of metrics (from coverage to failure rates), but it’s up to you to structure this process so that you get better.
- While you may not be building a full CI/CD pipeline for detections to continuously build, refine, deploy and run detection logic in whatever product(s), I’ve met people who did just that. To me, these people truly practice detection as code.
- Finally, I don’t really think this means that your detections have to be expressed in a programming language (like Python here and here or Jupyter notebooks). What matters to me is the approach and thinking, not actual code (but we can have this debate later, if anybody insists).
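As an added illustration (not from the original post), here is a minimal Python harness for the versioning, QA and metrics items above: each rule carries its version plus its own positive and negative sample events, and the QA pass flags rules that never fire, fire on benign data, or ship without tests. The rule names, events and the hash value are constructed placeholders.

```python
"""Minimal 'detection as code' QA harness (added example, not from the post).
Detections are versioned data carrying their own positive/negative test events;
the harness flags rules that never fire on the intended threat, rules that fire
on benign samples, and rules shipped without tests. All data is constructed."""
from dataclasses import dataclass, field

@dataclass
class Detection:
    rule_id: str
    version: str
    selection: dict                     # field -> required value, Sigma-style AND
    should_fire: list = field(default_factory=list)      # constructed positives
    should_not_fire: list = field(default_factory=list)  # constructed negatives

def matches(rule: Detection, event: dict) -> bool:
    """True when every selection field is present with the given value."""
    return all(str(event.get(k, "")).lower() == str(v).lower()
               for k, v in rule.selection.items())

def alert(rule: Detection, event: dict):
    """An alert records rule id AND version, so an alert from last July stays explainable."""
    if matches(rule, event):
        return {"rule": rule.rule_id, "version": rule.version, "event": event}
    return None

def qa(rules: list) -> dict:
    """Return a QA report: broken rules and untested rules (a coverage metric)."""
    report = {"never_fires": [], "false_positive": [], "untested": []}
    for r in rules:
        if not r.should_fire or not r.should_not_fire:
            report["untested"].append(r.rule_id)
        if any(not matches(r, e) for e in r.should_fire):
            report["never_fires"].append(r.rule_id)
        if any(matches(r, e) for e in r.should_not_fire):
            report["false_positive"].append(r.rule_id)
    return report

# Constructed events in a common schema; BAD_HASH is a placeholder, not a real IoC.
BAD_HASH = "0000000000000000000000000000000000000000000000000000000000000000"
EDR_HIT = {"source": "edr", "sha256": BAD_HASH, "host": "ws01"}
NDR_HIT = {"source": "ndr", "sha256": BAD_HASH, "host": "ws02"}
BENIGN = {"source": "edr", "sha256": "ab" * 32, "host": "ws03"}

RULES = [
    Detection("known-bad-hash", "1.2.0", {"sha256": BAD_HASH}, [EDR_HIT, NDR_HIT], [BENIGN]),
    Detection("typo-field", "1.0.0", {"sha_256": BAD_HASH}, [EDR_HIT], [BENIGN]),  # never fires
    Detection("too-broad", "0.9.0", {"source": "edr"}, [EDR_HIT], [BENIGN]),       # fires on benign
    Detection("no-tests", "1.0.0", {"sha256": BAD_HASH}),                           # untested
]
```

Running `qa(RULES)` in a CI step turns the “broken alert” and “gap” checks from the list into a failing build rather than a surprise next July.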
Anything I missed?
For our recent SANS paper / webcast, which discussed this topic, we crafted this example visual:
Source: recent SANS paper.
Finally, let’s cattle-prod the elephant in the room: what about the crowd that just doesn’t want anything “as code”? They also don’t want to create their own detections at all. In fact, they like their detections as easy as pushing an ON button or downloading a detection pack from a vendor? That is fine.
Personally, I’ve met enough security people who run away screaming from any technology that’s “too flexible”, “very configurable” or even “programmable” (or: “… as code”) because their past experience indicates that this just means failure (at their organization). However, to detect, you need both a tool and content. Hence, both must come from somewhere: you can build, buy, rent, but you must choose.
Now, upon reading this, some of you may say “duh … what is not painfully obvious about it?” but I can assure you most people in the security industry do NOT think like that. In fact, such thinking is alien to most, in my experience. Maybe they think detection is a product feature. Or perhaps they think that detection is some magical “threat” content that comes from “the cloud.”
Hence, “detection as code” is not really an approach change for them, but a more philosophical upheaval. However, I foresee that threat detection will always be a healthy mixture of both an engineering and a creative pursuit….
P.S. Thanks to Brandon Levene for hugely useful contributions to this thinking!
Can We Have “Detection as Code”? was originally published in Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.
*** This is a Security Bloggers Network syndicated blog from Stories by Anton Chuvakin on Medium authored by Anton Chuvakin. Read the original post at: https://medium.com/anton-on-security/can-we-have-detection-as-code-96f869cfdc79?source=rss-11065c9e943e——2