EP149 Canned Detections: From Educational Samples to Production-Ready Code

Guests:

• John Stoner, Principal Security Strategist, Google Cloud Security

• Dave Herrald, Head of Adopt Engineering, Google Cloud Security

Topics:

• In your experience, past and present, what would make clients trust vendor detection content?

• Regarding “canned”, default or “out-of-the-box” detections, how to make them more production quality and not merely educational samples to learn from?

• What is more important, seeing the detection or being able to change it, or both?

• If this is about seeing the detection code/content, what about ML and algorithms?

• What about the SOC analysts who don't read the code?

• What about “tuning” - is tuning detections a bad word now in 2023?

• Everybody is obsessed about “false positives,” what about the false negatives? How are we supposed to eliminate them if we don’t see detection logic?

Resources:

• Video (Linkedin, YouTube)

• Github rules for Chronicle

• DetectionEngineering.net by Zack Allen

• “On Trust and Transparency in Detection” blog

• “Detection as Code? No, Detection as COOKING!” blog

• EP64 Security Operations Center: The People Side and How to Do it Right

• EP108 How to Hunt the Cloud: Lessons and Experiences from Years of Threat Hunting

• EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil

• Why is Threat Detection Hard?

• Detection Engineering is Painful — and It Shouldn’t Be (Part 1, 2, 3, 4, 5)