| People |
Ad-hoc team building/managing detection (i.e. part time IR task) Leadership has basic understanding of detection processes and challenges but limited resources or different priorities may exist SME's in none or very few detection domains (i.e. network, host, etc.) |
Dedicated individuals performing detection work full time Leadership advocates for detection. The size of the team and resources needed may not be fully understood SME’s on some tools & log sources, informally defined domain ownership |
Dedicated team with defined SME's for all detection domains (host, network, application, cloud, etc.) Leadership advocates for involvement in detection processes across the org, as well as necessary tools, licensing and staffing |
| Processes |
Detection strategy and workflow are not well documented or defined Detection quality depends greatly on the understanding of the individual performing the work No backlog or prioritization of known gaps Little or no active maintenance or monitoring of existing detection Little to no detection related metrics |
Detection strategy and workflow are defined and followed Approval and handoff processes are loosely defined Work is prioritized in an ad-hoc way with little to no input from threat intel or others Maintenance and monitoring is performed but is ad-hoc and generally done reactively Some metrics exist for categories such as fidelity, MTTD, and automated resolutions |
Detection strategy is continuously iterated on Defined review and approval processes exist for new and updated detection, and IR is given final approval permissions Work is prioritized by input from threat intel, and technology SME's Maintenance and monitoring is continuous and most issues are identified proactively KPI's are well defined to include applicable Mitre Att&ck coverage per environment (i.e. Win, Mac, Corp, Prod, etc.) |
| Technology |
Visibility is inconsistent and some sources critical for custom detection may be missing Timeliness of log sources is not tracked Little to no detection-as-code principles are followed No alerts are continuously tested to ensure they are functional |
Most critical log sources are available in the SIEM. Some log health alerting exists. Most log sources are timely (< 5-10 min) Some detection as code principles are followed Few alerts are continuously tested, telemetry from other sources are alerted on (SIEM errors, log health) |
Detection defines critical log sources and ensures they are present in the SIEM. Log health is tracked and alerted on Detection as code is engrained in the team, version control, review and approval, static, dynamic and continuous testing are baked into the deployment pipeline Almost all detection logic is continuously tested in an automated way |
| Detection |
Most detection creation is reactive to incidents or near misses Detection is tied loosely to Mitre Att&ck, but there is no formal tracking Threats are emulated by the detection individuals themselves or using historical data, no active red/purple teaming occurs Detection is primarily indicator focused, few behavioral TTP detections exist All detection logic is treated equal in priority All alerts must be manually reviewed and interacted with by the IR team |
Detection creation is more proactive and prioritized loosely on threat intel (known, likely threats) Mitre Att&ck TTP's a detection use-case covers are documented but aggregation of coverage may be manual Reactive purple team exercises occur, potentially loosely driven by threat intel More behavioral based detections exist, new detection is mostly TTP focused (where possible) Some high fidelity, high impact detection logic runs in near real time and priority is communicated to IR The team has some capability to send alerts to end-users for resolution |
Detection creation is proactively prioritized based on known and active threats to the org as identified by threat intel with risk input from other teams (i.e Security engineering, architecture, risk) All use-cases are documented with Att&ck TID's and this data can be programmatically retrieved to calculate metrics PurpleTeam exercises are constantly run to validate and improve detection capabilities Focused primarily on behavioral/TTP detection logic. ML based detection is applied where applicable High fidelity, high impact detection logic runs in near real time and priority is effectively presented to the IR team All alerts where the end-user has context are directed to them. New alerts are constantly questioned for the potential for automated/end-user resolution |