Source: securityboulevard.com – Author: Anton Chuvakin
This is not a blog about the recent upheaval in the magical realm of SIEM. We have a perfectly good podcast / video about it (complete with hi-la-ri-ous XDR jokes, both human and AI created).
This is about something that bothered me for a long time (since my Gartner days) and I finally figured out how to solve this complicated problem.
Of course, the answer is … A TWITTER POLL!
On a more serious note, pay attention to the wording “if you look at your SIEM, how many detections have you written.” By combining my Twitter and LinkedIn poll data (which showed a similar trend), I arrived at roughly 800 votes, and they tell a story…
… so what is the story?
My hypothesis is that this data reveals the existence of two worlds:
On the left, we have “detection as code”; on the right, we have “EDR-ization of SIEM.” On the left, we fix FPs; on the right, we whine about the FPs to the vendor. On the left, we study threats and make detections. On the right, we pay…
Initially, I wanted to say that these are warring clans, but I think a better metaphor is parallel universes: Clan 1 (who engineer their detections) counts about 30% of the security population and most of their detection content is written by them. Clan 2 (who largely consume detections) is a bit larger at 35% and most of their detection rules are written by their vendors, consultants or whoever else and perhaps lightly tuned. What about the remaining 35%? I intuit that they are in transit to one of the parallel universes…
P.S. What does this have to do with decoupled SIEM? Well, I think the clan of detection engineers strongly prefers the decoupled SIEM, while their opposites skew toward the “tightly integrated” SIEM… So there is that.
P.P.S. My muse for this post is the incomparable Allie Mellen 🙂 You rock!
Resources:
- Detection as Code? No, Detection as COOKING!
- EP117 Can a Small Team Adopt an Engineering-Centric Approach to Cybersecurity?
- Cloud Security Podcast on the Day of 3 SIEM Transition
- Cooking Intelligent Detections from Threat Intelligence (Part 6)
- Decoupled SIEM: Brilliant or Stupid?
Back to Cooking: Detection Engineer vs Detection Consumer, Again? was originally published in Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.
*** This is a Security Bloggers Network syndicated blog from Stories by Anton Chuvakin on Medium authored by Anton Chuvakin. Read the original post at: https://medium.com/anton-on-security/back-to-cooking-detection-engineer-vs-detection-consumer-again-ac41b006e8e3?source=rss-11065c9e943e——2
Original Post URL: https://securityboulevard.com/2024/05/back-to-cooking-detection-engineer-vs-detection-consumer-again/
Category & Tags: Security Bloggers Network, detection-engineering