Back to Cooking: Detection Engineer vs Detection Consumer, Again?

Anton Chuvakin
Published in Anton on Security
3 min read · May 21, 2024

This is not a blog about the recent upheaval in the magical realm of SIEM. We have a perfectly good podcast / video about it (complete with hi-la-ri-ous XDR jokes, both human and AI created).

This is about something that has bothered me for a long time (since my Gartner days), and I finally figured out how to solve this complicated problem.

Of course, the answer is … A TWITTER POLL!


On a more serious note, pay attention to the wording: “if you look at your SIEM, how many detections have you written.” By combining my Twitter and LinkedIn poll data (which showed a similar trend), I have arrived at ~800 votes here, and they tell a story…

… so what is the story?

My hypothesis is that this data reveals the existence of two worlds:

Spelling by your friendly GenAI, obvi :-)

On the left, we have “detection as code”; on the right, we have “EDR-ization of SIEM.” On the left, we fix FPs; on the right, we whine about the FPs to the vendor. On the left, we study threats and make detections. On the right, we pay…

Initially, I wanted to say that these are warring clans, but I think a better metaphor is parallel universes. Clan 1 (who engineer their detections) makes up about 30% of the security population, and most of their detection content is written by them. Clan 2 (who largely consume detections) is a bit larger at 35%, and most of their detection rules are written by their vendors, consultants or whoever else, and perhaps lightly tuned. What about the remaining 35%? I intuit that they are in transit to one of the parallel universes…

P.S. What does this have to do with decoupled SIEM? Well, I think the clan of detection engineers strongly prefers the decoupled SIEM, while their opposites skew toward the “tightly integrated” SIEM… So there is that.

P.P.S. My muse for this post is the incomparable Allie Mellen :-) You rock!

UPDATE: as several people wisely pointed out, writing 100% of detections by hand probably means that they chose the wrong SIEM, or perhaps that their environment is extremely unusual. Ultimately, you cook some (many?) detections, but there is no real need to cook things that your vendor can serve you and that taste good…
