Threat Detection Maturity Framework

How do you measure the success or maturity of a Threat Detection program? What should a Threat Detection team roadmap look like? What is the north star for Threat Detection? These are questions that I have posed to colleagues and myself or have been asked of my leadership in my journey in the Threat Detection space. Through my discussions and research, I concluded that there is no industry-accepted Threat Detection Maturity Framework, with every organization proceeding with Threat Detection in its own manner. Oftentimes, I have found that detection coverage mapped against MITRE's ATT&CK Matrix has been the standard for measuring Threat Detection maturity across many organizations, but this approach is insufficient, as tactics, techniques, and procedures (TTPs) are not correlated with risk, and there are additional factors outside of the matrix that need to be considered in the makeup of a Threat Detection team.

In March, when I joined Snowflake as the Manager of Global Threat Detection, I began working on a framework that supported our vision: “Be an exemplary function within Snowflake greatly reducing organizational risk while also producing content worth sharing with the broader security community that positions Snowflake as a leader in the Threat Detection space”. This “framework” started as eight pages of scattershot thoughts on everything that I felt was needed for a successful program, but I still needed a way to measure and convey maturity. This prompted me to build the Threat Detection Maturity Framework, a structured and reusable model that could be used to present the program to my leadership and used by my peers in the Threat Detection space. As I began to structure and organize my thoughts, I found that there were five categories that everything could be grouped into, which ultimately serve as the anchors for this framework, with three maturity levels for measuring:

Categories:

  1. Processes
  2. Data, Tools, and Technology
  3. Capabilities
  4. Coverage
  5. People

Maturity Levels:

  1. Ad-hoc
  2. Organized
  3. Optimized

After building this maturity framework, I was able to measure the maturity of our Threat Detection function and convey this to leadership in a structured format. Furthermore, the Threat Detection program now has a roadmap that supports our vision, and we utilize it to align our planning efforts; all seeking to continuously enhance the maturity of our Threat Detection program. If this maturity framework is adopted, it should serve as a starting point for the Threat Detection team and be adapted to meet the unique requirements of the organization they’re protecting. The team can then work to structure their roadmap depending on the existing maturity in each respective category, risk appetite, and team goals.

If you think this Threat Detection Maturity Framework can help you build an awesome Threat Detection program, please reach out to me with your thoughts and feedback. Any partnership from my peers and other practitioners in the Threat Detection space in gaining adoption, standardization, and continued support of this framework would be appreciated. My hope in publishing this framework is that this can be of benefit to fellow Leaders who are looking to build a Threat Detection program or who have an existing program but need a framework to measure maturity and build their team’s roadmap.

Finally, I would like to thank Michele Freschi for his continued feedback and support in helping me through this effort, Daniel Wyleczuk-Stern, and Sivaraman Venu for their contributions to establishing this framework, and Omer Singer for providing a vision for this effort.

Feel free to connect with me on LinkedIn: Haider Dost

Threat Detection Maturity Framework

Processes:

Data, Tools and Technology:

Capabilities:

Coverage:

People:

Please find the CSV to the Threat Detection Maturity Framework here: https://github.com/haidermdost/Threat-Detection-Maturity-Framework/blob/master/Threat%20Detection%20Maturity%20Framework.csv
