An overview of Detection Engineering concepts and considerations
The cybersecurity industry has exploded in terms of size, scope, and monetary investments over the course of the last two decades. As technology continues to advance and evolve, the industry not only must adapt to stay relevant, but it must also evolve — taking advantage of the same technological improvements.
Rapid growth can have many consequences and influences on how things progress. One example of this is the disproportionality of maturity across the many components encompassed in the security industry. Networking is a good example of a very mature discipline within the industry. Operations, and more specifically Security Operations Centers (SOC), are an example of something fairly mature, but not as mature as networking.
Detection engineering reflects the evolution of the security industry as a whole: it is composed of very mature and rigorous concepts alongside much newer elements. These independent elements continue to evolve and coalesce, creating a discrete discipline that is slowly being standardized, not by force or proclamation, but through the organic process of technological growth and evolution.
The concept of detection engineering has been around for decades, but the specific usage of the term itself is relatively recent. So much so that there still isn’t complete agreement on what actually constitutes detection engineering. Similar to other more established and mature disciplines, it is going through its evolutionary maturation process, where at some point, it may settle into a discrete standardized discipline.
Where I believe the most ambiguity lies is in the scope of the intended meaning behind the term. There are some fantastic books and resources that exhaustively detail how to apply detection engineering, focusing almost entirely at the binary level: detecting single behaviors and practices. On the other hand, it is even more common to see detection engineering discussed in a way that encompasses multiple teams, processes, and technologies, aimed at sustaining a program around continuous detection engineering capabilities.
Almost as common are the operational discrepancies, where we tend to see a lot of disagreement and discussion about the differences between threat hunting and detection engineering, along with security operations, product development, and several others. For some, a concrete distinction between these is a prerequisite to doing anything else.
I would argue that this current lack of standardized interpretation is actually a positive thing, serving to benefit the security industry and community. Too often we observe disciplines burrow into their own delineated silos of responsibility, whether subconsciously or intentionally, and whether from being overwhelmed or simply uninterested. Regardless of the cause, the outcome is less focus and less critical thinking across concepts that should never have diverged so definitively.
The reality is that how these concepts and disciplines relate and operationally integrate ultimately depends on many factors, such as primary goals, economic means, threat landscape, expertise, and tons of other business and technological considerations. In short, it depends!
The intent here is not to add to this discussion or to assert principles around the standardization and composition of detection engineering, but rather to convey a unified approach to successfully implementing an operational strategy around detection engineering. With that said, this perspective needs to be shared by the reader in order for the content and concepts that follow to be adequately understood.