Concepts and perspectives

A succinct description of how detection engineering is approached from the perspective of this publication:

A collection of comprehensive processes, workflows, and technologies, spanning multiple perspectives, that support an end-to-end ecosystem for the continuous research and development of detection and prevention capabilities, at scale, across a broad spectrum of threats and environments, including testing, releasing, and maintaining those capabilities with continuous improvement

A breakdown and emphasis on some of the key components:

  • End-to-end: comprehensive consideration of the entire lifecycle, not just the authoring step

  • At scale: supporting a production-sized ecosystem meant to enable large-scale operations

  • Multiple perspectives: considers how business role impacts how these concepts are perceived and prioritized (this is broken down in detail in the next chapter)

  • Continuous: processes and artifacts are not set-and-forget, but are instead maintained by design

  • Detection and prevention capabilities: the emphasis is on capabilities, since outcomes can consist of rules, signatures, scripts, tools, or research and content rather than rules alone

  • Broad threat spectrum and environments: focus on multiple threats and environments, from endpoint, web, CSP (cloud service provider), SaaS, and network, and beyond

A challenge, or better, an opportunity that arises around such broad and ambiguous concepts is the need for some type of order. At a minimum, there is a need for a common lexicon, but even more beneficial would be common conceptual principles or frameworks. The key benefit is being able to speak the same language at a much higher level, without the constant need to explain the context around every component. It makes communication less esoteric or proprietary and allows for smoother collaboration and coordination.