Putting it all together to understand the current and future states

Referring back to the original linear model, all of these AI, ML, and statistical approaches can target the incoming data or the generated alerts, or they can create new detection functions altogether.

[Figure: ../_images/90-functional-detection.png]

Fig. 90 Linear or functional approach to traditional detection

It could mean parsing out the most relevant events or just enriching events with additional data. Alerts can be intelligently aggregated, summarized, or filtered. Newly detected patterns and relationships can serve as detection mechanisms outright.
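The three intervention points named above (incoming data, generated alerts, new detection functions) laid out as the linear model itself, as an added example that is not part of the original text. The event schema, the asset inventory, and the "failed_logon" rule are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample logon events (assumed schema; not from the page).
EVENTS = [
    {"ts": 1, "user": "alice", "src": "10.0.0.5", "host": "fileserver", "outcome": "fail"},
    {"ts": 2, "user": "bob",   "src": "10.0.0.5", "host": "fileserver", "outcome": "fail"},
    {"ts": 3, "user": "carol", "src": "10.0.0.5", "host": "fileserver", "outcome": "fail"},
    {"ts": 4, "user": "alice", "src": "10.0.0.9", "host": "kiosk",      "outcome": "fail"},
    {"ts": 5, "user": "dave",  "src": "10.0.0.7", "host": "kiosk",      "outcome": "success"},
]

# Constructed asset inventory feeding the enrichment stage.
ASSET_CRITICALITY = {"fileserver": "high", "kiosk": "low"}
RANK = {"low": 0, "unknown": 1, "high": 2}


def enrich(events):
    """Stage 1, incoming data: attach asset criticality to every event."""
    return [dict(e, criticality=ASSET_CRITICALITY.get(e["host"], "unknown"))
            for e in events]


def detect(events):
    """Stage 2, detection logic: a simple rule that alerts on each failed logon."""
    return [dict(e, rule="failed_logon") for e in events if e["outcome"] == "fail"]


def aggregate(alerts, min_count=2):
    """Stage 3, generated alerts: collapse alerts sharing (rule, src) into one
    summary, then drop groups that are small or only touch low-value assets."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["rule"], a["src"])].append(a)
    summaries = []
    for (rule, src), items in groups.items():
        worst = max((a["criticality"] for a in items), key=RANK.__getitem__)
        if len(items) < min_count or worst == "low":
            continue  # filtered: not worth an analyst's attention on its own
        summaries.append({"rule": rule, "src": src, "count": len(items),
                          "users": sorted({a["user"] for a in items}),
                          "criticality": worst})
    return summaries


def run_pipeline(events, min_count=2):
    """The linear model end to end: data -> enrichment -> detection -> alert handling."""
    return aggregate(detect(enrich(events)), min_count)
```

Running `run_pipeline(EVENTS)` collapses four raw alerts into a single summary for the source that failed against three accounts on the high-value host; the lone kiosk failure is filtered out by the enrichment it carries.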

The use of these features will only continue to expand and be incorporated into detection capabilities as well as detection engineering operations. Interestingly, with detections as code (DAC) support and adoption also becoming so popular, some unique opportunities arise that are worth considering.

DAC makes rule creation and management far more tractable, while AI makes alert analysis and triage far more tractable. Managing rules and alerts has always been a natural limiting factor on the detection engineering process and on total rule counts. Perhaps this is creating a situation where less attention and emphasis will be placed on economical and efficacious rules, and detection programs will instead move towards an exhaustive coverage approach, where the magnitude of alerts is not a concern.