
Threat Detection Assurance (TDA)

Hanna Mathai

By Majid Khan, Director - Service Design and Architecture


If you are reading this report and article, you are most likely involved in, or related to, the cybersecurity domain. And if you are, you will most likely have heard statements like “prevention is not enough” and “it’s no longer a question of if, it’s a question of when the breach will happen”.

With news of a new breach hitting our timelines each day, these statements have unfortunately become nothing less than reality. In terms of mitigation, this means that while we continue to enhance our prevention capabilities, we also need to evolve our detection capabilities – so that we can detect a breach ideally before it spreads, or at the very least as soon as it hits us.

To do so, there are multiple areas we need to focus on:

  • How good is my detection coverage?
  • Do I have the right data to detect an anomaly?
  • Do I have the right use cases?
  • How am I tackling false positives?
  • Are my use cases actually doing what they are meant to do?

At Help AG, we have been delivering cybersecurity services to our customers for over two decades, and MDR services for 8 years now, and we are always learning and evolving. As cyber threats continue to evolve, it is extremely important to keep up or, even better, to lead.

One such area of our evolution has been the effectiveness of threat detection. When we develop new threat detection content, we need to provide assurance to our customers and, more importantly, to ourselves that we can detect what we think and want to detect. This led to the birth of the Threat Detection Assurance (TDA) process, a term that we at Help AG coined ourselves.


Threat Detection Assurance is a process which aims to measure the effectiveness of threat detection use cases, and helps us achieve the following:
  • Log Ingestion Validation – Validate that the logs necessary for detection are enabled and being ingested into the appropriate SIEM system.
  • Use Case Logic Validation – Validate that the use case logic as defined is relevant and accurate enough to trigger in the customer environment.
  • Identify Blind Spots – If we want to test a use case and there is no relevant data source, that is a blind spot. The process helps us identify blind spots and highlight the need for a new security control or data source to detect this type of threat.
  • False Positive Reduction – Reduce false positives by tweaking thresholds and fine-tuning the pattern of expected “good” events.
  • Measure “Mean Time to Detect” – Measure the real-life time to detect a defined threat vector, i.e. how soon the alerts trigger when a particular attack occurs. It is possible that our scheduled search runs too infrequently, as a result of which we see the alerts only after an acceptable time has passed.

The TDA process involves the steps shown in the image above:
  • Initiate the process.
  • Identify the list of use cases to be tested, to ensure coverage of the right scope.
  • An offensive cybersecurity consultant starts simulating attack vectors, part of which can also be automated.
  • A SOC analyst validates whether the use case is triggered in the environment.
  • If the use case has fired, we move on to the next attack vector. If it did not fire, the root cause is identified and actions are taken to address it.
  • Once the root cause is addressed, a retest is carried out, and the cycle keeps repeating until all agreed threats have been simulated and every use case has been tested.
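As an added illustration of this loop (example code, not Help AG's tooling), the following Python harness takes the list of simulated attack vectors and the alerts a SIEM produced, and classifies each use case into the outcomes the process is built around: blind spot (data source not ingested), logic failure (data present but no alert), late detection, or pass, plus the mean time to detect. The use case names, data sources, alerts and the 15 minute latency target are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data for one TDA run; use case names and sources are
# hypothetical placeholders, not real Help AG detection content.
T0 = datetime(2024, 1, 1, 9, 0)
INGESTED_SOURCES = {"windows_security", "sysmon"}  # what the SIEM actually receives
ALERTS = [  # alerts the SIEM raised, as the SOC analyst would see them
    {"use_case": "Brute force logon", "time": T0 - timedelta(hours=1)},  # pre-test noise
    {"use_case": "Brute force logon", "time": T0 + timedelta(minutes=3)},
    {"use_case": "Scheduled task persistence", "time": T0 + timedelta(minutes=55)},
]

@dataclass
class TdaTest:
    use_case: str           # detection use case under test
    data_source: str        # log source the use case logic depends on
    simulated_at: datetime  # when the consultant simulated the attack vector

TESTS = [
    TdaTest("Brute force logon", "windows_security", T0),
    TdaTest("Suspicious PowerShell download", "sysmon", T0 + timedelta(minutes=5)),
    TdaTest("Console login from new country", "cloud_audit", T0 + timedelta(minutes=10)),
    TdaTest("Scheduled task persistence", "windows_security", T0 + timedelta(minutes=15)),
]

def classify(test, ingested, alerts, max_latency=timedelta(minutes=15)):
    """Return (status, root_cause, time_to_detect) for one simulated attack vector."""
    if test.data_source not in ingested:  # log ingestion validation
        return "FAIL", "blind spot: required data source not ingested", None
    # Only alerts raised after the simulation count; earlier ones are unrelated noise.
    fired = [a["time"] for a in alerts
             if a["use_case"] == test.use_case and a["time"] >= test.simulated_at]
    if not fired:  # use case logic validation
        return "FAIL", "use case did not trigger: review rule logic", None
    ttd = min(fired) - test.simulated_at  # time to detect for this vector
    if ttd > max_latency:
        return "FAIL", "detected too late: review search schedule and thresholds", ttd
    return "PASS", None, ttd

def run_tda(tests=TESTS, ingested=INGESTED_SOURCES, alerts=ALERTS):
    """Map each use case to its result; FAIL entries feed the root-cause and retest loop."""
    return {t.use_case: classify(t, ingested, alerts) for t in tests}

def mean_time_to_detect(results):
    """Mean time to detect across vectors that produced an alert, or None if none did."""
    ttds = [r[2] for r in results.values() if r[2] is not None]
    return sum(ttds, timedelta()) / len(ttds) if ttds else None

if __name__ == "__main__":
    res = run_tda()
    for uc, (status, cause, ttd) in res.items():
        print(f"{status:4} {uc:32} ttd={ttd} {cause or ''}")
    print("MTTD:", mean_time_to_detect(res))
```

Each FAIL carries the root cause the analyst would feed back before the retest, and the MTTD figure shows how a slow search schedule (the scheduled task case) drags the average even when the logic is sound.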

You may notice that TDA looks close to a red teaming exercise. However, the goal and outcome of the two exercises are different, and hence the focus is different too. The goal of TDA is specifically to assess the effectiveness of identified, specific use cases, while red teaming is broader in scope.

Help AG MSS has introduced the TDA process for all our MDR customers – it is an exercise we now run for every customer as part of onboarding, and which we plan to repeat regularly to give assurance to ourselves and to our customers.

If you would like to know more about effective threat detection, including the other aspects involved in the process, do reach out to your Help AG account manager; it will be our pleasure to share our knowledge. At Help AG we are nurtured and taught that #SHARINGISCARING.
