Watch the stream
Modern security teams have been engineering solid detections for a while now. All this great output also needs to be managed well. * How can we make sure that the detections we have spent a lot of time developing are deployed and are running in production in the same way as they were designed? * How can we assure our detection and prevention controls are still working and are detecting the attacks they have been designed to cover?
In this talk, we will discuss how security teams can reap the benefits of using detection-as-code, and how this can help achieving a single source of truth for their detection logic. We will explore how this approach enables teams to use automation and unit testing to manage and validate their detection controls across multiple environments. We will also discuss the importance of being in control of your detection systems, and how detection-as-code can help you maintain control, quality and ensure proper documentation. By adopting a detection-as-code approach, teams can improve the effectiveness, quality and efficiency of their detection systems and gain the confidence that comes from knowing that their detections and mitigations work as intended.
We will show how we have built a robust and flexible development and deployment process using Azure DevOps, Microsoft Sentinel, the Microsoft Defender suite, Azure Logic-Apps and Functions. This process allows us to quickly and easily implement new detection controls, test them across multiple environments, and deploy them in a controlled and consistent manner. We will also show how these tools integrate with each other to provide a single source of truth for our detection logic, and how they can be used to automate various aspects of the development and deployment process. Overall, our approach allows us to build and maintain a highly effective and scalable detection system that is well-suited to the needs of any enterprise or service provider.
Olaf Hartong Security researcher, FalconForce
Olaf Hartong is a security researcher at FalconForce and a Microsoft Security MVP. He specialises in understanding the attacker tradecraft and thereby improving detection capabilities. He has a varied background in blue and purple team operations, network engineering, and security transformation projects.