Would you let misconceptions keep you from adopting a tool that can help your security team do its best work? In my ten years of building security monitoring solutions, I learned that security teams need a strategic overall approach to detection in order to protect their organization. Yet I’ve found that many are hesitant to move away from the processes they’re used to, despite no longer being as effective as they once were. Detection-as-code is a great overall approach to threat detection and response, but many may be reluctant to adopt it due to what they’ve heard: It’s hard to implement, makes teams slower and is just a buzzword. But what if believing these misconceptions kept you from implementing a truly helpful tool for your team?
Here are five common misconceptions around detection-as-code and what security practitioners should believe instead.
What is Detection-as-Code?
Detection-as-code marries the benefits of software engineering with the functionality of detecting behaviors that could lead to a breach. In the long term, detection-as-code will bring sustainability, reliability and standardization to detection and response. It also, by function, forces security teams to automate by default, operate at a larger scale and improve team efficiency.
But does detection-as-code really offer benefits that go beyond the current tools you’re using? Here are five misconceptions we’ve seen security teams believe and the truth of the matter.
Misconception: Detection-as-code is only about writing detection logic in a programming language.
Truth: There’s a misconception that the only thing detection-as-code has to offer is that it encourages writing detections in a universal programming language instead of in a proprietary coding language. But detection-as-code is much broader than that and offers a framework for managing detection logic in the same way software engineers manage code. Using a programming language for detection logic is not a requirement to successfully implement detection-as-code workflows.
Misconception: Detection-as-code is difficult to implement.
Truth: Security teams used to certain tools may be reluctant to move to a new approach due to having to transition, deploy and learn the new platform. Yes, detection-as-code can be difficult to implement from a technology perspective if your SIEM vendor does not embrace it. However, if your SIEM provides command line tools, support and tutorials to enable detection-as-code, implementation can be surprisingly low-effort.
Misconception: Detection-as-code slows the team down.
Truth: Won’t it take a security team more time to actually code and create all these detections and workflows? Transitioning any team to a new workflow takes time to get used to, and teams must build muscle memory over time to operate effectively. The long-term return on investment of a structured, technically-enforced process for managing detection will result in higher quality detection content and time saved by detection engineers and security analysts.
Misconception: Detection-as-code is just a vendor buzzword.
Truth: Many vendors these days now reference detection-as-code as a selling point. Is it just a buzzword and another jump on the “everything-as-code” bandwagon, or are they actually offering something worthwhile to your team? It’s important to understand exactly what the vendor offers for their “detection-as-code solution.” Analyze whether or not that solution really fits the widely adopted frameworks for not only implementing detection-as-code but if that solution will work with your existing infrastructure (i.e., version control and CI/CD systems).
Misconception: Writing code is too hard.
Truth: Finally, for those who haven’t yet learned a coding language—and maybe even for those who have—there’s another misconception that learning how to code is just too hard. As security practitioners, we’re already familiar with Python as a scripting language for local log analysis. Basic Python can be learned by anybody and is a great gateway to increase your knowledge about programming and level up your ability to analyze security data. There are tons of great resources, classes and tutorials on the internet for learning basic Python.
Debunking Detection Myths
Detection-as-code has much to offer security teams, not just in terms of new features they can implement but in an overall process approach that can increase their efficiency and impact. As you think about what tools can improve your team, make sure you look beyond the myths to the truth around detection-as-code.