How Detection-as-Code Revolutionizes Security Posture

Consider a data breach. Controls like encryption limit the damage once data has been taken, but it is proactive monitoring for suspicious events, such as a change in data access permissions, that lets teams spot an attack in progress and stop it before it becomes an incident. That is why effective threat detection and response is a core part of protecting an organization's assets, data, and operations.

But modern threat detection needs to measure up to modern demands. With ever-changing business requirements and a constantly evolving threat landscape, security teams need agile solutions: threat detection that is flexible enough to pivot with shifting priorities, scales with the business, and can be tuned through automation and customization, all while remaining highly accurate.

Detection-as-code for flexible and customizable detection

Enter detection-as-code (DaC), the modern approach to threat detection and response that enables security teams to write, manage, and deploy their detections through code. 

Like other “as-code” approaches in DevOps and DevSecOps, DaC enables security teams to reap the same process and control benefits that are available to any software code base, such as version control, automation, scalability, and quality assurance. In particular, detection-as-code can be easily customized and extended to cover security gaps. This translates to improved workflows, better alerts, and ultimately an enhanced security posture. But, most important, teams remain flexible to change along with business requirements.

Let’s take a closer look at how DaC works, its features, and how it enhances security posture.

How does detection-as-code work?

Detection-as-code is offered as a feature of some modern SIEMs. A SIEM ingests logs from your applications and infrastructure, normalizes them into a common schema, and evaluates each event against a set of detections in near real time; when a detection matches, it raises an alert so the team can respond.

A detection is a rule that defines the condition under which an alert should fire: a single event of interest, or a combination of events that together meet some criteria. For example, a rule can detect a successful brute-force attack by watching for five consecutive failed login attempts for one account from one source, followed by a successful login from that source within a short window. The detection defines both the condition and the alert it produces (title, severity, and the fields a responder needs).
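To make the brute-force rule above concrete, here is an added example, written for this page and not code from the original post or from any SIEM vendor. It normalizes a few constructed sshd-style log lines into events and runs a stateful detection over them. The log format, the 10-minute window, the threshold of five, and the per-(user, source IP) grouping are assumptions; the third account in the sample shows why the window matters: five failures followed by a success half an hour later does not fire.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (sshd-style, not real data).
#   alice: five failures, then a success seconds later   -> should alert
#   bob:   two failures, then a success                  -> below threshold
#   carol: five failures, success 30 minutes later       -> outside the window
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:03Z sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:05Z sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:07Z sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:09Z sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:12Z sshd: Accepted password for alice from 203.0.113.7
2024-05-01T10:01:00Z sshd: Failed password for bob from 198.51.100.9
2024-05-01T10:01:02Z sshd: Failed password for bob from 198.51.100.9
2024-05-01T10:01:04Z sshd: Accepted password for bob from 198.51.100.9
2024-05-01T11:00:00Z sshd: Failed password for carol from 192.0.2.5
2024-05-01T11:00:01Z sshd: Failed password for carol from 192.0.2.5
2024-05-01T11:00:02Z sshd: Failed password for carol from 192.0.2.5
2024-05-01T11:00:03Z sshd: Failed password for carol from 192.0.2.5
2024-05-01T11:00:04Z sshd: Failed password for carol from 192.0.2.5
2024-05-01T11:30:00Z sshd: Accepted password for carol from 192.0.2.5
"""

# Assumed log format; a real SIEM would do this normalization for you.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Normalize one raw log line into an event dict; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "outcome": m["outcome"],
        "user": m["user"],
        "src": m["src"],
    }


class BruteForceDetector:
    """Stateful detection: N consecutive failures then a success, all within a
    time window, tracked per (user, source IP) so one noisy host cannot hide
    another host's attack against the same account."""

    def __init__(self, threshold=5, window=timedelta(minutes=10)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures

    def process(self, event):
        key = (event["user"], event["src"])
        streak = self.failures[key]
        # Expire failures older than the window before evaluating this event.
        while streak and event["ts"] - streak[0] > self.window:
            streak.popleft()
        if event["outcome"] == "Failed":
            streak.append(event["ts"])
            return None
        # A successful login ends the streak whether or not it alerts.
        count = len(streak)
        streak.clear()
        if count < self.threshold:
            return None
        return {
            "title": f"Possible brute force: {count} failed logins for "
                     f"{event['user']} from {event['src']} followed by success",
            "severity": "High",
            "user": event["user"],
            "src": event["src"],
            "failed_attempts": count,
            "ts": event["ts"].isoformat(),
        }


def run_detection(log_text, threshold=5, window_minutes=10):
    """Feed raw lines through normalization and the detector; return the alerts."""
    detector = BruteForceDetector(threshold, timedelta(minutes=window_minutes))
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue  # unparseable line; a real pipeline would count these
        alert = detector.process(event)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LOGS):
        print(alert["severity"], alert["title"])
```

Only alice's activity produces an alert with the defaults. Lowering the threshold to two would also flag bob, and widening the window to an hour would also flag carol; both knobs are exactly the kind of environment-specific tuning that belongs in version-controlled code rather than in a portal form.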

With detection-as-code, a SIEM lets teams write detection rules in a general-purpose language such as Python and manage them under version control. As in a traditional SIEM, these detections run against all ingested log data in near real time and generate alerts as needed. The next image shows an example: a detection rule written in Python and the alert it produces about a possible misuse of root credentials for an OpenVAS vulnerability scanner.

Features of detection-as-code

With detection-as-code (DaC), the process of writing and managing detections is structured, yet flexible and customizable. These are the key features that characterize the approach:

  • Python. When detections are written in Python or another widely used, general-purpose language, teams can extend built-in detections or write custom ones for scenarios the vendor never anticipated, using the language's full standard library and the engineering skills they already have.
  • Version control. With version control, teams collaborate on detections, perform peer reviews and rollbacks, and audit every change to the repository. The commit history records who changed which detection, when, and why, so the detections document their own evolution.
  • Source data normalization. Detections are written against normalized fields rather than each source's raw format, so the same logic applies to any data source the SIEM can parse. This lets teams work toward full detection coverage across all their sources more efficiently.
  • Testing. Teams write unit tests that feed sample events, both malicious and benign, through a detection and assert on whether it fires, so a detection's behavior is verified before it touches production data and regressions are caught when it is changed.
  • Automation. Coded detections plug into CI/CD pipelines: every proposed change is tested automatically, and only passing changes are deployed, which makes deployments repeatable and reliable.
  • Reuse. Existing detections and shared helper functions can be reused for new data sources or projects instead of being rebuilt from scratch.
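As an added example of the Python, testing, and automation points above (written for this page, not code from Panther or from the original post), here is a single-event detection in the rule()/title()/severity()/dedup() function style that Python detection-as-code tools use, together with the unit tests a CI job would run on every change. It flags the permission change mentioned at the start of the article: an S3 bucket policy or ACL change recorded in a CloudTrail-style event. The event shapes, the account ID, the approved automation role, and the function names are assumptions.

```python
# Event names that change who can read or write an S3 bucket or object.
PERMISSION_CHANGE_EVENTS = {
    "PutBucketPolicy", "DeleteBucketPolicy", "PutBucketAcl", "PutObjectAcl",
}

# Assumed: principals allowed to change bucket permissions without alerting,
# e.g. the infrastructure-as-code deploy role. Tuning this set is the kind of
# customization that keeps the alert high-fidelity, and it is reviewed and
# versioned together with the rule.
APPROVED_AUTOMATION = {
    "arn:aws:sts::123456789012:assumed-role/TerraformApply/terraform",
}


def actor_of(event):
    return event.get("userIdentity", {}).get("arn", "unknown")


def bucket_of(event):
    return event.get("requestParameters", {}).get("bucketName", "unknown")


def rule(event):
    """Return True when this event should raise an alert."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return False
    if event.get("eventName") not in PERMISSION_CHANGE_EVENTS:
        return False
    if event.get("errorCode"):
        return False  # the API call was rejected, so no permission changed
    return actor_of(event) not in APPROVED_AUTOMATION


def title(event):
    return (f"S3 permissions changed: {event.get('eventName')} on bucket "
            f"{bucket_of(event)} by {actor_of(event)}")


def severity(event):
    # A bucket-wide policy or ACL change outranks a single object's ACL.
    return "Medium" if event.get("eventName") == "PutObjectAcl" else "High"


def dedup(event):
    # Many changes to the same bucket by the same actor collapse into one alert.
    return f"{bucket_of(event)}:{actor_of(event)}"


# ---- unit tests: constructed CloudTrail-like events, not real data ----------

def make_event(event_name, actor_arn, bucket="customer-data", error_code=None):
    """Build a constructed CloudTrail-style event for a test case."""
    event = {
        "eventSource": "s3.amazonaws.com",
        "eventName": event_name,
        "userIdentity": {"arn": actor_arn},
        "requestParameters": {"bucketName": bucket},
    }
    if error_code:
        event["errorCode"] = error_code
    return event


HUMAN = "arn:aws:iam::123456789012:user/alice"
DEPLOY = "arn:aws:sts::123456789012:assumed-role/TerraformApply/terraform"

# (case name, event, expected result of rule(event))
TEST_CASES = [
    ("human changes bucket policy -> alert", make_event("PutBucketPolicy", HUMAN), True),
    ("approved deploy role -> no alert", make_event("PutBucketPolicy", DEPLOY), False),
    ("denied attempt -> no alert", make_event("PutBucketAcl", HUMAN, error_code="AccessDenied"), False),
    ("read-only call -> no alert", make_event("GetBucketPolicy", HUMAN), False),
    ("object ACL by human -> alert", make_event("PutObjectAcl", HUMAN), True),
]


def run_tests(cases=TEST_CASES):
    """Return {case name: passed}; a CI job fails the build if any value is False."""
    return {name: rule(event) == expected for name, event, expected in cases}


if __name__ == "__main__":
    for name, passed in run_tests().items():
        print("PASS" if passed else "FAIL", name)
```

In a pipeline, run_tests() executes on each pull request and a failing case blocks the merge. Note that the "denied attempt" case is a deliberate fidelity decision: a rejected call changed nothing, so it is left to a separate detection on repeated AccessDenied errors rather than mixed into this one.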

Customizable and flexible threat detection improves security posture

Let’s connect the dots and understand how detection-as-code improves security posture and operations. Keep in mind that a robust security posture minimizes the risk of threats and ensures that an organization is prepared to respond efficiently when incidents occur. Here’s how detection-as-code improves both:

  • Higher-fidelity alerts. Detections tuned to your environment (known automation accounts excluded, thresholds set for your traffic) produce fewer false positives, which means less noise, less alert fatigue, and faster incident response because analysts are not chasing false alarms.
  • More effective security coverage. DaC lets detections be reused, automated, and customized, so teams can focus on tailored detections for the attacker behaviors that matter most in their environment.
  • Reduced tool fragmentation. Because detections are written against normalized data from every source the SIEM ingests, teams can build coverage in one place instead of maintaining separate rule sets across many tools.
  • Consistency. Codifying detection rules ensures consistent implementation across different environments, reducing the chances of discrepancies in threat detection.
  • Transparency. DaC logic is explicit and can be audited, reviewed, and understood by anyone with access, enhancing both compliance and transparency in threat detection processes.
  • Agility. Faster time to production and faster time to change: when a new threat or technique emerges, a detection can be written, tested, reviewed, and deployed through the same pipeline as any other code change.
  • Collaboration. With DaC, developers, security teams, and operations can collaborate more effectively on detection rules, leading to better, more comprehensive detections. 
  • Innovation. When security teams can easily customize and adapt their security measures, it encourages them to explore new approaches and technologies.

Comparing a traditional SIEM with detection-as-code

In traditional SIEMs, detections are used in the same way as detection-as-code—they process normalized and aggregated log data in order to detect threats and generate alerts in real-time. However, they are created and managed in a substantially different way:

  • Detections are created through forms on a proprietary online portal. This provides a structured and guided way to create new detections, but it lacks the version control, peer review, and collaboration that a code repository provides.
  • Some detections are written in a vendor-specific query language or rule format. The vendor supports it, but it adds complexity and a learning curve, limits flexibility and customization, and, when a rule cannot be tuned precisely, leaves teams with noisier alerts and coverage gaps.
  • Detections are managed on the online portal. This provides a centralized location to manage all detections for the SIEM, but depending on the SIEM, this also might limit automation, transparency, and a team’s overall agility.

Overall, more effective security coverage means a better security posture. That is why security teams need a threat detection solution flexible enough that detections can be customized and kept current as threats change.

A case study: How Bitstamp uses detection-as-code

There’s more to learn about detection-as-code! Check out the case study of how Bitstamp uses Panther to accelerate its detection testing and deployment. You’ll learn about Bitstamp’s challenges in creating detections with a vendor-specific language, and how switching to Panther’s Python-based detection-as-code accelerated their operations.

Curious about Panther? Request a demo.
