AppOmni’s Drew Gatchell on Creating Better Detection for SaaS Platforms
Dec 20, 2023
Building a detection and response strategy is challenging, and even more so when working with SaaS platforms and the audit logs they generate. In this week's episode of our Detection at Scale podcast, Drew Gatchell, Director of Detection Engineering at AppOmni, talks about the strategies they put in place to overcome the challenges of effective SaaS detection.
Here are the top takeaways:
Find an alerting and detection strategy framework you like, and riff on it. Detection engineering can be very ad hoc, so start by having a plan that has a useful framework at its foundation. Drew has augmented their frameworks with attack graphs and security decision trees.
For signal creation, start with a hypothesis, then build into a strategy. Your plan should include what's possible from a data collection point of view, making sure your detection is layered, and building in redundancies in case one signal goes out.
Have generative AI and machine learning assist in your detection strategies. AppOmni uses AI to articulate what the normalization pattern of their audit logs should look like and to create additional content that goes along with the detection rules, such as how to triage or investigate the alert.
Leverage data lakes, which are a "tremendous asset to D&R." Having the size to handle the audit logs from large SaaS vendors, offering cheaper storage, and providing the ability to query across a longer period of time are just some of the capabilities and benefits data lakes bring to detection engineering.
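To make the "normalize, then layer and build in redundancy" takeaways concrete, here is an added example (not AppOmni's code, and not their schema): two constructed SaaS audit log formats are mapped onto one common event shape, and two independent rules test the same hypothesis (an account acting from an unfamiliar IP gains or uses privileged access), so a detection still fires if one vendor's role-change event stops arriving. Vendor names, field names and the admin IP allow-list are all assumptions.

```python
# Added example, not AppOmni's code. Vendor formats and IPs are constructed.
from dataclasses import dataclass

@dataclass
class Event:
    source: str
    actor: str
    action: str   # normalized: "login", "role_grant", "export", ...
    target: str
    src_ip: str

def normalize(raw: dict) -> Event:
    """Map each hypothetical vendor's field names onto the common schema."""
    if raw["vendor"] == "vendor_a":  # constructed: flat record, upper-case event codes
        codes = {"USER_LOGIN": "login", "ROLE_ASSIGN": "role_grant"}
        action = codes.get(raw["evt"], raw["evt"].lower())
        return Event("vendor_a", raw["user"], action, raw.get("obj", ""), raw["ip"])
    # constructed vendor B: nested actor, actions already lower-case
    return Event("vendor_b", raw["actor"]["email"], raw["action"],
                 raw.get("target", ""), raw["client_ip"])

KNOWN_ADMIN_IPS = {"203.0.113.10"}  # constructed allow-list of admin egress IPs

def rule_direct_role_grant(events):
    """Signal 1: an admin role granted from an IP outside the known admin set."""
    return [e for e in events if e.action == "role_grant" and e.target == "admin"
            and e.src_ip not in KNOWN_ADMIN_IPS]

def rule_login_then_sensitive(events):
    """Signal 2 (redundant path): login from an unknown IP, then any sensitive
    action by the same actor. Does not depend on the role-change event alone."""
    hits, suspicious = [], set()
    for e in events:
        if e.action == "login" and e.src_ip not in KNOWN_ADMIN_IPS:
            suspicious.add(e.actor)
        elif e.actor in suspicious and e.action in {"role_grant", "export"}:
            hits.append(e)
    return hits

def detect(raw_events):
    """Normalize once, then run every layered rule over the common schema."""
    events = [normalize(r) for r in raw_events]
    return {"direct": rule_direct_role_grant(events),
            "behavioral": rule_login_then_sensitive(events)}

SAMPLE = [  # constructed audit log records from both vendors
    {"vendor": "vendor_a", "evt": "USER_LOGIN", "user": "eve@example.com", "ip": "198.51.100.7"},
    {"vendor": "vendor_a", "evt": "ROLE_ASSIGN", "user": "eve@example.com", "obj": "admin", "ip": "198.51.100.7"},
    {"vendor": "vendor_b", "actor": {"email": "eve@example.com"}, "action": "export", "target": "all_records", "client_ip": "198.51.100.7"},
    {"vendor": "vendor_b", "actor": {"email": "ops@example.com"}, "action": "login", "client_ip": "203.0.113.10"},
    {"vendor": "vendor_b", "actor": {"email": "ops@example.com"}, "action": "role_grant", "target": "admin", "client_ip": "203.0.113.10"},
]
```

Dropping the ROLE_ASSIGN record from SAMPLE (simulating a lost signal) silences the direct rule, but the behavioral rule still flags the export.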