Episode 35

AppOmni’s Drew Gatchell on Creating Better Detection for SaaS Platforms

Building a detection and response strategy is challenging, and even more so when working with SaaS platforms and the audit logs they generate. In this week's episode of our Detection at Scale podcast, Drew Gatchell, Director of Detection Engineering at AppOmni, talks about the strategies his team put in place to overcome the challenges of effective SaaS detection.

Here are the top takeaways:

  • Find an alerting and detection strategy framework you like, and riff on it. Detection engineering can be very ad hoc, so start by having a plan that has a useful framework at its foundation. Drew has augmented their frameworks with attack graphs and security decision trees.
  • For signal creation, start with a hypothesis, then build into a strategy. Your plan should include what's possible from a data collection point of view, making sure your detection is layered, and building in redundancies in case one signal goes out.
  • Have generative AI and machine learning assist in your detection strategies. AppOmni uses AI to articulate what the normalization pattern of their audit logs should look like and to create additional content that goes along with the detection rules, such as how to triage or investigate the alert.

  • Leverage data lakes, which are a "tremendous asset to D&R." Having the size to handle the audit logs from large SaaS vendors, offering cheaper storage, and providing the ability to query across a longer period of time are just some of the capabilities and benefits data lakes bring to detection engineering.
