Episode 46

Elastic’s Darren LaCasse on Cutting Alert Volumes in Half By Automating Responses

Security at scale demands innovative approaches. In the latest episode of Detection at Scale, I chat with Darren LaCasse, Director of Threat Intelligence, Incident Response, & Threat Detection at Elastic Security Solution, who dives deep into the world of detection as code, shedding light on methodologies to enhance security operations and rise to the challenges.

Here are the top takeaways:

Adopt human-readable languages. Darren highlights the use of TOML for writing detection codes, emphasizing its simplicity and readability. He explains, “TOML looks like YAML, except I haven't had the same problem with spaces like I do with YAML. So it's very similar, feels very familiar, and it's easy to read. That was one of the challenges we started out with, started having that led us to build detection as code is.” This choice not only makes the code accessible but also ensures that it can be easily understood and maintained by security teams, streamlining the detection process.

Prioritize what matters. “Eventually we'll get to the same level of detail and insights for non-critical and public data vendors. But the focus is definitely on the ones that can impact the business and have data we don't want to lose,” Darren says of how his team decides which alerts to address first. He underscores the importance of focusing on critical data and business-impacting elements. By conducting regular gap analyses and attack path discussions, organizations can visualize vulnerabilities and direct their efforts where they matter most, enhancing overall security posture.

Automate and streamline responses. Darren shares how Elastic has successfully implemented automation to handle alerts, significantly reducing the manual workload on their analysts. By integrating context-aware responses and leveraging machine decision-making, they've managed to cut the number of alerts reaching human analysts by half, showcasing a significant productivity gain. “I think context is really essential to making analysts' lives easier. But now that we have context, we can even just exclude that from ever showing up in front of an analyst,” he says.

From what language to use to prioritization strategies, this conversation is a treasure trove of insights for practitioners looking to bolster their security infrastructure.

Recommended Resources

Escape Cloud Noise. Detect Security Signal.
Request a Demo